Transparent SOCKS proxy - redsocks .rpm package


Zrubi

Dec 8, 2016, 6:07:58 AM
to qubes-devel
Hi,

As I mentioned earlier, I have a working transparent SOCKS proxy
solution based on redsocks:
http://darkk.net.ru/redsocks/

Now I've created an .rpm package because there was no pre-built binary
distributed for Fedora yet.

I would not be able to handle the hassle of including it in the official
Fedora repos, but I think it is worth including in the Qubes repos at least.

Sending the SRPM package to qubes-devel.
This is building fine under F24, and F23
(and probably others too)

I'm gonna make my scripts public (soon) as a usage example under Qubes.


--
Zrubi
redsocks-0.4-1.fc24.src.rpm

Zrubi

Dec 8, 2016, 6:09:39 AM
to qubes...@googlegroups.com
On 12/08/2016 12:07 PM, Zrubi wrote:
> Hi,
>
> As I mentioned earlier, I have a working transparent SOCKS proxy
> solution based on redsocks:
> http://darkk.net.ru/redsocks/
>
> Now I've created an .rpm package because there was no pre-built binary
> distributed for Fedora yet.

Just for the record, this is related to #1536

https://github.com/QubesOS/qubes-issues/issues/1536


--
Zrubi


Outback Dingo

Dec 8, 2016, 6:53:53 AM
to Zrubi, qubes...@googlegroups.com
I'd be curious how redsocks compares to, say, shadowsocks for this type of
setup.... or wireguard even



Zrubi

Dec 8, 2016, 7:36:25 AM
to Outback Dingo, Zrubi, qubes...@googlegroups.com
On 12/08/2016 12:53 PM, Outback Dingo wrote:

> I'd be curious how redsocks compares to, say, shadowsocks for this type of
> setup.... or wireguard even


Wireguard is a VPN tunnel.
Shadowsocks is a SOCKS-compatible solution; however, it does not support
the transparent proxy feature.

So the key here is the TRANSPARENT SOCKS proxy.
In such a scenario the clients do not even notice that they are forced
through a SOCKS proxy. So every app will work out of the box.

You may understand this better once I publish my iptables scripts and the
connection design drawings.

It is something like Proxifier for Mac (without the GUI ;)


BTW:
I'm working on this because I need such connections for my work. So it
may not be a feature that every user needs. However, it can be the
base of any kind of "clientless" transparent "leak proof" setup -
especially in Qubes.


--
Zrubi

signature.asc

entr0py

Dec 8, 2016, 2:05:53 PM
to Zrubi, qubes-devel
Zrubi:
I'm curious to see how you implemented DNS resolution. Do you use a hardcoded DNS server? Programs like Firefox and Proxifier (Windows) can remotely resolve DNS requests on the SOCKS server but I don't understand how they do that. I've never been able to accomplish that with Redsocks. Perhaps there's a way to query the SOCKS server for its DNS server, then write a script to update the Redsocks config?

Here's a better explanation of the problem from https://www.whonix.org/wiki/Dev/Inspiration#Transparent_Proxying_Method:

> Transparent Proxying (like Whonix with Tor's TransPort) is, due to technical limitations, not fully supported by proxies. Proxies do not offer a DnsPort and also do not act as a DNS server. While it's possible to relay TCP and UDP traffic through the proxy on the IP level (using iptables), you would still always require a known (you know the IP) DNS server. (i.e. public DNS server such as OpenDNS, Google, httpsdnsd) DNS resolution would look like: Proxy-Workstation -> Proxy-Gateway -> Proxy -> DNS server. It's technically not possible to let the proxy transparently (!) do the DNS resolution (no tools available) - at least not that we know of after extended research. This is because proxies offer hostname resolution, but not DNS.

> Future: This technical limitation may be lifted if redsocks Feature Request: fake DNS resolver gets implemented.

> Due to the DNS issue, you can't completely hide behind the proxy (using it transparently). You always would have to reveal, that you are using a public (or private) extra DNS resolver. Of course, you would also not only have to trust the proxy, but also the extra DNS server, which can see, log and correlate all your DNS queries.

Zrubi

Dec 9, 2016, 4:45:35 AM
to qubes...@googlegroups.com
On 12/08/2016 08:05 PM, entr0py wrote:
>
> I'm curious to see how you implemented DNS resolution. Do you use a hardcoded DNS server?

No, it's not gonna solve that "problem".

In the scenario where I'm using transparent SOCKS
- the DNS servers are hardcoded (and we also have a local DNS relay)
- DNS requests are handled by FoxyProxy

Again, this is not a general magic thing solving all the problems out
there. It only does the "transparently forwarding to a proxy" job,
nothing really more. It is not even usable alone; it needs proper
iptables support as well. But it is really tiny, and the clients do not
even know if they are pushed through a proxy. <- that is the main goal here.

If you do not know why this can be handy, you probably do not need such
a solution.

(But the main reason for using such a thing is not about hiding things but
instead to allow using clients that do not support ANY kind of
proxy. Like RDP.)


--
Zrubi
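
Added example, not part of the thread and not redsocks' own code: the two SOCKS5 CONNECT encodings (RFC 1928) behind the DNS question discussed above. A proxy-aware client can hand the hostname to the SOCKS server (ATYP 0x03), while a redirector behind iptables REDIRECT only recovers the already-resolved IP through SO_ORIGINAL_DST and has to send ATYP 0x01. Function names and the sample bytes are constructed for illustration.

```python
import socket
import struct

# Value from <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def parse_original_dst(raw):
    """Decode the 16-byte sockaddr_in that
    conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16) returns for a
    connection that iptables REDIRECTed to the local proxy port."""
    if len(raw) != 16:
        raise ValueError("expected a 16-byte sockaddr_in")
    # 2 bytes family (skipped), 2 bytes port, 4 bytes address, 8 bytes padding
    port, addr = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(addr), port


def socks5_connect_ip(ip, port):
    """CONNECT with ATYP 0x01: destination is a literal IPv4 address."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port)


def socks5_connect_name(host, port):
    """CONNECT with ATYP 0x03: the SOCKS server resolves the name itself."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def transparent_request(raw_sockaddr):
    """What a transparent redirector can send: only the IP the client
    already resolved through its own DNS path, never the hostname."""
    ip, port = parse_original_dst(raw_sockaddr)
    return socks5_connect_ip(ip, port)


# Constructed sample: sockaddr_in for 192.0.2.10:3389 (an RDP client's target).
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 3389)
                   + socket.inet_aton("192.0.2.10") + b"\x00" * 8)

if __name__ == "__main__":
    print(parse_original_dst(SAMPLE_SOCKADDR))
    print(transparent_request(SAMPLE_SOCKADDR).hex())
    print(socks5_connect_name("example.com", 443).hex())
```

The hostname never reaches the redirected socket, which is why DNS in a transparent setup needs its own path (hardcoded resolvers, a local relay, or a proxy-aware client doing name-based CONNECTs).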
