Software for doing this:
This sounds like an interesting idea! How did the Zeroshell experiment go?
@jlund No luck with it just yet, more or less due to a lack of time. Step one is getting Zeroshell or pfSense or equivalent (not sure if OpenWrt will let me do this or not) running on a BananaPi. The VM was causing network "weirdness", so I canned that option for now.
@jlund it took a heck of a long time-- apparently nearly two years!
Here's what's up to make this work:
So right there, you've got three paths. This is crucial, as the "path count" is what needs to be increased in order to optimize the harmony of your internet. In some areas in China, IPv6 is enough to brush aside Mr. Xi's thought banishment tools.
But it surely wouldn't be enough to satisfy my need for speed, so: you use an MPTCP kernel, and a tool similar to multi to ensure that v4 and v6 connections are properly multipathed by your system. Then you would scatter some sexy Streisands around the world:
| Location | Second Header |
|---|---|
| US-East | dual stack VPN |
| US-West | dual stack shadowsocks |
| South America | dual stack VPN |
| Europe | dual stack shadowsocks |
| Hong Kong | dual stack VPN |
| Japan | dual stack shadowsocks |
@faddat I'd be interested in hearing more about how this went and your current implementation.
Same here, what's your setup, @faddat ?
What I am working on now is a highly-available shadowsocks setup. I have four shadowsocks servers running in four different locations (Hong Kong, Tokyo, Singapore, Los Angeles). I start sslocal on four different ports. I use these as backends for haproxy in tcp mode:

```
frontend shadowsocks-ha
    # the frontend must also be in tcp mode, otherwise haproxy refuses to
    # hand off to a tcp-mode backend
    mode tcp
    bind 0.0.0.0:1080
    default_backend shadowsocks

backend shadowsocks
    balance roundrobin
    mode tcp
    option tcp-check
    # SOCKS5 greeting: version 5, one auth method, "no authentication"
    tcp-check send-binary 050100
    # expect version 5, method 0 (no auth) chosen
    tcp-check expect binary 0500
    # SOCKS5 CONNECT to an IPv4 target on port 10001 (see below)
    tcp-check send-binary 0501000167193c412711
    # expect REP=0 (succeeded) with a zeroed bind address/port
    tcp-check expect binary 05000001000000000000
    # expect the target to answer "42\n"
    tcp-check expect binary 34320a
    server shadowsocks-la 127.0.0.1:12346 check weight 70
    server shadowsocks-sg 127.0.0.1:12347 check weight 10
    server shadowsocks-jp 127.0.0.1:12348 check weight 10
    server shadowsocks-hk 127.0.0.1:12349 check weight 10
```

The problem is the checks, as even when the remote server is unreachable, sslocal responds to tcp requests (default haproxy check), and even if you just initiate a socks connection (050100), it responds as if everything is fine -> you have to try to connect somewhere. So I connect to one of the servers, where there is `ncat -l 10001 -k --exec "/bin/echo 42"` running. Downside: this is testing connectivity between the servers at the same time, which is unnecessary. Better idea? This is something that has to be made better.
Next step is putting the whole thing behind redsocks2 to be able to route any tcp (and udp) traffic through it. This all is in an openwrt router. Then one ssid will be with direct connection and one with shadowsocks.
Next next step is automatic changing of weight. haproxy can make a tcp connection, read a number and use it as weight. So I need to write a script that will somehow check the connectivity to the server - I'm thinking about a combination of ping packet loss (= congestion) and transfer speed - and make it available on a simple tcp socket (ncat again I guess).
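The bytes in the haproxy `tcp-check` above are a hand-typed SOCKS5 greeting and CONNECT request. The following is an added example (not from the thread or the Streisand project) that builds the same bytes from their fields, performs the identical end-to-end check from a script, and maps measured packet loss to the percentage reply haproxy's `agent-check` understands; the `check_via_proxy` and `agent_weight` names are my own, and the target IP in the comments is simply decoded from the hex in the posted config.

```python
import socket
import struct

SOCKS_VER = 0x05
NO_AUTH = 0x00      # authentication method "no authentication required"
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00

def greeting() -> bytes:
    # VER=5, NMETHODS=1, METHODS=[no auth]  -> 05 01 00, as in the config
    return bytes([SOCKS_VER, 1, NO_AUTH])

def connect_request(ipv4: str, port: int) -> bytes:
    # VER CMD RSV ATYP DST.ADDR(4 bytes) DST.PORT(2 bytes, big-endian)
    # For 103.25.60.65:10001 this yields 0501000167193c412711 (the config's hex).
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(ipv4) + struct.pack("!H", port))

def reply_ok(data: bytes) -> bool:
    # Only REP=0 means the proxy actually reached the target; a proxy that
    # answers the greeting but cannot connect sends a non-zero REP here.
    return len(data) >= 2 and data[0] == SOCKS_VER and data[1] == REP_SUCCEEDED

def check_via_proxy(proxy, target_ip, target_port, expect=b"42\n", timeout=5.0):
    """Full check: SOCKS handshake, CONNECT, then the target's banner.
    proxy is a (host, port) tuple such as ("127.0.0.1", 12346)."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(greeting())
            if s.recv(2) != bytes([SOCKS_VER, NO_AUTH]):
                return False
            s.sendall(connect_request(target_ip, target_port))
            if not reply_ok(s.recv(10)):
                return False
            return s.recv(len(expect)) == expect
    except OSError:
        return False

def agent_weight(packet_loss_pct: float) -> bytes:
    """Reply for haproxy agent-check: 'down' above 50% loss, otherwise a
    percentage that shrinks the server's weight as loss grows."""
    if packet_loss_pct >= 50:
        return b"down\n"
    return f"{100 - int(2 * packet_loss_pct)}%\n".encode()
```

Serving `agent_weight` over a small TCP listener (or via ncat, as the post suggests) and adding `agent-check agent-port <n>` to each `server` line lets haproxy pull the weight instead of a static `weight 70`.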
I'm going to bring in @miolini on this. He is a lot more qualified to help with things like this than I am. My current setup is "being refactored" at the moment, but when I have it re-implemented I'll put it here and put relevant scripts in a repo somewhere. (And I'm talking with him to determine the likelihood that this can be commercially implemented in an entirely open source manner across 100's of VPSes scattered throughout our planet's various networks)
@hydrant I see no mention of MPTCP in your setup. Have you played with that at all?
@faddat Hi, this topic is very interesting, but I didn't get the load balance thing. You mean that you had a tiny box with access to two or more Streisand hosts for optimizing routes based on destinations?... When you connect, for example, from the US to the UK and have 5 hops until the destination, if you set a Streisand host in the UK you will have 1 hop (your computer to the Streisand host) and then 1 or 2 hops until the same destination in the UK... BUT the outside VPN connection from your tiny box to that Streisand host will probably have the other 3 or 4 hops under the hood, the ones needed to bring up the tunnel... doesn't it?
The Highly Available setup mentioned later by @hydrandt sounds interesting too: if many tiny boxes connect to a pool of Streisand hosts, then if you add more boxes you will have more availability by adding more hosts; you can grow or shrink dynamically. And if you lose a host, you still have everything working, as HA may also feature as fail-over.
In OpenWrt I know the route-metric-iptables trick to do some kind of load balancing; there is also a mwan (multiwan) package that performs very well too for the job, and OpenVPN is known to rotate when the config has many `remote` lines. Also if you add a properly configured DNS with the multiple IPs, you could work CDN-like, rotating the IP of the Streisand host in different DNS responses to distribute the load a little bit, or even geolocalized depending on the IP of the DNS query.
I just uploaded an article on the Wiki today, a step-by-step tutorial on Setting an OpenWrt Router as OpenVPN Client:
https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Router-as-OpenVPN-Client
PS: About the VM weirdness you mention, I am pretty sure that is probably related to promiscuous mode; without it the VM loses network packets (happened many times to me using VMware).
I think this conversation is sufficiently far from the goals of the Streisand project as to be inappropriate to keep discussing here in a Github issue. Thanks for understanding!
So I want to make a StreisandBox. If this isn't immediately obvious as to its function, here's what a StreisandBox is: A teeny PC (Stick PC/"Android TV Box"/beefy router) that will go about the business of launching Streisand for you. Further, it should act as a 2nd internet gateway, optimizing the routes that your traffic takes based on destination. I've talked up another similar concept but haven't made significant headway yet. In fact, I'm not 100% sure how to do it, though I know it's possible. Imagine with me for a second, and technical gals & guys who've done some rather hardcore networking, I need your help in implementing this-- I guess it's optimized load balancing?
Anyway, the load balancing gets done on the StreisandBox, which in turn provides a single local gateway for the end user's home network. This way we can avoid the current difficulty with Babs: she can be quite slow from time to time (this of course being a function of the censorship). Free internet, however, is priceless (at least IMHO), and so users would likely be willing to shell out the ~$25/mo to have 5x Babs to support one home internet connection. This also brings about the possibility of "Babs Bands" where users exchange multiple Babs addresses with one another.
Am I crazy, or is this a great idea? I am going to try and implement this immediately, and will put updates here. I'm just starting off with an Ubuntu VM on my home network and will see if I can get it to connect to 5x Babs' and then create a gateway server for me to put my traffic through. My desired result is reduced latency and greater throughput.