ginuerzh / gost

GO Simple Tunnel - a simple tunnel written in golang
MIT License

[Clients]<>IPSec<>[Server 1]<>SSH-based Socks5<>[Server 2] (Help a noob!) #891

Open Masood-Lapeh opened 1 year ago

Masood-Lapeh commented 1 year ago

Hi. I have a Linux VPS running an IPSec VPN server (installed by the hwdsl2/setup-ipsec-vpn script). On my VPS I want to make my IPSec clients' traffic (UDP and TCP) go through an SSH-based SOCKS5 proxy on my VPS (127.0.0.1:1080) to another Linux VPS. Is such a thing possible with gost? Can someone guide me to achieve this? (I know there are easier ways to run a double proxy, but I want my users to be able to use their pre-installed tools to access the first VPS.)

What I did on the first VPS:

ssh -N -D 1080 user@secondVPS:7999

Then, according to the examples in the transparent proxy section of the docs:

./gost-linux-amd64-3.0.0-beta.5 -L "red://:12345?sniffing=true&tproxy=true" -F socks5://127.0.0.1:1080 &

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -N GOST
iptables -t mangle -A GOST -p tcp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST -p tcp -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A GOST -p tcp -m mark --mark 100 -j RETURN
iptables -t mangle -A GOST -p tcp -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 127.0.0.1 --on-port 12345

iptables -t mangle -A PREROUTING -p tcp ! --dport 22 ! --sport 22 -j GOST

iptables -t mangle -N GOST_LOCAL
iptables -t mangle -A GOST_LOCAL -p tcp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST_LOCAL -p tcp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A GOST_LOCAL -p tcp -d 192.168.0.0/16 -j RETURN

iptables -t mangle -A GOST_LOCAL -p tcp -m mark --mark 100 -j RETURN
iptables -t mangle -A GOST_LOCAL -p tcp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp ! --dport 22 ! --sport 22 -j GOST_LOCAL

I excluded port 22 so as not to lose the SSH connection to the VPS. Now IPSec clients can connect, and websites show that their IP address changes to the second VPS's. This is good for web browsing. But I need to do it for UDP traffic too, and the problem starts when I add this:

./gost-linux-amd64-3.0.0-beta.5 -L redu://:13579?ttl=10s -F socks5://127.0.0.1:1080 &

ip rule add fwmark 2 lookup 200
ip route add local 0.0.0.0/0 dev lo table 200

iptables -t mangle -N GOST
iptables -t mangle -A GOST -p udp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST -p udp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A GOST -p udp -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A GOST -p udp -m mark --mark 200 -j RETURN
iptables -t mangle -A GOST -p udp -j TPROXY --tproxy-mark 0x2/0x2 --on-ip 127.0.0.1 --on-port 13579
iptables -t mangle -A PREROUTING -p udp -m multiport ! --destination-ports 500,50,51,4500,1701 -m multiport ! --source-ports 500,50,51,4500,1701 -j GOST

iptables -t mangle -N GOST_LOCAL
iptables -t mangle -A GOST_LOCAL -p udp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST_LOCAL -p udp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A GOST_LOCAL -p udp -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A GOST_LOCAL -p udp -m mark --mark 200 -j RETURN
iptables -t mangle -A GOST_LOCAL -p udp -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p udp -m multiport ! --destination-ports 500,50,51,4500,1701 -m multiport ! --source-ports 500,50,51,4500,1701 -j GOST_LOCAL

Now clients can connect to the IPSec VPN, but they can't web browse, let alone use other apps. (I think it's a DNS problem, since 1.1.1.1 opens up.)
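An added diagnostic, not from the issue and not gost's own code: the redu listener hands each intercepted UDP flow to the socks5 forwarder, and a SOCKS5 server can only relay UDP if it accepts the UDP ASSOCIATE command (RFC 1928, CMD 0x03). This probe runs that handshake against the upstream proxy from the setup above (127.0.0.1:1080, the ssh -D endpoint) and reports the REP code, so a proxy that answers 0x07 (command not supported) can be told apart from a DNS or routing fault. It assumes the proxy accepts the NO AUTH method and answers with an IPv4 BND.ADDR.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// buildUDPAssociate: SOCKS5 (RFC 1928) VER=5 CMD=3 RSV=0 ATYP=1 ADDR=0.0.0.0 PORT=0.
func buildUDPAssociate() []byte {
	return []byte{0x05, 0x03, 0x00, 0x01, 0, 0, 0, 0, 0, 0}
}

// parseReply returns REP (0x00 succeeded, 0x07 command not supported) and the IPv4 BND.ADDR:PORT.
func parseReply(b []byte) (byte, string, error) {
	if len(b) < 10 || b[0] != 0x05 || b[3] != 0x01 {
		return 0, "", fmt.Errorf("not a SOCKS5 reply with an IPv4 BND.ADDR: % x", b)
	}
	return b[1], fmt.Sprintf("%s:%d", net.IP(b[4:8]), int(b[8])<<8|int(b[9])), nil
}

// probe negotiates NO AUTH with the SOCKS5 server at addr, then sends UDP ASSOCIATE.
func probe(addr string) (byte, string, error) {
	c, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return 0, "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 64)
	if _, err = c.Write([]byte{0x05, 0x01, 0x00}); err != nil { // VER, NMETHODS, NO AUTH
		return 0, "", err
	}
	if n, err := c.Read(buf); err != nil || n < 2 || buf[1] != 0x00 {
		return 0, "", fmt.Errorf("method negotiation failed (proxy may require auth)")
	}
	if _, err = c.Write(buildUDPAssociate()); err != nil {
		return 0, "", err
	}
	n, err := c.Read(buf)
	if err != nil {
		return 0, "", err
	}
	return parseReply(buf[:n])
}

func main() {
	rep, bnd, err := probe("127.0.0.1:1080") // the ssh -D endpoint from the issue
	fmt.Printf("REP=%#x BND=%s err=%v\n", rep, bnd, err)
}
```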