planetoryd / nsproxy

Kernel-namespaces-based alternative to proxychains.

NSProxy

Part of Accessible OPSEC series (if there even is one).

quick start

# download or compile
sudo ./nsproxy install -s
# geph is a well known tool with good opsec
# this command sets up a namespace and enters it giving you a shell
sproxy geph
# now open another terminal
sproxy librewolf # launches librewolf with a prompt for choosing a profile
# you can use different profiles for different namespaces
sproxy fractal  # launches `fractal` by directly running the command, i.e. not using flatpak
# fractal is a matrix client written in Rust

apart from biased shortcuts, the standard commands are....

here is the case where you connect to a proxy from another computer in a local network

# get the binary to the device you want to proxy by whatever way, like kde-connect
kdeconnect-cli --share ./target/debug/nsproxy -d _a82d921a_aaa3_495f_978e_433a17395f3e_
# now run this one-liner to install it to /usr/bin/; of course this doesn't work with NixOS
sudo ./nsproxy install -s
# must use sproxy (which has SUID flag set) to initialize userns
sproxy userns
# subsequent operations do not need the SUID binary
# make the container
nsproxy socks --proxy socks5://192.167.1.2:9909
# you may also skip userns, which has better compatibility, especially for system software such as a distribution's package manager
sproxy socks --proxy socks5://192.167.1.2:9909 --root
# this affects system wide DNS configuration temporarily though

and it enters a shell which is proxied as instructed.

for flatpak apps you can always run "flatpak run com.someapp" inside a shell like above. at least by the time I'm writing this, flatpak does not run the app through another process outside the namespace.....

more

It's recommended to use the veth + tun2proxy method.

./nsproxy install -s # installs nsproxy and sproxy to your /usr/local (requires root) and makes sproxy suid
# it assumes sproxy is in the same directory as its nsproxy binary
# even though sproxy is SUID, it still runs SUDO to check your permission
sproxy new --mount --veth --tun2proxy ./test_proxy.json # gives you a shell inside a proxied container
# later you may
sproxy node 1 run # enter that container from another shell

Rationale

The usecase

Examples

We've got you covered

Root or not

The proxy

The app

Fix flatpak networking, sideways.

You can run nsproxy watch ./test_proxy.json to automatically proxy flatpak apps.

Currently it's not recommended (bad for anonymity) to have multiple instances of an app because the data could not be segregated, see the issue.

Development

Why doesn't my IPv6 work?

I've been using nsproxy with Geph. For some reason I had to use IPV6, which didn't work in nsproxy. I found out an ipv6 address of example.com and put it in the browser, which surprisingly loaded.

The source code of geph shows it doesn't support ipv6. After some wireshark-ing, apparently the browser (librewolf) treated the ipv6 address as a domain, passed it to geph's socks server.

Librewolf is not complying with the socks5 protocol, and coincidentally sidestepped the code in Geph that throws errors upon ipv6.

After more debugging, it turned out the traffic was sent directly without proxying, because the addr was being labelled as a domain by librewolf, and then categorized as "should not be proxied" by geph.

If I were to keep anonymity, that would be a total disaster.
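
The leak described above comes down to a SOCKS5 request whose address type says DOMAINNAME (0x03) while the name is really an IPv6 literal. The following added example (not code from nsproxy, Geph or LibreWolf) parses a request per RFC 1928, flags that case, and refuses it instead of falling back to a direct connection; `Dest`, `Route`, `parse_request`, `route` and the sample bytes are hypothetical names and constructed input.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Debug, PartialEq)]
enum Dest {
    Ip(IpAddr),
    Domain(String),
    IpLiteralAsDomain(IpAddr), // ATYP said DOMAINNAME (0x03), name is an IP literal
}
#[derive(Debug, PartialEq)]
enum Route { Proxy, Reject }

// Parse a SOCKS5 request (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT.
fn parse_request(b: &[u8]) -> Option<(Dest, u16)> {
    if b.len() < 5 || b[0] != 5 || b[2] != 0 { return None; }
    let (dest, rest) = match b[3] {
        0x01 => {
            let a = b.get(4..8)?;
            (Dest::Ip(IpAddr::V4(Ipv4Addr::new(a[0], a[1], a[2], a[3]))), &b[8..])
        }
        0x04 => {
            let mut a = [0u8; 16];
            a.copy_from_slice(b.get(4..20)?);
            (Dest::Ip(IpAddr::V6(Ipv6Addr::from(a))), &b[20..])
        }
        0x03 => {
            let end = 5 + b[4] as usize; // b[4] is the name length
            let name = std::str::from_utf8(b.get(5..end)?).ok()?;
            let bare = name.trim_start_matches('[').trim_end_matches(']');
            match bare.parse::<IpAddr>() {
                Ok(ip) => (Dest::IpLiteralAsDomain(ip), &b[end..]),
                Err(_) => (Dest::Domain(name.to_string()), &b[end..]),
            }
        }
        _ => return None,
    };
    let p = rest.get(0..2)?;
    Some((dest, u16::from_be_bytes([p[0], p[1]])))
}

// Fail closed: a destination the tunnel cannot carry is refused, never sent direct.
fn route(dest: &Dest, tunnel_has_ipv6: bool) -> Route {
    let v6 = matches!(dest, Dest::Ip(ip) | Dest::IpLiteralAsDomain(ip) if ip.is_ipv6());
    if v6 && !tunnel_has_ipv6 { Route::Reject } else { Route::Proxy }
}

fn main() {
    // Constructed request: CONNECT, ATYP 0x03, 11-byte name "2001:db8::1", port 443.
    let (dest, port) = parse_request(b"\x05\x01\x00\x03\x0b2001:db8::1\x01\xbb").unwrap();
    println!("{:?} port {} -> {:?}", dest, port, route(&dest, false));
}
```

Classifying the address before any "proxy or direct" decision means a mislabelled literal gets the same treatment as a properly typed IPv6 address.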