txtsd / DPITunnel

Free, simple and serverless solution against censorship for Linux PCs and routers
GNU General Public License v3.0

Fix systemd unit #32

Open SupinePandora43 opened 1 week ago

SupinePandora43 commented 1 week ago

CAP_NET_ADMIN was required to make it run under systemd (ArchLinux)

txtsd commented 1 week ago

Can you show me the specifics of how you're using it such that it needs CAP_NET_ADMIN? It runs fine for me without it.

SupinePandora43 commented 5 days ago

> Can you show me the specifics of how you're using it such that it needs CAP_NET_ADMIN? It runs fine for me without it.

Right now I've been getting:

```
ноя 18 00:34:26 supine dpitunnel[76274]: Sniff raw socket creation failure. Errno: Operation not permitted
ноя 18 00:34:31 supine dpitunnel[76274]: Sniff raw socket creation failure. Errno: Operation not permitted
...
```

Previously I received "setsockopt operation not permitted".

txtsd commented 4 days ago

Are you using the dpitunnel package on the AUR?

If not, paste the output of systemctl cat dpitunnel

SupinePandora43 commented 1 day ago

> Are you using the dpitunnel package on the AUR?
>
> If not, paste the output of systemctl cat dpitunnel

Yes, the only differences are:

```ini
[Unit]
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/bin/dpitunnel --ca-bundle-path "/usr/share/ca-certificates/" --desync-attacks "fake,disorder_fake" --split-position 2 --wrong-seq --doh --doh-server https://dns.google/dns-query --wsize 1 --wsfactor 6
[Install]
WantedBy=multi-user.target
```

systemctl cat dpitunnel:

```ini
# /usr/lib/systemd/system/dpitunnel.service
[Unit]
Description=DPITunnel
#After=network.target
Wants=network-online.target
After=network-online.target
[Service]
SyslogIdentifier=dpitunnel
Restart=always
RestartSec=5
Type=simple
User=root
Group=root
#ExecStart=/usr/bin/dpitunnel -doh -doh-server https://dns.google/dns-query -ttl 1 -ca-bundle-path "/etc/ssl/certs/ca-bundle.crt" -desync-attacks disorder_fake
#ExecStart=/usr/bin/dpitunnel --ca-bundle-path=/etc/ssl/certs/ca-bundle.crt --desync-attacks=fake,disorder_fake --split-position=2 --wrong-seq --doh --doh-server=https://dns.google/dns-query --wsize=1 --wsfactor=6
ExecStart=/usr/bin/dpitunnel --ca-bundle-path "/usr/share/ca-certificates/" --desync-attacks "fake,disorder_fake" --split-position 2 --wrong-seq --doh --doh-server https://dns.google/dns-query --wsize 1 --wsfactor 6
#ExecStart=/usr/bin/dpitunnel --ca-bundle-path=/usr/share/ca-certificates/ --desync-attacks=fake,disorder_fake --split-position=2 --wrong-seq --doh --doh-server=https://dns.google/dns-query --wsize=1 --wsfactor=6
TimeoutStopSec=15
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
IPAddressAllow=localhost link-local multicast
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal @system-service
[Install]
WantedBy=multi-user.target
#WantedBy=default.target
```
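The "Operation not permitted" errors above are what a process gets when it opens a raw socket without CAP_NET_RAW or sets a privileged socket option without CAP_NET_ADMIN, so the quickest check of a unit like the one pasted is to decode the effective capability set of the running service. The script below is an added diagnostic, not part of DPITunnel or this PR; it reads the CapEff bitmask from /proc/<MainPID>/status via systemctl and assumes the unit is called dpitunnel.

```shell
#!/bin/sh
# Added diagnostic, not part of DPITunnel: decode a Linux capability bitmask
# (the CapEff line of /proc/<pid>/status) and check for the two capabilities
# a raw-socket program needs. Bit numbers are from <linux/capability.h>.
CAP_NET_ADMIN=12   # privileged socket options, e.g. via setsockopt
CAP_NET_RAW=13     # socket(AF_INET, SOCK_RAW, ...)

# has_cap HEXMASK CAPNUM -> status 0 if bit CAPNUM is set in HEXMASK.
# The mask is split into two 32-bit words so the arithmetic stays portable.
has_cap() {
    mask=$1
    capnum=$2
    while [ ${#mask} -lt 16 ]; do mask=0$mask; done   # left-pad to 64 bits
    hi=$((0x${mask%????????}))   # upper 32 bits
    lo=$((0x${mask#????????}))   # lower 32 bits
    if [ "$capnum" -ge 32 ]; then
        word=$hi; bit=$((capnum - 32))
    else
        word=$lo; bit=$capnum
    fi
    [ $(( (word >> bit) & 1 )) -eq 1 ]
}

# report_caps HEXMASK -> prints present/MISSING per capability; status 0
# only when both CAP_NET_ADMIN and CAP_NET_RAW are in the mask.
report_caps() {
    rc=0
    for pair in "CAP_NET_ADMIN:$CAP_NET_ADMIN" "CAP_NET_RAW:$CAP_NET_RAW"; do
        name=${pair%%:*}
        num=${pair##*:}
        if has_cap "$1" "$num"; then
            echo "$name: present"
        else
            echo "$name: MISSING"
            rc=1
        fi
    done
    return $rc
}

# service_capeff UNIT -> CapEff mask of the unit's main process
# (needs systemd and a mounted /proc; empty if the unit is not running).
service_capeff() {
    pid=$(systemctl show -p MainPID --value "$1")
    [ -n "$pid" ] && [ "$pid" -ne 0 ] || return 1
    awk '/^CapEff:/ { print $2 }' "/proc/$pid/status"
}

# Usage: sh capcheck.sh dpitunnel   (the unit name is an assumption)
[ $# -eq 0 ] || report_caps "$(service_capeff "$1")"
```

With the pasted unit, CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN should yield a mask with bits 12 and 13 set (0x3000 at minimum); a MISSING line points at the unit, not at the binary.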