Skip to content

Transparent http proxy with Golang and tproxy

Transparent http proxy with Golang and tproxy published on No Comments on Transparent http proxy with Golang and tproxy

Recently I started interesting in Go language. First impressions of programming in Go are very good. In short brief, I like simplicity of this language, that you can not complicate the code too much. Goroutines and channels looks promising as solution for concurrency, and it seems simple to use. Static compiled binaries are easy to deploy. Performance is good.

I would like to share description and simple implementation in Go of fully transparent reverse or forward http proxy.

Go standard libraries – net/http and net/http/httputil provides everything needed to implement it.
Below the simplest implementation of http proxy:

Now, we can just set http proxy in browser and it will be working.

Transparent http proxy

But what if we want to to setup fully transparent proxy? For example: when we don’t want to configure manually browser on clients, but all outgoing http traffic should be pass by proxy for some reasons – logging, caching, make security scan for viruses etc. In this scenario transparent proxy is located between the client and the internet. Another use case of transparent http proxy is to set up it inline in communication between services in data center and performing some operations like traffic filtering, checking authorization etc.

System Configuration (routing table, tproxy)

I will describing scenario where http transparent proxy is acting on router which is the default gateway for my local network.
My network looks as follows:

Tproxy will be use to redirect traffic.
Tproxy allows as to redirect traffic designated to remote location to the local process.

From Linux 4.18 tproxy is included in nf_tables.

How tproxy works in details is described here:
https://www.kernel.org/doc/Documentation/networking/tproxy.txt
https://powerdns.org/tproxydoc/tproxy.md.html
https://people.netfilter.org/hidden/nfws/nfws-2008-tproxy_slides.pdf

Configuration of routing table and tproxy:

 

Http proxy in Go

I had to wait for Go 1.11 to be able to create custom socket with IP_TRANSPARENT param. From Go 1.11 there is possible to pass socket option before start listening or dialing. ListenConfig provide this.
https://go-review.googlesource.com/c/go/+/72810
https://golang.org/pkg/net/#ListenConfig

The key in implementation is to create custom listener for http.Serve and use LocalAddrContextKey to get destinetion address to which client want to connect. In fact address:port values from http.LocalAddrContextKey, are the values from local socket dynamicly created by tproxy.

Starting proxy:

Client from local network (192.168.1.6) is connecting to remote site on port 217.73.181.197:80. This connection is handled through the proxy.
Nestat is showing one very interesting thing:

Tproxy created tcp socket with remote site address (217.73.181.197:80) on my local machine. My router has only 192.168.1.1 and 37.247.61.7 addresses, routing table 100 does the job.
Go http proxy after receive request from client (192.168.1.6), made a connection to exactly the same address:port as it received. MAGIC! ๐Ÿ™‚

Securing Asterisk SIP PBX by simple iptables rule checking if the domain is correct

Securing Asterisk SIP PBX by simple iptables rule checking if the domain is correct published on No Comments on Securing Asterisk SIP PBX by simple iptables rule checking if the domain is correct

Hi,

For some time I’ve been looking for a simple way to protect my Asterisk SIP pbx against attacks from bots, scanners which scans and trying dialing to premium numbers. Opening SIP port to the internet causes that there was no one minute without suspect requests hitting my Asterisk. The log was full of that attempts.

While analyzing this problem I noticed that bots, scanners, attackers using everywhere IP address of my server to trying break it. While my proper clients using domain of my Asterisk server. If user is using domain name in his SIP client/phone,this domain is used in further communication on SIP protocol.

Below I will show example of INVITE (INVITE is using to establish VoIP call) SIP request from user using domain name (sip.example.com), and from user using IP address (10.10.10.10) of Asterisk server.

With domain:

With IP address:

Knowing that, I want to block requests to Asterisk server which are NOT contains my domain name. In this point I want to clarify that I have special subdomain for telephones. Bots, scanners, attackers are not knowing about this domain.
Blocking unwanted requests can be done by iptables rules with string matching.

Differences between rules result from different approach between TCP and UDP protocols when establishing a connection. TCP need to do three way handshake to establish connection, UDP not doing this.

After applying these rules, I did not see even one attack ๐Ÿ™‚
At the and we can check increasing iptables counters:

Strongswan IPsec on LEDE/OpenWRT with fast-classifier and shortcut-fe modules

Strongswan IPsec on LEDE/OpenWRT with fast-classifier and shortcut-fe modules published on 5 Comments on Strongswan IPsec on LEDE/OpenWRT with fast-classifier and shortcut-fe modules

I have using TP-Link TL-WDR4300 router with LEDE software. Recently, thanks to fast-classifier and shortcut-fe modules the router got a second life ๐Ÿ™‚ To my surprise after loading fast-classifier modules it can be able to pass 500Mb/s over NAT, which is absolutely great result ๐Ÿ™‚

But after that I noticed that my site-to-site IPsec tunnel, based on Strongswan stopped working properly… Ping was working, tcp connections over tunnel could be established, but after passing some tcp packets the connection freezes. I suspected a problem with MTU, but that was not it.
After unload kmod-fast-classifier and kmod-shortcut-fe tunnel was working properly. I’m started to reading source code of fast-classifier and shortcut-fe modules. I found that:

I realized that the offloading which is doing by fast-classifier and shortcut-fe is basing on conntrack table. The next thought was that conntrack is needed to realize NAT. Only connection between my LAN and internet (WAN) should be tracked and should be in conntrack table. I don’t need to track connection beetween my local nets connected through site-to-site vpn! Connections between my local nets can be realized only based on routing table. I decided to disable conntrack for my local nets and see if it solved my problem.
My network looks as follows:

Strongswan configuration: /etc/ipsec.conf (192.168.0.0/24)

Strongswan configuration: /etc/ipsec.conf (192.168.1.0/24)

File with secrets is the same on booth sides. /etc/ipsec.secrets

Excluding particular connections from conntrack can be done by iptables with raw and conntrack module – I had to install them earlier.

I excluded whole local network class – 192.168.0/0/12

Now my IPsec tunnel started passing traffic properly! ๐Ÿ™‚ And there is no connections from my localnets in conntrack! (so fast-classifier not offloading this connections).
The only issue was that I was unable to connect to LEDE router (192.168.0.1) from my remote network behind IPsec tunnel. I resolved that by exclude IP of router from iptables rule:

I had to install iprange module before:

Now I can enjoy very fast internet connection with fast-classifier and fully working strongswan IPsec vpn connections ๐Ÿ™‚

IKEv2 with Let’s Encrypt- robust IPsec vpn solution for Windows, Android, Linux, macOS and iOS clients

IKEv2 with Let’s Encrypt- robust IPsec vpn solution for Windows, Android, Linux, macOS and iOS clients published on No Comments on IKEv2 with Let’s Encrypt- robust IPsec vpn solution for Windows, Android, Linux, macOS and iOS clients

Hello ๐Ÿ™‚

In this post I will describe how to prepare solid vpn gateway which works flawlessly with many different clients.

I choose the solution based on modern IKEv2 protocol created with Microsoft and Cisco together. In a big simplification – IKEv2 (Internet Key Exchange version 2) is responsible to set up a security association (SA) in the IPsec protocol suite.

Advantages of IKEv2 over IKEv1 protocol:

  • it tolerates interruptions, latency etc. on network connection. For example, if the connection is temporarily lost, or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN after the network connection is reestablished โ€” in transparent way to the user.
  • EAPย authentication – we can authenticate simply, by username and password
  • better dead peer/tunnel detection
  • consume less bandwidth

IKEv2 has built in client in Windows 7 and newer and on macOS and iOS systems.
For Android there is a StrongSwan client app which is working very well. In Linux we can simply use Strongswan which is one of IPsec implementation for Linux.

In setup below I will use certificate for server obtained from Let’s Encrypt. It is needed because Windows clients will not work with self signed certificate without adding our CA as trusted. My goal is that we don’t have to provide anything other then user name and password ๐Ÿ™‚

I will skip the part describing an obtaining a certificate from Let’s Encrypt. It is well documented in internet.
For server/gateway side I used Strongswan which provides support for IKEv2.

Server configuration

For setup server side we have to:
Install Strongswan:
(I’m installing it on OpenSUSE)

or if you using Debian based Linux distribution

I already have a certificate Let’s Encrypt for my domain. The typical catalog structure with the certificates from Let’s Encrypt looks as follows:

To use it in Strongswan it is necessary to create links to certificates and keys:

W need to provide Let’s Encrypt intermediate certificate:

This is very important step, I was spent a lot of hours to discover that Windows works properly only if we are providing intermediate certificate.

Now we can edit /etc/ipsec.conf
My configuration looks as follows:

After that we have to add private key (/etc/ipsec.d/private/privkey.pem) and define usernames and passwords for vpn clients.

This is the whole Strongswan configuration. To apply configuration Strongswan must be restarted:

If don’t have configured NAT/masquerade your clients will not have internet.

In some cases there is a problem with mtu/mss which can cause for example problem with opening some web pages. Strongswan documentation recommends reduce the MSS for packets transmitded through tunnel. Strongswan documentation
To reduce the mss, add a rule to iptables:

Clients configuration

In most clients it is trivial.
Windows

Android

iPhone – iOS

macOS
Very simple configuration, analogous to iOS/iPhone

Linux
Unfortunately, manual configuration is slightly complicated. But then it works very well.
In newer releases of Linux distribution there is a gui plugin for network manager which provide easy configuration of vpn connection. But I haven’t tried it.

Strongswan configuration: /etc/ipsec.conf

password for user1 i stored in /etc/ipsec.secret:

We have to had intermediate and CA root certyficate in /etc/ipsec.d/cacerts:
intermediate:

root CA certificate is available to copy fromย ย DST Root CA X3
I had to copy it to a file in such way (with adding “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“:

In the default configuration, strongswan does not set the dns addresses provided by the server. This behavior can be changed by editing /etc/strongswan.d/charon/resolv.conf. I uncommented line with “file = /etc/resolv.conf”

Restart Strongswan:

And connection should be start:

We can check connection status:

And disconnect connection: