Add Me!Close Menu Navigation

My technical corner about Linux, Perl, programming, computer networks and network security

Add Me!Open Categories Menu

How to completely hide your network traffic

In this article I explained what may see your Internet Service Provider. Now, I will write some information about how to protect your network traffic.  My solution is based on a bash script on a client and a server. The script works on the client computer, connects to the server and creates tunnel for HTTP/HTTPS and DNS protocols.

Your network traffic will be hidden by your server, because your computer establishes the secure connection to the server throught the SSH protocol. This protocol in the new version can’t be read by any network sniffers. My scripts hide your data in HTTP/HTTPS and DNS protocols.

The distant server, which hides your traffic has it’s own ISP as well. My servers are located in other countries. ISP which provides an internet connection into your server, can seen your internet traffic in this example. The main goal of this project is hiding your traffic from your ISP. It works similar to the TOR project, but TOR project has 3 random unknown servers which hide your traffic. But my solution is really fast in comparision with the TOR project. If you have the server with a good internet connection, your everyday use of the Internet completely won’t suffer.

 

You need the following things:

  • A linux based server which will be masking your network traffic. The server should has internet connection from different ISP.
  • A linux based client computer – it’s possible to make this on Windows (PuTTY), but my script works on linux based systems
  • the OpenSSH on the the server
  • Privoxy on the server to support HTTP/HTTPS connections (it’s the proxy server for your web browsers) – you may use another proxy server, but I’m describing this.
  • Public key based authentication – on the server to establish the ssh tunnel, for security reasons you need to create a new user on your server computer
  • socat program on the client and the server to forward DNS queries
  • Elinks program to check the tunnel (console web browser)

 

The script contains:

1) Scripts which are work on the client:

  • check_tunnel.sh – to check if the tunnel works correctly
  • resume_tunnel.sh – it isn’t required, but on some Internet connections the tunnel may be suspended, so this script to prevent from it.
  • restart_tunnel.sh – is provided to restarts the tunnel and the socat service
  • check_socat_client.sh – to check and start/restart the socat service on the client computer
  • tunnel_dns_ssh.sh – to establish the ssh tunnel for the DNS service
  • tunnel_http_ssh.sh – to establish the ssh tunel for the HTTP/HTTPS service

The check_tunnel.ssh must be added to the crontab – it uses the other scripts. The check_socat_client.sh must be added to the crontab on the root account if an user account doesn’t have CAP_NET_BIND_SERVICE permission

 

2) Script which works on the server:

  • check_socat_server.sh – to check and start/restart the socat service on the server computer. It must be added to the crontab on the root account on the server if a user account doesn’t have CAP_NET_BIND_SERVICE permission

 

 

How it works:

  1. check_tunnel.sh should be started by the crontab.
  2. tunnel_dns_ssh.sh checks if tunnel for DNS (simple check) exists, if not, then it creates new connection.
  3. tunnel_dns_ssh.sh checks if tunnel for HTTP/HTTPS exists, if not then it creates new connection.
  4. check_socat.sh try to run the socat service if it doesn’t work. If the socat service is running, then it checks for requests to restart it. 
  5. restart_tunnel.sh kills all scripts and try to run the check_tunnel.sh afterwards
  6. resume_tunnel.sh is provided to testing the tunnel, if tests fail then it use the restart_tunnel.sh script

 

The server configuration:

1) Privoxy configuration is simple. Edit the main config file (mostly /etc/privoxy/config) and specify the option:

listen-address $HOST_SERVER:$PORT_PRIVOXY

When the $HOST_SERVER and $PORT_PRIVOXY are the same as in the tunnel_http_ssh.sh script

2) Socat configuration is little different from socat on the client, but the default configuration of the check_socat_server.sh script is fine. You don’t need to any modification and you may add this script to the crontab.

 

Security information

1) Port on which privoxy listens on the server, must be closed to any hosts except “127.0.0.1”, because the ssh tunnel on server has address “127.0.0.1”. If you don’t block this, anyone who knows a port in which privoxy is listening, may use your server as proxy!

To block this port I use iptables:

# iptables -t filter -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport $PORT_PRIVOXY -j ACCEPT
# iptables -t filter -A INPUT -i lo -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport $PORT_PRIVOXY -j DROP

When the $PORT_PRIVOXY is the same as $PORT_PRIVOXY specified in the tunnel_http_ssh.sh script.

 

Download the scripts package

DOWNLOAD: scripts to hide traffic

Leave a Reply

You must be logged in to post a comment.