VPN Replacement: What Is It? Are They Worth It


Recently, VPN (Virtual Private Network) technology has become quite widespread. In most cases, people use it to encrypt information transmitted over a local network (protection against traffic sniffing, which is quite easy to do on a network, even on switches) and/or the subsequent transmission of information over the Internet (here the goals are to hide your IP address and to protect against global sniffing of an entire country's traffic).

Many people have been using VPN technology for a long time, but not many know about its cheaper and more mobile alternative. It's called SSH tunneling.

The principle of this implementation is as follows. All network software on the computer (or almost all) is redirected to a designated port on your localhost, where a service is listening that is connected via SSH to the server (and, as we know, a connection over the SSH protocol is encrypted) and tunnels all requests. Then all your traffic (no longer encrypted) is forwarded from the server to a proxy (one that supports tunneling) or a SOCKS server, which transmits the traffic to the necessary addresses. The presence of a proxy or SOCKS server is mandatory, but if we do not need complete secrecy, we can run this service on our own server, where we have the SSH account; more on that later.

Now let's deal with the minimum set of tools and services necessary to organize this process. First of all, we need a program for organizing a tunnel using the SSH protocol. For this task, we can use VanDyke Entunnel or PuTTY. Further, we can manually configure each program to work through a proxy, or use a specialized program for redirecting requests, such as ProxyCap, SocksCap, FreeCap, etc. In my example, ProxyCap will be used as the most convenient program. (By the way, it is through this program that tunneling can be done even for WebMoney, which is known for its protection against this type of IP-hiding software.) We will also need an SSH account (on a server preferably located outside your country), which can be obtained without any problems.

The first step is to create an SSH account. Next, it is best to use a SOCKS server rather than a proxy, because not all proxies support tunneling. It may also turn out that today the proxy is anonymous, and tomorrow it is not (unless, of course, you are responsible for it yourself). As mentioned above, you can use SOCKS on a remote machine (for greater security) or on your own (where the SSH account is). As an example, consider how to install a SOCKS daemon. The most popular and advanced daemons for *nix are socks5 from Permeo/NEC, Dante and the domestic product 3proxy. For this example, let's choose the classic FreeBSD daemon, socks5.

FreeBSD 5th branch was used for testing. You need to install socks5 from ports (/usr/ports/net/socks5/), but it also builds and installs fine from source on FreeBSD:

cd /usr/ports/net/socks5
make
make install
rehash

For normal operation of the daemon, the configuration for the socks5.conf daemon and the socks5.passwd password file are required (if authentication to the socks server by password is required):

touch /usr/local/etc/socks5.conf
touch /usr/local/etc/socks5.passwd

Next, add the following lines to the configuration:

auth - -
permit u - - - - -
SET SOCKS5_BINDINTFC 1.2.3.4:8080
SET SOCKS5_CONFFILE /usr/local/etc/socks5.conf
SET SOCKS5_MAXCHILD 128
SET SOCKS5_NOIDENT
SET SOCKS5_NOREVERSEMAP
SET SOCKS5_NOSERVICENAME
SET SOCKS5_V4SUPPORT
SET SOCKS5_ENCRYPT
SET SOCKS5_FORCE_ENCRYPT
SET SOCKS5_UDPPORTRANGE 1023-5000

The first two lines indicate that login and password authentication is required.

SOCKS5_BINDINTFC specifies which IP (if the server has multiple aliases) and port the daemon binds to.

SOCKS5_MAXCHILD is 64 by default; I advise you to increase it to 128 so that all users (if there are many) have enough threads. Next are the lines that speed up the work of the daemon.

SOCKS5_V4SUPPORT - support for the 4th version of the protocol.

SOCKS5_ENCRYPT and SOCKS5_FORCE_ENCRYPT - encryption support, if the client supports it. See the README and INSTALL files for more detailed installation information, and the SOCKS5(1) and SOCKS5.CONF(5) man pages for configuration information.

Next, fill in the password file. It is in plain text format, with the login and password separated by spaces:

user password
root toor
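Before starting the daemon, the two files above can be checked for the settings that leave it exposed. The following is an added example, not part of the original article or the socks5 distribution: it assumes the first field of a `permit` line is the auth method with `u` meaning username/password (as the article describes), and the function names and sample data are constructed for illustration.

```python
import ipaddress
import stat

# Constructed samples mirroring the files shown on this page.
SAMPLE_CONF = """auth - -
permit u - - - - -
SET SOCKS5_BINDINTFC 1.2.3.4:8080
SET SOCKS5_MAXCHILD 128
"""
SAMPLE_PASSWD = "user password\nroot toor\n"

def audit_conf(text):
    """Flag permit rules without password auth and non-loopback listeners."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 2 and fields[0].lower() == "permit" and fields[1] != "u":
            # Assumption: field 1 of a permit line is the auth method, u = user/password.
            findings.append("permit without username/password: " + raw.strip())
        if len(fields) >= 3 and fields[1] == "SOCKS5_BINDINTFC":
            host = fields[2].rsplit(":", 1)[0]
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = False  # hostnames are treated as externally reachable
            if not loopback:
                findings.append(f"listener on {host} is reachable without the SSH tunnel")
    return findings

def audit_passwd(text, mode):
    """Flag loose file permissions and guessable entries in socks5.passwd."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("password file is accessible to group/other users")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        user, password = parts[0].lower(), parts[1].lower()
        if len(password) < 8 or password in (user, user[::-1], "password"):
            findings.append(f"weak password for {parts[0]}")
    return findings

if __name__ == "__main__":
    # 0o100644 is what `touch` yields under the common umask 022.
    for finding in audit_conf(SAMPLE_CONF) + audit_passwd(SAMPLE_PASSWD, 0o100644):
        print("FINDING:", finding)
```

When the daemon runs on the same host as the SSH account, the tunnel can reach it on 127.0.0.1, so a loopback bind keeps it from being reachable directly from the Internet. On a real system, pass `os.stat(path).st_mode` as `mode`.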

Now you can start the daemon and start configuring the client software:

/usr/local/bin/socks5

Launch ProxyCap, right-click the tray icon and choose Preference. On the “Proxies” tab, enter 127.0.0.1:8080 and set our SOCKS login/password under “Require Authorization”. On the Rules tab, first add a rule for Entunnel, setting Rule Type to Force direct connection.

Next, we create a rule for the rest of the software, whose traffic will be encrypted and tunneled through SOCKS. In the rule, we specify All Programs, Tunnel through proxy, and select our SOCKS server in the drop-down menu. You can also create a rule that sends only selected software through the tunnel instead of all of it, or, vice versa, create a rule for all software but give some programs direct Internet access (Force direct connection).

We start Entunnel and create a new SSH connection in it. Next, in the connection properties (Port Forwarding), we add our SOCKS server. In the “Local” category, enter 127.0.0.1:8080, and in the “Remote” category, enter the IP and port of our SOCKS server.

Setup completed! If something does not work, then re-read all the settings again.
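What a SOCKS5 client such as ProxyCap sends to 127.0.0.1:8080 once this setup is in place, as an added example that is not part of the original article: the RFC 1928 and RFC 1929 messages built and decoded in Python. The credentials and destinations are constructed samples, and the function names are illustrative.

```python
import ipaddress
import struct

def client_greeting(methods=(0x02,)):
    """RFC 1928 greeting: VER=5, NMETHODS, METHODS (0x02 = username/password)."""
    return bytes([5, len(methods), *methods])

def check_method_reply(reply):
    """Accept only a server that selects username/password (method 0x02)."""
    if len(reply) != 2 or reply[0] != 5:
        raise ValueError("not a SOCKS5 method-selection reply")
    if reply[1] != 0x02:
        # 0x00 means the proxy accepts anyone; 0xFF means no offered method was accepted.
        raise PermissionError(f"server selected method 0x{reply[1]:02x}")
    return True

def userpass_request(user, password):
    """RFC 1929: VER=1, ULEN, UNAME, PLEN, PASSWD. Nothing here is encrypted."""
    u, p = user.encode(), password.encode()
    if not (0 < len(u) < 256 and 0 < len(p) < 256):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p

def parse_userpass(data):
    """Decode an RFC 1929 request, as the daemon or any host on the path can."""
    ulen = data[1]
    plen = data[2 + ulen]
    user = data[2:2 + ulen]
    password = data[3 + ulen:3 + ulen + plen]
    return user.decode(), password.decode()

def connect_request(host, port):
    """RFC 1928 CONNECT: VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([1 if ip.version == 4 else 4]) + ip.packed
    except ValueError:
        name = host.encode("ascii")
        addr = bytes([3, len(name)]) + name  # ATYP 3: the proxy resolves the name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

if __name__ == "__main__":
    # Constructed credentials and destination, for illustration only.
    wire = userpass_request("user", "password")
    print(wire.hex(" "), "->", parse_userpass(wire))
    print(connect_request("example.com", 443).hex(" "))
```

RFC 1929 carries the login and password as plain bytes, so only the SSH leg protects them; when the SOCKS daemon is on a different host than the SSH server, the hop between the two is the "no longer encrypted" part described earlier.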

Conclusion

What are the advantages of this system:

To organize this scheme, you do not need to install server software (since an SSH account and SOCKS server can be easily obtained on the Internet);

Since the traffic is encrypted and compressed during an SSH connection, we get a small increase in the speed of the Internet (this is true when the SOCKS daemon is on the same server);

When the SOCKS server is located on a different host, we get an additional chain of servers that increases our security and anonymity.





