Proxy-ify everything through SOCKS on your mobile data plan
Sunday October 23, 2011
First, if you’re planning to rinse the airwaves with megabits of downloads, get yourself an unlimited data plan, or add one on to your existing contract/bill.
Note that this is not proper tethering, you won’t be charged for it. The end result looks a lot like tethering, but it’s not identical.
In the UK, apparently Giffgaff is the top offering for cheap data. £10 and you’re in.
In a nutshell:
each of the following stages adds some extra functionality to the setup, you can stop after any stage if you’re satisfied
- Download a socks proxy for your device
- Pump all your network traffic down the SOCKS proxy
- Set up a fowarding DNS server on your mobile device (in case you cannot tunnel UDP through SOCKS, since you’ll need UDP for DNS queries)
0. Jailbreaking
iPhone users
You will need to jailbreak, unless you want to get involved with the developer SDK and build a non-store app.
After jailbreaking, grab Cydia or a similar package management tool and start going nuts. This will add anything from 5 minutes to 5 hours of extra time, depending on your experience. You will need to install either “SSH” or “Terminal”, preferably both.
Android users
You may not need to root your device, there are many socks proxy implementations out there. I don’t know about rooting because I don’t own an android-based phone (yet…) – Grab and go however suits your style.
1. Install a SOCKS proxy on your phone
CRUCIAL – Configure your phone to have a static IP and no default gateway on the WiFi interface. This typically prevents the phone trying to route internet traffic down the WiFi interface – it will always use a data connection instead.
- Search for a package called socks/srelay and install it
Now either open “Terminal” or an SSH session on your phone, and type socks
(a note for the security-aware, you should look into locking this down, or at least making sure it doesn’t openly listen on your interfaces)
You should now be able to rig a browser like Firefox to use the SOCKS proxy on your phone (192.168.1.2:1080 for example). Note that doing DNS remotely will be necessary.
Stop here if the boredom has already hit, and you’re good to go (sorta), but things like Flash Player and other apps outside of your constrol won’t work – Internet Explorer for example, is utterly useless and won’t support resolving domains at the proxy. What a pile of chuff.
- Go to the “about:config” page in Firefox to configure remote DNS… see the links above for more info on setting “network.proxy.socks_remote_dns”
2. Use OpenVPN and tun2socks / widecap to tunnel all traffic over the proxy
(will wrap Adobe Flash Player and other non-browser traffic)
Note that tun2socks only supports TCP. There is a UDP forwarder extension, but you only really need UDP for DNS. The alternative to using the UDP is to set up your own DNS on your Mobile device (see part 3)
tun2socks+OpenVPN route
- Download and install an appropriate package, and install OpenVPN.
- Have a read of the guide for tun2socks setup.
In this setup, typically the phone will be your proxy directly, but you do have the option of setting up an SSH tunnel to another external server, and running the UDP forwader. If you want to do that, then follow all the routing instrunctions on the tun2socks guide.
If you want to avoid tweaking the routing, then you’ll be wanting to run with the proxy on your phone, on the same subnet, and you’ll need to set up some kind of DNS thoroughfare on your mobile device too.
In my local setup, the following is good enough to set up the tunnel on ‘doze. This also circumvents the need to faff about with routes, as all interfaces involved are on the same subnet:
badvpn-tun2socks.exe --netif-ipaddr 192.168.1.252 --netif-netmask 255.255.255.0 --tundev tap0901:TUN1:192.168.1.253:192.168.1.0:255.255.255.0 --socks-server-addr 192.168.1.2:1080
This same-subnet setup only works if you complete the final phase and have local DNS available too, read on to section 3…
Widecap/Alternatives
- See the other guide if you don’t want to use tun2socks+OpenVPN.
- Google will also throw up some alternatives to these programs if you coax it with the right amount of sweet-talk.
3. Finishing touches – add DNS to your Device
This section also geared for iPhone users.
- Download “bind” from Cydia.
- SSH in and get ready to copypasta the forwarding configuration example from zytrax.org (paste it into /usr/etc/named.conf)
- Set up the example zonefiles mentioned in the fowarding config
- Use “named -c /usr/etc/named.conf -u daemon -g” to start and/or debug (-g) named, DON’T start named as root. The BIND project is one of those things security experts use to tittialate each other and wax lyrical at defcon/schmoocon. Some of them even make friends by using the relevant CVEs as icebreakers.
- Don’t forget to chmod ALL locations appropriately (named will tell you if it can’t access something it needs to)
- Configure your interfaces to use your mobile device as a DNS server
Finished!
You should be good to go. The tun2socks output will look something like this if you’re using it
INFO(tun2socks): 00004 (109.74.246.7:22 192.168.1.253:1765): accepted INFO(tun2socks): 00004 (109.74.246.7:22 192.168.1.253:1765): SOCKS up INFO(tun2socks): 00004 (109.74.246.7:22 192.168.1.253:1765): SOCKS closed ...
Now all your TCP traffic is being pumped through the SOCKS relay, and it’s a fairly seemless setup if you spice it up a little further with some DHCP and or NAT’ing to share your internet connection (not covered here, but if even half of the ramblings above made any sense, you’ll know what’s left to do…)
On a final note, you might need some tricks to dodge overzealous content filters on some data networks…
A little history
The backstory to all this is that Openreach came round the other week and cut off the phone line for nonpayment. Thanks BT, for sending us no sodding letters to that effect. Ironic for a company that specializes in communication. Apparently they still have the cheek to disconnect your line even if you have a pending transfer order in with another provider. What a sack of smacktards.