Posts Tagged ‘vpn’
Raw, Encrypted Tunnel with OpenSSL and NetCat
I use netcat on my local network to transfer files very quickly, without the overhead of a more complex protocol.
For those who don't, here's how:
On my home server, I transfer "myfile" on port 1024 to the computer named "MacBook":
root@homeserver:~# nc MacBook 1024 < myfile
and on my Mac, I receive "myfile", listening on port 1024:
MacBook:~ ejes$ nc -l 1024 >myfile
This works, and is fairly quick. If you need some validation that the file received is the original file, you can use md5 on Mac and most BSDs:
MacBook:~ ejes$ md5 myfile
MD5 (myfile) = 47f7f451e2e6d462a35a3d88b594e283
and md5sum on Linux:
root@homeserver:~# md5sum myfile
47f7f451e2e6d462a35a3d88b594e283  myfile
Sometimes, however, I need to send a file quickly, ad hoc, across the big ol' scary internet. This means that I'm sending "private" information across a "public" network. I hate doing that, because anything on the internet is subject to snooping.
What can we do? Encrypt our transfer. Thankfully, OpenSSL has the ability to help us do that.
So, to repeat the same transfer as above, but encrypted: we set up our listener first. I'm listening on my Mac, but the same command line would work in most BSD flavors:
MacBook:~ ejes$ nc -l 1024 | openssl enc -d -aes-256-cbc -out myfile
enter aes-256-cbc decryption password:
and on the sending machine you need to use:
root@homeserver:~# openssl enc -e -aes-256-cbc -in built | nc MacBook 1024
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Of course OpenSSL supports plenty of other encryption methods besides aes-256, so feel free to explore; list-cipher-commands should help:
root@homeserver:~# openssl list-cipher-commands
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb
base64
bf bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb
cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40
seed seed-cbc seed-cfb seed-ecb seed-ofb
zlib
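As an added example (not code from the original post), here is the same encrypt, send, decrypt round trip run on one host, with the netcat hop replaced by a local pipe so it runs offline. It makes two changes to the commands above that a defender would want: `-pbkdf2` for turning the password into a key, and a SHA-256 comparison of the received file, which is the same job the md5 step does for the plaintext transfer. That comparison matters because `openssl enc` with aes-256-cbc encrypts but does not authenticate: a ciphertext altered in transit still decrypts with exit status 0, and only the digest check reveals it. The password, the file names and the sample file are constructed for the demo; it assumes openssl 1.1.1 or later and sha256sum or shasum on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the post's
# "openssl enc | nc" transfer on a single host, with -pbkdf2 key
# derivation and an end-to-end SHA-256 check, because aes-256-cbc under
# `openssl enc` has no integrity protection of its own.
# Assumes openssl 1.1.1+ and sha256sum or shasum on PATH.

# Hex SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Encrypt $1 into $2 with password $3. The post's plain
# `openssl enc -e -aes-256-cbc` uses the legacy one-pass key derivation;
# -pbkdf2 makes guessing a weak password far slower for an eavesdropper.
encrypt_file() {
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"
}

# Change the byte at offset $2 of file $1 (constructed stand-in for damage
# or tampering on the wire). The new value is always in 1..255, so the byte
# is guaranteed to differ and never becomes a NUL that printf might drop.
flip_byte() {
    orig=$(dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    new=$(( orig == 255 ? 1 : orig + 1 ))
    printf "$(printf '\\%03o' "$new")" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Encrypt a constructed sample file, pipe it to a decrypting "receiver"
# (the post's nc hop replaced by a local pipe) and compare digests.
# With tamper=1 one ciphertext byte is altered in transit.
# Prints "ok decrypt_exit=N" or "mismatch decrypt_exit=N".
roundtrip() {
    tamper=$1
    pw="correct horse battery staple"   # demo only; prefer -pass file: in practice
    dir=$(mktemp -d)
    i=0
    while [ "$i" -lt 200 ]; do
        echo "line $i of a constructed sample file"
        i=$((i + 1))
    done > "$dir/myfile"
    encrypt_file "$dir/myfile" "$dir/myfile.enc" "$pw"
    if [ "$tamper" = 1 ]; then
        # offset 100 lies past the 16-byte "Salted__" header, in a middle block,
        # so CBC padding at the end stays valid and decryption still "succeeds"
        flip_byte "$dir/myfile.enc" 100
    fi
    # receiver side, same shape as the post's `nc -l ... | openssl enc -d`
    if cat "$dir/myfile.enc" | openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$pw" -out "$dir/received" 2>/dev/null; then
        decrypt_exit=0
    else
        decrypt_exit=$?
    fi
    if [ "$(digest "$dir/myfile")" = "$(digest "$dir/received")" ]; then
        result="ok"
    else
        result="mismatch"
    fi
    rm -rf "$dir"
    echo "$result decrypt_exit=$decrypt_exit"
}
```

`roundtrip 0` prints `ok decrypt_exit=0`; `roundtrip 1` prints `mismatch decrypt_exit=0`, which is the point: the corrupted transfer looks like a success to openssl and is only caught by comparing a digest that was sent over a separate channel (a phone call, a chat message). Of the ciphers in the list above, the `*-ecb` modes, `rc4` and single `des` are not sound choices today; staying with `aes-*-cbc` as the post does, plus this digest check, is the minimum a practitioner would want.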
Tutorial: Bittorrents in FreeNAS
As you might notice, I have been playing around with FreeNAS a lot lately.
Among the many features that I enjoy in the FreeNAS project, one of my very favorite ones is the Bittorrent Server that it has built in.
Really it's just a version of the Transmission bittorrent client, which I remember from Mac OS (http://www.transmissionbt.com/), but running in WebGUI mode (by default on your FreeNAS server on port 9091, i.e. http://freenas:9091 or similar).
The features I specifically want are the blocklist feature, which allows you to download a list of blocked IPs from known malware locations or otherwise malicious sites, and the ability to encrypt my traffic so that my ISP cannot detect my bittorrent traffic.
So let’s get started:
Step 1: Let's open our firewall to let incoming bittorrent connections through. This will help the speed of my bittorrent client dramatically. To keep my ISP from throttling my connections, I'll be trying to get bittorrent to look like a VPN. This is accomplished by allowing only encrypted peers and setting the bittorrent traffic to the well-known VPN TCP port 1723. On the firewall I only need to forward the VPN traffic port TCP/1723 on all WAN connections to my FreeNAS server on the same port.
Step 2: Under the System | Advanced | rc.conf tab in the FreeNAS webGUI, add two variables: transmission_blocklist=YES and transmission_noblocklist=NO.
Step 3: Under Services | Bittorrent, set the incoming port to 1723 (the VPN port I set earlier on my firewall), disable UPnP, and enable Encryption. Then Save and Restart the service.
Step 4: Download the blocklistdl script from my script repo (http://ejesconsulting.wordpress.com/blocklistdl/). It's actually the same as the script from http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=60&t=519&start=40. Place the script in a convenient directory. I put mine in my transmission home directory in a subdirectory called "bin". I changed the attributes to executable, and owned by "transmission:staff", the user and group that bittorrent runs as.
Step 5: Add a cron job in the System | Advanced | Cron tab of the FreeNAS Web GUI to run the script at a predetermined time. I set mine to run every Sunday night at midnight.
Step 6: While in the cron tab, I added a few timed download limits so that while I'm asleep or not home the bittorrent client can take 100% of the network bandwidth, but while I'm expected to be at home it reduces its available downloads to a fraction of my maximum bandwidth.
The command is "/usr/local/bin/transmission-remote --no-uplimit --no-downlimit --auth admin:xxxxxxxx" to remove the limits, and "/usr/local/bin/transmission-remote --uplimit 20 --downlimit 20 --auth admin:xxxxxxxx" to limit upload and download to 20 Kbps each while I'm home; please modify these parameters as you see fit.
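An added example, not the blocklistdl script the post links to: a sanity check to run from the same Sunday cron job before a freshly downloaded list is handed to Transmission, so that an empty, truncated or tampered download never silently replaces the working list. It assumes a POSIX sh with awk, treats the list as the P2P text format ("description:first_ip-last_ip" per line), and uses a placeholder BLOCKLIST_DIR; the sample lines are constructed. The reload step calls transmission-remote's --blocklist-update with the same --auth form the post uses.

```shell
#!/bin/sh
# Added example, not the post's blocklistdl script. Validate a downloaded
# P2P-format blocklist before Transmission loads it, and refuse lists that
# are empty or implausibly short. Assumes POSIX sh and awk.
# BLOCKLIST_DIR is a placeholder; set it to the daemon's blocklist directory.
BLOCKLIST_DIR=${BLOCKLIST_DIR:-/path/to/transmission/blocklists}

# Read a list on stdin; print only lines whose range (the part after the
# last colon) is two valid IPv4 addresses with first <= last.
# Comment lines and anything malformed are dropped.
valid_ranges() {
    awk -F: '
    function ip_ok(ip,   o, n, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    function ip_num(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    NF >= 2 {
        n = split($NF, r, "-")
        if (n != 2) next
        if (!ip_ok(r[1]) || !ip_ok(r[2])) next
        if (ip_num(r[1]) > ip_num(r[2])) next
        print
    }'
}

# Count usable entries in file $1; print "ok N" when at least $2 (default 1)
# survive the filter, otherwise "reject N".
check_blocklist() {
    n=$(valid_ranges < "$1" | wc -l | tr -d ' ')
    if [ "$n" -ge "${2:-1}" ]; then
        echo "ok $n"
    else
        echo "reject $n"
    fi
}

# Install the filtered list and ask the daemon to reload it. Not run in the
# demo: it needs the real FreeNAS host, transmission-remote and the
# "user:password" credentials passed as $2, as in the post's cron lines.
install_blocklist() {
    valid_ranges < "$1" > "$BLOCKLIST_DIR/level1.txt"
    /usr/local/bin/transmission-remote --blocklist-update --auth "$2"
}

# Constructed sample download: three good ranges plus typical junk.
SAMPLE='Bogon:0.0.0.0-0.255.255.255
Documentation range:203.0.113.0-203.0.113.255
# a comment line
not a range at all
Bad octet:1.2.3.300-1.2.3.4
Reversed:10.0.0.9-10.0.0.1
Test-Net:198.51.100.0-198.51.100.255'

# Run the check on the sample with minimum count $1; prints the verdict.
demo_check() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE" > "$f"
    check_blocklist "$f" "$1"
    rm -f "$f"
}
```

In the cron job the flow is: download to a temporary file, `check_blocklist tmp 1000` (pick a threshold well below the size of the list you normally get), and only on "ok" call `install_blocklist`. On the constructed sample, `demo_check 1` prints `ok 3` and `demo_check 5` prints `reject 3`, since the comment, the free-text line, the out-of-range octet and the reversed range are all discarded.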
As always, if you find this useful or need more info I’d be happy to help.