ejes consulting

Technical Consulting Design and Automation

Posts Tagged ‘vpn’

Raw, Encrypted Tunnel with OpenSSL and NetCat


I use netcat on my local network to transfer files very quickly without the overhead of a more complex protocol.

For those who don’t, here’s how:

On my home server, I send “myfile” to port 1024 on the computer named “MacBook”:

root@homeserver:~# nc MacBook 1024 < myfile

On my Mac, I receive “myfile” by listening on port 1024:

MacBook:~ ejes$ nc -l 1024 >myfile

This works, and it is fairly quick. If you need some validation that the file received is the original file, you can use md5 on Mac and on most BSDs:

MacBook:~ ejes$ md5 myfile
 MD5 (myfile) = 47f7f451e2e6d462a35a3d88b594e283

and md5sum on Linux.

root@homeserver:~# md5sum myfile
 47f7f451e2e6d462a35a3d88b594e283  myfile

Sometimes, however, I need to send a file quickly and ad hoc across the big ol’ scary internet. That means I’m sending “private” information across a “public” network. I hate doing that, because anything on the internet is subject to snooping.

What can we do?  Encrypt our transfer.  Thankfully, OpenSSL has the ability to help us do that.

So, let’s repeat the same transfer as above, but encrypted. We set up our listener first. I’m listening on my Mac, but the same command line works in most BSD flavors:

MacBook:~ ejes$ nc -l 1024 | openssl enc -d -aes-256-cbc -out myfile
 enter aes-256-cbc decryption password:

and on the sending machine you need to use:

root@homeserver:~# openssl enc -e -aes-256-cbc -in myfile | nc MacBook 1024
 enter aes-256-cbc encryption password:
 Verifying - enter aes-256-cbc encryption password:

Of course OpenSSL supports plenty of other ciphers besides aes-256, so feel free to explore; list-cipher-commands should help.

root@homeserver:~# openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
camellia-128-cbc
camellia-128-ecb
camellia-192-cbc
camellia-192-ecb
camellia-256-cbc
camellia-256-ecb
cast
cast-cbc
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
seed
seed-cbc
seed-cfb
seed-ecb
seed-ofb
zlib
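The transfer above wrapped in shell functions, as an added example that is not from the original post. It keeps the same openssl enc and netcat pipeline but adds -pbkdf2 (proper passphrase stretching, OpenSSL 1.1.1 or later) and a SHA-256 comparison of source and received file, since an md5 of the result catches corruption but a CBC ciphertext by itself gives no tamper detection; the TUNNEL_PASS variable, the function names and the self-test data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Same pipeline as the post
# (openssl enc on each end, netcat in between) with two changes a defender
# would want: -pbkdf2 so the passphrase is stretched instead of the legacy
# one-round key derivation, and a digest check after decryption.
# The passphrase is read from the environment variable TUNNEL_PASS (assumed
# name) so neither side needs an interactive prompt.
set -eu

# encrypt_file FILE: ciphertext on stdout. On the sender this is piped into
# netcat exactly as in the post:  encrypt_file myfile | nc MacBook 1024
encrypt_file() {
    openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass env:TUNNEL_PASS -in "$1"
}

# decrypt_stream OUTFILE: ciphertext from stdin. On the receiver:
#   nc -l 1024 | decrypt_stream myfile
decrypt_stream() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:TUNNEL_PASS -out "$1"
}

# digest FILE: hex SHA-256 via sha256sum (Linux) or shasum (macOS/BSD)
digest() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# verify_transfer SRC DST: succeeds only when both files hash the same
verify_transfer() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# roundtrip SRC DST: encrypt and decrypt through a local pipe (stand-in for
# the netcat hop), then verify. Returns 0 on a clean round trip.
roundtrip() {
    encrypt_file "$1" | decrypt_stream "$2" && verify_transfer "$1" "$2"
}

# selftest: constructed input (64 KiB of random bytes) through roundtrip
selftest() {
    tmp=$(mktemp -d)
    head -c 65536 /dev/urandom > "$tmp/src.bin"
    export TUNNEL_PASS='constructed-example-passphrase'
    rc=0
    roundtrip "$tmp/src.bin" "$tmp/dst.bin" || rc=1
    rm -rf "$tmp"
    return $rc
}
```

Both ends must use the same -pbkdf2 and -iter settings, or decryption fails with a bad-decrypt error even with the right passphrase.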

Written by ejes

May 1, 2013 at 9:12 pm

Tutorial: Bittorrents in FreeNAS


As you might notice, I have been playing around with FreeNAS a lot lately.

Among the many features that I enjoy in the FreeNAS project, one of my very favorite ones is the Bittorrent Server that it has built in.

Really it’s just a version of the Transmission bittorrent client, which I remember from Mac OS (http://www.transmissionbt.com/), but running in WebGUI mode (by default on your FreeNAS server on port 9091, e.g. http://freenas:9091 or similar).

The features I specifically want are the blocklist feature, which lets you download a list of IPs blocked as known malware locations or otherwise malicious sites, and the ability to encrypt my traffic so that my ISP cannot detect my bittorrent traffic.

So let’s get started:

Step 1: Let’s open our firewall to let incoming bittorrent connections through. This will help the speed of my bittorrent client dramatically. To keep my ISP from throttling my connections, I’ll be trying to make bittorrent look like a VPN. This is accomplished by allowing only encrypted peers and setting the bittorrent traffic to the well-known VPN TCP port 1723. On the firewall I only need to forward the VPN traffic port TCP/1723 on all WAN connections to my FreeNAS server on the same port.

Step 2: Under System| Advanced | rc.conf tab in the FreeNAS webGUI;  add two variables: transmission_blocklist=YES, and transmission_noblocklist=NO.

Step 3: Under Services | Bittorrent, set the incoming port to 1723 (the VPN port I set earlier on my firewall), disable UPnP, and enable Encryption. Then Save and Restart the service.

Step 4: Download the blocklistdl script from my script repo (https://ejesconsulting.wordpress.com/blocklistdl/). It’s actually the same as the script from (http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=60&t=519&start=40). Place the script in a convenient directory. I put mine in my transmission home directory in a subdirectory called “bin”. I changed the attributes to executable, and owned by “transmission:staff”, the user and group that bittorrent runs as.

Step 5: Add a cron job under the System | Advanced | Cron tab of the FreeNAS Web GUI to run the script at a predetermined time. I set mine to run every Sunday night at midnight.

Step 6: While in the cron tab, I added a few timed download limits so that while I’m asleep or not home the bittorrent client can take 100% of the network bandwidth, but while I’m expected to be at home it reduces its available downloads to a fraction of my maximum bandwidth.

The command is “/usr/local/bin/transmission-remote --no-uplimit --no-downlimit --auth admin:xxxxxxxx” to remove the limits, and “/usr/local/bin/transmission-remote --uplimit 20 --downlimit 20 --auth admin:xxxxxxxx” to limit upload and download to 20Kbps each while I’m home. Please modify these parameters as you see fit.

As always, if you find this useful or need more info I’d be happy to help.

Written by ejes

July 20, 2009 at 10:00 am