Import personal website to git

[personal/website.git] / source / blog / posts / 2012 / 11 / 25-securitykiss---dante----bye-bye-censorship.rst

Title: SecurityKiss + Dante == bye bye censorship
Tags: en, securitykiss, dante, danted, dante-server, foxyproxy, gema, censorship, socks, proxy, germany

I live in Germany, and unfortunately there is something in Germany called
GEMA_, which basically censor any content that "might have copyrighted
music".

Among the sites being censored are Grooveshark_ (completely banned) and
YouTube_ (only banned if the video **might** have copyrighted music according
to some algorithm made by Google_). Basically this is because GEMA_ want these
company to pay royalties for each time some copyrighted song get streamed).
AFAIK Grooveshark_ don't want to pay at all, and Google want to pay a fixed fee
(which is what it does in every other country), because it makes no sense to do
otherwise, since anyone can just endlessly get a song streamed over and over
again just to be paid.

Even when the model is debatable, there is a key aspect and why I call this
censorship: **not all the banned content is copyrighted or protected by GEMA**.

* In Grooveshark_ there are plenty of bands that release their music using more
  friendly license, like CC__.
* There are **official videos** posted in YouTube_ by the bands themselves and
  embedded in the band **official website** that is banned by GEMA_.
* There are videos in YouTube_ that doesn't have copyrighted music at all, but
  they have to cover their asses and ban everything suspicious just in case.
* The personal videos that do have copyrighted music get banned completely, not
  only muted.

__ https://creativecommons.org/

These are just the examples that pop on my mind now.

There are plenty of ways to bypass this censorship and they are the only way to
access legal content in Germany that gets unfairly banned, not only harming the
consumers, but also the artists, because most of the time having their music
exposed in YouTube_ only spreads the word and do more good than harm.

HideMyAss__ is a popular choice for a web proxy. But I like SecurityKiss_,
a free VPN (up to 300MB per day), because it gives a more comprehensive
solution.

__ https://hidemyass.com/proxy/

But here comes the **technical chalenge**! :) I don't want to route all my
traffic through the VPN, or to have to turn the VPN on and off again each time
I want to see the censored content. What I want is to see some websites through
the VPN. A challenge that proved to be harder than I initially thought and why
I'm posting it here.

So the final setup I got working is:

* OpenVPN_ to use SecurityKiss_ free VPN service.
* Dante_ Socks Server to route any application capable of using a socks server
  through the VPN.
* FoxyProxy_ Firefox_ extension to selectively route YouTube_ and Grooveshark_
  through the Socks proxy.

And here is how I did it (in Ubuntu_ 12.10):


OpenVPN_ server
---------------

Install the package::

   sudo apt-get install openvpn

Get the configuration bundle generated for you account in the control panel and
then create a ``/etc/openvpn/sk.conf`` file with this content::

   client
   dev tunsk
   proto udp

   # VPN server IP : PORT
   # (pick the server you want from the README file in the bundle)
   remote 178.238.142.243 123
   nobind

   ca   /etc/ssl/private/openvpn-sk/ca.crt
   cert /etc/ssl/private/openvpn-sk/client.crt
   key  /etc/ssl/private/openvpn-sk/client.key

   comp-lzo yes
   persist-key
   persist-tun

   user openvpn
   group nogroup

   auth-nocache
   script-security 2

   route-noexec
   route-up "/etc/openvpn/sk.setup.sh up"

   down "/usr/bin/sudo /etc/openvpn/sk.setup.sh down"

Install the certificate and key files from the bundle in
``/etc/ssl/private/openvpn-sk/`` with the names specified in the ``sk.conf``
file.

Create the tun device::

   mknod /dev/net/tunsk c 10 200

Start the VPN at system start (optional)::

   echo 'AUTOSTART="sk"' >> /etc/default/openvpn

Add the openvpn system user::

   adduser --system --home /etc/openvpn openvpn

Now we need to route some specific traffic only through the VPN. I choose to
discriminate traffic by the uid/gid of the application that generated it. So
with the ``route-up`` and ``down`` script we will do all the special routing.
I also want my default route table to be untouched, that's why I used
``route-noexec``. Here is how the ``/etc/openvpn/sk.setup.sh`` script looks for
me::

   #!/bin/sh
   # Based on:
   # http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface

   #exec >> /tmp/log
   #exec 2>> /tmp/log.err
   #set -x

   # Config
   uid=skvpn
   gid=skvpn
   mark=100
   table=$mark
   priv_dev=br-priv

   env_file="/var/run/openvpn.sk.env"
   umark_rule="OUTPUT -t mangle -m owner --uid-owner $uid -j MARK --set-mark $mark"
   gmark_rule="OUTPUT -t mangle -m owner --gid-owner $gid -j MARK --set-mark $mark"
   masq_rule="POSTROUTING -t nat -o $dev -j SNAT --to-source $ifconfig_local"

   up()
   {
           # Save environment
           env > $env_file

           # Route all traffic marked with $mark through route table $table
           ip rule add fwmark $mark table $table

           # Make all traffic go through the VPN gateway in route table $table
           ip route add table $table default via $route_vpn_gateway dev $dev

           # Except for the internal traffic
           ip route | grep "dev $priv_dev" | \
                           xargs -n1 -d'\n' echo ip route add table $table | sh

           # Flush route tables cache
           ip route flush cache

           # Mark packets originated by processes with owner $uid/$gid with $mark
           iptables -A $umark_rule
           iptables -A $gmark_rule

           # Prevent the packets sent over $dev getting the LAN addr as source IP
           iptables -A $masq_rule

           # Relax the reverse path source validation
           sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
   }

   down()
   {
           # Restore and remove environment
           . $env_file
           rm $env_file

           # Since the device is already removed, there is no need to clean
           # anything that was referencing the device because it was already
           # removed by the kernel.

           # Delete iptable rules
           iptables -D $umark_rule
           iptables -D $gmark_rule

           # Delete route table and rules for lookup
           ip rule del fwmark $mark table $table

           # Flush route tables cache
           ip route flush cache
   }

   if test "$1" = "up"
   then
           up
   elif test "$1" = "down"
   then
           down
   else
           echo "Usage: $0 (up|down)" >&2
           exit 1
   fi

I hope this is clear enough. Finally we need to add the skvpn user/group (for
which all the traffic will be routed via the VPN) and let the openvpn user run
the setup script::

   sudo adduser --system --home /etc/openvpn --group skvpn
   sudo visudo

In the editor, add this line::

   openvpn ALL=(ALL:ALL) NOPASSWD: /etc/openvpn/sk.setup.sh

Now if you do::

   sudo service openvpn start

You should get a working VPN that is only used for processes that runs using the
user/group skvpn. You can try it with::

   sudo -u skvpn wget -qO- http://www.securitykiss.com | grep YOUR.IP

Besides some HTML, you should see the VPN IP there instead of your own (you can
check your own by running the same without ``sudo -u skvpn``).


Dante_ Socks Server
-------------------

This should be pretty easy to configure, if it weren't for Ubuntu_ coming with
an ancient (1.x when there is a 1.4 beta already) BROKEN__ package. So to make
it work you have to compile it yourself. The easiest way is to get a `sightly
more updated package`__ from Debian *experimental*. Here is the quick recipe to
build the package, if you want to learn more about the details behind this,
there is always Google_::

   cd /tmp
   for suffix in .orig.tar.gz -3.dsc -3.debian.tar.bz2
   do
      wget http://ftp.de.debian.org/debian/pool/main/d/dante/dante_1.2.2+dfsg$suffix
   done
   sudo apt-get build-dep dante-server
   dpkg-source -x dante_1.2.2+dfsg-3.dsc
   cd dante_1.2.2+dfsg
   dpkg-buildpackage -rfakeroot
   cd ..
   dpkg -i /tmp/dante-server_1.2.2+dfsg-3_amd64.deb

__ https://bugs.launchpad.net/ubuntu/+source/dante/+bug/816153
__ http://packages.debian.org/experimental/dante-server

Now you can configure Dante_, this is my configuration file as an example, it
just allow unauthenticated access to all clients in the private network::

   logoutput: syslog

   internal: 10.1.1.1 port = 1080
   external: tunsk

   clientmethod: none
   method: none

   user.privileged: skvpn
   user.unprivileged: skvpn
   user.libwrap: skvpn

   client pass {
           from: 10.1.1.0/24 port 1-65535 to: 0.0.0.0/0
           log: error # connect disconnect
   }
   client pass {
           from: 10.1.1.0/24 port 1-65535 to: 0.0.0.0/0
   }

   #generic pass statement - bind/outgoing traffic
   pass {
           from: 0.0.0.0/0 to: 0.0.0.0/0
           command: bind connect udpassociate
           log: error # connect disconnect iooperation
   }
   #generic pass statement for incoming connections/packets
   pass {
           from: 0.0.0.0/0 to: 0.0.0.0/0
           command: bindreply udpreply
           log: error # connect disconnect iooperation
   }

I hope you get the idea...

Now just start dante::

   sudo service danted start

And now you have a socks proxy that output all his traffic through the VPN while
any other network traffic goes through the normal channels!


FoxyProxy_ Addon
----------------

Setting up FoxyProxy_ should be trivial at this point (just create a new proxy
server pointing to dante and set it as SOCKS v5), but just as a pointer, here
are some example rules (set them as *Whitelist* and *Regular Expression*)::

   ^https?://(.*\.)?youtube\.com/.*$
   ^https?://(.*\.)?grooveshark\.com/.*$


.. _Dante: http://www.inet.no/dante/
.. _Firefox: https://www.mozilla.org/firefox
.. _FoxyProxy: http://getfoxyproxy.org/
.. _GEMA: https://en.wikipedia.org/wiki/Gesellschaft_f%C3%BCr_musikalische_Auff%C3%BChrungs-_und_mechanische_Vervielf%C3%A4ltigungsrechte
.. _Grooveshark: http://grooveshark.com/
.. _OpenVPN: http://openvpn.net/
.. _SecurityKiss: http://www.securitykiss.com/
.. _Ubuntu: http://www.ubuntu.com/
.. _YouTube: https://www.youtube.com/
.. _Google: https://www.google.com/


.. vim: set et sw=3 sts=3 tw=80 fo+=lt1n: