
Budget SSH tunnel to the underwater world I2P for beginner reindeer herders


There is no point in reading this text seriously. It is addressed to the happy owners of Windows of various versions who are afraid even of having to install the JVM. All the operations described in the second part can be performed more correctly and more safely, but there should be nothing complicated in our simplified version.

Introduction:
No matter what anyone says, the ice situation in the domestic segment is becoming more and more difficult. They've taken us seriously, they're covering us with flags, they're blowing up smooth paths trampled across endless ice fields, they're tearing up the usual food delivery routes with icebreakers, and under the pretext of fighting poachers, they're setting traps behind every second hummock. Everything is leading to the fact that passage from one ice floe to another will soon occur only through a checkpoint with machine gunners, upon a preliminary application in writing and after presenting a passport and a mandate from the fisheries inspection. And only disobedient poachers will laugh in their fox collars at the pathetic attempts of geological parties from the mainland to ruin their lives.


Part 1:
Many were afraid of this, while others waited and prepared. Some resigned themselves, some made sacrifices to the pagan gods, and some equipped reserve command posts on decommissioned submarines and established acoustic communication with other similar boats in sub-ice depths that were not yet under the control of geologists and fisheries authorities. And to communicate with the underwater world, ordinary hunters and reindeer herders are invited to drill holes in the pack ice, cast fishing rods into them, stock up on stronger coffee and, using a special attachment on earflaps, convert the vibrations of the fishing line into initial information. But on the one hand, the hole itself is a serious unmasking factor; on the other hand, not everyone has the strength to drill the hole and constantly carry the brace with them; and on the third, the attachment for earflaps cannot really be adapted to a robotic spinning rod, not to mention elite polished apple tree fishing rods. Therefore, some invent more exotic options, such as a copper basin constantly submerged under water, which will transmit the vibrations of the fishing line, bypassing the earflaps, directly into the ear of a polar fox, onto the chrome parts of a spinning rod, or onto the African design of the handle of a foppish fishing rod. In this situation, it will be possible not to sit near the hole, but to leave the brace in a basin submerged under ice. Theoretically, for these purposes, you can take free containers from the scrap non-ferrous metal warehouse in Anadyr, but the reliability will be below average, sea water will constantly drip onto the high boots and the uptime of the system will become unpredictable. So, to solve this problem, I would advise you to take a chance on a new copper basin from merchants on the other side of the Bering Strait, or at least a tin one for $9.99 a year. There are currently at least 6 options from 9 to 13 dollars per year.
In the search directory of retail warehouses, tin basins are listed under OpenVZ VPS (OpenVZ Virtual Private Servers). You don’t have to pay much attention to the volume of the container and the convenience of the handles: by its nature, information from the underwater world will drip drop by drop and you won’t be able to take much with you anyway. Therefore, let’s look at the features of immersion in water and coupling a basin with a desktop computer and a smartphone using the example of the cheapest option from here. For this we need quite a bit of electrical tape, 18 self-tapping screws, plink.exe, PuTTY and an old compass. And for maximum simplification, let’s play the elusive Joe and perform all operations as root.

Part 2:
After payment, we will be sent an IP address, Username and Root pass for console access in a cover letter. The virtual machine is usually completely bare and everything will have to be done from scratch. Connect to the host via PuTTY and:
1. Find out what kind of distribution they gave us
lsb_release -a

and find out that it is Debian
2. Let's update the repositories
apt-get update

I have a stupid habit of installing mc first because of its editor
apt-get install mc

and immediately change the ssh port to the standard mail port 110, which is let through everywhere
mcedit /etc/ssh/sshd_config

port 110
F2, F10
but these steps can be completely skipped. If you still decide to change the port, you need to restart SSH
/etc/init.d/ssh restart

and reconnect via the new port

3. Install I2P support
mcedit /etc/apt/sources.list

Add
deb http://ppa.launchpad.net/i2p-maintainers/i2p/ubuntu natty main
deb-src http://ppa.launchpad.net/i2p-maintainers/i2p/ubuntu natty main 
and save
Update the list and install packages
apt-get update

apt-get install i2p

Let's start
dpkg-reconfigure -plow i2p

do not forget to allocate 32 megabytes of memory

As a result, we now have an I2P proxy on our host, which can be tunneled via SSH with encryption using a simple .bat file next to plink.exe


echo y | plink -ssh -2 -P 110 -C -N -l root -pw password -L 2222:127.0.0.1:4444 199.255.255.255

where 199.255.255.255 is the IP address of our basin

In this example, the browser needs to be pointed at the proxy 127.0.0.1:2222.
Since the slow default gateway false.i2p is used as the outproxy, it is almost impossible to view regular pages through this setup. Therefore it is better to use a .pac proxy automatic configuration file with the contents:


function FindProxyForURL(url, host) {
	if (dnsDomainIs(host, ".i2p")) {
		return "PROXY 127.0.0.1:2222";
	} else {
		return "DIRECT";
	}
}
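
A fail-closed variant of the PAC file above for a browser profile used only for I2P, with a small audit helper that lists which requests a policy would send DIRECT; one of the comments on this post flags exactly those requests as the way the browser gives away the real address. This is an added example, not the author's file. The blackhole port 127.0.0.1:9, the helper names and the sample URLs are assumptions, and it presumes the browser does not fall back to a direct connection when the listed proxy refuses.

```javascript
// Added example, not the author's file. Assumptions: the tunnel listens on
// 127.0.0.1:2222 (from the article); 127.0.0.1:9 is a port with no listener.
var I2P_TUNNEL = "PROXY 127.0.0.1:2222";
var BLACKHOLE = "PROXY 127.0.0.1:9"; // refused locally, never leaves the machine

// True when host is inside the .i2p pseudo-TLD. Handles case and a trailing
// dot, and rejects look-alikes such as "forum.i2p.example.net".
function isI2pHost(host) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  return h.length > 4 && h.slice(-4) === ".i2p";
}

// Fail-closed PAC entry point: only .i2p is reachable from this profile.
function FindProxyForURL(url, host) {
  return isI2pHost(host) ? I2P_TUNNEL : BLACKHOLE;
}

// The article's policy, re-expressed without the PAC built-in dnsDomainIs
// so that it can be evaluated outside a browser.
function articlePolicy(url, host) {
  return isI2pHost(host) ? I2P_TUNNEL : "DIRECT";
}

// Returns the URLs a policy would fetch without going through any proxy.
function directLeaks(policy, urls) {
  var leaks = [];
  for (var i = 0; i < urls.length; i++) {
    var host = new URL(urls[i]).hostname;
    if (/(^|;)\s*DIRECT\s*(;|$)/i.test(policy(urls[i], host))) leaks.push(urls[i]);
  }
  return leaks;
}

// Constructed sample: an I2P page plus the clearnet resources it embeds.
var PAGE_REQUESTS = [
  "http://forum.i2p/index.html",
  "http://cdn.example.com/tracker.gif",
  "http://FORUM.I2P./style.css",
  "http://forum.i2p.example.net/pixel.png"
];
```

Only the part up to FindProxyForURL is needed in the .pac file; directLeaks relies on the URL class and is meant to be run under Node to compare policies before deploying one.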

Without adding subscriptions, many resources in I2P will not open on the first try. To get around this, use the jump service link on the error page.



To use it from a mobile phone, you will have to abandon traffic encryption and the SSH tunnel, remove the restriction for access only from host 127.0.0.1 in the settings of the I2P-HTTP proxy running on the remote server (put 0.0.0.0 there) and connect through the proxy 199.255.255.255:4444.
It wouldn’t hurt to disable the use of our server as a router for the rest of the I2P network and to write some nice interface to plink in AutoIt. In addition, the remote host can be used as a regular SOCKS5 or HTTPS proxy with traffic encryption to bypass blocking. If anyone is interested in the obvious details, there will be a continuation.

PS For some reason I couldn’t find a search, but it turns out there was already a thread on the same topic and more thoughtfully
habrahabr.ru/post/207208
Sorry for the repeat.

Comments 23

cat /proc/version to determine the distribution?

Linux version 3.9.3-x86-linode52 (maker@build) (gcc version 4.4.5 (Debian 4.4.5-8) ) #1 SMP Mon May 20 09:32:28 EDT 2013

What distribution do I have??
But they didn’t guess.

lsb_release -a
To determine the distribution, if suddenly the distribution is crooked and there is no lsb_release, then
ls /etc/*_version
You can also try.
And from /proc/version you will only find out the kernel version, and how and when it was compiled.
More or less new ones may also have /etc/os-release.
Hmm, you don’t want new ones...Red Hat Linux 5.1?
Not to be confused with Red Hat Enterprise Linux.
cat /etc/*release*
I won’t say it’s a panacea, but on all the Linux systems I’ve encountered so far, this OS definition worked:

cat /etc/issue
To use from a mobile phone, you will have to refuse traffic encryption ...

And what prevents you from raising OpenVPN on the same basin and using it??
Thanks for lsb_release -a
I tried several methods on that host that were familiar to a novice like me, but none of them worked - so I settled on the approximate cat /proc/version :) With your permission, I’ll correct the text.
As for VPN, it’s still not available on every cheap host, and it’s much more difficult to set up…
So it's 5 a month? and here it’s 10 a year :)
Ah, that's it :). Then it’s really very cheap, I didn’t look carefully.
yes, 5 per month, and 1TB of traffic, versus 10 per year with 250GB.
For the selfish option, 250 GB per year is also suitable. But the network lives off transit traffic.
Using such a .pac file is very dangerous if you really want to be anonymous. You can go to the i2p page, which has pictures or something else from the regular Internet, and your browser will easily burn your real address. Also, to visit i2p pages, it is strictly recommended to use the NoScript, NoFlash extensions.
To visit i2p pages, it is recommended to use a separate firefox with a single proxy on 127.0.0.1
To visit i2p pages, it is recommended to use two virtual machines. One has two network interfaces. One to the Internet, the other to the second virtual machine. An i2p proxy is installed on it, which is available for the second virtual machine. On the second virtual machine there is a browser. And there is basically no Internet there except i2p. There isn't even DNS.
And why is this better than one virtual machine that looks at the Internet and i2p. And there are two browsers, one for the regular Internet, and the other for i2p with a proxy (such as 192.168.1.5:4444)?
Because the software on the internal virtual machine does not know anything at all about “who I am” and “where I am.” Not OS, not fox, no one. Even if there are some sudden channels of information leakage, they will remain useless simply due to the lack of any information.
I would argue about the advisability of using two virtual machines, but I think it’s not worth it. Everyone determines the boundaries of their own safety.
dpkg-reconfigure -plow i2p?! SRSLY?
Judging by the first part, the issue is not only in fisheries supervision, but also in the Ministry of Agriculture (growing crops) and the Ministry of Culture (playing wind instruments). Author, hand over your suppliers :)
The article is very!, but!

All matters should begin with purchasing a SIM card in Mitino/Sovok, purchasing a phone, registering a Qiwi (all this with due precautions, without personal phones, and in crowded places) and so on. Everything, of course, depends on the tasks, but if you want to have the right channel, this needs to be thought through from the very beginning.
And it’s better to have it all in more than one copy, it’s not all that expensive.
And the mandates from the fisheries inspection do not sleep; as long as there is an opportunity, it is necessary to hammer drill holes.
I'm completely confused in all these organizations, Rybnadzor is such LGBTI people?