Net Tricks

Proxy / VPN / Tunnel

Stealth Proxy

Use ShadowSocks on port 443 to create a SOCKSv5 proxy that is hard to detect: a firewall can't distinguish it from a normal HTTPS connection.

Combine it with v2ray-plugin to put it behind Nginx: the plugin encapsulates the connection in a WebSocket so that it can be reverse-proxied like any other web traffic.

Policy-based routing

Use policy-based routing if you want to do some fancy routing: you can select how traffic is routed based on much more than the destination address.

It works like this: you define a set of routing tables and some rules that say which tables a given packet matches. A packet is looked up in each matching table in turn until a route is found. You can route based on source/destination address and port, on fwmark (a mark that iptables can set on packets as it likes) and thus indirectly per program or per user, or on anything else a rule can match.

See this page for more details.

SOCKS proxy as a network interface

Use tun2socks:

TUN="..."   # name of the tun device to create
PROXY="..." # address of the SOCKS proxy tun2socks forwards to

# creating the tun device (owned by $USER so tun2socks can attach to it without root)
sudo ip tuntap add mode tun dev "$TUN" user "$USER"

# run tun2socks in the background: it stays running and forwards whatever enters $TUN to $PROXY
tun2socks -device "$TUN" -proxy "$PROXY" &

# configure the tun device
sudo ip addr add 198.18.0.1/15 dev "$TUN"
sudo ip link set dev "$TUN" up
# and set it as the default gateway
# NOTE: don't do this, or the socks will stop working since it'll use this as default gateway
# (tun2socks' own connection to the proxy would be routed back into the tun); kept commented out on purpose.
# sudo ip route add default via 198.18.0.1 dev "$TUN"

See TODO for a complete example that combines ShadowSocks, tun2socks and network namespaces to run programs that transparently connect through the SOCKS proxy without being aware of it.

Easier per-process routing

If you have a network interface that you want to use as the default gateway for a program, create a network namespace for it:

NETNS="..."
DEV="..." # the device to use as gateway for $NETNS

# creating the netns
ip netns add "$NETNS"

# move $DEV to $NETNS
# NOTE! $DEV will be removed from the root network namespace!
ip link set "$DEV" netns "$NETNS"

...

# eventually, to remove the namespace and destroy $DEV:
ip netns del "$NETNS"

Then run commands inside this network namespace with:

sudo ip netns exec "$NETNS" CMD

# or, to run it as an unprivileged user...
sudo ip netns exec "$NETNS" sudo -u "$USER" -- CMD
# or in a script/function:
sudo ip netns exec "$NETNS" sudo -u "$USER" -- "$@"

You may want a different resolv.conf for the namespace: create /etc/netns/$NETNS/resolv.conf, and ip netns exec bind-mounts it over /etc/resolv.conf for the commands it runs there.
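A script that ties the two sections together, as an added example that is not from the original page: tun2socks runs in the root namespace (where it can still reach the proxy) and only the tun device is moved into a namespace, so the default route that is unsafe in the root namespace is exactly what you want there. It needs root, iproute2 and tun2socks; the device, namespace and proxy names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: run a program in a network namespace
# whose only interface is a tun2socks device, so all its traffic leaves through
# the SOCKS5 proxy. Needs root, iproute2 and tun2socks. Names are placeholders.
set -eu

TUN="${TUN:-tun-socks}"                    # assumed tun device name
NETNS="${NETNS:-socksns}"                  # assumed namespace name
PROXY="${PROXY:-socks5://127.0.0.1:1080}"  # assumed local SOCKS5 endpoint (e.g. ss-local)
RUN="${RUN:-}"                             # RUN=echo gives a dry run that only prints commands

# Create the tun device and attach tun2socks to it in the root namespace, where
# tun2socks can reach the proxy; the fd it holds keeps working after the
# interface itself is moved away.
setup_tun() {
    $RUN ip tuntap add mode tun dev "$TUN"
    $RUN tun2socks -device "$TUN" -proxy "$PROXY" &
    sleep 1   # let tun2socks attach before the device is moved
}

# Move the device into a fresh namespace and make it the only default route there.
# Unlike in the root namespace this is safe: the proxy connection never enters
# the namespace, and nothing inside it has any other way out.
setup_netns() {
    $RUN ip netns add "$NETNS"
    $RUN ip link set "$TUN" netns "$NETNS"
    $RUN ip -n "$NETNS" link set dev lo up
    $RUN ip -n "$NETNS" addr add 198.18.0.1/15 dev "$TUN"
    $RUN ip -n "$NETNS" link set dev "$TUN" up
    $RUN ip -n "$NETNS" route add default via 198.18.0.1 dev "$TUN"
}

# Run CMD inside the namespace, optionally dropping to AS_USER.
run_in_netns() {
    if [ -n "${AS_USER:-}" ]; then
        $RUN ip netns exec "$NETNS" sudo -u "$AS_USER" -- "$@"
    else
        $RUN ip netns exec "$NETNS" "$@"
    fi
}

# Tear everything down; deleting the namespace also destroys the tun device.
teardown() {
    $RUN ip netns del "$NETNS"
    $RUN pkill -x tun2socks || true   # stops every tun2socks, adjust if you run several
}

# Usage: TUN=... NETNS=... PROXY=... ./socksns.sh CMD [ARGS...]
if [ $# -gt 0 ]; then
    [ -e "/var/run/netns/$NETNS" ] || { setup_tun; setup_netns; }
    run_in_netns "$@"
fi
```

Put a resolver that is reachable through the proxy in /etc/netns/$NETNS/resolv.conf, otherwise name lookups inside the namespace will fail.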