| blob | 55d03eaf2957806d8d045d0e25dcd3b53c887914 |
1 Using the curvetun tunnel for browsing the web (example howto):
3 curvetun inital setup example:
4 //////////////////////////////
6 If you've never run curvetun before, you need to do an initial setup once.
8 At first, make sure that the servers and clients clocks are periodically
9 synced, i.e. with ntpdate ntp.ubuntu.com pool.ntp.org as a cronjob. This is
10 necessary to protect against replay attacks.
12 Also, make sure if you have read/write access to /dev/net/tun. You should not
13 run curvetun as root!
15 Then, the first step is to create keys and config files. On both, the client
16 and server do:
18 $ curvetun -k
20 You are asked for a username. You can use an email address or whatever. Here,
21 we assume, you've entered 'mysrv1' on the server and 'myclient1' on the client
22 side.
24 Now on the necessary file have been created:
25 ~/.curvetun/priv.key - Your private key
26 ~/.curvetun/pub.key - Your public key
27 ~/.curvetun/username - Your username (here: mysrv1 or myclient1)
28 ~/.curvetun/auth_token - Your server auth token
29 ~/.curvetun/clients - Participants the server accepts
30 ~/.curvetun/servers - Possible servers the client can connect to
32 'clients' and 'servers' are empty at the beginning and need to be filled now.
33 The 'clients' file is meant for the server, so that it knows what clients
34 may connect. The 'servers' file is for the client, where it can select
35 curvetun servers to connect to.
37 Now the client exports it's public key for the server:
39 client$ curvetun -x
41 ... where it prints sth like:
43 myclient1;11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
44 \_______/ \_____________________________________________________________________________________________/
45 username 32 byte public key for 'myclient1'
47 This line is transferred to the server admin, where the admin add this entry
48 into his 'clients' file like:
50 server$ echo "myclient1;11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11" >> ~/.curvetun/clients
52 The server admin can check, if the server has registered it properly by ...
54 server$ curvetun -C
56 ... which prints all parsed clients from ~/.curvetun/clients.
58 Now, the client 'myclient1' is known to the server; that's it for the server
59 config. The next step is to tell the client what he needs to connect to the
60 server.
62 We hereby assume, the tunnel server has an public IP i.e. 1.2.3.4, runs on
63 port 6666 and uses UDP as a carrier protocol. In case you are behind a NAT,
64 you can use curvetun's --stun option for starting the server, to obtain your
65 mapping. However, in this example we continue with 1.2.3.4 and 6666, UDP.
67 First, the server needs to export its key to the client, as:
69 server$ curvetun -x
71 ... where it prints sth like:
73 mysrv1;22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
74 \____/ \_____________________________________________________________________________________________/
75 username 32 byte public key for 'mysrv1'
76 ^-- you need this public key
78 Then, the server needs to export its auth token:
80 server$ curvetun -A
82 ... where it prints sth like:
84 33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33
85 \_____________________________________________________________________________________________/
86 32 byte server auth token (for all clients)
87 ^-- you need this auth token, too
89 Now, you give the client your connection information:
90 * IP 1.2.3.4
91 * Port 6666
92 * Proto UDP
93 * Pubkey 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
94 * Auth token 33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33
96 ... and the client puts it all together in its config like:
98 client$ echo "myfirstserver;1.2.3.4;6666;udp;22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22;33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33" >> ~/.curvetun/servers
100 ... again, where he can check his config with:
102 client$ curvetun -S
104 Okay, assuming we've made it, then we start the server with:
106 server# curvetun -s -p 6666 -u
107 server# ifconfig curves0 up
108 server# ifconfig curves0 10.0.0.1/24
110 Server-side information, errors or warnings will appear in syslog!
112 Then, we start the client with ...
114 client# curvetun -c=myfirstserver
115 client# ifconfig curvec0 up
116 client# ifconfig curvec0 10.0.0.2/24
118 Also, client-side information, errors or warnings will appear in syslog!
119 ... and we're now able to ping the server:
121 client$ ping 10.0.0.1
123 That's it!
125 IPv4 routing example:
126 /////////////////////
128 Server side: your public IP on eth0 is i.e. 1.2.3.4
130 server$ ... start curvetun server ...
131 server# ifconfig curves0 up
132 server# ifconfig curves0 10.0.0.1/24
133 server# echo 1 > /proc/sys/net/ipv4/ip_forward
134 server# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
135 server# iptables -A FORWARD -i eth0 -o curves0 -m state --state RELATED,ESTABLISHED -j ACCEPT
136 server# iptables -A FORWARD -i curves0 -o eth0 -j ACCEPT
138 Client side: your IP on eth0 is i.e. 5.6.7.8
140 client$ ... start curvetun client ...
141 client# ... lookup your default gateway ...
142 -> either stated in route, or
143 -> traceroute google.ch and take the first IP entry
144 -> default gw here i.e. 5.6.7.9
145 client# ifconfig curvec0 up
146 client# ifconfig curvec0 10.0.0.2/24
147 client# route add -net 1.2.3.0 netmask 255.255.255.0 gw 5.6.7.9 dev eth0
148 client# route add default gw 10.0.0.1
149 client# route del default gw 5.6.7.9
151 ... and there you go, now open your browser on the client side and surf the
152 web or do whatever you want. All your traffic will then be tunneled encrypted
153 to your server.