
Monday, 24 October 2016

Getting past the firewall with an "IP Over ICMP Proxy"

Below I install and configure hans on a Raspberry Pi; kcptun will be covered in the next post. Once the Raspberry Pi is set as the default gateway, every device on the LAN gets unfiltered Internet access.
ProTip: start with the phone's 3G data and open a hotspot for the computer to use; once the software is installed you can turn it off again.

How It Works

  • GFW(iWiFi):
    • allow: icmp,dns
    • deny: all
  • Server:
    • eth0: 1.2.3.4
    • tun0: 10.1.2.1
  • RPi:
    • eth0: 192.168.31.177
    • tun0: 10.1.2.100
  • Client:
    • eth0: 192.168.31.102
Client(Firefox) -> RPi(ss-local&hans-client) -> GFW -> Server(ss-server&hans-server) -> Internet  

Compile

$ wget https://github.com/friedrich/hans/archive/v0.4.4.tar.gz
$ tar xzf v0.4.4.tar.gz
$ cd hans-0.4.4
$ make
$ cp hans /usr/local/bin/

Run

$ hans
Hans - IP over ICMP version 0.4.4

RUN AS SERVER  
  hans -s network [-fvr] [-p password] [-u unprivileged_user] [-d tun_device] [-m reference_mtu] [-a ip]

RUN AS CLIENT  
  hans -c server  [-fv]  [-p password] [-u unprivileged_user] [-d tun_device] [-m reference_mtu] [-w polls]

ARGUMENTS  
  -s network    Run as a server with the given network address for the virtual interface. Linux only!
  -c server     Connect to a server.
  -f            Run in foreground.
  -v            Print debug information.
  -r            Respond to ordinary pings. Only in server mode.
  -p password   Use a password.
  -u username   Set the user under which the program should run.
  -d device     Use the given tun device.
  -m mtu        Use this mtu to calculate the tunnel mtu.
                The generated echo packets will not be bigger than this value.
                Has to be the same on client and server. Defaults to 1500.
  -w polls      Number of echo requests the client sends to the server for polling.
                0 disables polling. Defaults to 10.
  -i            Change the echo id for every echo request.
  -q            Change the echo sequence number for every echo request.
  -a ip         Try to get assigned the given tunnel ip address.
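Seen from the firewall side, the -m MTU and the -i/-q options above also describe what the tunnel looks like on the wire: echo requests whose data field carries tunnelled IP packets of varying size (up to the configured MTU), where a stock ping repeats one 56-byte payload. The following heuristic over constructed ICMP echo packets is an added example written for this page, not code from the hans project; it assumes packets are supplied without their IPv4 header.

```python
import struct

PING_DATA_LEN = 56  # what stock `ping` sends: the "56(84) bytes of data" on this page


def build_echo(ident, seq, payload):
    """Construct an ICMP echo request (type 8) without the IP header. Sample
    data for this example, not a real capture; the checksum is left as zero."""
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload


def parse_echo(pkt):
    """Return (id, seq, payload) for an echo request/reply, else None."""
    if len(pkt) < 8:
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ not in (0, 8) or code != 0:
        return None
    return ident, seq, pkt[8:]


def score_echo_flow(packets, max_ping_len=PING_DATA_LEN):
    """Summarise one host's echo traffic. An ICMP-encapsulated IP tunnel shows
    up as oversized payloads (hans fills echo data up to its -m MTU) and many
    distinct payload sizes, where a plain ping repeats one fixed size."""
    sizes = []
    for pkt in packets:
        parsed = parse_echo(pkt)
        if parsed is not None:
            sizes.append(len(parsed[2]))
    oversized = sum(1 for s in sizes if s > max_ping_len)
    distinct = len(set(sizes))
    return {
        "echo_count": len(sizes),
        "payload_bytes": sum(sizes),
        "oversized": oversized,
        "distinct_sizes": distinct,
        "suspect": oversized > 0 or distinct > 2,
    }


# Constructed flows: a routine ping, and traffic shaped like the tunnel on this
# page (tun0 MTU 1467, so up to about 1467 bytes of data per echo request).
PING_FLOW = [build_echo(0x1234, seq, b"\x00" * PING_DATA_LEN) for seq in range(1, 6)]
TUNNEL_FLOW = [build_echo(0x4242, 0, b"\x00" * n) for n in (40, 1467, 900, 1467, 60, 1200)]

if __name__ == "__main__":
    print("ping:  ", score_echo_flow(PING_FLOW))
    print("tunnel:", score_echo_flow(TUNNEL_FLOW))
```

Size alone is only a first filter (some diagnostic tools send large pings too), so in practice combine it with rate and per-host byte counts before alerting.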

Systemd

Unit File

# /etc/systemd/system/hans.service
[Unit]
Description=IP over ICMP  
After=network.target

[Service]
EnvironmentFile=/etc/default/hans  
ExecStart=/usr/local/bin/hans $HANS_OPTS  
Restart=always  
RestartSec=5

[Install]
WantedBy=multi-user.target  

Server Config

# /etc/default/hans
HANS_OPTS="-f -s 10.1.2.0 -p password"  

Client Config

# /etc/default/hans
HANS_OPTS="-f -c 1.2.3.4 -p password"  

Server Setup

$ systemctl daemon-reload
$ systemctl start hans.service

$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.2.1  P-t-P:10.1.2.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1467  Metric:1
          RX packets:4629 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4620 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:622863 (608.2 KiB)  TX bytes:3991862 (3.8 MiB)

Client Setup

$ systemctl daemon-reload
$ systemctl start hans.service

$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.1.2.100  P-t-P:10.1.2.100  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1467  Metric:1
          RX packets:617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:441280 (430.9 KiB)  TX bytes:93441 (91.2 KiB)

$ ping 10.1.2.1
PING 10.1.2.1 (10.1.2.1) 56(84) bytes of data.  
64 bytes from 10.1.2.1: icmp_seq=1 ttl=64 time=145 ms  
^C

Socks5 Setup

$ cat /etc/shadowsocks-libev/config.json
{
    "server": "10.1.2.1",
    "server_port": 8388,
    "local_address": "0.0.0.0",
    "local_port": 1080,
    "password": "********",
    "timeout": 60,
    "method": "chacha20",
    "auth": true
}
$ nc -v 10.1.2.1 8388
Connection to 10.1.2.1 8388 port [tcp/*] succeeded!  
^C
$ systemctl start shadowsocks-libev-local@config
$ curl -x socks5h://127.0.0.1:1080 ifconfig.co
1.2.3.4  

SSH Setup

# ~/.ssh/config
Host github.com  
    HostName github.com
    ProxyCommand nc -x 192.168.31.177 %h %p

Default Gateway

Server

$ iptables -t nat -A POSTROUTING -o eth0 -s 10.1.2.0/24 -j MASQUERADE

RPi

$ ip route add 1.2.3.4 via 192.168.31.1
$ ip route add 0.0.0.0/1 via 10.1.2.1
$ ip route add 128.0.0.0/1 via 10.1.2.1

$ ip route
0.0.0.0/1 via 10.1.2.1 dev tun0  
default via 192.168.31.1 dev wlan0  
10.1.2.0/24 dev tun0  proto kernel  scope link  src 10.1.2.100  
1.2.3.4 via 192.168.31.1 dev wlan0  
128.0.0.0/1 via 10.1.2.1 dev tun0

$ host ifconfig.co
ifconfig.co has address 188.113.88.193  
ifconfig.co has IPv6 address 2001:16d8:ee03::cafe:d00d

$ ip route get 188.113.88.193
188.113.88.193 via 10.1.2.1 dev tun0  src 10.1.2.100  
    cache

$ curl ifconfig.co
1.2.3.4

$ iptables -t nat -A POSTROUTING -o tun0 -s 192.168.31.0/24 -j MASQUERADE
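The split-default routes above work because the kernel picks the most specific matching prefix: the two /1 routes together cover all of IPv4 and so beat 0.0.0.0/0 without replacing it, while the /32 host route for 1.2.3.4 keeps the ICMP carrier packets on wlan0 instead of looping them into tun0. The following Python is an added example for this page, not part of the original post; it transcribes the RPi route table shown above and assumes nothing beyond it.

```python
from ipaddress import ip_address, ip_network

# The RPi's route table from this page as (prefix, via, dev); "default" is
# 0.0.0.0/0. Transcribed from the `ip route` output above, not read from a host.
RPI_ROUTES = [
    ("0.0.0.0/1", "10.1.2.1", "tun0"),
    ("0.0.0.0/0", "192.168.31.1", "wlan0"),
    ("10.1.2.0/24", None, "tun0"),
    ("1.2.3.4/32", "192.168.31.1", "wlan0"),
    ("128.0.0.0/1", "10.1.2.1", "tun0"),
]


def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: the most specific matching
    prefix wins, whatever order the routes were added in."""
    addr = ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else {"prefix": str(best[0]), "via": best[1], "dev": best[2]}


def tunnel_plan_issues(routes, server_ip, tunnel_dev="tun0"):
    """Checks for the split-default trick. The two /1 routes beat 0.0.0.0/0
    for every address, so the real default stays in place; the tunnel server
    itself must still leave via the physical gateway, or the ICMP carrier
    packets would be routed back into the tunnel they carry."""
    issues = []
    halves = {ip_network(p) for p, _, d in routes if d == tunnel_dev}
    if not {ip_network("0.0.0.0/1"), ip_network("128.0.0.0/1")} <= halves:
        issues.append("both /1 halves are not pointed at " + tunnel_dev)
    hit = lookup(routes, server_ip)
    if hit is None or hit["dev"] == tunnel_dev:
        issues.append(f"server {server_ip} would be routed into {tunnel_dev}")
    return issues


if __name__ == "__main__":
    print(lookup(RPI_ROUTES, "188.113.88.193"))  # via 10.1.2.1 dev tun0, as on the page
    print(lookup(RPI_ROUTES, "1.2.3.4"))         # via 192.168.31.1 dev wlan0
    without_host_route = [r for r in RPI_ROUTES if r[0] != "1.2.3.4/32"]
    print(tunnel_plan_issues(without_host_route, "1.2.3.4"))
```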

Client

$ sudo route change default 192.168.31.177
$ sudo networksetup -setdnsservers Wi-Fi 8.8.8.8

$ host ifconfig.co
ifconfig.co has address 188.113.88.193  
ifconfig.co has IPv6 address 2001:16d8:ee03::cafe:d00d

$ route get 188.113.88.193
   route to: 188.113.88.193
destination: 188.113.88.193  
    gateway: 192.168.31.177
  interface: en0

$ curl ifconfig.co
1.2.3.4 
 
from https://easypi.herokuapp.com/ip-over-icmp-proxy/ 

Project page: https://github.com/friedrich/hans
Hans - IP over ICMP
Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you could call it a “ping tunnel”. This can be useful when you find yourself in the situation that your Internet access is firewalled, but pings are allowed.

Related post: http://briteming.blogspot.com/2012/02/ping-tunnel.html