Total Pageviews

Saturday 3 March 2018

Telex服务器的安装

Telex setup: (high level)

    NotBlocked ---- Router ----- ..(internet).. --- Client
                      |
                    Telex Station

=======================
Overview
=======================

Below is an overview of the different pieces to Telex. You will also need to
read the Installing Telex section to compile/install the various components.

The telex-station-x.x.x.tar.gz should be extracted in your home directory on
both the Router and the Telex Station. The station specific code is in
'station', and the router specific in 'router'. The 'common' directory
contains code used by both.

Telex Station
===
The Telex Station has a tap interface off the router - it gets a copy of 
all (interesting/i.e. tcp/443) packets, regardless of what flows are
being blocked in the router. On the Telex Station, you'll run 3 things:
    bro
    bronnect
    service (we chose squid http proxy for our service)

The interface on the Telex station (eth0) should be assigned two IPs - a
public IP used to contact Blocked domains, and a private one used to
communicate to the flow_blocker running on the Router (10.4.0.2)

Our example /etc/networking/interfaces (on Telex Station):
---------------------------
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 141.212.109.159
  netmask 255.255.255.0
  gateway 141.212.109.1

auto eth0:1
iface eth0:1 inet static
  address 10.4.0.2
  netmask 255.255.255.0
-------------------------


Router
===
The Router has three interfaces:
    eth0 goes to the NotBlocked webserver side
    eth1 goes to the Internet/Client side
    eth2 is the tap to Telex Station

Our example /etc/networking/interfaces (on Router):
----------------------------
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
  address 141.212.109.158   # set this to whatever public IP you'd like for your router
  netmask 255.255.255.0
  gateway 141.212.109.1
  bridge_ports all

auto br0:0
iface br0:0 inet static
  address 10.4.0.1          # used to communicate privately with telex/bronnect (for flow-blocker)
  netmask 255.255.255.0
auto eth0
auto eth1
auto eth2
-----------------------------------
on Router, you'll need to run: (by running ./router.sh)
    flow_blocker


Client
===
Client connects to Internet (via router to something in Internet, e.g.
notblocked.com). Its SSL client random is generated by the tag code and 
telex public key. The Telex Station observes that a particular packet is tagged, 
and commands the Router to block the flow.


NotBlocked
===
Notblocked is just a simple web server serving a page over HTTPS. We went with
apache/mod_ssl, as provided by Ubuntu, though anything that will pick
CBC_AES_256_SHA1_DHE as its favorite cipher suite will work (this is the only
cipher suite supported by Telex so far).


=========================
Installing Telex
=========================

Router install:
===
    flow-blocker listens to commands from bronnect (running on telex), and 
    blocks or unblocks flows when commanded.
    For flow-blocker to work (fast enough) we had to use ipset and iptables.
    We also needed a more recent version of iptables than ubuntu ships with to 
    support the --TEE option (see router.sh)    
 

    sudo apt-get install libevent-dev pkg-config libglib2.0-dev libpcap-dev
    update iptables (Ubuntu):
        add to /etc/apt/sources.list:
            deb http://mirrors.us.kernel.org/ubuntu/ natty main 
        sudo apt-get install iptables
    You may need to compile linux from source to get ipset; I've included our
    config file in net/config-2.6.35.10 (may or may not be useful to you)

    #compile flow_blocker:
    cd ~/telex-station/router/flow-blocker/
    make flow_blocker

    # optionally fix router.fw, our firewall rules that get loaded.
    # (I stripped out most of our deployment specific ones.)
    # update router.sh to have correct public IP for telex
    # and fix paths if needed.


Client install:
===
    See https://telex.cc/software.html

Telex Station install:
===
    linux module:
        We needed a linux module to allow bronnect to spoof a TCP connection 
        mid-stream. For example, we patiently watch the SYN/SYN-ACK/ACK handshake,
        then some data, then we block the connection and want to be able to call
        send/recv on a socket and have it inject packets with correct seq/ack numbers
        in that connection.

        See linuxmod/SETUP and NOTES for more information on installing that
        (you'll need to compile linux from source).

    build tag:
        sudo apt-get install cmake libgmp3-dev
        cd ~/telex-station/tag/ && make tag.o

    build bro:
        sudo apt-get install libpcap-dev libncurses5-dev bison flex python-dev
        cd ~/telex-station/bro-1.5.1/ && ./configure
        make && sudo make install

    build bronnect:
        sudo apt-get install libevent-dev libglib2.0-dev
        cd /home/ewust/telex/net/
        make bronnect 
        sudo make install


===============================================
Telex setup: (how to run/where to run it)
===============================================

NotBlocked
===
    TLS webserver (make sure it supports AES_256_CBC_DHE_RSA_SHA1)


Router
===
    cd ~/telex-station/router/net/
    sudo ./router.sh

Telex Station
===
- run service on telex (must be listening before bro/bronnect start/get first connection):
    e.g. squid http proxy
- run bro/bronnect on telex:
    # make sure you update run_bro_remote.sh before running this.
    # you'll need to set it to use your mac address - see comments in run_bro_remote.sh
    sudo ~/telex-station/run_telex.sh   # may need to update paths to binaries

    - note: make sure brohome dir has privkeys in it
    Generate privkey and corresponding pubkey in the tag folder
    cd ~/telex-station/station/tag/
    make genkeys
    ./genkeys #will create pubkey and privkey. give pubkey to the telex-client.
    To generate a privkeys from privkey (telex currently supports multiple private keys,
    to differentiate multiple services) simply run (from tag folder) 
    ./package_keys.py ./priveky 3128 > ../brohome/privkeys
    # note: 3128 is the default port that the squid http proxy listens on.



Client
====
    # see documentation for more options if needed;
    ./telex-client notblocked.telex.cc
    # now you should be able to use localhost:8888 as an HTTP proxy on your client .
 
from https://github.com/ewust/telex/tree/master/telex-station
https://github.com/ewust/telex 

No comments:

Post a Comment