Build a slightly better home network solution with VPN + static routing

This is a record of a home network rebuild. The article is short, and the work was a pleasure to do.

In Tuki’s article ” Using Raspberry Pi as a Bypass Gateway to Realize Transparency and Scientific Internet Practice of Home Furnishing “, we saw that domestic and overseas traffic can be split, with overseas addresses automatically sent through the proxy, by combining SS-Tunnel + Unbound + DNSCrypt. That scheme has some drawbacks, though:

  1. A single egress IP (only the SS server’s egress IP): the whole household shares one overseas egress IP all year round, which makes it easy to associate that IP back to the user
  2. Lots of iptables + ipset rules, which are hard to debug
  3. It easily interferes with existing services (e.g. the iptables rules may interfere with WireGuard)
  4. Tools like traceroute are completely unusable because of the iptables redirection

To solve the problems above, the plan is:

  1. Abandon the single-IP egress and use a dynamic egress (such as a commercial VPN, someone else’s VPS, a friend’s home, VPNGate or similar)
  2. Replace ss-tunnel + iptables with VPN + static routing
  3. Replace Unbound + DNSCrypt with plain Unbound forwarding to the upstream DNS server over the VPN. Unbound still has to tell domestic domain names apart and resolve those through the domestic upstream

The approximate structure is as follows:

Make OpenVPN file

Here, for the convenience of demonstration, I use OpenVPN as an example.

If you’re in an area where OpenVPN can’t get through… (then you should fix this yourself before moving on)

Once we have an OpenVPN file, since the tunnel will be shared with the whole LAN, the first thing to do is exclude the intranet address ranges from it; otherwise it gets embarrassing, because your SSH session drops the moment the VPN connects. This is simple: add the following lines to the file:

 route 127.0.0.1 255.255.255.255 net_gateway
 route 192.168.0.0 255.255.0.0 net_gateway
 route 172.16.0.0 255.255.0.0 net_gateway

Also, to keep connections belonging to your own services (for example the one that carries your OpenVPN connection) from being cut off, exclude the corresponding IP as well:

 route 22.33.44.55 255.255.255.255 net_gateway

Now intranet IPs and a few special IPs no longer enter the VPN tunnel. The next step is to keep domestic IPs out of the tunnel too (they should leave through the default gateway). Here we use https://github.com/fivesheep/chnroutes to obtain the domestic IP ranges:

 wget https://raw.githubusercontent.com/fivesheep/chnroutes/master/chnroutes.py
 python2 chnroutes.py

This script generates a routes.txt from the Chinese IP ranges registered with APNIC, in a format like:

 route 1.0.1.0 255.255.255.0 net_gateway 5
 route 1.0.2.0 255.255.254.0 net_gateway 5
 route 1.0.8.0 255.255.248.0 net_gateway 5
 route 1.0.32.0 255.255.224.0 net_gateway 5
 route 1.1.0.0 255.255.255.0 net_gateway 5
 route 1.1.2.0 255.255.254.0 net_gateway 5

Simply paste the whole file onto the end of the OVPN file. If you later need to keep another IP out of the tunnel, add a record in the same format and restart OpenVPN.
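As an added example (not code from the original post or from the chnroutes project), the Python below does the two things the steps above depend on: it turns APNIC allocation records into OpenVPN `route ... net_gateway` lines the way chnroutes does, and it simulates the longest-prefix-match decision the router makes for a destination once those lines and the intranet exclusions are loaded. The APNIC rows are constructed, `VPN_GATEWAY` is an assumed label for OpenVPN’s redirect-gateway default, and all function names are mine. Running the article’s own exclusion lines through it also surfaces a caveat worth checking on your LAN: `172.16.0.0 255.255.0.0` only covers 172.16.0.0/16, so a LAN in 172.17.x to 172.31.x would still be pushed into the tunnel; the full RFC 1918 block is 172.16.0.0/12 (mask 255.240.0.0).

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the APNIC delegated-file format (registry|cc|type|start|count|date|status)
# that chnroutes.py reads; only CN ipv4 rows become routes.
SAMPLE_APNIC = """\
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110414|allocated
apnic|CN|ipv4|1.0.32.0|8192|20110414|allocated
"""

# The intranet exclusions exactly as written in the article.
INTRANET_EXCLUSIONS = [
    "route 127.0.0.1 255.255.255.255 net_gateway",
    "route 192.168.0.0 255.255.0.0 net_gateway",
    "route 172.16.0.0 255.255.0.0 net_gateway",
]

# Assumed label for "everything else goes into the tunnel" (OpenVPN redirect-gateway).
VPN_GATEWAY = "vpn_gateway"


def cn_routes_from_apnic(text: str, metric: int = 5) -> List[str]:
    """Convert CN ipv4 allocation rows into OpenVPN route directives (what chnroutes emits)."""
    routes = []
    for row in text.splitlines():
        parts = row.split("|")
        if len(parts) < 5 or parts[1] != "CN" or parts[2] != "ipv4":
            continue
        start, count = parts[3], int(parts[4])
        if count & (count - 1):
            raise ValueError(f"allocation size {count} is not a power of two: {row}")
        prefix = 32 - (count.bit_length() - 1)  # 256 -> /24, 512 -> /23, 8192 -> /19
        net = ipaddress.ip_network(f"{start}/{prefix}", strict=False)
        routes.append(f"route {net.network_address} {net.netmask} net_gateway {metric}")
    return routes


def parse_routes(lines: List[str]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Parse 'route <net> <mask> <gateway> [metric]' lines into (network, gateway) pairs."""
    parsed = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "route":
            continue  # other OVPN directives are ignored
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        parsed.append((net, parts[3]))
    return parsed


def gateway_for(dst: str, routes: List[Tuple[ipaddress.IPv4Network, str]]) -> str:
    """Longest-prefix match: the most specific matching route wins, else the tunnel default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else VPN_GATEWAY


def build_table() -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Exclusions plus generated CN routes, in the order they would sit in the OVPN file."""
    return parse_routes(INTRANET_EXCLUSIONS + cn_routes_from_apnic(SAMPLE_APNIC))


if __name__ == "__main__":
    table = build_table()
    for ip in ("192.168.1.10", "172.16.5.5", "172.20.0.1", "1.0.1.5", "1.0.16.1", "8.8.8.8"):
        print(f"{ip:>14} -> {gateway_for(ip, table)}")
```

The generated lines for the constructed rows match the first, second and fourth lines of the routes.txt sample above, which is a quick way to confirm the mask arithmetic before pasting 8000+ lines into a config. Note that `172.20.0.1` resolves to the tunnel with the article’s exclusions, while `172.16.5.5` does not.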

At this point the OpenVPN file is ready. If, like me, you use Ubuntu as the router, copy the some-vpn.ovpn file to /etc/openvpn/some-vpn.conf on the router, then:

 systemctl start openvpn@some-vpn
 iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Your router should now be sending traffic out through the tunnel. Set a computer’s gateway to the router’s IP and test to see the effect:

 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
  1  _gateway (192.168.233.200)  0.347 ms  0.331 ms  *
  2  * * *
  3  * * *
  4  * * *
  5  * * *
  6  * * * (**.**.**.**)  236.233 ms
  7  * * * (**.**.**.**)  231.722 ms
  8  * * * (**.**.**.**)  190.069 ms
  9  cloudflare-sgp.cdn77.com (45.134.215.21)  132.932 ms  *  187.737 ms
 10  172.70.140.5 (172.70.140.5)  187.430 ms  162.158.168.4 (162.158.168.4)  185.075 ms  192.811 ms
 11  one.one.one.one (1.1.1.1)  192.735 ms  191.321 ms  194.676 ms

If you want the tunnel IP to rotate dynamically, Tor-style, consider putting several OpenVPN server IPs behind one domain name and restarting OpenVPN periodically.

Unbound DNS

The next step is to set up DNS, which is straightforward. You can follow the article ” Using Raspberry Pi as a Bypass Gateway to Realize the Practice of Global Transparent and Scientific Internet Access in the Home “ directly, except that forward-zone can now point at a sensible upstream address, such as 1.1.1.1:

 forward-zone:
     name: "."
     forward-addr: 1.1.1.1
     forward-first: no

DHCP

After the steps above, modify the router’s DHCP settings so that it hands out this machine’s IP as both the gateway and the DNS server.

With the above steps, you should now have:

  1. DNS free of pollution
  2. A network that automatically splits domestic and overseas traffic
  3. A shared public egress, which reduces some IP-based association

Monitoring

Don’t run blind: set up monitoring as soon as the service is up, and monitor at least the following:

  1. Latency from the router to the VPN egress
  2. Latency from the router to a fixed public IP (such as 1.1.1.1), used for comparison against the latency to the egress
  3. Latency from the router to a fixed public IP that bypasses the VPN (such as 101.6.6.6), used as a reference for the domestic network condition

With monitoring in place, we can see how network quality varies over time.
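As an added example (not from the original post), the Python below probes the three targets listed above with Linux iputils `ping`, parses the summary into loss and average RTT, and computes how much latency the tunnel adds on top of the path to the egress itself. The two ping transcripts are constructed so the parser’s success and total-loss cases can be seen offline; `VPN_EXIT_IP_PLACEHOLDER` must be replaced with your tunnel’s remote endpoint, and the function names and log-line format are my own choices, not anything from the article.

```python
import re
import subprocess
import time
from typing import Dict, List, Optional

# The three probes the article recommends. VPN_EXIT_IP_PLACEHOLDER stands in for the
# tunnel's remote endpoint; the other two are the public IPs the article names.
TARGETS = {
    "exit": "VPN_EXIT_IP_PLACEHOLDER",   # router -> VPN egress
    "via_tunnel": "1.1.1.1",             # fixed public IP reached through the tunnel
    "domestic": "101.6.6.6",             # fixed public IP reached via the default gateway
}

# Constructed samples of Linux iputils ping output: one healthy run, one with every probe lost.
PING_OK = """\
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=190 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=191 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=55 time=194 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 189.123/191.456/194.000/1.900 ms
"""
PING_DOWN = """\
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2040ms
"""

RTT_RE = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms")
LOSS_RE = re.compile(r"(\d+)% packet loss")


def parse_ping(output: str) -> Dict[str, Optional[float]]:
    """Return loss percentage and average RTT in ms (None when no reply came back)."""
    loss = LOSS_RE.search(output)
    rtt = RTT_RE.search(output)
    return {
        "loss_pct": int(loss.group(1)) if loss else 100,
        "avg_ms": float(rtt.group(1)) if rtt else None,
    }


def ping(host: str, count: int = 3, timeout_s: int = 2) -> Dict[str, Optional[float]]:
    """Run iputils ping (-c count, -W per-reply timeout in seconds) and parse its summary."""
    proc = subprocess.run(["ping", "-c", str(count), "-W", str(timeout_s), host],
                          capture_output=True, text=True)
    return parse_ping(proc.stdout)


def tunnel_overhead_ms(exit_avg: Optional[float], tunnel_avg: Optional[float]) -> Optional[float]:
    """Latency the tunnel adds beyond the path to the egress; None if either probe failed."""
    if exit_avg is None or tunnel_avg is None:
        return None
    return round(tunnel_avg - exit_avg, 3)


def format_row(ts: int, name: str, host: str, result: Dict[str, Optional[float]]) -> str:
    """One space-separated log line per probe, easy to grep or feed into a time-series tool."""
    return f"{ts} {name} {host} loss={result['loss_pct']}% avg_ms={result['avg_ms']}"


def collect(targets: Dict[str, str] = TARGETS) -> List[str]:
    """Probe every target once and return the log lines for this sample."""
    ts = int(time.time())
    return [format_row(ts, name, host, ping(host)) for name, host in targets.items()]


if __name__ == "__main__":
    for row in collect():
        print(row)
```

Run it from cron every few minutes and append the output to a file; the `domestic` probe only means what the article intends if 101.6.6.6 is covered by the chnroutes entries (as a Chinese address it should be), otherwise it silently measures the tunnel as well. A sustained rise in `tunnel_overhead_ms` with a flat `domestic` line points at the VPN path, while both rising together points at the local uplink.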

Postscript

Only after using OpenVPN did I learn how much overhead it has, and I also came to appreciate that, even in areas with a normal network, dialing a VPN across continents is a very poor experience. If your existing egress is in Japan, don’t make yourself miserable by dialing a Swedish VPN (unless you have some special tunnel).

A Raspberry Pi doesn’t seem well suited as this kind of tunnel router: adding the 8000+ routes from routes.txt is very slow (starting the VPN and applying the route changes can take at least 20 minutes), and I don’t know why.

References & Further Reading

  1. Using Raspberry Pi as a bypass gateway to achieve global transparency and scientific Internet practice in the home
  2. Connect to OpenVPN over Shadowsocks
  3. Setting up Ubuntu Server 16.04 as Gateway for OpenVPN Connection

This article is reprinted from https://nova.moe/a-better-vpned-home-network/
This site is for inclusion only, and the copyright belongs to the original author.
