I hate ads, but I buy into them all the time. I saw an ad for MGTS at the entrance – 500 megabits for 500 rubles a month, real IP, IPv6. Of the minuses – just the need to drill a wall and hang someone else’s router in the apartment. I think we need to take it – we’ll figure it out somehow. (Actually not, but more on that later). A gigabit router with WiFi 802.11ac (5GHz), but without the possibility of modifying the firmware, installing software and with minimal configuration options via the web interface. The task is to configure a VPN with a different network and transparent use of resources from the onion network (The Onion Router aka TOR) for clients using your server in the local network.
I think this article will not be enough for a complete guide. People have too different capabilities and needs – different hardware. Rather, some signpost of the way to go. For example, for the server, you can use the popular raspberries… Perhaps even with pi-hole… For example, I installed an inexpensive x86 server with a processor soldered on the motherboard, installed ubuntu and use it, including as a file, home assistant, web and application server.
In general, I wanted to be able to use the WiFi interfaces of the router, as well as for the clients of the local network to get transparent access to some resources via vpn or tor without additional configuration on the client side. And I didn’t want to unnecessarily pass all traffic through a third-party server – I wanted normal Internet traffic to go directly to the router, and the special one (tor, vpn) was processed by the server. I decided that I would disable DHCP and DNS server on the router, put DHCP on my server, which will announce the correct routes via DHCP and on which dns, vpn and tor daemon will run. With vpn everything is clear – if another local network has different addresses, then you just need to configure routing. For transparent access to resources through the onion router, I decided to use the dnsmasq + tor.VirtualAddrNetwork + tor.DNS bundle. We configure dnsmasq for the predefined domains from the list so that it uses tor to resolve them. After that, domains from the onion network will have specific addresses from a special dedicated range of private addresses and you can use normal routing rules to redirect this traffic to tor.TransPort using iptables rules. I used wireguard to connect local networks via vpn. In another LAN, there is a regular router with padavan + entware firmware.
Key parameters of my configuration:
Local network – 192.168.2.0/24. The router has a static white IP
Another local network (which we can access via vpn) – 192.168.3.0/24
Router – 192.168.2.1
Ubuntu server is 192.168.2.4, ethernet interface name is enp1s0
private network (VirtualAddrNetwork) – 10.254.0.0/16
dns server (DNSPort) – 127.0.0.1:9053
transparent proxy address (TransPort) – 0.0.0.0:9040
dnscrypt-proxy (DoH) address – 127.0.0.1:9153
wireguard device network (private range of IP addresses from which addresses are assigned to wireguard interfaces) – 10.253.1.0/24
server wireguard address – 10.253.1.2
android client – 10.253.1.10
vpn server of another LAN – 10.253.1.3
My server is a regular x86 with Ubuntu 20.04 LTS.
Install packages (
apt install <packet>):
iptables-persistent– saving and restoring iptables rules
dnsmasq– DNS + DHCP server
dnscrypt-proxy– DoH DNS client
systemd + netplan.io– were installed by default and are used to configure the network interface
Configuring a static network interface – /etc/netplan/eth0-static.yaml and run
netplan apply to apply the changes.
To enable routing, set the kernel parameters:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
and edit the file /etc/sysctl.conf to save changes after reboot.
Set up iptables – for the filter table, set the default policy ACCEPT for the INPUT and FORWARD chains – /etc/iptables/rules.v4… And reload the rules
netfilter-persistent start or
iptables-restore < /etc/iptables/rules.v4…
We register local devices in /etc/dnsmasq.d/src/lan_hosts.csv.i to set fixed IP addresses.
Domains for access to which we will use tor are registered in /etc/dnsmasq.d/src/dns_tor_domains.txt.i
DHCP option is used to announce routes classless-static-route and microsoft-classless-static-route – 249 (just in case). In principle, one could try and not disable the DHCP server on the router, but simply announce additional routes. The problem occurred on the Android phone Xiaomi Mi 9T. He did not use DHCP routes, he used only one default route. Not sure if all androids have such a problem. I had to make special settings for androids and redirect all traffic from android clients to the server.
Special settings for android – there are no routes, the server is used as the main router.
To apply the settings, run `dnsmasq_reconfig.sh`- is described in more detail in the section” Updating the configuration “.
File / etc / tor / torrc:
Port for socks5 proxy – SocksPort
We prohibit weekend nodes in some countries – ExcludeExitNodes
Port for transparent proxy – TransPort
DNS port – DNSPort
The private range of addresses from which IPs will be assigned for the servers to which we will go through tor – VirtualAddrNetwork
A list of domains that we will resolve through tor and that will have addresses from our private range (see. VirtualAddrNetwork) – AutomapHostsSuffixes – configurable by script dnsmasq_reconfig.sh and saved to /etc/tor/hosts_suffixes.cfg file.
For implementation we use dnscrypt-proxy. To install, we perform
apt install dnscrypt-proxy…
Note: I slightly changed the way dnscrypt-proxy was started because it seemed to me that it did not work for me. In the default settings, it runs through systemd.socket – that is, the port listens to systemd and starts dnscrypt-proxy when needed. I changed the configuration. In my configuration, I run dnscrypt-proxy directly. The port is listening on dnscrypt-proxy. I don’t think it’s necessary. To change the port in the default configuration – when dnscrypt is activated via systemd.socket, you need to execute
systemctl edit dnscrypt-proxy.socket and install
The file should appear /etc/systemd/system/dnscrypt-proxy.socket.d/override.conf
Add the domain to which we want to go through tor to the file /etc/dnsmasq.d/src/dns_tor_domains.txt.i
Add the static address of the local network device to the file /etc/dnsmasq.d/src/lan_hosts.csv.i
Run the script dnsmasq_reconfig.shwhich will generate configuration files for dnsmasq (/etc/dnsmasq.d/ lan_hosts.cfg.i, resolv.conf.i), tor (/etc/tor/hosts_suffixes.cfg) and everything will restart to update the configuration.
Flushing DNS cache
Let’s say you went to the site directly, but looked and decided that it was worth going through tor. Just updating the configuration is not enough – caching DNS addresses in different places. Therefore, after updating the configuration, the caches must be reset.
On a Linux client with systemd-resolve, run
sudo systemd-resolve --flush-caches…
On a windows client, run
ipconfig /flushdns at the command prompt with administrator rights.
In google chrome, open the page
chrome://net-internals/#dns and reset the browser cache.
Wireguard VPN setup
I plan to write about setting up wireguard in the next article.
Well, and finally I will write why all this turned out to be unnecessary
First, at some point MGTS took away the real IP and put everyone behind NAT. For some reason, at this moment the corporate VPN fell off and the support service recommended connecting a dedicated IP.
Secondly, after connecting the dedicated IP, IPv6 stopped working. The support service reported that MGTS, in principle, never supported IPv6. Well, that is, IPv6 seems to work, but it is not guaranteed to work. On the forums there is an explanation on this topic – like they allocate a static IP, but they cannot allocate a static IP, and in order not to confuse anyone when connecting a static IP, they stupidly chop off v6.
The tariff was increased by 100 rubles, but this is the lesser of evils, it doesn’t even count.
Thirdly, the support of MGTS is terrible. At first I had a sercomm rv6699 router – everything seemed to work more or less. And it was not a bad option – there was telnet and access to iptables. They even say it you can reflash… There was a jamb – it was impossible to reach the external IP address from the local network via http and https – but this was solved by deleting two iptables rules. But then I decided to assign a fixed channel of the WiFi 5GHz network. The channel was not assigned – I started jumping, I turned to technical support and they replaced my router with a ZTE ZXHN F680. And that turned out to be the complete end. It did not forward DHCP packets from the local network to WiFi. I could no longer use my scheme. Technical support was sent with the conclusion “in the default configuration, the pages are loaded, everything else is not our problem.” I thought I might try to use DNS from the router, but there is absolutely slag. The maximum can be configured – 10 static addresses in the local network. Static and dynamic addresses must be in the same range. In general, the WiFi router is not used.
Fourth, MGTS has full access to your router. And to have a third party, or rather even a whole company, on your local network is somehow even unhygienic.
Conclusion – you can also MGTS, but turn off WiFi and put the router in bridge mode (not the fact that this can be done, not the fact that it will not fly off after a non-disconnected auto-update, not the fact that it will not be prohibited).
They say that Sercomm RV6699 v4 router you can reflash… I wanted to try it, but I can’t – I don’t have this router anymore – it was replaced with ZTE ZXHN F680.
More they say that you can buy a box for less than 1.5 thousand rubles and it will work as a bridge – I think that’s a good option.