--- - name: Tornet Debian Linux Setup hosts: all tasks: - name: Packages for tor apt: name: - tor - tor-geoipdb - privoxy - bridge-utils - ufw - dnsmasq - dnscrypt-proxy update_cache: no install_recommends: no - name: 'remove dnsmasq from startup' command: systemctl disable dnsmasq args: removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service - name: 'stop dnsmasq' command: systemctl stop dnsmasq args: removes: /run/dnsmasq/dnsmasq.pid - name: Tor Config blockinfile: path: /etc/tor/torrc create: yes mode: "0444" owner: root group: root insertbefore: BOF marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | # individual Tor-Config BridgeRelay 0 SOCKSPort 0.0.0.0:9050 SOCKSPort [::]:9050 ExitPolicy reject *:* ControlPort 0.0.0.0:9051 ControlPort [::]:9051 HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84 # Seting up TOR transparent proxy for tor-router #VirtualAddrNetwork 10.192.0.0/10 AutomapHostsOnResolve 1 TransPort 0.0.0.0:9040 TransPort [::]:9040 DNSPort 0.0.0.0:5353 DNSPort [::]:5353 # Falls outgping geblockt wird und nur 80/443 geht FascistFirewall 1 backup: yes notify: - Restart tor - name: Privoxy Config blockinfile: path: /etc/privoxy/config create: yes mode: "0444" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | listen-address 0.0.0.0:3128 listen-address [::1]:3128 # Privoxy-Tor-Connection forward-socks5t / localhost:9050 . backup: yes notify: - Restart privoxy - name: Tor bridge blockinfile: path: /etc/network/interfaces.d/tornet0 create: yes mode: "0444" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | auto tornet0 iface tornet0 inet static bridge_ports none address 192.168.43.1 broadcast 192.168.43.255 netmask 255.255.255.0 notify: - Restart tornet0 - name: start tornet0 if not exists ansible.builtin.command: ifup tornet0 args: creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6 - ansible.posix.sysctl: name: net.ipv6.conf.tornet0.disable_ipv6 value: '1' state: present - name: ufw firewall rules for transparent tor proxy in tornet0 blockinfile: path: /etc/ufw/before.rules create: yes mode: "0440" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0" insertbefore: BOF block: | *nat :POSTROUTING ACCEPT - [0:0] # Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor) # Activate "normal" routing for non-Internet Networks -A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE -A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN -A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN -A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN -A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN -A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN -A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN -A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN -A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN -A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN -A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN -A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN -A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN -A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN -A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN -A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN -A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN # Redirect all TCP-Connections to transparent Tor-Proxy -A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040 # Redirect DNS to TorDNS -A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353 # Redirect all non TCP-Connections into nirvana because Tor only speaks TCP -A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1 COMMIT notify: - Restart ufw - name: Allow Routing community.general.ufw: rule: allow route: yes interface_in: tornet0 - name: Allow all access to tcp port 53/udp (dns) community.general.ufw: rule: allow port: '53' proto: udp interface: tornet0 direction: in - name: Allow access to dhcp server community.general.ufw: rule: allow port: '67' proto: udp interface: tornet0 direction: in - name: Allow access to NTP server community.general.ufw: rule: allow port: '123' proto: udp interface: tornet0 direction: in - name: Allow access to tor community.general.ufw: rule: allow port: '9040' proto: tcp interface: tornet0 direction: in - name: dnsmasq DNS and DHCP for tornet0 blockinfile: path: /etc/dnsmasq-tornet0.conf create: yes mode: "0444" owner: root group: root insertbefore: BOF marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | port=53 interface=tornet0 listen-address=192.168.43.1 bind-interfaces except-interface=lo domain-needed bogus-priv dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h dhcp-option=option:ntp-server,192.168.43.1 log-queries log-dhcp notify: - Restart dnsmasq-tornet0 - name: dnsmasq DNS and DHCP for tornet0 systemd blockinfile: path: /etc/systemd/system/dnsmasq-tornet0.service create: yes mode: "0444" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | [Unit] Description=dnsmasq tornet0 DNS and DHCP After=network.target [Service] Type=forking ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid KillMode=process Restart=on-failure [Install] WantedBy=multi-user.target notify: - Restart dnsmasq-tornet0 - name: 'add dnsmasq-tornet0 to startup' command: systemctl enable dnsmasq-tornet0 args: creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service - name: 'start dnsmasq-tornet0' command: systemctl start dnsmasq-tornet0 args: creates: /run/dnsmasq/dnsmasq-tornet0.pid #### Prepare DNSCRYPT PROXY FOR DoHoT (DNS over HTTPS over Tor) - name: dnscrypt-proxy configfile blockinfile: path: /etc/dnscrypt-proxy/dnscrypt-proxy.toml create: yes mode: "0444" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | # Listen listen_addresses = ['127.0.0.55:5354'] # what kinds of server do we want to resolve from? doh_servers = true ipv4_servers = false ipv6_servers = false dnscrypt_servers = false # do we support IPv6 accressing? Maybe performance issue. block_ipv6 = false # don't let weird queries & typos leak upstream block_unqualified = true block_undelegated = true # TTL for synthetic responses sent when a request has been blocked reject_ttl = 600 # request DoH servers which offer DNSSEC / tamperproofing require_dnssec = true # we are using tor, so we should not care about logging require_nolog = false # request DoH servers that advertise themselves as unfiltered require_nofilter = true # use tor force_tcp = true proxy = 'socks5://127.0.0.1:9050' # how long (ms) a DNS query will wait for a response; reasonable max 10s timeout = 10000 # keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds; default: 30 keepalive = 30 # loadbalancing; p2 strategy, and continuous farming of the list lb_strategy = 'p2' lb_estimator = true # logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb log_level = 2 use_syslog = true log_files_max_size = 64 log_files_max_age = 7 log_files_max_backups = 4 # delay, in minutes, after which certificates are reloaded; this also # drives the latency logger, so we poll/log every hour cert_refresh_delay = 60 # less linkability / more privacy at slight performance impact; # see the notes in the above-cited documentation tls_disable_session_tickets = true tls_cipher_suite = [52392, 49199] # for healthcheck, heartbeat and bootstrap, dnscrypt-proxy MUST be # able to probe the internet, so we must configure our firewall so # that it is the only one which can use port 53 to the internet; # dnscrypt-proxy claims that it will only use these services in very # limited circumstances. Regards option naming, see: # https://github.com/DNSCrypt/dnscrypt-proxy/commit/c500287498a05b07c3af8effa23a0ba4c42f00f1 fallback_resolvers = ['46.182.19.48:53'] netprobe_address = '46.182.19.48:53' netprobe_timeout = 60 ignore_system_dns = true # explicit caching cache = true cache_size = 4096 cache_min_ttl = 2400 cache_max_ttl = 86400 cache_neg_min_ttl = 60 cache_neg_max_ttl = 600 # I am not configuring this resolver as a local DoH listener, to do so # requires a TLS certificate and that's a world of pain [query_log] file = '/var/log/dnscrypt-proxy/query.log' # ignored_qtypes = ['DNSKEY', 'NS'] [nx_log] file = '/var/log/dnscrypt-proxy/nx.log' [blocked_names] # blocked_names_file = 'blocked-names.txt' # log_file = '/var/log/dnscrypt-proxy/blocked-names.log' [blocked_ips] # blocked_ips_file = 'blocked-ips.txt' # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log' [allowed_names] # allowed_names_file = 'allowed-names.txt' # log_file = '/var/log/dnscrypt-proxy/allowed-names.log' [allowed_ips] # allowed_ips_file = 'allowed-ips.txt' # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log' [sources] [sources.'public-resolvers'] [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md'] minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' cache_file = 'public-resolvers.md' [sources.'onion-services'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v3/onion-services.md'] minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' cache_file = 'onion-services.md' notify: - Restart dnscrypt-proxy - name: 'enable and start dnscrypt-proxy' command: systemctl enable dnscrypt-proxy --now args: creates: /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service handlers: - name: Restart tornet0 ansible.builtin.shell: ifup tornet0 - name: Restart tor service: name: tor state: restarted - name: Restart privoxy service: name: privoxy state: restarted - name: Restart ufw service: name: ufw state: restarted - name: Restart dnsmasq-tornet0 service: name: dnsmasq-tornet0 state: restarted - name: Restart dnscrypt-proxy service: name: dnscrypt-proxy state: restarted