--- - name: Tornet Debian Linux Setup hosts: all tasks: - name: Packages for tor apt: name: - tor - tor-geoipdb - privoxy - bridge-utils - ufw - dnsmasq - dnscrypt-proxy update_cache: no install_recommends: no - name: 'remove dnsmasq from startup' command: systemctl disable dnsmasq args: removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service - name: 'stop dnsmasq' command: systemctl stop dnsmasq args: removes: /run/dnsmasq/dnsmasq.pid - name: Tor Config blockinfile: path: /etc/tor/torrc create: yes mode: "0444" owner: root group: root insertbefore: BOF marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | # individual Tor-Config BridgeRelay 0 SOCKSPort 0.0.0.0:9050 SOCKSPort [::]:9050 ExitPolicy reject *:* ControlPort 0.0.0.0:9051 ControlPort [::]:9051 HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84 # Seting up TOR transparent proxy for tor-router #VirtualAddrNetwork 10.192.0.0/10 AutomapHostsOnResolve 1 TransPort 0.0.0.0:9040 TransPort [::]:9040 DNSPort 0.0.0.0:5353 DNSPort [::]:5353 # Falls outgping geblockt wird und nur 80/443 geht FascistFirewall 1 backup: yes notify: - Restart tor - name: Privoxy Config blockinfile: path: /etc/privoxy/config create: yes mode: "0444" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | listen-address 0.0.0.0:3128 listen-address [::1]:3128 # Privoxy-Tor-Connection forward-socks5t / localhost:9050 . backup: yes notify: - Restart privoxy - name: Tor bridge blockinfile: path: /etc/network/interfaces.d/tornet0 create: yes mode: "0444" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | auto tornet0 iface tornet0 inet static bridge_ports none address 192.168.43.1 broadcast 192.168.43.255 netmask 255.255.255.0 notify: - Restart tornet0 - name: start tornet0 if not exists ansible.builtin.command: ifup tornet0 args: creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6 - ansible.posix.sysctl: name: net.ipv6.conf.tornet0.disable_ipv6 value: '1' state: present - name: ufw firewall rules for transparent tor proxy in tornet0 blockinfile: path: /etc/ufw/before.rules create: yes mode: "0440" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0" insertbefore: BOF block: | *nat :POSTROUTING ACCEPT - [0:0] # Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor) # Activate "normal" routing for non-Internet Networks -A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE -A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN -A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN -A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN -A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN -A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN -A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN -A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN -A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN -A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN -A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN -A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN -A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN -A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN -A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN -A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN -A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN # Redirect all TCP-Connections to transparent Tor-Proxy -A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040 # Redirect DNS to TorDNS -A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353 # Redirect all non TCP-Connections into nirvana because Tor only speaks TCP -A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1 COMMIT notify: - Restart ufw - name: Allow Routing community.general.ufw: rule: allow route: yes interface_in: tornet0 - name: Allow all access to tcp port 53/udp (dns) community.general.ufw: rule: allow port: '53' proto: udp interface: tornet0 direction: in - name: Allow access to dhcp server community.general.ufw: rule: allow port: '67' proto: udp interface: tornet0 direction: in - name: Allow access to NTP server community.general.ufw: rule: allow port: '123' proto: udp interface: tornet0 direction: in - name: Allow access to tor community.general.ufw: rule: allow port: '9040' proto: tcp interface: tornet0 direction: in - name: dnsmasq DNS and DHCP for tornet0 blockinfile: path: /etc/dnsmasq-tornet0.conf create: yes mode: "0444" owner: root group: root insertbefore: BOF marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | port=53 interface=tornet0 listen-address=192.168.43.1 bind-interfaces except-interface=lo domain-needed bogus-priv server=127.0.0.53 dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h dhcp-option=option:ntp-server,192.168.43.1 log-queries log-dhcp notify: - Restart dnsmasq-tornet0 - name: dnsmasq DNS and DHCP for tornet0 systemd blockinfile: path: /etc/systemd/system/dnsmasq-tornet0.service create: yes mode: "0444" owner: root group: root marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | [Unit] Description=dnsmasq tornet0 DNS and DHCP After=network.target [Service] Type=forking ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid KillMode=process Restart=on-failure [Install] WantedBy=multi-user.target notify: - Restart dnsmasq-tornet0 - name: 'add dnsmasq-tornet0 to startup' command: systemctl enable dnsmasq-tornet0 args: creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service - name: 'start dnsmasq-tornet0' command: systemctl start dnsmasq-tornet0 args: creates: /run/dnsmasq/dnsmasq-tornet0.pid #### Prepare DNSCRYPT PROXY FOR DoHoT (DNS over HTTPS over Tor) - name: create blocked-names.txt command: touch /etc/dnscrypt-proxy/blocked-names.txt args: creates: /etc/dnscrypt-proxy/blocked-names.txt - name: dnscrypt-proxy configfile copy: dest: /etc/dnscrypt-proxy/dnscrypt-proxy.toml mode: "0444" owner: root group: root content: | # Documentation https://github.com/DNSCrypt/dnscrypt-proxy/wiki # listen on all interfaces listen_addresses = ['127.0.0.55:5354'] # DoH server list server_names = ['doh.mullvad.net-194.242.2.2', 'doh.ffmuc.net-185.150.99.255', 'doh.ffmuc.net-5.1.66.255', 'dns.digitale-gesellschaft.ch-185.95.218.42', 'dns.digitale-gesellschaft.ch-185.95.218.43', 'anycast.uncensoreddns.org-91.239.100.100'] # server names to avoid even if they match all criteria # disabled_server_names = [] ## what kinds of server do we want to resolve from? doh_servers = true ipv4_servers = false ipv6_servers = false dnscrypt_servers = false # do we support IPv6 accressing? block_ipv6 = false # don't let weird queries & typos leak upstream block_unqualified = true block_undelegated = true # TTL for synthetic responses sent when a request has been blocked reject_ttl = 600 # request DoH servers which offer DNSSEC / tamperproofing require_dnssec = true # we are using tor, so we should not care about logging require_nolog = false # request DoH servers that advertise themselves as unfiltered require_nofilter = true # use tor force_tcp = true proxy = 'socks5://127.0.0.1:9050' # how long (ms) a DNS query will wait for a response; reasonable max 10s timeout = 10000 # keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds; default: 30 keepalive = 30 # loadbalancing; p2 strategy, and continuous farming of the list lb_strategy = 'p2' lb_estimator = true # logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb log_level = 2 use_syslog = false log_files_max_size = 64 log_files_max_age = 7 log_files_max_backups = 4 # delay, in minutes, after which certificates are reloaded; this also # drives the latency logger, so we poll/log every hour cert_refresh_delay = 60 # less linkability / more privacy at slight performance impact; # see the notes in the above-cited documentation tls_disable_session_tickets = true tls_cipher_suite = [52392, 49199] # for healthcheck, heartbeat and bootstrap, dnscrypt-proxy MUST be # able to probe the internet, so we must configure our firewall so # that it is the only one which can use port 53 to the internet; # dnscrypt-proxy claims that it will only use these services in very # limited circumstances. Regards option naming, see: # https://github.com/DNSCrypt/dnscrypt-proxy/commit/c500287498a05b07c3af8effa23a0ba4c42f00f1 fallback_resolvers = ['46.182.19.48:53'] netprobe_address = '46.182.19.48:53' netprobe_timeout = 60 ignore_system_dns = true # explicit caching cache = true cache_size = 4096 cache_min_ttl = 2400 cache_max_ttl = 86400 cache_neg_min_ttl = 60 cache_neg_max_ttl = 600 # I am not configuring this resolver as a local DoH listener, to do so # requires a TLS certificate and that's a world of pain [query_log] file = '/var/log/dnscrypt-proxy/query.log' # ignored_qtypes = ['DNSKEY', 'NS'] [nx_log] file = '/var/log/dnscrypt-proxy/nx.log' [blocked_names] blocked_names_file = 'blocked-names.txt' log_file = '/var/log/dnscrypt-proxy/blocked-names.log' [blocked_ips] # blocked_ips_file = 'blocked-ips.txt' # log_file = '/var/log/dnscrypt-proxy/blocked-ips.log' [allowed_names] # allowed_names_file = 'allowed-names.txt' # log_file = '/var/log/dnscrypt-proxy/allowed-names.log' [allowed_ips] # allowed_ips_file = 'allowed-ips.txt' # log_file = '/var/log/dnscrypt-proxy/allowed-ips.log' # Static DoH DNS Servers from inspired by https://www.kuketz-blog.de/empfehlungsecke/#dns # Stamps from https://dnscrypt.info/stamps/ [static] [static.'doh.mullvad.net-194.242.2.2'] stamp = 'sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kb2gubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ' [static.'doh.ffmuc.net-185.150.99.255'] stamp = 'sdns://AgcAAAAAAAAADjE4NS4xNTAuOTkuMjU1AA1kb2guZmZtdWMubmV0Ci9kbnMtcXVlcnk' [static.'doh.ffmuc.net-5.1.66.255'] stamp = 'sdns://AgcAAAAAAAAACjUuMS42Ni4yNTUADWRvaC5mZm11Yy5uZXQKL2Rucy1xdWVyeQ' [static.'dns.digitale-gesellschaft.ch-185.95.218.42'] stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDIAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ' [static.'dns.digitale-gesellschaft.ch-185.95.218.43'] stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDMAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ' [static.'anycast.uncensoreddns.org-91.239.100.100'] stamp = 'sdns://AgcAAAAAAAAADjkxLjIzOS4xMDAuMTAwABlhbnljYXN0LnVuY2Vuc29yZWRkbnMub3JnCi9kbnMtcXVlcnk' notify: - Restart dnscrypt-proxy - name: 'enable and start dnscrypt-proxy' command: systemctl enable dnscrypt-proxy --now args: creates: /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service - name: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update blockinfile: path: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update mode: "0400" owner: root group: root create: yes marker: "# {mark} ANSIBLE MANAGED BLOCK" block: | cd /etc/dnscrypt-proxy touch blocked-names-local-whitelist.txt chmod 660 blocked-names-local-whitelist.txt chown root:sudo blocked-names-local-whitelist.txt # get hosts blocklist from https://github.com/StevenBlack/hosts g_runcmd wget https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts -O - | grep "^0\.0\.0\.0 " | cut -d" " -f2 | grep "\." | egrep -v '^\.|\.$' | egrep -v -f blocked-names-local-whitelist.txt >${g_tmp}/blocked-names.txt numhosts=$(cat ${g_tmp}/blocked-names.txt | wc -l) if [ "$numhosts" -gt 50000 ] then cat ${g_tmp}/blocked-names.txt >blocked-names.txt else g_echo_error "Not enough lines in hosts blocklist from https://github.com/StevenBlack/hosts" fi touch blocked-names-local-additions.txt chmod 660 blocked-names-local-additions.txt chown root:sudo blocked-names-local-additions.txt [ -s blocked-names-local-additions.txt ] && cat blocked-names-local-additions.txt >>blocked-names.txt systemctl restart dnscrypt-proxy # Check for using DoHoT [ -d /etc/systemd/resolved.conf.d ] || mkdir -p /etc/systemd/resolved.conf.d if [ -s /etc/dontusedohot ] then if [ -e /etc/systemd/resolved.conf.d/DoHoT.conf ] then sudo rm -f /etc/systemd/resolved.conf.d/DoHoT.conf sudo systemctl restart systemd-resolved.service fi else if [ -s /etc/dnscrypt-proxy/blocked-names.txt ] then echo "[Resolve] DNS=127.0.2.1 FallbackDNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de 46.182.19.48 9.9.9.11 DNSOverTLS=opportunistic Domains=~." | sudo tee /etc/systemd/resolved.conf.d/DoHoT.conf sudo systemctl restart systemd-resolved.service fi fi cd - backup: yes validate: /bin/bash -n %s handlers: - name: Restart tornet0 ansible.builtin.shell: ifup tornet0 - name: Restart tor service: name: tor state: restarted - name: Restart privoxy service: name: privoxy state: restarted - name: Restart ufw service: name: ufw state: restarted - name: Restart dnsmasq-tornet0 service: name: dnsmasq-tornet0 state: restarted - name: Restart dnscrypt-proxy service: name: dnscrypt-proxy state: restarted