olli/debian.ansible.tornet.network
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
main
debian.ansible.tornet.network/tornet.yml
olli ecf68d774d invalid policy counters
2024-09-07 18:07:59 +02:00

511 lines
17 KiB
YAML
Raw Permalink Blame History

---
- name: Tornet Debian Linux Setup
hosts: all
tasks:
- name: Packages for tor
apt:
name:
- tor
- tor-geoipdb
- privoxy
- bridge-utils
- ufw
- dnsmasq
- dnscrypt-proxy
- ifupdown
update_cache: no
install_recommends: no
- name: 'remove dnsmasq from startup'
command: systemctl disable dnsmasq
args:
removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service
- name: 'stop dnsmasq'
command: systemctl stop dnsmasq
args:
removes: /run/dnsmasq/dnsmasq.pid
- name: Tor Config
blockinfile:
path: /etc/tor/torrc
create: yes
mode: "0444"
owner: root
group: root
insertbefore: BOF
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
# individual Tor-Config
BridgeRelay 0
SOCKSPort 0.0.0.0:9050
SOCKSPort [::]:9050
ExitPolicy reject *:*
ControlPort 0.0.0.0:9051
ControlPort [::]:9051
HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84
# Seting up TOR transparent proxy for tor-router
#VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 0.0.0.0:9040
TransPort [::]:9040
DNSPort 0.0.0.0:5353
DNSPort [::]:5353
# Falls outgping geblockt wird und nur 80/443 geht
FascistFirewall 1
backup: yes
notify:
- Restart tor
- name: restart tor after acpi sleep/resume
blockinfile:
path: /etc/systemd/system/tor-resume-restart.service
create: yes
mode: "0444"
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
# restart tor after acpi sleep/resume
[Unit]
Description=Restart Tor after acpi resume
After=suspend.target
[Service]
Type=simple
ExecStart=/usr/bin/systemctl --no-block restart tor.service
[Install]
WantedBy=suspend.target
- name: enable restart tor after acpi sleep/resume
command: systemctl enable tor-resume-restart.service
args:
creates: /etc/systemd/system/suspend.target.wants/tor-resume-restart.service
- name: Privoxy Config
blockinfile:
path: /etc/privoxy/config
create: yes
mode: "0444"
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
listen-address 0.0.0.0:3128
listen-address [::1]:3128
# Privoxy-Tor-Connection
forward-socks5t / localhost:9050 .
backup: yes
notify:
- Restart privoxy
- name: Tor bridge
blockinfile:
path: /etc/network/interfaces.d/tornet0
create: yes
mode: "0444"
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
auto tornet0
iface tornet0 inet static
bridge_ports none
address 192.168.43.1
broadcast 192.168.43.255
netmask 255.255.255.0
notify:
- Restart tornet0
- name: start tornet0 if not exists
ansible.builtin.command: ifup tornet0
args:
creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6
- ansible.posix.sysctl:
name: net.ipv6.conf.tornet0.disable_ipv6
value: '1'
state: present
- name: ufw firewall rules for transparent tor proxy in tornet0
blockinfile:
path: /etc/ufw/before.rules
create: yes
mode: "0440"
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0"
insertbefore: BOF
block: |
*nat
#:POSTROUTING ACCEPT - [0:0]
:POSTROUTING ACCEPT
# Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor)
# Activate "normal" routing for non-Internet Networks
-A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE
-A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN
-A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN
-A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN
-A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN
-A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN
-A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN
-A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN
-A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN
-A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN
-A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN
-A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN
-A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN
-A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN
-A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN
-A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN
-A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN
-A PREROUTING -i tornet0 -s 192.168.43.0/24 -p udp --dport 53 -j RETURN
# Redirect all TCP-Connections to transparent Tor-Proxy
-A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040
# Redirect all non TCP-Connections into nirvana because Tor only speaks TCP
-A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1
COMMIT
notify:
- Restart ufw
- name: Allow Routing
community.general.ufw:
rule: allow
route: yes
interface_in: tornet0
- name: Allow all access to tcp port 53/udp (dns)
community.general.ufw:
rule: allow
port: '53'
proto: udp
interface: tornet0
direction: in
- name: Allow access to dhcp server
community.general.ufw:
rule: allow
port: '67'
proto: udp
interface: tornet0
direction: in
- name: Allow access to NTP server
community.general.ufw:
rule: allow
port: '123'
proto: udp
interface: tornet0
direction: in
- name: Allow access to tor
community.general.ufw:
rule: allow
port: '9040'
proto: tcp
interface: tornet0
direction: in
- name: dnsmasq DNS and DHCP for tornet0
blockinfile:
path: /etc/dnsmasq-tornet0.conf
create: yes
mode: "0444"
owner: root
group: root
insertbefore: BOF
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
port=53
interface=tornet0
listen-address=192.168.43.1
bind-interfaces
except-interface=lo
domain-needed
bogus-priv
server=127.0.0.53
dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h
dhcp-option=option:ntp-server,192.168.43.1
log-queries
log-dhcp
notify:
- Restart dnsmasq-tornet0
- name: dnsmasq DNS and DHCP for tornet0 systemd
blockinfile:
path: /etc/systemd/system/dnsmasq-tornet0.service
create: yes
mode: "0444"
owner: root
group: root
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
[Unit]
Description=dnsmasq tornet0 DNS and DHCP
After=network.target
[Service]
Type=forking
ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service
PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
notify:
- Restart dnsmasq-tornet0
- name: 'add dnsmasq-tornet0 to startup'
command: systemctl enable dnsmasq-tornet0
args:
creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service
- name: 'start dnsmasq-tornet0'
command: systemctl start dnsmasq-tornet0
args:
creates: /run/dnsmasq/dnsmasq-tornet0.pid
#### Prepare DNSCRYPT PROXY FOR DoHoT (DNS over HTTPS over Tor)
- name: create blocked-names.txt
command: touch /etc/dnscrypt-proxy/blocked-names.txt
args:
creates: /etc/dnscrypt-proxy/blocked-names.txt
- name: dnscrypt-proxy configfile
copy:
dest: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
mode: "0444"
owner: root
group: root
content: |
# Documentation https://github.com/DNSCrypt/dnscrypt-proxy/wiki
# listen on all interfaces
listen_addresses = ['127.0.0.55:5354']
# DoH server list
server_names = ['doh.mullvad.net-194.242.2.2', 'doh.ffmuc.net-185.150.99.255', 'doh.ffmuc.net-5.1.66.255', 'dns.digitale-gesellschaft.ch-185.95.218.42', 'dns.digitale-gesellschaft.ch-185.95.218.43', 'anycast.uncensoreddns.org-91.239.100.100']
# server names to avoid even if they match all criteria
# disabled_server_names = []
## what kinds of server do we want to resolve from?
doh_servers = true
ipv4_servers = false
ipv6_servers = false
dnscrypt_servers = false
# do we support IPv6 accressing?
block_ipv6 = false
# don't let weird queries & typos leak upstream
block_unqualified = true
block_undelegated = true
# TTL for synthetic responses sent when a request has been blocked
reject_ttl = 600
# request DoH servers which offer DNSSEC / tamperproofing
require_dnssec = true
# we are using tor, so we should not care about logging
require_nolog = false
# request DoH servers that advertise themselves as unfiltered
require_nofilter = true
# use tor
force_tcp = true
proxy = 'socks5://127.0.0.1:9050'
# how long (ms) a DNS query will wait for a response; reasonable max 10s
timeout = 10000
# keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds; default: 30
keepalive = 30
# loadbalancing; p2 strategy, and continuous farming of the list
lb_strategy = 'p2'
lb_estimator = true
# logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb
log_level = 2
use_syslog = false
log_files_max_size = 64
log_files_max_age = 7
log_files_max_backups = 4
# delay, in minutes, after which certificates are reloaded; this also
# drives the latency logger, so we poll/log every hour
cert_refresh_delay = 60
# less linkability / more privacy at slight performance impact;
# see the notes in the above-cited documentation
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]
# for healthcheck, heartbeat and bootstrap, dnscrypt-proxy MUST be
# able to probe the internet, so we must configure our firewall so
# that it is the only one which can use port 53 to the internet;
# dnscrypt-proxy claims that it will only use these services in very
# limited circumstances. Regards option naming, see:
# https://github.com/DNSCrypt/dnscrypt-proxy/commit/c500287498a05b07c3af8effa23a0ba4c42f00f1
fallback_resolvers = ['46.182.19.48:53']
netprobe_address = '46.182.19.48:53'
netprobe_timeout = 60
ignore_system_dns = true
# explicit caching
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600
# I am not configuring this resolver as a local DoH listener, to do so
# requires a TLS certificate and that's a world of pain
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'
# ignored_qtypes = ['DNSKEY', 'NS']
[nx_log]
file = '/var/log/dnscrypt-proxy/nx.log'
[blocked_names]
blocked_names_file = 'blocked-names.txt'
log_file = '/var/log/dnscrypt-proxy/blocked-names.log'
[blocked_ips]
# blocked_ips_file = 'blocked-ips.txt'
# log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'
[allowed_names]
# allowed_names_file = 'allowed-names.txt'
# log_file = '/var/log/dnscrypt-proxy/allowed-names.log'
[allowed_ips]
# allowed_ips_file = 'allowed-ips.txt'
# log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'
# Static DoH DNS Servers from inspired by https://www.kuketz-blog.de/empfehlungsecke/#dns
# Stamps from https://dnscrypt.info/stamps/
[static]
[static.'doh.mullvad.net-194.242.2.2']
stamp = 'sdns://AgcAAAAAAAAACzE5NC4yNDIuMi4yAA9kb2gubXVsbHZhZC5uZXQKL2Rucy1xdWVyeQ'
[static.'doh.ffmuc.net-185.150.99.255']
stamp = 'sdns://AgcAAAAAAAAADjE4NS4xNTAuOTkuMjU1AA1kb2guZmZtdWMubmV0Ci9kbnMtcXVlcnk'
[static.'doh.ffmuc.net-5.1.66.255']
stamp = 'sdns://AgcAAAAAAAAACjUuMS42Ni4yNTUADWRvaC5mZm11Yy5uZXQKL2Rucy1xdWVyeQ'
[static.'dns.digitale-gesellschaft.ch-185.95.218.42']
stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDIAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ'
[static.'dns.digitale-gesellschaft.ch-185.95.218.43']
stamp = 'sdns://AgcAAAAAAAAADTE4NS45NS4yMTguNDMAHGRucy5kaWdpdGFsZS1nZXNlbGxzY2hhZnQuY2gKL2Rucy1xdWVyeQ'
[static.'anycast.uncensoreddns.org-91.239.100.100']
stamp = 'sdns://AgcAAAAAAAAADjkxLjIzOS4xMDAuMTAwABlhbnljYXN0LnVuY2Vuc29yZWRkbnMub3JnCi9kbnMtcXVlcnk'
notify:
- Restart dnscrypt-proxy
- name: 'enable and start dnscrypt-proxy'
command: systemctl enable dnscrypt-proxy --now
args:
creates: /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service
- name: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update
blockinfile:
path: /usr/local/sbin/autoupdate.d/dnscrypt-proxy-blocklist.update
mode: "0400"
owner: root
group: root
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK"
block: |
cd /etc/dnscrypt-proxy
touch blocked-names-local-whitelist.txt
chmod 660 blocked-names-local-whitelist.txt
chown root:sudo blocked-names-local-whitelist.txt
# get hosts blocklist from https://github.com/StevenBlack/hosts
g_runcmd wget https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts -O - | grep "^0\.0\.0\.0 " | cut -d" " -f2 | grep "\." | egrep -v '^\.|\.$' | egrep -v -f blocked-names-local-whitelist.txt >${g_tmp}/blocked-names.txt
numhosts=$(cat ${g_tmp}/blocked-names.txt | wc -l)
if [ "$numhosts" -gt 50000 ]
then
cat ${g_tmp}/blocked-names.txt >blocked-names.txt
else
g_echo_error "Not enough lines in hosts blocklist from https://github.com/StevenBlack/hosts"
fi
touch blocked-names-local-additions.txt
chmod 660 blocked-names-local-additions.txt
chown root:sudo blocked-names-local-additions.txt
[ -s blocked-names-local-additions.txt ] && cat blocked-names-local-additions.txt >>blocked-names.txt
systemctl restart dnscrypt-proxy
# Check for using DoHoT
[ -d /etc/systemd/resolved.conf.d ] || mkdir -p /etc/systemd/resolved.conf.d
if [ -s /etc/dontusedohot ]
then
if [ -e /etc/systemd/resolved.conf.d/DoHoT.conf ]
then
sudo rm -f /etc/systemd/resolved.conf.d/DoHoT.conf
sudo systemctl restart systemd-resolved.service
fi
else
if [ -s /etc/dnscrypt-proxy/blocked-names.txt ]
then
echo "[Resolve]
DNS=127.0.2.1
FallbackDNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de 46.182.19.48 9.9.9.11
DNSOverTLS=opportunistic
Domains=~." | sudo tee /etc/systemd/resolved.conf.d/DoHoT.conf
sudo systemctl restart systemd-resolved.service
fi
fi
cd -
backup: yes
validate: /bin/bash -n %s
handlers:
- name: Restart tornet0
ansible.builtin.shell: ifup tornet0
- name: Restart tor
service:
name: tor
state: restarted
- name: Restart privoxy
service:
name: privoxy
state: restarted
- name: Restart ufw
service:
name: ufw
state: restarted
- name: Restart dnsmasq-tornet0
service:
name: dnsmasq-tornet0
state: restarted
- name: Restart dnscrypt-proxy
service:
name: dnscrypt-proxy
state: restarted
Reference in New Issue View Git Blame Copy Permalink