411 lines
13 KiB
YAML
411 lines
13 KiB
YAML
---
|
|
- name: Tornet Debian Linux Setup
|
|
hosts: all
|
|
tasks:
|
|
|
|
- name: Packages for tor
|
|
apt:
|
|
name:
|
|
- tor
|
|
- tor-geoipdb
|
|
- privoxy
|
|
- bridge-utils
|
|
- ufw
|
|
- dnsmasq
|
|
- dnscrypt-proxy
|
|
update_cache: no
|
|
install_recommends: no
|
|
|
|
- name: 'remove dnsmasq from startup'
|
|
command: systemctl disable dnsmasq
|
|
args:
|
|
removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service
|
|
|
|
- name: 'stop dnsmasq'
|
|
command: systemctl stop dnsmasq
|
|
args:
|
|
removes: /run/dnsmasq/dnsmasq.pid
|
|
|
|
- name: Tor Config
|
|
blockinfile:
|
|
path: /etc/tor/torrc
|
|
create: yes
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
insertbefore: BOF
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
# individual Tor-Config
|
|
BridgeRelay 0
|
|
SOCKSPort 0.0.0.0:9050
|
|
SOCKSPort [::]:9050
|
|
ExitPolicy reject *:*
|
|
ControlPort 0.0.0.0:9051
|
|
ControlPort [::]:9051
|
|
HashedControlPassword 16:F7222A0CBC254E536056DCBBD27A7D051D68BCF1E9020681C0A3656B84
|
|
# Seting up TOR transparent proxy for tor-router
|
|
#VirtualAddrNetwork 10.192.0.0/10
|
|
AutomapHostsOnResolve 1
|
|
TransPort 0.0.0.0:9040
|
|
TransPort [::]:9040
|
|
DNSPort 0.0.0.0:5353
|
|
DNSPort [::]:5353
|
|
# Falls outgping geblockt wird und nur 80/443 geht
|
|
FascistFirewall 1
|
|
backup: yes
|
|
notify:
|
|
- Restart tor
|
|
|
|
- name: Privoxy Config
|
|
blockinfile:
|
|
path: /etc/privoxy/config
|
|
create: yes
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
listen-address 0.0.0.0:3128
|
|
listen-address [::1]:3128
|
|
# Privoxy-Tor-Connection
|
|
forward-socks5t / localhost:9050 .
|
|
backup: yes
|
|
notify:
|
|
- Restart privoxy
|
|
|
|
- name: Tor bridge
|
|
blockinfile:
|
|
path: /etc/network/interfaces.d/tornet0
|
|
create: yes
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
auto tornet0
|
|
iface tornet0 inet static
|
|
bridge_ports none
|
|
address 192.168.43.1
|
|
broadcast 192.168.43.255
|
|
netmask 255.255.255.0
|
|
notify:
|
|
- Restart tornet0
|
|
|
|
- name: start tornet0 if not exists
|
|
ansible.builtin.command: ifup tornet0
|
|
args:
|
|
creates: /proc/sys/net/ipv6/conf/tornet0/disable_ipv6
|
|
|
|
- ansible.posix.sysctl:
|
|
name: net.ipv6.conf.tornet0.disable_ipv6
|
|
value: '1'
|
|
state: present
|
|
|
|
- name: ufw firewall rules for transparent tor proxy in tornet0
|
|
blockinfile:
|
|
path: /etc/ufw/before.rules
|
|
create: yes
|
|
mode: "0440"
|
|
owner: root
|
|
group: root
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK for tornet0"
|
|
insertbefore: BOF
|
|
block: |
|
|
*nat
|
|
:POSTROUTING ACCEPT - [0:0]
|
|
# Route network 192.168.43.0/24 (tornet0) to transparent Tor-Proxy (udp not supported by Tor)
|
|
# Activate "normal" routing for non-Internet Networks
|
|
-A POSTROUTING -s 192.168.43.0/24 -j MASQUERADE
|
|
-A PREROUTING -i tornet0 -d 127.0.0.0/8 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 10.0.0.0/8 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 192.168.0.0/16 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 172.16.0.0/12 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 0.0.0.0/8 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 100.64.0.0/10 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 169.254.0.0/16 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 192.0.0.0/24 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 192.0.2.0/24 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 192.88.99.0/24 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 198.18.0.0/15 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 198.51.100.0/24 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 203.0.113.0/24 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 224.0.0.0/4 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 240.0.0.0/4 -j RETURN
|
|
-A PREROUTING -i tornet0 -d 255.255.255.255/32 -j RETURN
|
|
# Redirect all TCP-Connections to transparent Tor-Proxy
|
|
-A PREROUTING -i tornet0 -s 192.168.43.0/24 -p tcp --syn -j REDIRECT --to-ports 9040
|
|
# Redirect DNS to TorDNS
|
|
-A PREROUTING -i tornet0 -s 192.168.43.0/24 -d 192.168.43.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
|
|
# Redirect all non TCP-Connections into nirvana because Tor only speaks TCP
|
|
-A PREROUTING -i tornet0 -s 192.168.43.0/24 ! -p tcp -j DNAT --to 127.0.0.1:1
|
|
COMMIT
|
|
notify:
|
|
- Restart ufw
|
|
|
|
- name: Allow Routing
|
|
community.general.ufw:
|
|
rule: allow
|
|
route: yes
|
|
interface_in: tornet0
|
|
|
|
- name: Allow all access to tcp port 53/udp (dns)
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '53'
|
|
proto: udp
|
|
interface: tornet0
|
|
direction: in
|
|
|
|
- name: Allow access to dhcp server
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '67'
|
|
proto: udp
|
|
interface: tornet0
|
|
direction: in
|
|
|
|
- name: Allow access to NTP server
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '123'
|
|
proto: udp
|
|
interface: tornet0
|
|
direction: in
|
|
|
|
- name: Allow access to tor
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '9040'
|
|
proto: tcp
|
|
interface: tornet0
|
|
direction: in
|
|
|
|
- name: dnsmasq DNS and DHCP for tornet0
|
|
blockinfile:
|
|
path: /etc/dnsmasq-tornet0.conf
|
|
create: yes
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
insertbefore: BOF
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
port=53
|
|
interface=tornet0
|
|
listen-address=192.168.43.1
|
|
bind-interfaces
|
|
except-interface=lo
|
|
domain-needed
|
|
bogus-priv
|
|
dhcp-range=192.168.43.100,192.168.43.200,255.255.255.0,12h
|
|
dhcp-option=option:ntp-server,192.168.43.1
|
|
log-queries
|
|
log-dhcp
|
|
notify:
|
|
- Restart dnsmasq-tornet0
|
|
|
|
- name: dnsmasq DNS and DHCP for tornet0 systemd
|
|
blockinfile:
|
|
path: /etc/systemd/system/dnsmasq-tornet0.service
|
|
create: yes
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
[Unit]
|
|
Description=dnsmasq tornet0 DNS and DHCP
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=forking
|
|
ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-tornet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-tornet0.conf --local-service
|
|
PIDFile=/run/dnsmasq/dnsmasq-tornet0.pid
|
|
KillMode=process
|
|
Restart=on-failure
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
notify:
|
|
- Restart dnsmasq-tornet0
|
|
|
|
- name: 'add dnsmasq-tornet0 to startup'
|
|
command: systemctl enable dnsmasq-tornet0
|
|
args:
|
|
creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-tornet0.service
|
|
|
|
- name: 'start dnsmasq-tornet0'
|
|
command: systemctl start dnsmasq-tornet0
|
|
args:
|
|
creates: /run/dnsmasq/dnsmasq-tornet0.pid
|
|
|
|
#### Prepare DNSCRYPT PROXY FOR DoHoT (DNS over HTTPS over Tor)
|
|
|
|
- name: dnscrypt-proxy configfile
|
|
blockinfile:
|
|
path: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
|
|
create: yes
|
|
mode: "0444"
|
|
owner: root
|
|
group: root
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
block: |
|
|
|
|
# Listen
|
|
listen_addresses = ['127.0.0.55:5354']
|
|
|
|
# what kinds of server do we want to resolve from?
|
|
doh_servers = true
|
|
ipv4_servers = false
|
|
ipv6_servers = false
|
|
dnscrypt_servers = false
|
|
|
|
# do we support IPv6 accressing? Maybe performance issue.
|
|
block_ipv6 = false
|
|
|
|
# don't let weird queries & typos leak upstream
|
|
block_unqualified = true
|
|
block_undelegated = true
|
|
|
|
# TTL for synthetic responses sent when a request has been blocked
|
|
reject_ttl = 600
|
|
|
|
# request DoH servers which offer DNSSEC / tamperproofing
|
|
require_dnssec = true
|
|
|
|
# we are using tor, so we should not care about logging
|
|
require_nolog = false
|
|
|
|
# request DoH servers that advertise themselves as unfiltered
|
|
require_nofilter = true
|
|
|
|
# use tor
|
|
force_tcp = true
|
|
proxy = 'socks5://127.0.0.1:9050'
|
|
|
|
# how long (ms) a DNS query will wait for a response; reasonable max 10s
|
|
timeout = 10000
|
|
|
|
# keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds; default: 30
|
|
keepalive = 30
|
|
|
|
# loadbalancing; p2 strategy, and continuous farming of the list
|
|
lb_strategy = 'p2'
|
|
lb_estimator = true
|
|
|
|
# logging: approx 1 month of weekly logs, capped-out/force-rotated at 64Mb
|
|
log_level = 2
|
|
use_syslog = true
|
|
log_files_max_size = 64
|
|
log_files_max_age = 7
|
|
log_files_max_backups = 4
|
|
|
|
# delay, in minutes, after which certificates are reloaded; this also
|
|
# drives the latency logger, so we poll/log every hour
|
|
cert_refresh_delay = 60
|
|
|
|
# less linkability / more privacy at slight performance impact;
|
|
# see the notes in the above-cited documentation
|
|
tls_disable_session_tickets = true
|
|
tls_cipher_suite = [52392, 49199]
|
|
|
|
# for healthcheck, heartbeat and bootstrap, dnscrypt-proxy MUST be
|
|
# able to probe the internet, so we must configure our firewall so
|
|
# that it is the only one which can use port 53 to the internet;
|
|
# dnscrypt-proxy claims that it will only use these services in very
|
|
# limited circumstances. Regards option naming, see:
|
|
# https://github.com/DNSCrypt/dnscrypt-proxy/commit/c500287498a05b07c3af8effa23a0ba4c42f00f1
|
|
fallback_resolvers = ['46.182.19.48:53']
|
|
netprobe_address = '46.182.19.48:53'
|
|
netprobe_timeout = 60
|
|
ignore_system_dns = true
|
|
|
|
# explicit caching
|
|
cache = true
|
|
cache_size = 4096
|
|
cache_min_ttl = 2400
|
|
cache_max_ttl = 86400
|
|
cache_neg_min_ttl = 60
|
|
cache_neg_max_ttl = 600
|
|
|
|
# I am not configuring this resolver as a local DoH listener, to do so
|
|
# requires a TLS certificate and that's a world of pain
|
|
|
|
[query_log]
|
|
file = '/var/log/dnscrypt-proxy/query.log'
|
|
# ignored_qtypes = ['DNSKEY', 'NS']
|
|
|
|
[nx_log]
|
|
file = '/var/log/dnscrypt-proxy/nx.log'
|
|
|
|
[blocked_names]
|
|
# blocked_names_file = 'blocked-names.txt'
|
|
# log_file = '/var/log/dnscrypt-proxy/blocked-names.log'
|
|
|
|
[blocked_ips]
|
|
# blocked_ips_file = 'blocked-ips.txt'
|
|
# log_file = '/var/log/dnscrypt-proxy/blocked-ips.log'
|
|
|
|
[allowed_names]
|
|
# allowed_names_file = 'allowed-names.txt'
|
|
# log_file = '/var/log/dnscrypt-proxy/allowed-names.log'
|
|
|
|
[allowed_ips]
|
|
# allowed_ips_file = 'allowed-ips.txt'
|
|
# log_file = '/var/log/dnscrypt-proxy/allowed-ips.log'
|
|
|
|
[sources]
|
|
|
|
[sources.'public-resolvers']
|
|
|
|
|
|
[sources.'public-resolvers']
|
|
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
|
|
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
cache_file = 'public-resolvers.md'
|
|
|
|
[sources.'onion-services']
|
|
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/onion-services.md', 'https://download.dnscrypt.info/resolvers-list/v3/onion-services.md']
|
|
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
|
|
cache_file = 'onion-services.md'
|
|
|
|
notify:
|
|
- Restart dnscrypt-proxy
|
|
|
|
- name: 'enable and start dnscrypt-proxy'
|
|
command: systemctl enable dnscrypt-proxy --now
|
|
args:
|
|
creates: /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service
|
|
|
|
|
|
handlers:
|
|
|
|
- name: Restart tornet0
|
|
ansible.builtin.shell: ifup tornet0
|
|
|
|
- name: Restart tor
|
|
service:
|
|
name: tor
|
|
state: restarted
|
|
|
|
- name: Restart privoxy
|
|
service:
|
|
name: privoxy
|
|
state: restarted
|
|
|
|
- name: Restart ufw
|
|
service:
|
|
name: ufw
|
|
state: restarted
|
|
|
|
- name: Restart dnsmasq-tornet0
|
|
service:
|
|
name: dnsmasq-tornet0
|
|
state: restarted
|
|
|
|
- name: Restart dnscrypt-proxy
|
|
service:
|
|
name: dnscrypt-proxy
|
|
state: restarted
|