Proxying » Danted Perfect Setup

Proxying » Danted Perfect Setup

secure Danted setup, but without authentication

Razlog za ovako nešto je to što Chrome ne podržava SOCKS5 authentication, pa sam morao da smislim neki bolji način.

Ukratko, prvo poseti “https://orotec … /_socks.php” a zatim će SOCKS5 proxy da radi.

Determine main interface name in Ubuntu

There are two one-liners, both equally efficient and elegant. They are based on the principle of discarding all virtual network interfaces and then taking the first remaining one. Both one-liners will assign the interface name to the variable iname.

1
2
3
4
5
# more robust method that checks for the actual existence of the interface
iname=$(ls /sys/class/net | while read -r iface; do if [[ -d /sys/class/net/$iface/device ]]; then echo $iface; break; fi; done)

# more elegant as it discards virtual interfaces based on whether the phrase `virtual` appears in the symlink
iname=$(find /sys/class/net -type l -not -lname '*virtual*' -printf '%f\n' | head -n 1)

Install danted

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

# install dante
apt update && apt install -y dante-server

# assign variables
iname=$(find /sys/class/net -type l -not -lname '*virtual*' -printf '%f\n' | head -n 1)
port="22333"  # SOCKS5 port number

# folder
mkdir /etc/danted

# backup the original conf file
sudo mv /etc/danted.conf /etc/danted/danted.conf.backup

# ensure that file exists
sudo touch /etc/danted/danted.whitelist

# create /etc/danted.conf as elevated user
cat << EOF | sudo tee "/etc/danted.conf" > /dev/null
logoutput: stderr
internal: $iname port = $port
external: $iname
socksmethod: none
clientmethod: none
user.privileged: proxy
user.notprivileged: nobody
user.libwrap: nobody

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect error
}

# client pass rules are below this line

EOF

# and use it also as a template
sudo cp /etc/danted.conf /etc/danted/danted.conf.template

# create a script that will combine ip's into dante rules
cat << 'EOF' | sudo tee "/etc/danted/danted.combine.sh" > /dev/null
#!/bin/bash

# start with a template
cp "/etc/danted/danted.conf.template" "/etc/danted.conf"

# and apend whitelisted ips
while IFS= read -r IP; do

cat << MARKER >> "/etc/danted.conf"
client pass {
    from: $IP/32 to: 0.0.0.0/0
    log: connect disconnect error
}
MARKER
done < "/etc/danted/danted.whitelist"

# restart service
sudo systemctl restart danted
EOF

# make it executable
chmod +x /etc/danted/danted.combine.sh

# restart to apply the changes
sudo systemctl restart danted


# firewall must have port opened
# for example: sudo ufw allow $port

# verify that Dante is running and listening on the correct port:
sudo systemctl status danted
sudo netstat -tuln | grep $port

Now, I’ll monitor file changes and regenerate config and restart dante on change. I’m implementing it this way as I don’t want web server user to have sudo access for the systemctl command. Tako da otpada da moj PHP skript sam restartuje danted proces i zato radim ovaj file monitoring. Odlučio sam ovo da uradim koristeći systemd a ne inotify.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# systemd.service Unit File

sudo tee "/etc/systemd/system/danted-reconfigure.service" > /dev/null << 'EOF'
[Unit]
Description=Reload danted when whitelist changes

[Service]
Type=oneshot
ExecStart=/etc/danted/danted.combine.sh
EOF

# systemd.path Unit File

sudo tee "/etc/systemd/system/danted-reconfigure.path" > /dev/null << 'EOF'
[Unit]
Description=Monitor /etc/danted/danted.whitelist for changes

[Path]
PathModified=/etc/danted/danted.whitelist

[Install]
WantedBy=multi-user.target
EOF

# Reload the configuration
sudo systemctl daemon-reload

# Enable and start our service
sudo systemctl enable --now danted-reconfigure.path

Now everything is working perfectly. Specifically, every time there is a change in the /etc/danted/danted.whitelist file, the entire danted system is reconfigured. I just need a simple way to add my IP address to the whitelist, and I will do this using PHP.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
cat << 'EOF' | sudo tee "/home/orotec/htdocs/orotec.jao.rs/_socks.php" > /dev/null
<?php

# Display all errors on screen
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

# username is the most left part of domain
$expectedUsername = strtok($_SERVER['HTTP_HOST'], '.');

# password is filename
$expectedPassword = pathinfo(basename($_SERVER['REQUEST_URI']), PATHINFO_FILENAME);

# If not authenticated, send a 401 Unauthorized header and exit
$isAuthenticated = $_SERVER['PHP_AUTH_USER'] === $expectedUsername && $_SERVER['PHP_AUTH_PW'] === $expectedPassword;
if (!$isAuthenticated) {
    header('WWW-Authenticate: Basic realm="Restricted Area"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authorization Required.');
}

# Get the client IP address from the server superglobal
$clientIP = $_SERVER['REMOTE_ADDR'];

# If "clear" query parameter is present, clear the file, otherwise append the IP
file_put_contents('/etc/danted/danted.whitelist', $clientIP . PHP_EOL, isset($_GET['clear']) ? 0 : FILE_APPEND);

# Output just the client IP
echo $clientIP . "\n";

EOF

just change owner user

sudo chown orotec /etc/danted/danted.whitelist

and add /etc/danted folder to PHP open_basedir

so add an IP by visiting

https://orotec.jao.rs/systools/_socks.php

user: ‘orotec’, pass: ‘_socks’

Za US (aqua): http://dummy.a.savioko.com/systools/_socks.php Za Germany (server): https://koviljaca.rs/systools/_socks.php Za Germany (otto): https://orotec.jao.rs/systools/_socks.php

date 02. Oct 2023 | modified 03. Dec 2024
filename: Scraping » Proxying » Danted