Configuring IP over DNS with iodine


What I am trying to do

I am trying to implement an IP-over-DNS tunnel using iodine by following both this tutorial and this one (further in this question I outline exactly which steps I took). I want to be able to use something like andIodine as a client on my rooted Lollipop smartphone.

I have a Debian 7 server instance where I already run an OpenVPN server; it works fine and is currently active.

When I run iodined -c -f 10.0.0.1 -P <password> iodine.<yourdomain>.com on the server, and then iodine -f -P <password> iodine.<yourdomain>.com on my Ubuntu home PC, it says

Connection setup complete, transmitting data.

What goes wrong

After that, I am able to ping 10.0.0.1 from my PC, and even SSH into it. However, I am not succeeding in setting up an iodine client and getting an internet connection.

On the android client, I get ping replies from the iodine server, but no pings from an external host, and have no internet connectivity.

Android tests

On the server, I run the same iodined -c -f 10.0.0.1 -P <password> iodine.<yourdomain>.com command. On my rooted stock 5.1 Lollipop XT1040 Motorola phone, I run andIodine 1.3.

andIodine settings

  • Tunnel topdomain: iodine.<domain>.tk
  • Password: <password>
  • Tunnel nameserver: <empty>
  • Nameserver mode: LEAVE_DEFAULT
  • Nameserver: <empty>
  • Request type: AUTODETECT
  • Lazy mode: enabled
  • Raw mode: disabled
  • Default route: enabled

Connection log

[screenshot of the andIodine connection log]

Connectivity test

I get ping replies from the iodine server, but no pings from example.org (example.org is a real domain that responds to pings on my local machine; notice I can still somehow get its correct IP).

[screenshot of the ping results on the phone]

Detailed configurations

The server has a free .tk domain and free DNS provided by NameCheap. These are the DNS entries:

A Record    @           <PUBLIC IP>
A Record    tunnel      <PUBLIC IP>
A Record    www         <PUBLIC IP>
NS Record   iodine      tunnel.<domain>.tk.

IP Forwarding is enabled:

# cat /proc/sys/net/ipv4/ip_forward
1

These were my iptables rules already present because of OpenVPN:

# I have no idea WTF this is or what it's doing here
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <PUBLIC IP>

# OpenVPN on port 53 UDP
#iptables -t nat -A PREROUTING -p udp -d <PUBLIC IP> --dport 53 -j REDIRECT --to-port 1194

# OpenVPN on port 80 UDP
iptables -t nat -A PREROUTING -p udp -d <PUBLIC IP> --dport 80 -j REDIRECT --to-port 1194

These are the new iptables rules I set according to the tutorial. I have changed the interface names because they don't match on my server.

### iodine
# Allow the DNS server to send and receive queries
iptables -A INPUT -p udp -m multiport --dports 53 -i venet0:0 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 53 -o venet0:0 -j ACCEPT

# Allow the connected clients to talk to the server machine
iptables -A INPUT -i dns0 -j ACCEPT
iptables -A OUTPUT -o dns0 -j ACCEPT

# Forward Internet traffic
iptables -A FORWARD -i dns0 -o venet0:0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i venet0:0 -o dns0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o venet0:0 -j MASQUERADE
### /iodine

These are my networking devices prior to running iodine:

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:180728 errors:0 dropped:0 overruns:0 frame:0
          TX packets:244367 errors:0 dropped:41 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:15273264 (14.5 MiB)  TX bytes:289916435 (276.4 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:499243 errors:0 dropped:0 overruns:0 frame:0
          TX packets:495596 errors:0 dropped:13593 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:334524346 (319.0 MiB)  TX bytes:339530859 (323.8 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:<PUBLIC IP>  P-t-P:<PUBLIC IP>  Bcast:<PUBLIC IP>  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.16.77.18  P-t-P:172.16.77.18  Bcast:172.31.255.255  Mask:255.240.0.0
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

These are my networking devices after running iodine:

dns0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.224
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1130  Metric:1
          RX packets:745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:215 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:59256 (57.8 KiB)  TX bytes:18060 (17.6 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:180728 errors:0 dropped:0 overruns:0 frame:0
          TX packets:244367 errors:0 dropped:41 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:15273264 (14.5 MiB)  TX bytes:289916435 (276.4 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:498943 errors:0 dropped:0 overruns:0 frame:0
          TX packets:495359 errors:0 dropped:13549 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:334489804 (318.9 MiB)  TX bytes:339492035 (323.7 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:<PUBLIC IP>  P-t-P:<PUBLIC IP>  Bcast:<PUBLIC IP>  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.16.77.18  P-t-P:172.16.77.18  Bcast:172.31.255.255  Mask:255.240.0.0
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

That Brazilian Guy

Posted 2016-01-08T17:36:34.097

Reputation: 5 880

Where is the question here? – BowlesCR – 2016-01-08T18:26:59.923

Answers


After that, I am able to ping 10.0.0.1 from my PC, and even SSH into it. However, I am not succeeding in setting up a iodine client and getting internet connection.

On the android client, I get ping replies from the iodine server, but no pings from an external host, and have no internet connectivity.

I think you misunderstood what iodine does.

If you can SSH to your server at 10.0.0.1, then iodine did its thing and everything works as expected.

Now, you can use SSH to create a SOCKS5 proxy (ssh -N -C -D 4321 login@10.0.0.1). After that, tell your browser (for example) to use the SOCKS proxy at 127.0.0.1:4321 instead of accessing the web directly.

p4bl0

Posted 2016-01-08T17:36:34.097

Reputation: 11


I had similar problems: ssh'ing into the (iodined) host worked well, but there was no internet for the client. After setting up the following rules, it worked quite well (though really slow :D).

# NAT everything leaving the internet-facing interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Let replies to tunnel clients back in through dns0
iptables -t filter -A FORWARD -i eth0 -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Let tunnel clients send traffic out to the internet
iptables -t filter -A FORWARD -i dns0 -o eth0 -j ACCEPT

See also: https://sarwiki.informatik.hu-berlin.de/IPoverDNS for persisting. And for some explanation to the table rules you could watch this https://www.youtube.com/watch?v=p5W8fuHoWM4. Good luck!

milkpirate

Posted 2016-01-08T17:36:34.097

Reputation: 1

What's your DNS setup like? I have followed every tutorial but AndIodine doesn't work. It keeps saying handshake failed and the log is always quickly cleared for me to see what the hell it logged :/ – chx101 – 2019-10-25T12:00:10.970
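One script serving both the question's "### iodine" rules and milkpirate's answer, as an added example that is not code from the question or either answer: it scopes forwarding and NAT to the tunnel subnet rather than masquerading everything that leaves the box, clamps TCP MSS because dns0 has an MTU of 1130, and refuses to apply anything while ip_forward is off. The device and subnet names are assumptions passed in as arguments; iptables matches the kernel device name, so on the OpenVZ host in the question that is venet0, not the ifconfig alias label venet0:0.

```shell
#!/bin/sh
# Added example, not code from the question or the answers.
# Emits (dry run) or applies forwarding/NAT rules for an iodine server,
# restricted to the tunnel subnet, with a TCP MSS clamp for the small
# dns0 MTU. Assumed arguments: egress device, tunnel device, tunnel
# subnet; for the host in the question: venet0 dns0 10.0.0.0/27
# (10.0.0.1 with mask 255.255.255.224 in the ifconfig output).

iodine_nat_rules() {
    wan=$1; tun=$2; net=$3; mode=${4:-print}
    # Rules in the order they should be loaded.
    set -- \
      "iptables -A INPUT -i $wan -p udp --dport 53 -j ACCEPT" \
      "iptables -A INPUT -i $tun -s $net -j ACCEPT" \
      "iptables -A FORWARD -i $tun -o $wan -s $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $wan -o $tun -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -t mangle -A FORWARD -i $tun -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" \
      "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE"
    for rule; do
        if [ "$mode" = apply ]; then
            $rule || return 1      # stop at the first rule iptables rejects
        else
            printf '%s\n' "$rule"  # dry run: show what would be loaded
        fi
    done
}

# Returns 0 only when the kernel routes between interfaces; with
# ip_forward=0 every FORWARD rule above is dead. The path argument
# exists so the check can be exercised against a test file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Stand-alone run: dry-run print unless IODINE_RULES_APPLY=1 is set.
if [ "${IODINE_RULES_APPLY:-0}" = 1 ]; then
    ip_forward_enabled || { echo "enable net.ipv4.ip_forward first" >&2; exit 1; }
    iodine_nat_rules venet0 dns0 10.0.0.0/27 apply
else
    iodine_nat_rules venet0 dns0 10.0.0.0/27
fi
```

Compare the printed rules against iptables -L -n -v and iptables -t nat -L -n -v after loading: a rule whose packet counter never moves is one that is not matching the interface you think it is.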