Luca's meaningless thoughts  

SecurityKiss + Dante == bye bye censorship

by Leandro Lucarella on 2012- 11- 25 20:00 (updated on 2012- 11- 28 21:28)
tagged censorship, dante, dante-server, danted, en, foxyproxy, gema, germany, proxy, securitykiss, socks - with 3 comment(s)

I live in Germany, and unfortunately there is something in Germany called GEMA, which basically censor any content that "might have copyrighted music".

Among the sites being censored are Grooveshark (completely banned) and YouTube (only banned if the video might have copyrighted music according to some algorithm made by Google). Basically this is because GEMA want these company to pay royalties for each time some copyrighted song get streamed). AFAIK Grooveshark don't want to pay at all, and Google want to pay a fixed fee (which is what it does in every other country), because it makes no sense to do otherwise, since anyone can just endlessly get a song streamed over and over again just to be paid.

Even when the model is debatable, there is a key aspect and why I call this censorship: not all the banned content is copyrighted or protected by GEMA.

  • In Grooveshark there are plenty of bands that release their music using more friendly license, like CC.
  • There are official videos posted in YouTube by the bands themselves and embedded in the band official website that is banned by GEMA.
  • There are videos in YouTube that doesn't have copyrighted music at all, but they have to cover their asses and ban everything suspicious just in case.
  • The personal videos that do have copyrighted music get banned completely, not only muted.

These are just the examples that pop on my mind now.

There are plenty of ways to bypass this censorship and they are the only way to access legal content in Germany that gets unfairly banned, not only harming the consumers, but also the artists, because most of the time having their music exposed in YouTube only spreads the word and do more good than harm.

HideMyAss is a popular choice for a web proxy. But I like SecurityKiss, a free VPN (up to 300MB per day), because it gives a more comprehensive solution.

But here comes the technical chalenge! :) I don't want to route all my traffic through the VPN, or to have to turn the VPN on and off again each time I want to see the censored content. What I want is to see some websites through the VPN. A challenge that proved to be harder than I initially thought and why I'm posting it here.

So the final setup I got working is:

And here is how I did it (in Ubuntu 12.10):

OpenVPN server

Install the package:

sudo apt-get install openvpn

Get the configuration bundle generated for you account in the control panel and then create a /etc/openvpn/sk.conf file with this content:

client
dev tunsk
proto udp

# VPN server IP : PORT
# (pick the server you want from the README file in the bundle)
remote 178.238.142.243 123
nobind

ca   /etc/ssl/private/openvpn-sk/ca.crt
cert /etc/ssl/private/openvpn-sk/client.crt
key  /etc/ssl/private/openvpn-sk/client.key

comp-lzo yes
persist-key
persist-tun

user openvpn
group nogroup

auth-nocache
script-security 2

route-noexec
route-up "/etc/openvpn/sk.setup.sh up"

down "/usr/bin/sudo /etc/openvpn/sk.setup.sh down"

Install the certificate and key files from the bundle in /etc/ssl/private/openvpn-sk/ with the names specified in the sk.conf file.

Create the tun device:

mknod /dev/net/tunsk c 10 200

Start the VPN at system start (optional):

echo 'AUTOSTART="sk"' >> /etc/default/openvpn

Add the openvpn system user:

adduser --system --home /etc/openvpn openvpn

Now we need to route some specific traffic only through the VPN. I choose to discriminate traffic by the uid/gid of the application that generated it. So with the route-up and down script we will do all the special routing. I also want my default route table to be untouched, that's why I used route-noexec. Here is how the /etc/openvpn/sk.setup.sh script looks for me:

#!/bin/sh
# Based on:
# http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface

#exec >> /tmp/log
#exec 2>> /tmp/log.err
#set -x

# Config
uid=skvpn
gid=skvpn
mark=100
table=$mark
priv_dev=br-priv

env_file="/var/run/openvpn.sk.env"
umark_rule="OUTPUT -t mangle -m owner --uid-owner $uid -j MARK --set-mark $mark"
gmark_rule="OUTPUT -t mangle -m owner --gid-owner $gid -j MARK --set-mark $mark"
masq_rule="POSTROUTING -t nat -o $dev -j SNAT --to-source $ifconfig_local"

up()
{
        # Save environment
        env > $env_file

        # Route all traffic marked with $mark through route table $table
        ip rule add fwmark $mark table $table

        # Make all traffic go through the VPN gateway in route table $table
        ip route add table $table default via $route_vpn_gateway dev $dev

        # Except for the internal traffic
        ip route | grep "dev $priv_dev" | \
                        xargs -n1 -d'\n' echo ip route add table $table | sh

        # Flush route tables cache
        ip route flush cache

        # Mark packets originated by processes with owner $uid/$gid with $mark
        iptables -A $umark_rule
        iptables -A $gmark_rule

        # Prevent the packets sent over $dev getting the LAN addr as source IP
        iptables -A $masq_rule

        # Relax the reverse path source validation
        sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
}

down()
{
        # Restore and remove environment
        . $env_file
        rm $env_file

        # Since the device is already removed, there is no need to clean
        # anything that was referencing the device because it was already
        # removed by the kernel.

        # Delete iptable rules
        iptables -D $umark_rule
        iptables -D $gmark_rule

        # Delete route table and rules for lookup
        ip rule del fwmark $mark table $table

        # Flush route tables cache
        ip route flush cache
}

if test "$1" = "up"
then
        up
elif test "$1" = "down"
then
        down
else
        echo "Usage: $0 (up|down)" >&2
        exit 1
fi

I hope this is clear enough. Finally we need to add the skvpn user/group (for which all the traffic will be routed via the VPN) and let the openvpn user run the setup script:

sudo adduser --system --home /etc/openvpn --group skvpn
sudo visudo

In the editor, add this line:

openvpn ALL=(ALL:ALL) NOPASSWD: /etc/openvpn/sk.setup.sh

Now if you do:

sudo service openvpn start

You should get a working VPN that is only used for processes that runs using the user/group skvpn. You can try it with:

sudo -u skvpn wget -qO- http://www.securitykiss.com | grep YOUR.IP

Besides some HTML, you should see the VPN IP there instead of your own (you can check your own by running the same without sudo -u skvpn).

Dante Socks Server

This should be pretty easy to configure, if it weren't for Ubuntu coming with an ancient (1.x when there is a 1.4 beta already) BROKEN package. So to make it work you have to compile it yourself. The easiest way is to get a sightly more updated package from Debian experimental. Here is the quick recipe to build the package, if you want to learn more about the details behind this, there is always Google:

cd /tmp
for suffix in .orig.tar.gz -3.dsc -3.debian.tar.bz2
do
   wget http://ftp.de.debian.org/debian/pool/main/d/dante/dante_1.2.2+dfsg$suffix
done
sudo apt-get build-dep dante-server
dpkg-source -x dante_1.2.2+dfsg-3.dsc
cd dante_1.2.2+dfsg
dpkg-buildpackage -rfakeroot
cd ..
dpkg -i /tmp/dante-server_1.2.2+dfsg-3_amd64.deb

Now you can configure Dante, this is my configuration file as an example, it just allow unauthenticated access to all clients in the private network:

logoutput: syslog

internal: 10.1.1.1 port = 1080
external: tunsk

clientmethod: none
method: none

user.privileged: skvpn
user.unprivileged: skvpn
user.libwrap: skvpn

client pass {
        from: 10.1.1.0/24 port 1-65535 to: 0.0.0.0/0
        log: error # connect disconnect
}
client pass {
        from: 10.1.1.0/24 port 1-65535 to: 0.0.0.0/0
}

#generic pass statement - bind/outgoing traffic
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
}
#generic pass statement for incoming connections/packets
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bindreply udpreply
        log: error # connect disconnect iooperation
}

I hope you get the idea...

Now just start dante:

sudo service danted start

And now you have a socks proxy that output all his traffic through the VPN while any other network traffic goes through the normal channels!

FoxyProxy Addon

Setting up FoxyProxy should be trivial at this point (just create a new proxy server pointing to dante and set it as SOCKS v5), but just as a pointer, here are some example rules (set them as Whitelist and Regular Expression):

^https?://(.*\.)?youtube\.com/.*$
^https?://(.*\.)?grooveshark\.com/.*$

Los Reyes Paraguayos

by Leandro Lucarella on 2012- 03- 29 20:53 (updated on 2012- 03- 29 20:53)
tagged 1/1000s, 5.2 mm, alemania, auto, berlin, deutscheland, disco, es, f/2.8, germany, iso100, los reyes paraguayos, mauerpark, music, n900, photo, pic - with 3 comment(s)

Joyita encontrada en el mercado de pulgas del Mauerpark.

Los Reyes Paraguayos

Los Reyes Paraguayos

[ N900 1/1000s f/2.8 iso100 5.2 mm Auto ]

Un día más en Alemania

by Leandro Lucarella on 2012- 02- 27 21:14 (updated on 2012- 02- 27 21:14)
tagged 1/80s, 19.5 mm, 2011-12-18, auto, berlin, canon powershot sx210 is, f/5.0, full auto, germany, iso500, mauerwerg, medieval, pankow, photo, pic, soldiers - with 0 comment(s)

Un día más en Alemania

Un día más en Alemania

2011-12-18 13:19:57 CET
[ Canon PowerShot SX210 IS 1/80s f/5.0 iso500 19.5 mm Auto Full auto ]

Bondage Fairies @ White Trash Fast Food Berlin (2012-02-04)

by Leandro Lucarella on 2012- 02- 05 16:19 (updated on 2012- 02- 05 16:19)
tagged 1/15s, 5.2 mm, auto, berlin, bondage fairies, es, f/2.8, germany, iso800, live, mitte, music, n900, photo, pic, white trash fast food berlin - with 0 comment(s)

Ya no recuerdo como conocí a los Bondage Fairies, juraría que via Esteirfri, pero ahora no logro encontrar ningún post relacionado.

Bondage Fairies @ White Trash Fast Food Berlin (2012-02-04) (1)

Bondage Fairies @ White Trash Fast Food Berlin (2012-02-04) (1)


[ N900 1/15s f/2.8 iso800 5.2 mm Auto ]

La cosa es que se presentaron en Berlín, los fui a ver y me fui más que satisfecho con su performance! Se presentan siempre con máscaras (incluso en todas las fotos que vi sobre la banda) y están muy limados. El guitarrista en especial cada tanto se acercaba al público y se ponía a mirar fijamente a algún seguidor de forma bastante perturbante.

Bondage Fairies @ White Trash Fast Food Berlin (2012-02-04) (2)

Bondage Fairies @ White Trash Fast Food Berlin (2012-02-04) (2)


[ N900 1/15s f/2.8 iso800 5.2 mm Auto ]

La máscara del baterista también es muy buena, y el tipo la acompaña muy bien con su actitud y sus bailes espásticos.

Los tipos distribuyeron un tema via Dead Drops (USB sticks inclustados y cementados en cantidades de ciudades, también conocido como red P2P anónima offline). Si quieren escuchar más, pueden hacerlo en Musicuo (la alternativa a Grooveshark que, todavía, anda en Alemania).

Bondage Fairies @ White Trash Fast Food Berlin (2012-02-04) (3)

Bondage Fairies @ White Trash Fast Food Berlin (2012-02-04) (3)


[ N900 1/15s f/2.8 iso800 5.2 mm Auto ]

Perdón por la baja calidad de las fotos y video, pero me olvidé la cámara así que fueron tomadas con el celular.

Una poca de nieve

by Leandro Lucarella on 2012- 02- 03 13:59 (updated on 2012- 02- 03 13:59)
tagged 0s, 2012-02-03, 5.2 mm, auto, berlin, cold, es, f/2.8, germany, iso100, mitte, n900, nokia, photo, pic, sharing-cli, snow, standard - with 0 comment(s)

Una poca de nieve

Creedme, se ve mas copado en persona

Germany Berlin Mitte 2012-02-03 11:38:22
[ Nokia N900 0s f/2.8 iso100 5.2 mm Auto Standard ]

It's finally here

by Leandro Lucarella on 2012- 01- 16 08:30 (updated on 2012- 01- 16 08:30)
tagged 2012-01-16, 3/100s, 5.2 mm, auto, berlin, en, f/2.8, germany, iso114, mitte, n900, nokia, photo, pic, sharing-cli, snow, standard, street - with 4 comment(s)

It's finally here

A little snow in Berlin

Germany Berlin Mitte 2012-01-16 09:28:03
[ Nokia N900 3/100s f/2.8 iso114 5.2 mm Auto Standard ]

Lübars

by Leandro Lucarella on 2012- 01- 15 17:23 (updated on 2012- 01- 15 17:23)
tagged 1/1000s, 2012-01-15, 5.2 mm, auto, berlin, es, f/2.8, germany, iso100, lake, landscape, lübars, n900, nature, nokia, photo, pic, sharing-cli, travel, tree - with 0 comment(s)

Lübars

Reserva natural dentro de Berlin

Germany Berlin Lübars 2012-01-15 12:52:42
[ Nokia N900 1/1000s f/2.8 iso100 5.2 mm Auto Landscape ]

Sí, sigo en Berlin

by Leandro Lucarella on 2012- 01- 10 11:56 (updated on 2012- 01- 10 11:56)
tagged 1/1024s, 2012-01-10, 5.2 mm, auto, berlin, f/2.8, fernsehturm, germany, iso100, mitte, n900, nokia, photo, pic, sharing-cli, standard, street, tower - with 0 comment(s)

Sí, sigo en Berlin

Torre de TV

Germany Berlin Mitte 2012-01-10 12:36:47
[ Nokia N900 1/1024s f/2.8 iso100 5.2 mm Auto Standard ]

Lobo está?

by Leandro Lucarella on 2012- 01- 08 22:06 (updated on 2012- 01- 08 22:06)
tagged 1/5s, 2012-01-08, 5.2 mm, auto, berlin, church, clouds, es, f/2.8, germany, iso800, kreuzberg, moon, n900, night, night scene, nokia, photo, pic, sharing-cli, südstern - with 2 comment(s)

Lobo está?

Südstern con luna llena

Germany Berlin Kreuzberg 2012-01-08 18:46:42
[ Nokia N900 1/5s f/2.8 iso800 5.2 mm Auto Night scene ]