
What I'm trying to achieve:

(Clients)<IPSec Xauth PSK>(Server 1)<SSH-based SOCKS5>(Server 2) --> Free Internet

How is that possible for both UDP and TCP traffic?

What I've done:

I ran this on Server1:

# ssh takes the remote port with -p; "user@Server2:7999" is not valid ssh syntax
ssh -N -D 1080 -p 7999 user@Server2

I used gost for transparent proxying, and copy-pasted and modified a few lines of the iptables script from their docs:

For TCP

gost -L "red://:12345?sniffing=true&tproxy=true" -F socks5://127.0.0.1:1080 &

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -N GOST
iptables -t mangle -A GOST -p tcp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST -p tcp -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A GOST -p tcp -m mark --mark 100 -j RETURN
iptables -t mangle -A GOST -p tcp -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 127.0.0.1 --on-port 12345

iptables -t mangle -A PREROUTING -p tcp ! --dport 22 ! --sport 22 -j GOST

iptables -t mangle -N GOST_LOCAL
iptables -t mangle -A GOST_LOCAL -p tcp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST_LOCAL -p tcp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A GOST_LOCAL -p tcp -d 192.168.0.0/16 -j RETURN

iptables -t mangle -A GOST_LOCAL -p tcp -m mark --mark 100 -j RETURN
iptables -t mangle -A GOST_LOCAL -p tcp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp ! --dport 22 ! --sport 22 -j GOST_LOCAL

I excluded port 22 so as not to lose the SSH connection to the VPS.

This is for TCP. Now IPSec clients can connect, and some websites show that their IP address has changed to that of Server2. This seems OK for some web browsing. But I need to do it for UDP traffic too, and my problem starts when I run this:

For UDP

# quote the URL: an unquoted "?" is a shell glob character
gost -L "redu://:13579?ttl=10s" -F socks5://127.0.0.1:1080 &

ip rule add fwmark 2 lookup 200
ip route add local 0.0.0.0/0 dev lo table 200

# separate chains from the TCP ones: a second "-N GOST" fails with "Chain already exists",
# and the UDP rules would otherwise be appended to the TCP chain
iptables -t mangle -N GOST_UDP
iptables -t mangle -A GOST_UDP -p udp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST_UDP -p udp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A GOST_UDP -p udp -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A GOST_UDP -p udp -m mark --mark 200 -j RETURN
iptables -t mangle -A GOST_UDP -p udp -j TPROXY --tproxy-mark 0x2/0x2 --on-ip 127.0.0.1 --on-port 13579
# 500/4500 are IKE and NAT-T, 1701 is L2TP; 50 and 51 are the ESP/AH IP protocol numbers,
# not UDP ports, so those two entries never match anything in a "-p udp" rule
iptables -t mangle -A PREROUTING -p udp -m multiport ! --destination-ports 500,50,51,4500,1701 -m multiport ! --source-ports 500,50,51,4500,1701 -j GOST_UDP

iptables -t mangle -N GOST_UDP_LOCAL
iptables -t mangle -A GOST_UDP_LOCAL -p udp -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A GOST_UDP_LOCAL -p udp -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A GOST_UDP_LOCAL -p udp -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A GOST_UDP_LOCAL -p udp -m mark --mark 200 -j RETURN
iptables -t mangle -A GOST_UDP_LOCAL -p udp -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p udp -m multiport ! --destination-ports 500,50,51,4500,1701 -m multiport ! --source-ports 500,50,51,4500,1701 -j GOST_UDP_LOCAL

Now clients can't even browse the web. DNS doesn't work (I'm wondering why it even worked previously, because Server1 itself receives censored DNS queries, but clients could open those websites anyway, which is good).

Since I'm not familiar with these tools (especially iptables), can anyone guide me to an easier solution or help me with what I've done so far?

Masood Lapeh
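The UDP leg in the question depends on the SOCKS5 hop behind -F socks5://127.0.0.1:1080 accepting the UDP ASSOCIATE command, which OpenSSH's -D dynamic forwarding does not implement (it handles CONNECT only), so gost cannot relay the redirected UDP, DNS included, through that tunnel. The script below is an added example, not code from the question or from gost: it performs the SOCKS5 greeting and a UDP ASSOCIATE request and reports the reply code, handling both a proxy that answers 0x07 (command not supported) and one that silently closes the connection; start_connect_only_stub is a constructed test double standing in for such a CONNECT-only proxy.

```python
import socket
import struct
import threading


def _recv_exact(sock, n):
    """Read n bytes; returns fewer only if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def socks5_udp_associate(host, port, timeout=5.0):
    """Greeting + UDP ASSOCIATE (CMD=0x03). Returns the SOCKS5 reply code
    (0x00 = proxy will relay UDP) or None if the proxy closed without answering."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, METHOD=0 (no auth)
        if _recv_exact(s, 2) != b"\x05\x00":
            raise RuntimeError("proxy rejected the greeting")
        # VER=5 CMD=3 RSV=0 ATYP=1 DST.ADDR=0.0.0.0 DST.PORT=0
        s.sendall(b"\x05\x03\x00\x01" + bytes(4) + struct.pack("!H", 0))
        reply = _recv_exact(s, 4)  # VER REP RSV ATYP; BND.ADDR/PORT follow
        if not reply:
            return None
        return reply[1]


def start_connect_only_stub(answer=True):
    """Constructed test double: a CONNECT-only SOCKS5 listener on 127.0.0.1 that
    rejects other commands with REP=0x07 (answer=True) or just closes (False)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            _recv_exact(conn, 3)          # client greeting
            conn.sendall(b"\x05\x00")     # select "no authentication"
            req = _recv_exact(conn, 10)   # an IPv4 request is exactly 10 bytes
            rep = 0x00 if len(req) == 10 and req[1] == 0x01 else 0x07
            if rep and not answer:
                return                    # drop the connection without a reply
            conn.sendall(bytes([5, rep, 0, 1]) + bytes(4) + b"\x00\x00")

    threading.Thread(target=serve, daemon=True).start()
    return port
```

Calling socks5_udp_associate("127.0.0.1", 1080) on Server1 checks the real ssh -D listener; anything other than 0x00 means UDP redirected into gost has no onward path, whatever the iptables rules look like.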