Category Archives: Technology

Securing DNS Traffic in China

Overview

DNS poisoning is one of the most common cause of nuisance when accessing websites
that are outside this 1.4 billion-people Oriental country. So far, the best way to protect yourself from this trouble is to route all your DNS traffic through an encrypted channel, and the method I am going to introduce is DNSCrypt. There is not yet a standard for encrypted DNS, DNSCrypt is a project done by OpenDNS. According my experience, DNSCrypt is very reliable and robust, the cryptography of the protocol is called DNSCurve, which is a public-key crypto that employes an extremely strong elliptic-curve cryptography called Curve25519.

If you have read my previous writing, you should know my setup is a Raspberry Pi, and so the rest of this article is based on that, running Raspbian. Dnsmasq will be used as the first DNS caching proxy to serve incoming DNS queries from machines on the network. If the queried domain name is a China one, the request will be served by a China DNS. This is necessary because for some domains, answers from DNS servers in China and global ones could be different. If the requested domain does not belong to any known China domains, the request will be forwarded to dnscrypt-proxy, which will ask a DNSCrypt server for an answer.

After DNSCrypt is used, your DNS traffic will look like this:

Setting up DNSCrypt

As illustrated in the above diagram, dnscrypt-proxy is the piece of software that handles DNSCrypt, but it is not available in Raspbian’s Wheezy and Jessie releases, only in testing (currently Stretch). You can either compile it yourself, or grab the debian package I built and install it. You can find the package here. It is based on the Raspbian package in testing repo, with some modification to debian packaging files, since the one in testing depends on systemd, which had not yet been adopted when Wheezy was released.

If you really want to build the package yourself, first install the libsodium packages. The package are also not available in Wheezy repo but the ones from testing, libsodium13_1.0.3-1_armhf.deb and libsodium-dev_1.0.3-1_armhf.deb, can be installed without any problem. Download and install them, then follow these steps to build your dnscrypt-proxy package:

After dnscrypt-proxy is installed, you have to update the port it uses. Change DNSCRYPT_PROXY_LOCAL_ADDRESS in /etc/default/dnscrypt-proxy to another port other than 53 (as it will be used by dnsmasq later), like this:

You can also change the remote DNSCrypt server, but since the default (cisco) works well for me, I left it unchanged.

Now test it to make sure it works as expected:

Setting up dnsmasq

Dnsmasq is very common and is available in Raspbian, installing it is easy:

Now we have to do some configuration in /etc/dnsmasq.conf. These are my recommended settings. Please note that the interface option is the network interface that dnsmasq will serve, and in my case that is wlan0. You have to change it to the one that applies to your case.

Now comes the interesting part. We are going to tell dnsmasq to use a China DNS server (114.114.114.114 in my example) for China domains and DNSCrypt server for all others. This is done by using the server option in /etc/dnsmasq.conf. Here is an example:

This is pretty straightforward. The last line tells dnsmasq to use your dnscrypt proxy if the domain you query does not match any China domains. In my config file there are 12238 lines for China domains so I’m not going to post them all here, you can get the snippet of my dnsmasq.conf here, and put it into your own dnsmasq.conf. The problem is to maintain the list for all China hosts. I am now using the list from the fqrouter project, it has been serving me well, since most common domains are already there. What’s worrying is due to the abandon of the project by it’s author, the list is now unmaintained. If you know a more updated list, please let me know!

Obfuscated SSH tunnel

VPN providers were cracked down, open source anti-censorship tools were eliminated. This is what’s happening in China and has become even more severe than ever. Shadowsocks alone is no longer reliable due to more powerful deep packet inspection implemented at the GFW.

I am now replacing shadowsocks on my gateway with obfuscated SSH tunnel, based on Tor‘s obfsproxy. To the impatient ones, I will first give a concise summary of the necessary steps of my set up. You can follow it without drilling down the details. I will explain in more details later. But please note that you have to follow the other instructions in this blog post to complete the whole set up.

Quick Set up

On your server

Assume your server runs Debian 8 (jessie) or Ubuntu, and its IP is 1.2.3.4, run these commands:

On Raspberry Pi gateway

Edit ~/.ssh/config:

Run these commands:

Boost WIFI Speed by Forcing 40 MHz Channels in hostapd on RPi

802.11n can double the channel bandwidth of 802.11g from 20 MHz to 40 MHz, but this operation mode is not recommended in areas that the spectrums are congested and likely interfere with existing WIFI and bluetooth devices. As a result, hostapd will not enable 40 MHz when it finds other channels are being used, like what is seen from the hostapd log below:

However, this is unrealistic in modern cities. You should be grateful the primary channel you choose has not been used already, let alone the additional one for 40 MHz. What can we do? We have to force hostapd to turn on 40 MHz anyway. But since hostapd does not have any configuration options for that, we have to recompile hostapd from source. Actually, this has been done in other distros. For example, OpenWRT and Arch has patched their hostapd with the noscan patch, which adds an option to force 40MHz mode regardless of the environment.

Before turning on 40 MHz, the iwconfig on my laptop is like this, notice the bit rate is only 54 Mb/s:

Now let us start. First you need to add a deb-src source to apt so that we can download source packages. Note that I am still using Raspbian Wheezy. If you use Jessie, change the deb-src line according to your original deb line.

Save the following patch into a file:

Because we are going to create a new hostapd package, it’d be a good practice to increment the version number by adding a new section at the top of debian/changelog, like this:

Now we are ready to compile the packages:

If it succeeds, install the new package with dpkg -i.

Restart hostapd, it should now force 40 MHz mode:

And my iwconfig output now shows Bit Rate is 150 Mb/s, yay!

解決 WordPress 中 Google Web Font 被 GFW 屏蔽問題

自從本 blog 的 wordpress 升級並更換 theme 後,偶爾發現 page load 得很慢,用 chrome 自帶的 developer tool 查了一下才發現原來 theme 用了 google web font,因爲 google service 被牆了所以在大陸瀏覽就像卡住了一樣。由於我絕大部份時間都是科學上網,所以一開始沒有發現問題。

Google font is blocked in China

既然 google web font 不能用,最簡單就是乾脆不用,把相關代碼拿掉就行,不過這樣做的後果是網站會極其難看。上策還是把 google web font 放到 wordpress server,再將 CSS 配置好。Google 一下發現有個很棒的 shell script 能幫個大忙:https://neverpanic.de/blog/2014/03/19/downloading-google-web-fonts-for-local-hosting/,它能幫你把需要的字體下載下來並產生一個立馬能用的 CSS 文檔。

WordPress 最少有兩個地方會加載 google web font,第一是 wordpress 本身用到的 Open Sans,另外是個別 theme 可能會用到的字體。視乎你的 theme 有沒有用 google font,有可能兩個地方都要處理。

目前我用的 theme 基於 twentyfourteen(我把原來左邊的 navigation 拿掉,header 加了 facebook, twitter 等幾個 icon),best practice 是在 wordpress 的 themes 目錄開一個叫 twentyfourteen-child 的新目錄,裏面只放用來 override parent theme 的東西。

解決問題的具體步驟如下:

  1. 下載剛才介紹過的網站的 shell script,我把它命名爲 downloadgooglefont.sh
  2. 先下載 wordpress 會下載的所有 Open Sans 字體(包括不同粗幼和斜體),在 downloadgooglefont.sh 裏要指定它們:

  3. 針對你使用的 theme,需要把 theme 用到的 google 字體寫進去。你要查一下你的 theme 會用到什麼字體,例如 twentyfourteen 會用到的字體在 themes/twentyfourteen/functions.php 的 215 行有提到:

    總共有7個字體,所以 script 需要加上:

  4. 執行該 script:

    這些就是下載完的所有文檔,包括適用於 chrome/chromium, firefox, safari 會用到的字體,還有一個 CSS file:

  5. 把上面所有的字體上傳到 wordpress server 的 wp-content/themes/twentyfourteen-child/ 目錄。
  6. 把 font.css 複製到 wp-content/themes/twentyfourteen-chile/style.css。
  7. 由於 twentyfourteen 在 functions.php 通過 wp_enqueue_style 加上 fonts.googleapis.com 的 link 來加載 Lato 字體,要想辦法把它拿掉:

    不過我不喜歡直接修改 parent theme,所以我選擇在 twentyfourteen-child 把它 dequeue 掉。注意 add_action 的 priority 必須低於 10,dequeue 才會成功。 theme_enqueue_styles 的前兩行是用來禁止 Open Sans 字體從 google server 加載,第3行才是禁止 Lato。
    _twentyfourteen-child/functions.php:

Compile kernel module on Linode Debian VPS

Connection to linode hosts from within China can be poor from time to time. Choosing a suitable TCP congestion algorithm may alleviate that from insignificant to a great deal, your mileage may vary. Trying it out is always the best way to find out. Here I will show you how to do that step by step.

  1. Login to your VPS and find out the version of the running kernel

    # uname -a
    Linux jhelom 3.12.6-x86_64-linode36 #2 SMP Mon Jan 13 18:54:10 EST 2014 x86_64 GNU/Linux
    

    That is 3.12.6.

  2. Go get the 3.12.6 from kernel.org at https://www.kernel.org/pub/linux/kernel/v3.x/
  3. Extract it and copy the kernel config over from the current one.

    # tar xf linux-3.12.6.tar.xz
    # zcat /proc/config.gz > .config
    # make oldconfig
    
  4. Now, edit .config with an editor such as vi, look for the line CONFIG_TCP_CONG_ADVANCED, remove the line, and add the following lines there:

    CONFIG_TCP_CONG_ADVANCED=y
    CONFIG_TCP_CONG_BIC=m
    CONFIG_TCP_CONG_WESTWOOD=m
    CONFIG_TCP_CONG_HTCP=m
    CONFIG_TCP_CONG_HSTCP=m
    CONFIG_TCP_CONG_HYBLA=m
    CONFIG_TCP_CONG_VEGAS=m
    CONFIG_TCP_CONG_SCALABLE=m
    CONFIG_TCP_CONG_LP=m
    CONFIG_TCP_CONG_VENO=m
    CONFIG_TCP_CONG_YEAH=m
    CONFIG_TCP_CONG_ILLINOIS=m
    CONFIG_DEFAULT_CUBIC=y
    # CONFIG_DEFAULT_RENO is not set
    
  5. Now compile the kernel and the modules.

    # make -j4
    # make modules SUBDIRS=net/ipv4
    
  6. If everything goes well, you will be able to load the module.

    # sudo insmod net/ipv4/tcp_hybla.ko
    

    Check with lsmod and make sure the kernel module is loaded successfully. If not, check dmesg for any errors.

That’s it!