Howto add Transparent Proxy to JonDo
JonDo and JonDoDaemon do not offer a transparent proxy port or a DNS port. To redirect traffic to JonDo with firewall rules you have to use a transparent proxy tool like tranSOCKS_ev and a local DNS server like the HTTPSDNS daemon. Both tools can use JonDo as an upstream proxy for traffic anonymisation. tranSOCKS_ev works only with JonDonym premium services; the HTTPSDNS daemon can use free mix cascades too.
The following tutorial is not for beginners.
Howto use tranSOCKS_ev
tranSOCKS_ev provides a transparent proxy port and forwards incoming traffic to a SOCKS5 proxy like JonDo. It is developed at tiggersWelt.net. You can download an extended source archive transocks_ev.tar.bz2 (OpenPGP signature) from our server.
Howto use HTTPSDNS daemon
The HTTPSDNS daemon is a small local DNS server. It forwards DNS queries over the HTTPS protocol to a HTTPSDNS server and uses the JonDo proxy client to anonymise the traffic. You can download the archive httpsdnsd.tar.bz2 (OpenPGP signature) from our server.
Improve performance of DNS resolution by using a DNS caching daemon
To improve the performance of DNS resolution you may use a DNS caching daemon like pdnsd or bind. The subdirectory "misc" contains sample configurations for both DNS servers. We recommend the light-weight daemon pdnsd; bind is overkill. Install pdnsd with the package manager of your distribution and copy the sample configuration to "/usr/share/pdnsd":
> sudo aptitude install pdnsd
> sudo cp misc/pdnsd-httpsdns.conf /usr/share/pdnsd/
Edit the line AUTO_MODE in the file "/etc/default/pdnsd" and choose the httpsdns configuration:
AUTO_MODE=httpsdns
After a restart of pdnsd the daemon listens on port 2053. On a cache miss it asks the httpsdns daemon, which listens on port 4053, for DNS resolution. Adapt the firewall rules below by replacing "4053" with "2053".
When tranSOCKS_ev and the HTTPSDNS daemon are running, you can add rules to your firewall to redirect the traffic of a user or a group to JonDo or JonDoDaemon. The following example for iptables redirects all outgoing TCP traffic of the user with UID anonuser over transocks_ev to JonDo, redirects DNS traffic to the HTTPSDNS daemon, and rejects all other traffic of this user. You may use --gid-owner to redirect traffic by group.
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 53 -j REDIRECT --to-ports 4053
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 53 -j REDIRECT --to-ports 4053
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonuser -m tcp -j REDIRECT --to-ports 4008
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4053 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4008 -j ACCEPT
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT
Hint: the JonDo proxy client must not run with UID anonuser, or it must not run on the same computer! Otherwise its own outgoing connections would be caught by these rules and redirected back into transocks_ev.
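A small audit script, added here as an example and not part of the howto or of the JonDo tools, that reads an iptables-save dump and reports whether the anonuser redirect and reject rules above are complete and in a usable order (it also catches a REJECT placed before the ACCEPT rules, and a mismatched DNS port after switching to pdnsd). The function and constant names are assumptions; SAMPLE_DUMP is a constructed dump carrying the rules of this page.

```python
# Added example, not from the howto: audit an iptables-save dump for the anonuser rules.
# Names are assumed; SAMPLE_DUMP is constructed. On a real dump pass the numeric UID as owner.
SAMPLE_DUMP = """\
*nat
-A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 53 -j REDIRECT --to-ports 4053
-A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 53 -j REDIRECT --to-ports 4053
-A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonuser -m tcp -j REDIRECT --to-ports 4008
COMMIT
*filter
-A OUTPUT -p udp -m owner --uid-owner anonuser -m udp --dport 4053 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4053 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner anonuser -m tcp --dport 4008 -j ACCEPT
-A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT
COMMIT
"""
def parse_output_rules(dump):
    """Map table name -> OUTPUT chain rules, in the order the kernel tries them."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), [])
        elif table is not None and line.startswith("-A OUTPUT "):
            table.append(line[len("-A OUTPUT "):])
    return tables

def _find(rules, *parts):
    """Index of the first rule containing every part as whole tokens, else -1."""
    return next((i for i, r in enumerate(rules)
                 if all(f" {p} " in f" {r} " for p in parts)), -1)

def audit(dump, owner="anonuser", dns_port=4053, socks_port=4008):
    """Return a list of problems; an empty list means no leak path was found."""
    t = parse_output_rules(dump)
    nat, flt, own, problems = t.get("nat", []), t.get("filter", []), f"--uid-owner {owner}", []
    for proto in ("udp", "tcp"):  # DNS must be redirected to, and allowed to reach, dns_port
        if _find(nat, f"-p {proto}", own, "--dport 53", f"--to-ports {dns_port}") < 0:
            problems.append(f"nat: no {proto}/53 redirect to port {dns_port}")
        if _find(flt, f"-p {proto}", own, f"--dport {dns_port}", "-j ACCEPT") < 0:
            problems.append(f"filter: {proto} to port {dns_port} not accepted")
    if _find(nat, "! -o lo", "-p tcp", own, f"--to-ports {socks_port}") < 0:
        problems.append(f"nat: no catch-all tcp redirect to port {socks_port}")
    if _find(flt, "-p tcp", own, f"--dport {socks_port}", "-j ACCEPT") < 0:
        problems.append(f"filter: tcp to port {socks_port} not accepted")
    # Everything else from this user must be rejected, and no ACCEPT may follow that rule
    reject = _find(flt, "! -o lo", own, "-j REJECT")
    if reject < 0:
        problems.append("filter: no catch-all REJECT for this owner, traffic can leak")
    elif any(own in r and "-j ACCEPT" in r for r in flt[reject + 1:]):
        problems.append("filter: an ACCEPT rule sits after the REJECT and never matches")
    return problems
```

Feed it the output of `iptables-save` on the box and pass the numeric UID that iptables-save prints for anonuser; after switching DNS to pdnsd, call it with dns_port=2053 to confirm the rules were adapted.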