Section 1
A note to the programmer:
You need to create the following shell scripts and folders in order to contribute a tactic:
register.sh This will add the name of the tactic to the index file and copy the tactic folder into the 'working' directory of the repository. The programmer runs it only once, when the tactic is complete and ready to be used. Otherwise, just paste the tactic into the repository manually (outside 'working'); it won't be used by the automation scripts 'server.sh' and 'client.sh'.
install.sh This will install the packages the tactic needs. Both client and server need to run it, and it shall be run only once.
stop.sh This will stop the tactic running on the client and server. Both client and server need to run it to stop the ongoing service.
client This folder contains the following shell scripts, which start the client:
> aprior.sh - This script contains everything necessary to set up the client. It will contain the commands that copy the files generated by the server tactic, which the client uses to establish the tunnel between client and server.
> initialize_client.sh - This is the final script, which starts the client.
> parameters - This file contains the parameters used to start the client. The parameters change from client to client.
server This folder contains the following shell scripts, which start the server:
> aprior.sh - This script contains everything necessary to set up the server. It will contain the commands that generate the files the client uses to establish the tunnel between client and server.
> initialize_server.sh - This is the final script, which starts the server.
> parameters - This file contains the parameters used to start the server. The parameters change from server to server.
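The layout above is checked by nothing in the repository, so a tactic with a missing script only fails once client.sh or server.sh reaches it. The following is an added example, not a script from signposts/tactics: it verifies that a tactic folder has every path listed in this section and can scaffold an empty tree for a new tactic. The placeholder file contents are an assumption; the real scripts are written by the tactic's author.

```sh
# Added example; not a script from the signposts/tactics repository.
# Checks that a tactic folder contains every script and folder listed in
# Section 1 before it is registered, and can scaffold an empty one.

# Relative paths every tactic must provide (Section 1). ssh_tun is the one
# documented exception: it has no server/initialize_server.sh.
REQUIRED_PATHS="register.sh install.sh stop.sh
client/aprior.sh client/initialize_client.sh client/parameters
server/aprior.sh server/initialize_server.sh server/parameters"

# check_tactic_layout DIR: print each missing path; return 1 if any is
# missing, 0 if the layout is complete.
check_tactic_layout() {
    missing=0
    for rel in $REQUIRED_PATHS; do
        if [ ! -e "$1/$rel" ]; then
            echo "missing: $1/$rel"
            missing=1
        fi
    done
    return $missing
}

# make_tactic_skeleton DIR: create the layout with placeholder files so a
# new tactic starts from a complete tree. Existing files are left alone.
# (Placeholder contents are an assumption of this example.)
make_tactic_skeleton() {
    mkdir -p "$1/client" "$1/server"
    for rel in $REQUIRED_PATHS; do
        if [ ! -e "$1/$rel" ]; then
            case $rel in
                *.sh) printf '#!/bin/sh\n# TODO: %s\n' "$rel" > "$1/$rel" ;;
                *)    : > "$1/$rel" ;;   # empty parameters file (name<TAB>value lines)
            esac
        fi
    done
}
```

Run check_tactic_layout against the tactic folder before running register.sh; a non-zero exit means something in the list above is missing.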
Section 2
Some guidance for GitHub (getting a repository, making changes and uploading with git):
- Clone a repository
git clone https://github.com/signposts/tactics.git
- Make changes to the repository (add/delete/modify files/folders)
cd tactics
- Add changes
git add ./
- Commit changes
git commit
- Push back the repository
git push origin master
NOTE: If a file/folder was deleted, use git add -A (which also stages deletions) or git commit -a instead of plain git commit.
Section 3
Generating keys between client and server:
Keys are needed so that all file transfers and other communication between client and server work without a password. A key without a passphrase is as sensitive as the password it replaces: anyone who can read the private key file can log in to the server as that user, so keep it readable by its owner only (mode 600) and never commit it to the repository.
First, make sure the directory /root/.ssh exists. Check it with:
sudo su
cd
cd .ssh (when you type 'pwd' you should get '/root/.ssh' as output)
If you are able to cd into the .ssh directory as root, it exists. If not, create it (it should be owner-only, mode 700):
sudo su
cd
mkdir .ssh
Type the following commands at the client [before this, make sure /root/.ssh exists as mentioned above]:
ssh-keygen After this, you will be asked for the name of the key file with its full path. Give it as /home/machine_name/.ssh/key_file_name, where machine_name is your login user name on the client (the last part of the output of echo $HOME, not the hostname). Don't enter any passphrase when prompted.
ssh-add /home/machine_name/.ssh/key_file_name This adds the key to the authentication agent (ssh-agent must be running, which it normally is on a desktop login).
ssh-copy-id -i /home/machine_name/.ssh/key_file_name.pub server_name@server_IP This appends the client's public key to the 'authorized_keys' file of server_name on the server machine (creating the file if needed). You are asked for the server password this one time.
sudo cp /home/machine_name/.ssh/key_file_name /root/.ssh/ This copies the private key to root's .ssh directory, which is needed when scp or ssh is run with sudo (root does not read your user's keys). The copy must stay owner-only (mode 600), otherwise ssh refuses to use it. Passing the key explicitly (sudo ssh -i /home/machine_name/.ssh/key_file_name ...) avoids the second copy, but the config file in Section 4 expects a single path_to_key, so the copy is the simpler route here.
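The steps above depend on file modes that ssh enforces silently: a private key readable by other users is rejected ("UNPROTECTED PRIVATE KEY FILE"), and then the automation falls back to prompting for a password. The following is an added example, not part of the signposts/tactics repository, that creates the .ssh directory with the right mode and checks a key the way ssh will. It uses ls rather than stat so it runs in plain POSIX sh on any system; the generate_key helper chooses an ed25519 key, whereas plain ssh-keygen as used above defaults to RSA.

```sh
# Added example; not part of the signposts/tactics repository.
# Checks the file modes OpenSSH requires before it uses a key without a
# password prompt: ~/.ssh should be 700 and the private key 600.

# mode_of PATH: print the 10-character mode string from ls, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# ensure_ssh_dir HOME_DIR: create HOME_DIR/.ssh with mode 700 if missing.
ensure_ssh_dir() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
}

# check_key_perms KEYFILE: return 0 if the key is 600 and its directory is
# 700, otherwise print what to fix and return 1.
check_key_perms() {
    key=$1
    dir=$(dirname "$key")
    ok=0
    case $(mode_of "$dir") in
        drwx------) ;;
        *) echo "bad mode on $dir: need 700 (chmod 700 $dir)"; ok=1 ;;
    esac
    case $(mode_of "$key") in
        -rw-------) ;;
        *) echo "bad mode on $key: need 600 (chmod 600 $key)"; ok=1 ;;
    esac
    return $ok
}

# generate_key HOME_DIR NAME: create a passphrase-less key pair (as this
# section requires) at HOME_DIR/.ssh/NAME and verify its modes. ed25519 is
# this example's choice; the page's plain ssh-keygen produces an RSA key.
generate_key() {
    command -v ssh-keygen >/dev/null || { echo "ssh-keygen not found" >&2; return 1; }
    ensure_ssh_dir "$1"
    ssh-keygen -q -t ed25519 -N '' -f "$1/.ssh/$2" && check_key_perms "$1/.ssh/$2"
}
```

Run check_key_perms on both copies of the key: the one under /home/machine_name/.ssh and the one copied to /root/.ssh, since cp under sudo creates a root-owned file with root's umask rather than preserving the original mode.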
Section 4
Files in this folder other than the available tactics
index This file contains the list of available tactics. When register.sh in a tactic folder is run, it registers that tactic: its name is appended to this file and the tactic folder is copied into the 'working' directory of the repository.
config This file contains the parameters that are not specific to any tactic and are needed to connect client and server. Currently there are 3 parameters:
> server_name: login name on the server (the server_name used with ssh-copy-id in Section 3)
> server_ip: IP of the server
> path_to_key: full path, on the client, to the private key created above (example: /root/.ssh/key_file_name)
NOTE: Each value must be separated from its parameter name by exactly one tab character (not spaces).
client.sh This shell script will run the following scripts of each existing tactic in the 'working' directory of the repository:
> install.sh: This will install all the packages necessary for each tactic.
> aprior.sh: This will do everything necessary to set up the client of each tactic, like copying the files generated by the server for use by the client.
> initialize_client.sh: This will start the clients of each tactic.
NOTE: BEFORE RUNNING client.sh, server.sh SHOULD BE RUN AT SERVER ie SERVER SHOULD BE UP AND RUNNING BEFORE CLIENT
server.sh This shell script will run the following scripts of each existing tactic in the 'working' directory of the repository:
> install.sh: This will install all the packages necessary for each tactic.
> aprior.sh: This will do everything necessary to set up the server of each tactic, like generating the files needed by the client.
> initialize_server.sh: This will start the servers of each tactic.
client_stop.sh This will stop all the tactics running at client side
server_stop.sh This will stop all the tactics running at server side
NOTE: Run server_stop.sh at the server BEFORE running client_stop.sh at the client.
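The tab rule for the config file is the kind of thing that fails late and confusingly: a line written as "server_ip 1.2.3.4" with a space is simply never matched, and the automation then tries to ssh to an empty address. The following is an added example, not code from signposts/tactics, showing how a reader of the config/parameters format can enforce that rule up front. The three parameter names are the ones listed above; the config contents in the test are constructed.

```sh
# Added example; not code from the signposts/tactics repository.
# Reads files in the config/parameters format used here: one
# "name<TAB>value" line per parameter.

# get_param FILE NAME: print the value of NAME, or fail (exit 1) when the
# line is missing or uses spaces instead of a tab, which the NOTE warns about.
get_param() {
    val=$(awk -F'\t' -v n="$2" '
        $1 == n { print $2; found = 1; exit }
        END { if (!found) exit 1 }' "$1") || return 1
    printf '%s\n' "$val"
}

# check_params FILE: report every non-blank line that is not exactly
# name<TAB>value; return 1 if any such line exists.
check_params() {
    awk -F'\t' '
        /^[ \t]*$/ { next }
        NF != 2 { printf "%s:%d: expected name<TAB>value, got: %s\n", FILENAME, FNR, $0; bad = 1 }
        END { exit bad }' "$1"
}

# load_config FILE: set server_name, server_ip and path_to_key from the
# config file described above; fail if any of the three is missing. The
# key readability check is only a warning, since the file is normally read
# as root (the key lives in /root/.ssh).
load_config() {
    server_name=$(get_param "$1" server_name) || { echo "config: missing server_name" >&2; return 1; }
    server_ip=$(get_param "$1" server_ip)     || { echo "config: missing server_ip" >&2; return 1; }
    path_to_key=$(get_param "$1" path_to_key) || { echo "config: missing path_to_key" >&2; return 1; }
    [ -r "$path_to_key" ] || echo "warning: $path_to_key is not readable by $(id -un)" >&2
    return 0
}
```

check_params is equally applicable to each tactic's client/parameters and server/parameters file, since Section 6 describes them in the same name and value form.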
Section 5
Cloning the repository and registering the tactics:
Clone the repository:
git clone https://github.com/signposts/tactics.git
sh your_path_to_folder_containing_tactic/register.sh name_of_tactic
-> Run this once from any system; it need not be a client or server system.
-> This copies the entire tactic folder into the 'working' directory of the signposts/tactics repository and adds the name of the tactic to the $HOME/tactics/index file.
NOTE: DO NOT run register.sh with sudo. Register a tactic only if it is complete and ready to be used. Otherwise put the tactic in the repository OUTSIDE the 'working' directory; it won't be used.
Section 6
Parameters which need to be changed in available tactics:
All tactic-specific parameters, which shall be changed according to the client and server systems in use, are given in tactic_name/client/parameters and tactic_name/server/parameters.
- Iodine
Server:
-> Password: Used to connect the server to a client. Both client and server must give the same password.
-> Domain: Queries made by the client for this domain name will be answered by the server.
Client:
-> Password: Used to connect the server to a client. Both client and server must give the same password.
-> Domain: The client should make its queries using this domain name, as the server responds only to queries for this name.
NOTE: If an Amazon instance is started again after being stopped, its public IP changes. Update the public IP in the BIND zone file or at freedns.afraid.org/subdomain/edit.php, whichever applies.
- openVPN
Server:
-> Country_name: Give the country name. It must be exactly 2 letters.
-> Province_name: Give the province name. It must be exactly 2 letters.
-> City_name: Give the city name.
-> Origin_name: Give the origin name.
-> Email: Give an email id with proper syntax.
-> Host_name1: Give the name of the first client. The client shall give the same name in its parameters file.
-> Host_name2: Give the name of the second client. The client shall give the same name in its parameters file.
-> Port: Give the port on which the openVPN server listens. Currently it is 5060.
Client:
-> Port: Give the port on which the openVPN client connects to the server. Both client and server must mention the same port. Currently it is 5060.
-> Host_name: Give the name of the client as mentioned in the server's Host_name1/Host_name2.
NOTE: THE NAMES FOR THE TWO CLIENTS (Host_name1 and Host_name2 in the server parameters) MUST BE DIFFERENT. Country_name and Province_name (server parameters) MUST BE EXACTLY 2 LETTERS.
- Tor
Server: -> Port: Mention the port number on which the hidden service needs to run. Currently it is 5061.
Client: -> Port: Mention the port number on which the hidden service at the server is running. Currently it is 5061.
- ssh_tap
Server:
NOTE: Edit /etc/ssh/sshd_config (open it with any editor) and add:
PermitTunnel yes
PermitRootLogin yes
Then restart ssh so the change takes effect:
> sudo /etc/init.d/ssh restart
Since the client authenticates with the key from Section 3, PermitRootLogin prohibit-password (called without-password on older OpenSSH) also works and keeps password logins for root disabled; PermitRootLogin yes additionally allows root to log in with a password.
Parameters:
-> Dev_num1: Give the device number of the tap interface (eg. tap0, tap1 etc.) used to connect to the first client. The SAME number shall be mentioned by that client in its Dev_num parameter.
-> Dev_num2: Give the device number of the tap interface (eg. tap0, tap1 etc.) used to connect to the second client. The SAME number shall be mentioned by that client in its Dev_num parameter.
Client: -> Dev_num: Give the device number of the tap interface (eg. tap0, tap1 etc.) used to connect to the server.
NOTE: Dev_num1 and Dev_num2 SHALL BE DIFFERENT.
After setting up the tunnel between client and server, both clients need to add routes to reach each other, like:
> sudo route add -net NET_ID_OF_OTHER_CLIENT_NETWORK netmask x.x.x.x gw IP_OF_SERVER_INTERFACE_FROM_CLIENT
(with iproute2 the equivalent is: sudo ip route add NET_ID_OF_OTHER_CLIENT_NETWORK/PREFIX via IP_OF_SERVER_INTERFACE_FROM_CLIENT)
- ssh_tun
Server:
NOTE: Edit /etc/ssh/sshd_config (open it with any editor) and add:
PermitTunnel yes
PermitRootLogin yes
Then restart ssh so the change takes effect:
> sudo /etc/init.d/ssh restart
As for ssh_tap, PermitRootLogin prohibit-password (without-password on older OpenSSH) is enough here because the client logs in as root with the key from Section 3, and it keeps password logins for root disabled.
Parameters:
-> Dev_num1: Give the device number of the tun interface (eg. tun0, tun1 etc.) used to connect to the first client. The SAME number shall be mentioned by that client in its Dev_num parameter.
-> Dev_num2: Give the device number of the tun interface (eg. tun0, tun1 etc.) used to connect to the second client. The SAME number shall be mentioned by that client in its Dev_num parameter.
Client: -> Dev_num: Give the device number of the tun interface (eg. tun0, tun1 etc.) used to connect to the server.
NOTE: Dev_num1 and Dev_num2 SHALL BE DIFFERENT.
There is no 'initialize_server.sh' script for this tactic, because it was not feasible to create a persistent tun interface with tunctl, so the client must log in as 'root'. In this tactic only, the client therefore runs first, using 'initialize_client.sh', which starts ssh and configures the tun interface at the client. Then run 'config_iface' at the server, which configures the tun interface at the server.
After setting up the tunnel between client and server, both clients need to add routes to reach each other, like:
> sudo route add -net NET_ID_OF_OTHER_CLIENT_NETWORK netmask x.x.x.x gw IP_OF_SERVER_INTERFACE_FROM_CLIENT
(with iproute2 the equivalent is: sudo ip route add NET_ID_OF_OTHER_CLIENT_NETWORK/PREFIX via IP_OF_SERVER_INTERFACE_FROM_CLIENT)
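Both ssh_tap and ssh_tun need the same two sshd_config changes, and a stock sshd_config usually carries them as commented defaults (e.g. "#PermitTunnel no"), so just appending new lines leaves two copies of the keyword and sshd honours whichever comes first. The following is an added example, not part of the signposts/tactics repository, that sets a directive idempotently and reads back the value sshd will actually use. It assumes a config without Match blocks (the global section only); the sample config in the test is constructed.

```sh
# Added example; not part of the signposts/tactics repository.
# Sets an sshd_config directive in place (replacing an existing or
# commented-out line rather than appending a duplicate) and reads back the
# effective value. Assumes no Match blocks: sshd uses the first occurrence
# of a keyword, and this example treats the whole file as the global section.

# set_sshd_option FILE KEY VALUE: replace the first line whose first word
# (after an optional leading "#") is KEY, case-insensitively; append if none.
# Note: a comment sentence that begins with the keyword is replaced too.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # drop leading whitespace and "#"
            n = split(line, f, /[ \t]+/)
            if (!done && n > 0 && tolower(f[1]) == tolower(k)) {
                print k " " v
                done = 1
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option FILE KEY: print the value sshd will use for KEY, i.e. the
# first uncommented occurrence; prints nothing if KEY is not set.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# enable_ssh_tunnels FILE: the two changes this section asks for. The root
# login mode is an argument so the caller can pick prohibit-password, which
# suffices with the key-based login from Section 3, instead of yes.
enable_ssh_tunnels() {
    set_sshd_option "$1" PermitTunnel yes
    set_sshd_option "$1" PermitRootLogin "${2:-prohibit-password}"
}
```

On the real server, run it as root against /etc/ssh/sshd_config, then validate with sudo sshd -t (silent on success) before sudo /etc/init.d/ssh restart; a syntax error caught by sshd -t is far cheaper than a restart that leaves the server without ssh.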
Steps to be followed:
- Generate keys as mentioned above (Section 3).
- Optional step: Clone the repository and register a tactic (Section 5). Make sure the tactic name appears in the $HOME/tactics/index file (Section 4).
- Change general parameters in $HOME/tactics/config file (Section 4).
- Change tactic specific parameters both in $HOME/tactics/tactic_name/server/parameters and $HOME/tactics/tactic_name/client/parameters at server and client respectively.
- Run $HOME/tactics/server.sh at server first.
- Run $HOME/tactics/client.sh at client.
- In order to stop running tactics at server, run server_stop.sh.
- In order to stop running tactics at client, run client_stop.sh.
- If any new tactic is registered, add it to GitHub (Section 2).
Special Notes
-> If any changes are made to the repository by adding or deleting tactics, don't forget to add and commit those changes and push the repository back.
-> Make sure the SERVER is up and RUNNING before the CLIENT.
-> Carefully follow all the NOTES in the respective sections.