jamiees2 edited this page Dec 31, 2014 · 7 revisions

DNAT (Advanced Setup)

DNAT mode enables DNS unblocking for multimedia players (or applications) that can't handle SNI, while still using just a single IP address on the proxy server, by means of DNAT trickery. See here for more information on this mode.

Non-exhaustive list of devices which don't understand SNI:

  • Xbox 360
  • PS3
  • All Sony Bravia TVs and Blu-ray players
  • Older Samsung TVs

As some devices do not support SNI, we instead use DNS to point each domain at its own IP address. All of these addresses are virtual interfaces on a router, and the router redirects each one to a specific port on our proxy server. This has a few caveats, most importantly:

  • You will either need the money for an IPv4 block, which is quite expensive,
  • or you will need DD-WRT or similar firmware on your router, which is somewhat advanced.
  • Another option is using a Raspberry Pi for the iptables routing, which is as advanced as DD-WRT.

In short, you should consider the SNI mode first.

In any case, for setting up multiple IP addresses on a single interface, refer to here.

## Setting up config.json

Make sure that you have created config.json and that it is correct. There is a sample, config-sample.json, which you can base your configuration on. Importantly, make sure public_ip, base_ip, and base_port are all correct.

  • public_ip should be set to the public IP of your HAproxy server.
  • base_ip is the first IP to use; each further domain gets the next IP address in sequence. The script will print out all these IP addresses, and you must make sure each of them is a virtual interface on your iptables router.
  • base_port is the first port to use; each further domain gets the next port in sequence. These ports must be open for incoming traffic on your HAproxy server, and open for outgoing traffic on your local network.

Make sure to sync config.json across all the servers/devices, as these commands are intended to be run on different servers/devices.
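To make the chain described above concrete (DNS answer -> virtual IP on the router -> DNAT -> port on the HAproxy server), here is an added example script that derives the three configuration fragments from a tiny constructed config. It is not the dnsproxy generator's own code or its exact output format: the sample values (public IP, base IP, base port, domain list) are constructed, and the mapping of one virtual IP per domain plus two consecutive proxy ports per domain (HTTP and HTTPS) is an assumption chosen for illustration, not the project's layout.

```sh
#!/bin/sh
# Added example, not part of the dnsproxy project. Shows how the DNAT-mode
# pieces line up: dnsmasq maps a domain to a virtual router IP, iptables
# DNATs that IP to a port on the proxy, and HAproxy forwards that port to
# the real host.
# Assumptions (illustrative only):
#   - domain number i gets virtual IP  base_ip + i
#   - domain number i gets proxy ports base_port + 2*i (HTTP) and
#     base_port + 2*i + 1 (HTTPS)

PUBLIC_IP="203.0.113.5"    # constructed: public IP of the HAproxy VPS
BASE_IP="10.0.0.10"        # constructed: first virtual IP on the router
BASE_PORT="27000"          # constructed: first listening port on HAproxy
DOMAINS="video.example.com music.example.net"   # constructed sample list

# ip_at BASE INDEX -> BASE with its last octet increased by INDEX
ip_at() {
    prefix=${1%.*}
    last=${1##*.}
    echo "$prefix.$((last + $2))"
}

# The two proxy ports assigned to the INDEX-th domain.
http_port()  { echo $((BASE_PORT + 2 * $1)); }
https_port() { echo $((BASE_PORT + 2 * $1 + 1)); }

# dnsmasq fragment: answer each domain with its virtual router IP.
gen_dnsmasq() {
    i=0
    for d in $DOMAINS; do
        echo "address=/$d/$(ip_at "$BASE_IP" $i)"
        i=$((i + 1))
    done
}

# iptables fragment: enable forwarding, then DNAT each virtual IP's
# port 80 and 443 to the matching proxy ports on the public IP.
gen_iptables() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    i=0
    for d in $DOMAINS; do
        vip=$(ip_at "$BASE_IP" $i)
        echo "iptables -t nat -A PREROUTING -d $vip -p tcp --dport 80 -j DNAT --to-destination $PUBLIC_IP:$(http_port $i)"
        echo "iptables -t nat -A PREROUTING -d $vip -p tcp --dport 443 -j DNAT --to-destination $PUBLIC_IP:$(https_port $i)"
        i=$((i + 1))
    done
}

# HAproxy fragment: one TCP listener per proxy port, forwarding to the
# real host. TCP mode passes TLS through untouched, so no certificates
# are needed on the proxy.
gen_haproxy() {
    i=0
    for d in $DOMAINS; do
        printf 'listen %s_http\n    bind %s:%s\n    mode tcp\n    server real %s:80\n\n' \
            "$d" "$PUBLIC_IP" "$(http_port $i)" "$d"
        printf 'listen %s_https\n    bind %s:%s\n    mode tcp\n    server real %s:443\n\n' \
            "$d" "$PUBLIC_IP" "$(https_port $i)" "$d"
        i=$((i + 1))
    done
}

# Print all three fragments when run directly.
echo "# --- dnsmasq ---";  gen_dnsmasq
echo "# --- iptables ---"; gen_iptables
echo "# --- haproxy ---";  gen_haproxy
```

Reading the three fragments side by side makes the consistency requirement in this section visible: the virtual IP in the dnsmasq line, the -d address in the iptables rule, and the port in the HAproxy bind line all come from the same index, which is why config.json has to be identical on every machine that runs the generator.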

## Setting up HAproxy

First, provision a server from any VPS provider, but make sure it is located in the country you would like your location to come from. A 128 MB VPS is enough. Run these commands on that server.

Clone the repo: `git clone https://github.com/jamiees2/dnsproxy.git`.

Run the generator: `python dnsproxy.py -o haproxy --dnat`. The generator will create the file output/haproxy.conf.

Install HAproxy. On Ubuntu you can do the following (as root):

```sh
apt-get update -qq && apt-get install -y software-properties-common
add-apt-repository -y ppa:vbernat/haproxy-1.5
apt-get update -qq && apt-get install -y haproxy
```

Copy output/haproxy.conf to /etc/haproxy.cfg.

Restart HAproxy: `sudo service haproxy restart`.

## Setting up DNSMasq

First of all, generate the configuration by running `python dnsproxy.py -o dnsmasq --dnat`.

If you are running dnsmasq on a server, like a Raspberry Pi, install dnsmasq with `sudo apt-get install dnsmasq`. Then set it up by copying output/dnsmasq-haproxy.conf to /etc/dnsmasq.d/. If /etc/dnsmasq.d/ doesn't exist, you might want to copy it to /etc/dnsmasq.conf instead.

If you would like to set up dnsmasq on your router, assuming it is running DD-WRT, you can simply append the contents to the DNSMasq textbox under Services->DNSMasq.

## Setting up the hosts file (Optional, only necessary if you didn't bother setting up dnsmasq)

You can also use a hosts file, which will only work locally though.

Generate it with `python dnsproxy.py -o hosts --dnat`. Append the contents of output/hosts-haproxy.txt to /etc/hosts or to %SystemRoot%\system32\drivers\etc\hosts, depending on whether your local computer is Linux or Windows.

## Setting up iptables

Generate the iptables script with `python dnsproxy.py -o iptables --dnat`.

If you have an iptables server: you can set up iptables by running iptables-haproxy.sh on your router, but keep in mind that those changes will not persist after a restart. Be sure to add it to the startup scripts so that it will persist.

You will need to enable IP forwarding. See here.

For DD-WRT, simply paste the contents of iptables-haproxy.sh into the textbox under Administration->Commands and click Save Firewall.

Test your new setup with http://trick77.com/dns-unblocking-setup-tester/
