Многоходовочка
- Russian banks and Public Services (Gosuslugi) have gradually stopped working reliably from foreign IPs
- Russian banks and Public Services are migrating to certificates issued by the Russian Ministry of Digital Development
- Installing the Russian CA system-wide would expose almost all of your other connections to decryption and snooping by the Russian authorities (man-in-the-middle attacks), since the system would then trust any certificate that CA issues for any site
- Using a public shared VPN or proxy for banks and services will likely result in a justified ban due to security concerns on the service side
Solution:
- Tunnel all necessary communication with Russian websites through a private Russian server with a clean, unique IP
- Isolate use of the Russian Certificate Authority to a separate containerized browser
- Configure that browser to always exit via Russia by default, while the rest of the system continues to work as usual
Tested on VDSina.
Don't forget to point your domain's DNS record at the newly created VPS (Traefik needs it to obtain the Let's Encrypt certificate)!
SSH in as root.
Update:
apt update && apt dist-upgrade -y
Install nano and wireguard:
apt -y install nano wireguard
Burn snap with fire:
systemctl stop snapd
apt remove --purge --assume-yes snapd
nano /etc/apt/preferences.d/nosnap.pref
# paste:
Package: snapd
Pin: release a=*
Pin-Priority: -10
# save and exit (Ctrl+O, Enter, Ctrl+X)
Remove leftovers:
apt autoremove
Enable automatic updates:
apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
# type "yes"
Add new user:
sudo adduser mmuser
Add to sudo:
usermod -aG sudo mmuser
Allow SSH login for the new user:
su - mmuser
mkdir -m 700 ~/.ssh
sudo apt install nano
nano ~/.ssh/authorized_keys
# paste your public ssh key
chmod 600 ~/.ssh/authorized_keys
Relogin with new user.
Disable root SSH login and password authentication:
sudo nano /etc/ssh/sshd_config
# change or add lines
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Reboot server:
sudo reboot
Add the Docker apt repository:
sudo apt install -y ca-certificates curl gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Install:
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
Add user to docker group:
sudo groupadd docker
sudo usermod -aG docker $USER
sudo reboot
Create a folder for docker compose:
mkdir ~/dockerworld
Create docker-compose:
nano ~/dockerworld/docker-compose.yaml
Contents; replace the variables <DOMAIN>, <PASSWORD> and <EMAIL> with your data:
version: "3.4"
services:
  wg-easy:
    environment:
      - WG_HOST=<DOMAIN>
      - PASSWORD=<PASSWORD>
      - WG_PERSISTENT_KEEPALIVE=15
      # Yandex DNS https://dns.yandex.com/
      - WG_DEFAULT_DNS=77.88.8.8
      - WG_MTU=1280
    image: weejewel/wg-easy
    container_name: wg-easy
    hostname: wg-easy
    volumes:
      - ./wg-easy:/etc/wireguard
    ports:
      # only WireGuard itself is published; the web UI (51821) is reached through Traefik
      - "51820:51820/udp"
    dns:
      - 77.88.8.8
      - 77.88.8.1
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - traefik.enable=true
      - traefik.http.routers.wg-easy.entrypoints=websecure
      - traefik.http.routers.wg-easy.rule=Host(`<DOMAIN>`)
      - traefik.http.routers.wg-easy.service=wg-easy
      - traefik.http.services.wg-easy.loadbalancer.server.port=51821
  traefik:
    image: traefik:v2.8
    container_name: traefik
    command:
      - "--certificatesresolvers.http.acme.email=<EMAIL>"
      - "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.http.acme.tlschallenge=true"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=http"
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      # disables TLS verification towards backends; the wg-easy UI is plain HTTP, so this is only needed if you add a backend with a self-signed certificate
      - "--serverstransport.insecureskipverify=true"
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik_certs:/letsencrypt
    ports:
      - "443:443"
  socks5:
    image: serjs/go-socks5-proxy
    container_name: socks5
    restart: always
    # shares the wg-easy network namespace: port 1080 is not published, so the proxy
    # is reachable only from inside the tunnel, at 10.8.0.1:1080
    network_mode: 'service:wg-easy'
Start:
cd ~/dockerworld
docker compose up -d
Install UFW:
sudo apt install ufw
Configure rules:
sudo ufw default deny incoming
sudo ufw default allow outgoing
# ssh
sudo ufw allow 22
# https
sudo ufw allow 443
# wg
sudo ufw allow 51820
Enable UFW:
sudo ufw enable
- Log into wg-easy on your domain
- Create a new client
- Scan QR code
- :)
Creating a separate isolated RU-only browser: KGBfox
Note: WebRTC doesn't work through a proxy. Use full VPN for WebRTC applications.
Create a new client in wg-easy, download the config and set up a WireGuard connection with your tool of choice. Change AllowedIPs from 0.0.0.0/0 to 10.8.0.0/24 and remove the DNS setting, so that only the isolated browser exits through Russia. Otherwise leave the config unchanged and simply connect and disconnect at will to pipe all traffic through Russia.
To configure WG from the CLI instead:
sudo gedit /etc/wireguard/wg0.conf
# paste your config with adjusted AllowedIPs
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
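The AllowedIPs/DNS edit above as a script, plus a check to run before enabling wg-quick@wg0, as an added example that is not part of the original guide. It assumes the wg-easy defaults used in this guide (10.8.0.0/24 subnet, 77.88.8.8 DNS); the sample config is constructed, with placeholder keys.

```shell
#!/bin/sh
# Added example: turn the full-tunnel client config downloaded from wg-easy
# into the split-tunnel version described above, then verify it.

# Constructed sample of what wg-easy hands out (keys are placeholders).
sample_full_config() {
    cat <<'EOF'
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.8.0.2/24
DNS = 77.88.8.8

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
Endpoint = <DOMAIN>:51820
EOF
}

# Rewrite: route only the WireGuard subnet, and drop the DNS line so the
# tunnel never replaces the system resolver (the browser's SOCKS proxy
# resolves names on the Russian side by itself).
split_tunnel_config() {   # usage: split_tunnel_config full.conf > wg0.conf
    awk '
        /^[ \t]*DNS[ \t]*=/        { next }
        /^[ \t]*AllowedIPs[ \t]*=/ { print "AllowedIPs = 10.8.0.0/24"; next }
        { print }
    ' "$1"
}

# Check a config before `systemctl start wg-quick@wg0`: anything broader
# than 10.8.0.0/24 (e.g. a surviving 0.0.0.0/0 or ::/0) would silently pull
# the whole system through Russia, and a DNS line would route every lookup.
check_split_tunnel() {   # returns 0 only for a correct split-tunnel config
    if grep -Eq '^[[:space:]]*DNS[[:space:]]*=' "$1"; then
        echo "refusing: DNS= present, tunnel would override the resolver" >&2
        return 1
    fi
    allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1")
    if [ "$allowed" != "10.8.0.0/24" ]; then
        echo "refusing: AllowedIPs='$allowed', expected 10.8.0.0/24" >&2
        return 1
    fi
    return 0
}
```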
Assuming you already have Flatpak with added Flathub, install Firefox:
flatpak install flathub org.mozilla.firefox
or follow the official guide.
Force Firefox to run as Wayland, if you wish:
sudo flatpak override --socket=wayland --env=MOZ_ENABLE_WAYLAND=1 org.mozilla.firefox
Create a separate profile for KGBfox with the name kgbfox:
flatpak run org.mozilla.firefox -p
After creating the profile, exit without starting it and do not switch your default profile to kgbfox. If you did switch, close all Firefox windows and run the above command again to select the proper default profile for the non-isolated Firefox and start it.
Download an icon for KGBfox, for example:
sudo wget -O /opt/kgbfox.png https://upload.wikimedia.org/wikipedia/commons/thumb/d/d9/Coat_of_arms_of_the_Soviet_Union_%281956%E2%80%931991%29.svg/745px-Coat_of_arms_of_the_Soviet_Union_%281956%E2%80%931991%29.svg.png
From Wikipedia, not subject to copyright as a state symbol
Create a separate launcher for KGBfox. The launcher also sets the Moscow timezone for the browser, to help it blend in even better.
gedit ~/.local/share/applications/kgbfox.desktop
Contents:
[Desktop Entry]
Version=1.0
Name=KGBfox
GenericName=KGB Browser
Comment=Browse the Cheburnet
Exec=env TZ="Europe/Moscow" /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=firefox org.mozilla.firefox --name kgbfox --class kgbfox -p kgbfox -no-remote
Icon=/opt/kgbfox.png
Terminal=false
Type=Application
StartupNotify=true
Categories=Network;WebBrowser;
Keywords=web;browser;internet;
StartupWMClass=kgbfox
Temporary fix for icon matching in GNOME, in case you don't use the main launcher for the Firefox Flatpak (or create a separate one for your main profile):
echo "[Desktop Entry]" > ~/.local/share/applications/org.mozilla.firefox.desktop
Now search and open KGBfox from the app list.
Set the proxy: go to Settings, scroll down to Network Settings and set a manual SOCKS5 proxy with address 10.8.0.1 and port 1080. In addition, check the box for sending DNS requests via the proxy ("Proxy DNS when using SOCKS v5") to avoid DNS leaks.
Disable Tracking Protection, so that it doesn't interfere. Go to Privacy settings (about:preferences#privacy) and adjust accordingly.
Optional additional configuration to turn off features that will not be used:
# in about:config disable Sync, Pocket and sponsored content
identity.fxaccounts.enabled = false
extensions.pocket.enabled = false
browser.newtabpage.activity-stream.showSponsored = false
browser.newtabpage.activity-stream.showSponsoredTopSites = false
browser.disableResetPrompt = true
If you want to separate the KGBfox visually even further, set a theme. The link to themes:
https://addons.mozilla.org/ru/firefox/themes/
Download and install the two certificate authorities from the Russian Ministry of Digital Development into KGBfox:
https://gu-st.ru/content/Other/doc/russian_trusted_root_ca.cer
https://gu-st.ru/content/Other/doc/russian_trusted_sub_ca.cer
The certificates are to be imported under Settings (about:preferences#privacy) -> Privacy & Security -> Certificates -> View Certificates -> Authorities.
DO NOT INSTALL THESE CERTIFICATES OUTSIDE OF KGBFOX!
Check them working on a Sberbank test page:
https://www.sberbank.ru/ru/certificates