@thermatk
Last active October 3, 2022 16:14

Project Moremover

A multi-move scheme

  • Russian banks and Public Services (Gosuslugi) have gradually stopped working reliably from foreign IPs
  • Russian banks and Public Services are migrating to certificates issued by the Russian Ministry of Digital Development
    • Installing the Russian CA system-wide would expose almost all of your other connections to decryption and snooping by the Russian authorities (man-in-the-middle attacks)
  • Using a public shared VPN or proxy for banks and services will likely result in a justified ban, due to security concerns on the service side

Solution:

  • Tunneling all necessary communication with Russian websites through a private Russian server with a clean, unique IP
  • Isolating use of the Russian Certificate Authority to a special containerized browser
  • Configuring the designated browser so that it always exits via Russia by default, while the rest of the system continues to work as usual

Get a KVM-based VPS with Ubuntu in Russia

Tested on VDSina.

Don't forget to point a domain's DNS record to the newly created VPS!

First steps

SSH in as root.

Update:

apt update && apt dist-upgrade -y

Install nano and wireguard:

apt -y install nano wireguard

Burn snap with fire:

systemctl stop snapd
apt remove --purge --assume-yes snapd
nano /etc/apt/preferences.d/nosnap.pref
# paste:
Package: snapd
Pin: release a=*
Pin-Priority: -10
# save and exit (Ctrl+O, Enter, Ctrl+X)

Remove leftovers:

apt autoremove

Enable automatic updates:

apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades
# type "yes"

Add new user:

sudo adduser mmuser

Add to sudo:

usermod -aG sudo mmuser

Allow ssh into new user:

su - mmuser
mkdir ~/.ssh
chmod 700 ~/.ssh                  # sshd (StrictModes) ignores keys in a directory others can write to
sudo apt install nano
nano ~/.ssh/authorized_keys
# paste your public ssh key
chmod 600 ~/.ssh/authorized_keys  # keep the key list private to the user

Log in again as the new user.

Disable ssh with root and password login:

sudo nano /etc/ssh/sshd_config
# change or add these lines
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
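Added here as an example (not part of the gist): a check that the lines above are what sshd will actually use. On Ubuntu, /etc/ssh/sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it reads for a keyword, so a drop-in in that directory (cloud images ship one) can silently override the edit; `sshd -T` prints the merged result, and this function reads it.

```shell
# Added example, not from the original gist: verify the *effective* sshd settings.
# `sshd -T` prints the merged configuration, keywords lowercased, one "keyword value"
# per line, with Include drop-ins already applied.
# Usage on the server: sudo sshd -T | check_sshd_hardening

check_sshd_hardening() {
    cfg=$(cat)          # sshd -T output on stdin
    failures=0
    # Comma-separated alternatives: older OpenSSH reports
    # challengeresponseauthentication, 8.7+ reports kbdinteractiveauthentication.
    for key in permitrootlogin passwordauthentication \
               challengeresponseauthentication,kbdinteractiveauthentication usepam; do
        actual=$(printf '%s\n' "$cfg" | awk -v keys="$key" '
            BEGIN { n = split(keys, k, ",") }
            { for (i = 1; i <= n; i++) if ($1 == k[i]) { print $2; exit } }')
        if [ "$actual" = "no" ]; then
            echo "ok    ${key%%,*} = no"
        else
            echo "FAIL  ${key%%,*} = ${actual:-<unset>} (expected no)"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]   # exit status 0 only when every check passed
}

# Constructed sample of `sshd -T` output (a hardened host) so the block runs stand-alone.
SAMPLE_SSHD_T='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
usepam no'
printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_hardening
```

Run it again after the reboot below; a FAIL line means a drop-in file still wins over the edited sshd_config.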

Reboot server:

sudo reboot

Install docker and compose

Add repo:

sudo apt install -y ca-certificates curl gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install:

sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

Add user to docker group:

sudo groupadd docker
sudo usermod -aG docker $USER
sudo reboot

Install wg-easy

Create a folder for docker compose:

mkdir ~/dockerworld

Create docker-compose:

nano ~/dockerworld/docker-compose.yaml

Contents; replace the variables <DOMAIN>, <PASSWORD> and <EMAIL> with your data:

version: "3.4"

services:
  wg-easy:
    environment:
      - WG_HOST=<DOMAIN>
      - PASSWORD=<PASSWORD>
      - WG_PERSISTENT_KEEPALIVE=15
      # Yandex DNS https://dns.yandex.com/
      - WG_DEFAULT_DNS=77.88.8.8
      - WG_MTU=1280
    image: weejewel/wg-easy
    container_name: wg-easy
    hostname: wg-easy
    volumes:
      - ./wg-easy:/etc/wireguard
    ports:
      - "51820:51820/udp"
    dns:
      - 77.88.8.8
      - 77.88.8.1
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - traefik.enable=true
      - traefik.http.routers.wg-easy.entrypoints=websecure
      - traefik.http.routers.wg-easy.rule=Host(`<DOMAIN>`)
      - traefik.http.routers.wg-easy.service=wg-easy
      - traefik.http.services.wg-easy.loadbalancer.server.port=51821
  traefik:
    image: traefik:v2.8
    container_name: traefik
    command:
      - "--certificatesresolvers.http.acme.email=<EMAIL>"
      - "--certificatesresolvers.http.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.http.acme.tlschallenge=true"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=http"
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--serverstransport.insecureskipverify=true"
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik_certs:/letsencrypt
    ports:
      - "443:443"
  socks5:
    image: serjs/go-socks5-proxy
    container_name: socks5
    restart: always
    network_mode: 'service:wg-easy'

Start:

cd ~/dockerworld
docker compose up -d

Install firewall

Install UFW:

sudo apt install ufw

Configure rules:

sudo ufw default deny incoming
sudo ufw default allow outgoing
# ssh
sudo ufw allow 22
# https
sudo ufw allow 443
# wg
sudo ufw allow 51820

Enable UFW:

sudo ufw enable

On mobile

  1. Log into wg-easy on your domain
  2. Create a new client
  3. Scan QR code
  4. :)

Isolated configuration on desktop

Creating a separate, isolated RU-only browser, KGBfox.

Note: WebRTC doesn't work through a proxy. Use full VPN for WebRTC applications.

Configuring WG for isolated browser

Create a new client in wg-easy, download the config and set up a WireGuard connection with your tool of choice. Change AllowedIPs from 0.0.0.0/0 to 10.8.0.0/24 and remove the DNS setting, so that only the isolated browser exits through Russia. If you instead want a full VPN, leave the config unchanged and simply connect and disconnect at will to pipe all traffic through Russia.

Suggested way to configure WG via the CLI:

sudo gedit /etc/wireguard/wg0.conf
# paste your config with adjusted AllowedIPs
sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
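An added example (not part of the gist) that produces the split-tunnel config described above from the file wg-easy lets you download, and writes it to /etc/wireguard/wg0.conf with root-only permissions, since it carries the client private key:

```shell
# Added example, not from the original gist: only the WireGuard subnet 10.8.0.0/24
# (where the socks5 container answers on 10.8.0.1:1080, sharing wg-easy's network
# namespace) is routed through the tunnel; everything else keeps the normal default
# route. The DNS line goes too, since KGBfox resolves names via the proxy.

split_tunnel_wg_conf() {
    # $1: client config downloaded from wg-easy; the adjusted config goes to stdout.
    awk '
        /^[[:space:]]*DNS[[:space:]]*=/        { next }   # drop the tunnel DNS setting
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ { print "AllowedIPs = 10.8.0.0/24"; next }
        { print }
    ' "$1"
}

install_split_tunnel() {
    # $1: downloaded config, $2: destination (default /etc/wireguard/wg0.conf).
    # The file holds the private key, so it is created with mode 0600 instead of
    # whatever umask an editor happens to apply.
    target=${2:-/etc/wireguard/wg0.conf}
    ( umask 077 && split_tunnel_wg_conf "$1" > "$target" ) && chmod 0600 "$target"
}

# Constructed sample shaped like a wg-easy export; the keys are placeholders, not real material.
SAMPLE_CLIENT_CONF=$(mktemp)
cat > "$SAMPLE_CLIENT_CONF" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
Address = 10.8.0.2/24
DNS = 77.88.8.8
MTU = 1280

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
PresharedKey = PLACEHOLDER_PRESHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
Endpoint = <DOMAIN>:51820
EOF
split_tunnel_wg_conf "$SAMPLE_CLIENT_CONF"
```

Run `install_split_tunnel ~/Downloads/kgbfox.conf` as root for the default target, then enable wg-quick@wg0 as shown above.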

Configuring KGBfox

Assuming you already have Flatpak with added Flathub, install Firefox:

flatpak install flathub org.mozilla.firefox

or follow the official guide.

Force Firefox to run as Wayland, if you wish:

sudo flatpak override --socket=wayland --env=MOZ_ENABLE_WAYLAND=1 org.mozilla.firefox

Create a separate profile for KGBfox with a name kgbfox:

flatpak run org.mozilla.firefox -p

After creating the profile, exit without starting it; do not switch your default profile to kgbfox. If you did switch, close all Firefox windows and run the above command again to select the proper default profile for the non-isolated Firefox and start it.

Download an icon for KGBfox, for example:

sudo wget -O /opt/kgbfox.png https://upload.wikimedia.org/wikipedia/commons/thumb/d/d9/Coat_of_arms_of_the_Soviet_Union_%281956%E2%80%931991%29.svg/745px-Coat_of_arms_of_the_Soviet_Union_%281956%E2%80%931991%29.svg.png

From Wikipedia, not subject to copyright as a state symbol

Create a separate launcher for KGBfox. The launcher also sets the Moscow timezone for the browser, to help it blend in even better.

gedit ~/.local/share/applications/kgbfox.desktop

Contents:

[Desktop Entry]
Version=1.0
Name=KGBfox
GenericName=KGB Browser
Comment=Browse the Cheburnet
Exec=env TZ="Europe/Moscow" /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=firefox org.mozilla.firefox --name kgbfox --class kgbfox -p kgbfox -no-remote
Icon=/opt/kgbfox.png
Terminal=false
Type=Application
StartupNotify=true
Categories=Network;WebBrowser;
Keywords=web;browser;internet;
StartupWMClass=kgbfox

Temporary fix for icon matching in GNOME, in case you don't use the main launcher for the Firefox Flatpak (or create a separate one for your main profile):

echo "[Desktop Entry]" > ~/.local/share/applications/org.mozilla.firefox.desktop

Now search and open KGBfox from the app list.

Set the proxy: go to Settings, scroll down to Network Settings, choose manual proxy configuration and set a SOCKS5 proxy with address 10.8.0.1 and port 1080. Also check the box for sending DNS requests through the proxy, to avoid DNS leaks.

Disable Tracking Protection, so that it doesn't interfere. Go to Privacy settings (about:preferences#privacy) and adjust accordingly.

Optional extra configuration to disable functions that will not be used:

# in about:config disable Sync, Pocket and sponsored content
identity.fxaccounts.enabled = false
extensions.pocket.enabled = false
browser.newtabpage.activity-stream.showSponsored = false
browser.newtabpage.activity-stream.showSponsoredTopSites = false
browser.disableResetPrompt = true
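The proxy settings and the about:config entries above, applied to the kgbfox profile as a user.js so that Firefox re-applies them on every start and the isolated profile cannot drift back to direct connections. This is an added example, not part of the gist; it assumes the Flatpak profile root ~/.var/app/org.mozilla.firefox/.mozilla/firefox, whose profiles.ini maps the profile name to its directory.

```shell
# Added example, not from the original gist. kgbfox_profile_dir looks the named
# profile up in profiles.ini; write_kgbfox_userjs drops a user.js into it.

kgbfox_profile_dir() {
    # $1: profile root, $2: profile name; prints the profile directory (nothing if absent)
    awk -v base="$1" -v name="$2" '
        function flush(  out) {
            if (!found && n == name && p != "") {
                out = (rel == "0") ? p : base "/" p; print out; found = 1
            }
            n = ""; p = ""; rel = ""
        }
        /^\[/          { flush() }
        /^Name=/       { n = substr($0, 6) }
        /^Path=/       { p = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) }
        END            { flush() }
    ' "$1/profiles.ini"
}

write_kgbfox_userjs() {
    dir=$(kgbfox_profile_dir "$1" "$2")
    [ -n "$dir" ] && [ -d "$dir" ] || { echo "profile '$2' not found under $1" >&2; return 1; }
    cat > "$dir/user.js" <<'EOF'
// Written for the isolated KGBfox profile; user.js overrides prefs.js at startup.
user_pref("network.proxy.type", 1);                 // manual proxy configuration
user_pref("network.proxy.socks", "10.8.0.1");       // socks5 container, reached over the tunnel
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);  // resolve on the proxy side: no DNS leak
user_pref("privacy.trackingprotection.enabled", false);
user_pref("identity.fxaccounts.enabled", false);
user_pref("extensions.pocket.enabled", false);
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
user_pref("browser.disableResetPrompt", true);
EOF
}

# Constructed stand-alone demo in a throwaway directory shaped like the profile root;
# on a real system pass ~/.var/app/org.mozilla.firefox/.mozilla/firefox instead.
DEMO_BASE=$(mktemp -d)
mkdir -p "$DEMO_BASE/abcd1234.kgbfox"
printf '[Profile0]\nName=default\nIsRelative=1\nPath=default-release\n\n[Profile1]\nName=kgbfox\nIsRelative=1\nPath=abcd1234.kgbfox\n' > "$DEMO_BASE/profiles.ini"
write_kgbfox_userjs "$DEMO_BASE" kgbfox
```

Write the file while KGBfox is closed; WebRTC bypasses the SOCKS proxy as noted above, so keep the browser out of WebRTC use unless the full-tunnel config is active.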

If you want to separate KGBfox visually even further, set a theme. Themes are available at:

https://addons.mozilla.org/ru/firefox/themes/

Download and install the two certificate authorities from the Russian Ministry of Digital Development into KGBfox:

https://gu-st.ru/content/Other/doc/russian_trusted_root_ca.cer
https://gu-st.ru/content/Other/doc/russian_trusted_sub_ca.cer

The certificates are to be imported under Settings (about:preferences#privacy) -> Privacy & Security -> Certificates -> View certificates -> Authorities.

DO NOT INSTALL THESE CERTIFICATES OUTSIDE OF KGBFOX!

Check that they work on Sberbank's certificate test page:

https://www.sberbank.ru/ru/certificates