Measuring I2P Censorship at a Global Scale (FOCI 19) about bbs HOT 2 OPEN

Is there any software for doing arbitrary measurement from VPN Gate (or other similar residential-based proxies like Luminati, Hola, etc). I think it'd be super useful to have a tool that lets a researcher craft a packet/connection, submit it to N hosts in country X, and then gets back a pcap or results for each host. One cool way could be a container of some kind (maybe docker, or even just a standard go API) that is setup to redirect its traffic to some measurement controller that (given a configuration) gets the traffic to exit from whatever residential-based proxies in country X and returns results (stdout logs from your custom script and/or pcaps).

Does anything approaching this already exist? I'm often finding myself asking questions like "I wonder what GFW/Iran/Country X does right now if you send a TLS/TCP/UDP/IP/IPv6 packet with the following features..." and usually the best answer is to spin up a VPS in the country which is often somewhat slow turnaround.

from bbs.

Is there any software for doing arbitrary measurement from VPN Gate (or other similar residential-based proxies like Luminati, Hola, etc). I think it'd be super useful to have a tool that lets a researcher craft a packet/connection, submit it to N hosts in country X, and then gets back a pcap or results for each host. One cool way could be a container of some kind (maybe docker, or even just a standard go API) that is setup to redirect its traffic to some measurement controller that (given a configuration) gets the traffic to exit from whatever residential-based proxies in country X and returns results (stdout logs from your custom script and/or pcaps).

Does anything approaching this already exist? I'm often finding myself asking questions like "I wonder what GFW/Iran/Country X does right now if you send a TLS/TCP/UDP/IP/IPv6 packet with the following features..." and usually the best answer is to spin up a VPS in the country which is often somewhat slow turnaround.

VPN Gate uses standard VPN protocols, so anything you can make work with OpenVPN should also work with VPN Gate. The problem, of course, with standard VPN software is that by default it wants to take over your computer's default route, which is annoying and unhygienic when you're trying to run experiments. I don't exactly want my own web browsing, system updates, etc. to run over the VPN while I'm doing the experiment.

A few days ago I needed a vantage in Kazakhstan to check a web site that is only accessible from inside the country (Ref). To do it, I used a VPN Gate server in a Debian VM with OpenVPN. (Actually, it was Hoang et al.'s paper that reminded me VPN Gate could work for one-off tests like this.) First, I downloaded multiple samples from the VPN Gate server list:

while true; do wget http://www.vpngate.net/api/iphone/; sleep 900; done

Wget will create multiple files index.html, index.html.1, index.html.2... I let that run for a few hours until grep -i ,KZ, index.html* found a match. Then I took the OpenVPN_ConfigData_Base64 data, base64-decoded it, and saved it as kz.ovpn. Inside the VM, I installed the network-manager-openvpn-gnome package, which gives you an "Import a saved VPN configuration..." option under the Network Manager taskbar icon. After loading kz.ovpn, I could toggle the VPN on and off using Network Manager.

It may be possible to do something similar without a VM, using Linux network namespaces. I've used them before to capture the traffic of just a single process, without contamination from the rest of the system. I learned the trick from https://askubuntu.com/a/499850. $INTERFACE is your external network interface (e.g. eth0, wlan0) and $ADDRESS is your local LAN IP address (e.g. 192.168.0.100).

ip netns add net0
ip link add veth-a type veth peer name veth-b
ip link set veth-a netns net0
ip netns exec net0 ip address add 127.0.0.1/8 dev lo
ip netns exec net0 ip link set lo up
ip netns exec net0 ip address add 192.168.2.2/24 dev veth-a
ip netns exec net0 ip link set veth-a up
ip address add 192.168.2.1/24 dev veth-b
ip link set veth-b up
ip netns exec net0 ip route add default via 192.168.2.1 dev veth-a

mkdir -p /etc/netns/net0/
ln -sf /etc/resolv.conf /etc/netns/net0/

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o $INTERFACE -j SNAT --to-source $ADDRESS

Now you can run commands inside the namespace with ip netns exec net0 <command>.

ip netns exec net0 ping example.com
ip netns exec net0 su myuser sh -c 'wget example.com'

You can even run a shell, and then everything that happens in that shell will be isolated to the network namespace.

ip netns exec net0 bash

To capture packets, just tcpdump -i veth-b from outside the namespace, or tcpdump -i veth-a from inside the namespace.

I haven't tried it, but likely you can run the openvpn command-line daemon inside the namespace, along with whatever command you want. To capture the in-VPN traffic, you'll have to tcpdump -i tun0 inside the network namespace.

from bbs.