OpenRC/Stacked runlevel

This page documents a tutorial for setting up complicated networking with the help of stacked runlevels. Along the way, other tricks for OpenRC are also demonstrated.

The short version is that

Scenario
We have a university library providing a wireless network, which requires the following steps to use:
 * 1) associate with the AP with no authentication
 * 2) set up a PPTP VPN through NAT against an internal server
 * 3) use an HTTP proxy to access websites

There are big disadvantages:
 * The GRE protocol used by PPTP identifies the client by its source IP, so it does not support tunneling through NAT. Enhanced GRE exists for this purpose, but routers implement it differently and only consider PPTP clients for Microsoft Windows and Apple Mac OS X, not for Linux.
 * The author, as a server administrator, needs ssh at least. An HTTP proxy, a limited gateway to the internet, sucks.

Besides complaining to the library manager and network technician, then waiting forever, we can hack our own reliable way out.

Solution
 * For a Linux box that cannot use the PPTP VPN through NAT, the author selected his phone to do the job. Apple's iPhone runs Mac OS X, and its PPTP client happens to work with the router in the library.
 * Actually, we could also use a virtual machine running Windows for the PPTP connection. That would be another story; the author's laptop is too weak to run a virtual machine smoothly.
 * To push past the limit of the http proxy, the author selected tinc to connect to his home router as a fully functional gateway.

Tutorial
The solution is there. The procedures are complex, very boring, and error-prone to set up manually. OpenRC's stacked runlevels come to the rescue.

We can make a new runlevel right away for the remaining tutorial:

Stack our default runlevel into it:

iPhone tethering
Documented at iPhone USB Tethering; here we use static configuration instead of DHCP.

The entry in routes_eth1 is the network of the cellular mobile carrier, which can be identified by a whois lookup of the address in dns_servers_eth1. We set this up because there is no other easily reachable DNS server. Tinc, in a later step, needs DNS to resolve the IP address of its entry node.

Now associate the library wifi with the iPhone and dial the PPTP VPN. Consult your iPhone manual for details.

socks proxy on iPhone
The iPhone has an ill design: during tethering, packets can only be routed to the cellular mobile network, even if you set up a wifi connection. Therefore we cannot access the http proxy directly through eth1; a socks proxy server is needed to relay it.

There are many ways to set up a socks proxy on the iPhone. One is through sshd.

 * First, by all means, install an sshd on the iPhone.
 * Next, use a public key to access the sshd. Details here.
 * Finally, write an OpenRC initscript file.

and add it to our runlevel:
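An added example of such an initscript, not code from the original page: it keeps an ssh dynamic (SOCKS) forward open to the tethered phone's sshd and can be installed as /etc/init.d/socks-iphone. The phone address 172.20.10.1, the user "mobile", the key path and the port 1080 are assumptions, meant to be overridden from conf.d.

```shell
#!/sbin/openrc-run
# Added example (not from the page): SOCKS proxy over the tethered iPhone's sshd.
# Assumed defaults; set them in /etc/conf.d/socks-iphone to override.
: "${IPHONE_HOST:=172.20.10.1}"
: "${IPHONE_USER:=mobile}"
: "${IPHONE_KEY:=/root/.ssh/iphone}"
: "${SOCKS_BIND:=127.0.0.1}"
: "${SOCKS_PORT:=1080}"

description="SOCKS proxy through the iPhone's sshd (USB tethering)"
command=/usr/bin/ssh
command_background=yes
pidfile="/run/${RC_SVCNAME:-socks-iphone}.pid"

# The ssh arguments live in a function so they can be inspected:
#  -N                   no remote command, tunnel only
#  -D bind:port         dynamic (SOCKS) forward, bound to loopback only
#  BatchMode=yes        never prompt for a password; fail instead
#  ExitOnForwardFailure die if the SOCKS listener cannot be bound
#  ServerAlive*         notice a dead tether within about 90 seconds
# Host-key checking stays at its default: put the phone's key in known_hosts.
ssh_args() {
    echo "-N -D ${SOCKS_BIND}:${SOCKS_PORT} -i ${IPHONE_KEY}" \
         "-o BatchMode=yes -o ExitOnForwardFailure=yes" \
         "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
         "${IPHONE_USER}@${IPHONE_HOST}"
}
command_args="$(ssh_args)"

depend() {
    # The tunnel needs the tethering interface (net.eth1 on this page) up first.
    need net.eth1
}

start_pre() {
    # Refuse to start without a readable private key instead of hanging in ssh.
    [ -r "${IPHONE_KEY}" ] || { eerror "missing key ${IPHONE_KEY}"; return 1; }
}
```

Because the listener is bound to 127.0.0.1, only local processes (proxychains in the next section) can use the tunnel.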

proxychains
We are in an interesting realm: an http proxy is behind a socks proxy. Hopefully, proxychains can carry us out.

and set up its config file.

In the ProxyList, the first entry is our socks proxy from the previous section; the second is the http proxy provided by the library.

tinc initscript
We need to adjust the tinc initscript to make use of proxychains.

The key idea, though, is to put proxychains into LD_PRELOAD. Write your own version if necessary.

Add this one to our runlevel.

set up tinc
Notice that the http proxy only allows CONNECT to port 443 (the https port), so our first-hop node should have tinc listening on port 443.

For how to configure and use tinc, refer to tinc.

test this all out
Plug in the phone and fire it up.

Now that we have access to our own VPN, we can reach any host inside it and use any node as our gateway. The possibilities are limitless. From now on the library becomes our second home ;-)