Difference between revisions of "Sample TLS Configuration"

From Mudlet
Revision as of 03:27, 3 February 2019

To add TLS (secure connection) support to your game without changing your code base, while still letting your server see each client's originating IP address, follow the steps below. (An ordinary SSL/TLS tunnel makes every connection appear to come from the proxy server's IP.) This has been tested on a fresh Debian stable install.

Credit to Paul Saindon from Iron Realms for writing this up.

1. Install Stunnel4

  $ sudo apt-get install stunnel4

2. Create the stunnel4 configuration file /etc/stunnel/rapture.conf (rapture is an example name; use the name of your own server engine.)

  pid = /run/rapture-stunnel.pid
  [rapture]
  cert = /etc/stunnel/localhost.crt
  key = /etc/stunnel/localhost.open.key
  accept = 6003
  connect = 127.0.0.1:6002
  transparent = source

Note: In this example, 6003 is the port that accepts TLS connections and 6002 is the normal (plaintext) server port. Change them accordingly. You must also replace the cert and key paths with your own certificate and key.

3. Enable stunnel. Open file /etc/default/stunnel4 and change

  ENABLED=0
  -- to --
  ENABLED=1

4. Start stunnel

  $ sudo systemctl start stunnel4.service

5. Install ipset

  $ sudo apt-get install ipset

6. Create ipset to use

  $ sudo ipset create stunneled hash:ip,port -exist timeout 300

7. Configure IPTables

  $ sudo iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 6003 -j SET --add-set stunneled src,srcport
  $ sudo iptables -t mangle -N DIVERT
  $ sudo iptables -t mangle -A OUTPUT -p tcp -m set --match-set stunneled dst,dstport -m tcp --sport 6002 -j DIVERT
  $ sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1
  $ sudo iptables -t mangle -A DIVERT -j ACCEPT

8. Add routing rule

  $ sudo ip rule add fwmark 1 lookup 100
  $ sudo ip route add local 0.0.0.0/0 dev lo table 100

9. Disable RP Filter for lo

  $ sudo sh -c "echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter"

10. Turn on route_localnet (depends on OS)

  $ sudo sysctl -w net.ipv4.conf.default.route_localnet=1
  $ sudo sysctl -w net.ipv4.conf.all.route_localnet=1

Note: These rules are not persistent by default and are lost on reboot. Test them first, then use your preferred method to restore them at boot.
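Because none of the ipset, iptables, routing or sysctl settings survive a reboot, a quick post-setup check is worth keeping next to this procedure. The script below is an added example, not part of the original write-up; it assumes the ports, set name and routing table used above, and that `ipset list`, `iptables-save`, `ip rule` and `ip route` print in the usual Debian format.

```shell
#!/bin/sh
# Added check for the transparent stunnel/ipset/iptables setup above
# (example code, not from the original wiki page). Each check_* function
# takes command output as an argument so it can be exercised on constructed
# text; verify_live feeds it the real output of the running system.
TLS_PORT=6003      # stunnel accept port (step 2)
SET_NAME=stunneled # ipset name (step 6)
TABLE=100          # policy-routing table (step 8)

# Fixed-string search of one command's output for a required fragment.
has() { printf '%s\n' "$1" | grep -qF -- "$2"; }

# Output of: ipset list "$SET_NAME"  (must be the ip,port hash from step 6)
check_ipset() { has "$1" "Type: hash:ip,port"; }

# Output of: iptables-save -t mangle  (step 7; note that iptables-save
# prints "--set-mark 1" as "--set-xmark 0x1/0xffffffff")
check_mangle() {
    has "$1" "--dport $TLS_PORT -j SET --add-set $SET_NAME src,srcport" &&
    has "$1" "-m set --match-set $SET_NAME dst,dstport" &&
    has "$1" "-A DIVERT -j MARK --set-xmark 0x1/0xffffffff" &&
    has "$1" "-A DIVERT -j ACCEPT"
}

# Outputs of: ip rule show ; ip route show table "$TABLE"  (step 8)
check_routing() {
    has "$1" "fwmark 0x1 lookup $TABLE" && has "$2" "local default dev lo"
}

# Values of: net.ipv4.conf.lo.rp_filter ; net.ipv4.conf.all.route_localnet
check_sysctl() { [ "$1" = 0 ] && [ "$2" = 1 ]; }   # steps 9 and 10

# Run every check against the live system, naming the first step that fails.
verify_live() {
    check_ipset "$(ipset list "$SET_NAME" 2>/dev/null)" \
        || { echo "step 6: ipset $SET_NAME missing or wrong type"; return 1; }
    check_mangle "$(iptables-save -t mangle 2>/dev/null)" \
        || { echo "step 7: mangle rules incomplete"; return 1; }
    check_routing "$(ip rule show)" "$(ip route show table "$TABLE" 2>/dev/null)" \
        || { echo "step 8: fwmark rule or local route missing"; return 1; }
    check_sysctl "$(sysctl -n net.ipv4.conf.lo.rp_filter)" \
                 "$(sysctl -n net.ipv4.conf.all.route_localnet)" \
        || { echo "step 9/10: rp_filter or route_localnet not set"; return 1; }
    echo "all transparent-proxy prerequisites are in place"
}

# Usage (as root, after the steps above or after a reboot):  sh check.sh --live
if [ "${1:-}" = "--live" ]; then verify_live; fi
```

If the live check passes but the game still logs 127.0.0.1 for TLS clients, the stunnel side (steps 2 to 4, in particular `transparent = source`) is the remaining place to look.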