Ever connected to an open WiFi somewhere, like hotels or airports, and you realize that it isn't open after all. Your browser is being redirected to a site which requires payment or some kind of authentication (Captive Portal). In this guide, I'll show you how to bypass these portals and freely surf the web.
The hack is to send traffic through the DNS protocol, disguising your surfing as a harmless DNS request. This guide does not endorce illegal activity.
 |
| A client bypassing the Captive Portal using DNS Tunneling |
For this to work, you'll need the following:
- A Linux machine which will act as a server (A Windows machine is also possible, but not recommended). This server must have internet access and should be the computer which is always on, or better: a server. NOTE! If your server is already running a DNS service, this will not work.
- A client computer for testing.
- Port UDP 53 forwarded to server. Check Portforward.com for how to do this.
Let's begin..
1. Setting up domain
Our tunnel is going to request your domain name to be solved many times (it's in this traffic we send our web traffic). Therefore we need to register a domain. For this to work, it's required that the domain is registert as a NS type. For a free subdomain, visit freedns.afraid.org/subdomain, register an account and create your subdomain.
2. Setting up server
First you need to install iodine. You can install it from this .deb package (dpkg -i [package path]), or use either of these commands:
$ sudo aptitude install iodine
$ sudo apt-get install iodine
$ sudo apt-get install iodine
Once installed, edit the configuration file: /etc/default/iodine:
# Default settings for iodine. This file is sourced from
# /etc/init.d/iodined
START_IODINED="true"
IODINED_ARGS="192.168.10.101 mydomain.it.cx"
IODINED_PASSWORD="secret"
# /etc/init.d/iodined
START_IODINED="true"
IODINED_ARGS="192.168.10.101 mydomain.it.cx"
IODINED_PASSWORD="secret"
Start_iodined: This must be true to allow iodine daemon to start
Iodine_args: Arguments to pass iodine. First one is a local ip-address for your server, NOT THE ONE YOU USE! This address must be in a complete different range; this is iodine's network. Second one is the domain you registered.
Iodined_password: It's excactly what you think. Leave blank for no password.
Save your configuration file. We can now start iodine:
$ sudo /etc/init.d/iodined start
Check if your iodine server is available and correctly set-up here:
3. Setting up client
NOTE! The client must be set-up before you arrive at the Captive Portal WiFi!
3a. For iodine to work on Windows, you'll need to install TAP32 driver. Download OpenVPN at www.openvpn.net/index.php/open-source/downloads.html. You only need the TAP32 driver, so no need to install the rest.
 |
| TAP Virtual Ethernet Adapter |
3b. After that, download iodine for Windows. It can be found here: code.kryo.se/iodine/. Excract the zip-file (7zip etc) and open an elevated prompt window in the iodine-0.6.0-rc1-win32\bin folder. Run the command:
C:\iodine\bin> iodine.exe -P secret mydomain.it.cx
Change "secret" with the password you wrote on the server and change "mydomain.it.cx" with the domain you registered.
Test your connection. Open another command window and ping your iodine server ip:
C:\iodine\bin> ping 192.168.10.101
3c. If you were successful the server will reply. Next we need to make this tunnel available for our system. Download Kitty (based on Putty), exctract and run it. Under Connection -> SSH -> Tunnels, set destination to Dynamic and Auto. Set Source Port to 9999 add click add.
Now click on top of the list, Session, and type the iodine server ip (in this example: 192.168.10.101) and click Connect. Log on with your normal server credentials and leave the window open.
3d. Last thing we need is to set our browser to use this tunnel. On Google Chrome, you may use Proxy Switchy! On Mozilla Firefox, open Options -> Advanced -> Network -> Connection -> Configure. Set configuration as shown on the picture bellow:
Kitty opens a socket proxy, 127.0.0.1 is a loopback address (meaning yourself), and the port 9999 was the port we chose in Kitty. As long as your Kitty stays connected to your server, this tunnel should be open for business, your business!
Image bellow shows speed achieved using iodine tunnel between work and home:
Image bellow shows speed achieved using iodine tunnel between work and home:
So there you go! If there is any question, just comment!
Regards
Tomas
Tomas
Does it work with internet speed of this server where I have iodine or with the speed of this captive portal internet connection?
ReplyDeleteSince it goes through both, either with the lowest connection speed sets the overall speed
ReplyDeleteCan u tell about the speed in details. By this method can we normal speed 60 kbps above or slow like 10 to 15?
ReplyDeleteWell, that depends on several thing, but mainly:
Delete1. Bandwidth were your server is
2. Bandwidth (and/or bandwidth limitations) on the site were the captive portal is
3. And how large package size the firewall allows, the larger the better
I've testet the tunnel at work against my iodine at home, and got 32 Mbps down and 44 Mbps up. I've tried it several other places too where there are live captive portal, and achieved everything between 10 Kpbs to 4 Mbps.
Link to image from speedtest.net testing my tunnel between work and home.
http://www.speedtest.net/result/3074834026.png
PLease am a little confused with the need for forwarded port and the local IP address to actually use, will appreciate your help
DeleteForward (NAT) UDP port 53 to the local ip of your iodine-server. Check out Portforward.com for how to do this on your router/firewall.
DeleteI've got iodine setup on a server. The tunnel is created properly, but once it is setup I cannot ping the server side of the tunnel.
ReplyDeletemy friend using the same iodine server is able to connect with a jailbroken ipod.
I've tried wireshark, two different internet connections and changing some of the syntaxes. if you have any suggestions, I'd love to pick your brain. Cheers
Could be a firewall problem on your server (iptables).. What OS do you use, what is your config?
Deletehi dude i get error like this Analyzing DNS setup for tunnel domain 'lets.linuxx.org'... (might take some time)
ReplyDeleteLooking for nameserver for linuxx.org.. got ns4.afraid.org (at 70.39.97.253).
Resolving delegation of lets.linuxx.org at 70.39.97.253... to supriadi.ga (at 202.138.232.39).
Expecting iodined to be accessible at 202.138.232.39... no reply.
Error: Make sure iodined is running and the firewall accepts UDP port 53. Also check any port forwards in use.
what is wrong dude ?
thanks in advanced
Is the server running? Have you forwarded UDP port 53 correctly? What firewall are you using?
Deleteyes dude iodine server is running
Deleteim using ubuntu 14 as server and iptables as firewall
Yeah, but you probably have a firewall (or modem) from your ISP? You need to setup NAT on this one.
Deletehttp://pasteboard.co/sqzGk4l.png
Deleteno dude i put directly my public address on iodine server
ReplyDeletehere my public ip address on iodine server dude
ReplyDeleteLink encap:Ethernet HWaddr 08:00:27:2d:1e:08
inet addr:202.138.232.39 Bcast:202.138.232.63 Mask:255.255.255.192
inet6 addr: fe80::a00:27ff:fe2d:1e08/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2435 errors:0 dropped:2 overruns:0 frame:0
TX packets:141 errors:0 dropped:0 overruns:0 carrier:0
I haven't tried using iodine with a public facing ubuntu-server and IP-tables, so I don't have any suggestion right now
Deleteheeeemm thank you dude
Deleteany sugestion so this can works ?
what is server dou you use on this case (on your tutorial) ===> netcros ?
How you reach that speed. It's theoretically impossible because of the length of DNS packet.
ReplyDeleteIn my test, I had fiber broadband in both ends. The packet size is determined by Iodine.
Deletehttp://code.kryo.se/iodine/
"Packet size is automatically probed for maximum downstream throughput."
Linux.?
ReplyDeleteOn the server? Yes, Ubuntu
Delete