How to bypass a firewall using a VPS on AWS

Types of firewall blocking

Who wants to bypass a firewall?

  • Someone who wants to browse certain kinds of web pages
  • Someone who wants to use a specific application that is blocked, such as a torrent client
  • Someone who needs to reach a school or work environment from behind a firewall

Disclaimer

Before beginning

Four services will be exposed, each on a port that restrictive firewalls usually leave open. The AWS security group of the instance has to allow exactly these inbound ports and nothing else:

  • Squid proxy on port 80/tcp
  • SSH server on port 22/tcp
  • OpenVPN on port 443/tcp
  • WireGuard VPN on port 53/udp

Configure VPS on AWS

Access to VPS

$ mv ~/Downloads/aws.pem ~/.ssh/
$ chmod 400 ~/.ssh/aws.pem
$ ssh -i ~/.ssh/aws.pem ubuntu@<public_ip_address>

Everything that follows runs as root on the instance (the ubuntu user cannot run apt-get or write under /etc otherwise):

$ sudo -i
$ apt-get update && apt-get upgrade -y

Install needed packages

$ apt-get install wireguard squid fail2ban qrencode apache2-utils -y

Configure fail2ban

Put the override in /etc/fail2ban/jail.local (jail.conf is replaced on package upgrades):

[sshd]
enabled = true
maxretry = 3
findtime = 1d
bantime = 4w
ignoreip = 127.0.0.1/8
$ systemctl restart fail2ban
$ fail2ban-client status sshd

Add your own address to ignoreip before the first restart, or three failed logins will lock you out for four weeks. On Ubuntu releases that ship without rsyslog (no /var/log/auth.log) the jail also needs backend = systemd so it reads sshd's entries from the journal.

Configure SSH server

Set in /etc/ssh/sshd_config:

AllowTcpForwarding yes
GatewayPorts yes
$ systemctl restart sshd

AllowTcpForwarding yes is already the default, so it only matters if a hardening template turned it off. GatewayPorts yes makes remote-forwarded ports (ssh -R) bind on all interfaces of the VPS instead of loopback, which exposes whatever you forward to the whole internet; leave it at no unless a reverse tunnel really has to be reachable from outside. Run sshd -t before the restart so a typo cannot leave you without SSH.

Configure squid proxy on 80/tcp

The password file is read by Squid's basic_ncsa_auth helper. Use -c only for the first user: it creates (and truncates) the file, so add later users without it.

$ htpasswd -c /etc/squid/passwd client1
$ mv /etc/squid/squid.conf /etc/squid/squid.conf.bk
$ cat <<EOF > /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow auth_users
include /etc/squid/conf.d/*
http_access allow localhost
http_access deny all
http_port 80
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
EOF
$ systemctl restart squid

Rule order matters: Squid evaluates http_access top down and the first match wins, so the port restrictions (deny !Safe_ports, deny CONNECT !SSL_ports) must come before allow auth_users; placed after it, an authenticated client could tunnel to any TCP port. deny all stays last so the box never becomes an open proxy. Two caveats: the proxy speaks plain HTTP on port 80, so the Basic credentials cross the wire base64-encoded and readable by whoever operates the firewall being bypassed; and the password is the only thing standing between the internet and an open relay, so pick a long one and watch /var/log/squid/access.log.
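Two checks worth running after the configuration above, written here as an added example rather than taken from the article: an offline lint of squid.conf for the http_access ordering mistake described above (port restrictions placed after the authenticated allow, or deny all not being last), and a live probe from a client that expects the proxy to challenge an anonymous request (407), serve an authenticated HTTPS request (200) and refuse an authenticated CONNECT to port 25 (403). The script name, the host/user/password arguments and example.com as the fetch target are placeholders of mine; the probe needs curl on the client.

```shell
#!/bin/sh
# squid-check.sh (added example, not from the original article)
#   sh squid-check.sh lint /etc/squid/squid.conf            # on the VPS
#   sh squid-check.sh probe <public_ip_address> client1 'secret'   # from a client

# First line number of a rule in the config, empty if the rule is absent.
rule_line() { grep -n "^$1" "$2" | head -n 1 | cut -d: -f1; }

# Return 0 if the port restrictions precede "allow auth_users" and
# "deny all" is the final http_access rule; 1 otherwise.
squid_acl_order_ok() {
    conf=$1
    safe=$(rule_line 'http_access deny !Safe_ports' "$conf")
    ssl=$(rule_line 'http_access deny CONNECT !SSL_ports' "$conf")
    auth=$(rule_line 'http_access allow auth_users' "$conf")
    last=$(grep '^http_access ' "$conf" | tail -n 1)
    [ -n "$safe" ] && [ -n "$ssl" ] && [ -n "$auth" ] || return 1
    [ "$safe" -lt "$auth" ] && [ "$ssl" -lt "$auth" ] || return 1
    [ "$last" = 'http_access deny all' ] || return 1
}

# HTTP status of a request through the proxy ("000" if no response).
http_code() { curl -s -o /dev/null -w '%{http_code}' "$@"; }

# Live check from a client machine: proxy_probe <proxy_host> <user> <password>
proxy_probe() {
    proxy="http://$1:80"
    authproxy="http://$2:$3@$1:80"
    rc=0
    # 1. No credentials: Squid must answer 407, never fetch the page.
    anon=$(http_code -x "$proxy" http://example.com/)
    [ "$anon" = 407 ] || { echo "FAIL anonymous request got $anon (want 407)"; rc=1; }
    # 2. Credentials + CONNECT to 443: the normal HTTPS path must work.
    authed=$(http_code -x "$authproxy" https://example.com/)
    [ "$authed" = 200 ] || { echo "FAIL authenticated HTTPS got $authed (want 200)"; rc=1; }
    # 3. Credentials + CONNECT to 25: not a Safe_port, so the Safe_ports /
    #    SSL_ports rules must refuse. curl prints the proxy's 403 on stderr
    #    when a forced tunnel (-p) is rejected.
    if ! curl -sS -p -x "$authproxy" -o /dev/null http://example.com:25/ 2>&1 | grep -q 403; then
        echo 'FAIL CONNECT to port 25 was not refused with 403'; rc=1
    fi
    [ "$rc" -eq 0 ] && echo 'ok: challenged anonymous, served authenticated, refused off-port CONNECT'
    return "$rc"
}

case "${1:-}" in
    lint)  if squid_acl_order_ok "$2"; then echo "ok: $2"; else echo "BAD RULE ORDER: $2"; exit 1; fi ;;
    probe) proxy_probe "$2" "$3" "$4" ;;
    *)     : ;;   # no arguments: only define the functions (sourceable)
esac
```

The lint is deliberately narrow: it only knows about the three rules that matter for this setup, so a config that renames auth_users will be reported as bad; the probe is the test that counts, since it exercises the running proxy exactly the way an attacker scanning for open proxies would.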

Configure WireGuard at 53/udp

Enable IPv4 forwarding now and across reboots:

$ sysctl -w net.ipv4.ip_forward=1
$ sed -i '/net.ipv4.ip_forward/s/^#//g' /etc/sysctl.conf

On Ubuntu, systemd-resolved's stub listener already holds port 53, so confirm that with ss, stop it, and give the host static resolvers instead:

$ ss -ulpn4
$ systemctl disable --now systemd-resolved

/etc/resolv.conf is a symlink to the resolved stub file; remove the symlink and write a plain file containing:

nameserver 1.1.1.1
nameserver 1.0.0.1

Check that nothing listens on 53/udp any more, and find the name of the outbound interface (eth0 below; newer instance types call it ens5) for the MASQUERADE rule:

$ ss -ulpn4
$ ip -o -4 route show to default | cut -d ' ' -f 5

Create /etc/wireguard/wgserver.conf with mode 600, since it will hold the server's private key:

[Interface]
Address = 10.20.0.1/24
ListenPort = 53
PrivateKey = <your_private_key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = true

Generate the key straight into the file. The sed delimiter is | rather than / because a base64 key may itself contain a slash, which would break the substitution:

$ sed -i "s|<your_private_key>|$(wg genkey)|" /etc/wireguard/wgserver.conf
$ systemctl enable --now wg-quick@wgserver

Client template, saved as ~/wgclients/template.conf. AllowedIPs = 0.0.0.0/0, ::/0 sends all client traffic through the tunnel; note that without a DNS line the client keeps using its local resolver, so name lookups still leak to the network whose firewall you are bypassing. Each client gets its own address; the first one here is .10:

[Interface]
PrivateKey = <private_key>
Address = 10.20.0.10/32
[Peer]
PublicKey = <server_public_key>
Endpoint = <public_ip_address>:53
AllowedIPs = 0.0.0.0/0, ::/0

Fill in the server's public key and public address in the template:

$ wg show wgserver | awk '/public key:/{print $3}'
$ sed -i "s/<public_ip_address>/$(curl -s ifconfig.me/ip)/" ~/wgclients/template.conf

Then, for each client, copy the template and generate a key pair:

$ mkdir -p ~/wgclients/client1
$ cp ~/wgclients/template.conf ~/wgclients/client1/client1.conf
$ cd ~/wgclients/client1
$ wg genkey | tee private-key | wg pubkey > public-key

Paste private-key into PrivateKey of client1.conf, then append a peer for public-key to /etc/wireguard/wgserver.conf. AllowedIPs here must be exactly the Address the client was given (10.20.0.10/32 above), otherwise the server drops its packets:

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.20.0.10/32

Load the new peer into the running interface. Editing the file alone is not enough: with SaveConfig = true, wg-quick writes the running state back to the file on shutdown and would discard a file-only change. The <(...) process substitution needs bash:

$ wg addconf wgserver <(wg-quick strip wgserver)

Finally show the client config as a QR code for the mobile app:

$ qrencode -t ansiutf8 < ~/wgclients/client1/client1.conf
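The per-client steps above (key pair, address, client file, server peer, live reload, QR code) are easy to get wrong by hand, in particular the AllowedIPs/Address match and the live reload. The following script is an added example, not the article's own procedure, that does them in one command. Its assumptions are mine, not the page's: the server config lives at /etc/wireguard/wgserver.conf, client files go under /root/wgclients/<name>/, the tunnel is 10.20.0.0/24 with .1 as the server, each peer also gets a preshared key (wg genpsk) as an extra symmetric layer, and the client config carries DNS = 1.1.1.1 so lookups travel through the tunnel as well. It runs as root on the VPS and needs wg, curl and qrencode.

```shell
#!/bin/sh
# wg-add-client.sh (added example, not from the original article)
#   sh wg-add-client.sh client2
WG_CONF=${WG_CONF:-/etc/wireguard/wgserver.conf}
CLIENT_DIR=${CLIENT_DIR:-/root/wgclients}
SUBNET=10.20.0

# Print the lowest unused host in 10.20.0.0/24, starting at .2 (.1 is the
# server), by scanning the AllowedIPs of peers already in the server config.
next_free_ip() {
    conf=$1
    n=2
    while [ "$n" -lt 255 ]; do
        if ! grep -qE "^AllowedIPs *= *$SUBNET\.$n/32" "$conf"; then
            echo "$SUBNET.$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address left in $SUBNET.0/24" >&2
    return 1
}

# Client config: render_client_conf <priv> <addr> <server_pub> <psk> <host:port>
# Everything is a parameter so the rendering can be checked without wg(8).
render_client_conf() {
    printf '%s\n' '[Interface]' "PrivateKey = $1" "Address = $2/32" 'DNS = 1.1.1.1' '' \
        '[Peer]' "PublicKey = $3" "PresharedKey = $4" "Endpoint = $5" \
        'AllowedIPs = 0.0.0.0/0, ::/0' 'PersistentKeepalive = 25'
}

# Server-side stanza: render_server_peer <name> <client_pub> <psk> <addr>
# AllowedIPs must be exactly the client's Address or its packets are dropped.
render_server_peer() {
    printf '%s\n' '' "# $1" '[Peer]' "PublicKey = $2" "PresharedKey = $3" "AllowedIPs = $4/32"
}

# Full flow; needs root, wg(8), curl, qrencode and a running wgserver.
add_client() {
    name=$1
    umask 077                              # private and preshared keys: owner-only
    mkdir -p "$CLIENT_DIR/$name"
    priv=$(wg genkey)
    pub=$(printf '%s' "$priv" | wg pubkey)
    psk=$(wg genpsk)
    addr=$(next_free_ip "$WG_CONF") || return 1
    server_pub=$(wg show wgserver public-key)
    endpoint="$(curl -s ifconfig.me/ip):53"
    render_client_conf "$priv" "$addr" "$server_pub" "$psk" "$endpoint" > "$CLIENT_DIR/$name/$name.conf"
    render_server_peer "$name" "$pub" "$psk" "$addr" >> "$WG_CONF"
    # Apply to the live interface too: with SaveConfig = true, wg-quick writes
    # the running state back to the file on shutdown, so a file-only edit
    # would be lost. wg set takes the preshared key from a file, here stdin.
    printf '%s\n' "$psk" | wg set wgserver peer "$pub" preshared-key /dev/stdin allowed-ips "$addr/32"
    qrencode -t ansiutf8 < "$CLIENT_DIR/$name/$name.conf"
    echo "added $name with address $addr; config in $CLIENT_DIR/$name/$name.conf"
}

if [ -n "${1:-}" ]; then
    add_client "$1"
fi
```

Revoking a client is the inverse: remove its [Peer] block from the file and run wg set wgserver peer <client_public_key> remove so the live interface forgets it immediately.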

Configure OpenVPN at 443/tcp

Nyr's installer creates the CA, the server config and the client profiles:

$ git clone https://github.com/Nyr/openvpn-install.git
$ cd openvpn-install
$ bash openvpn-install.sh

Answers to its prompts:

  • IPv4 address to listen on: the private address of eth0 (172.31.14.144 in the author's case), since the instance sits behind AWS NAT
  • Public IPv4 address: the instance's public or Elastic IP
  • Protocol: TCP
  • Port: 443
  • DNS: 1.1.1.1

The script writes the first profile to /root. Move it where the ubuntu user can read it, then fetch it from your own machine (the last command runs locally and expects ~/ovpnclients to exist there):

$ mkdir /home/ubuntu/ovpnclients
$ mv /root/client1.ovpn /home/ubuntu/ovpnclients/
$ chown ubuntu:ubuntu /home/ubuntu/ovpnclients/client1.ovpn
$ scp -i ~/.ssh/aws.pem ubuntu@<public_ip_address>:~/ovpnclients/client1.ovpn ~/ovpnclients

Conclusion

Ivan Moreno

Engineer || MSc student || DevOps in progress