What is Iodine?
Basically it’s a client/server pair that tunnels IP traffic through DNS queries and replies, so it works from networks where DNS lookups are allowed out but ordinary traffic is not.
Why would I want this?
There are multiple uses for this, the ones that come to mind are:
- Get free internet from paid wifi hotspots
- Access the internet on a mobile that has no data
- Exfiltrate data out of a network whose firewall or IDS (or SOC) lets only DNS through
How to
This took me a while to figure out: although there are guides available, they all seem to miss bits of information and need piecing together. Hopefully this will make things easier.
Things you will need:
- New Debian server (this guide was written on a base Debian install with nothing else installed)
- Domain name with access to change its DNS records
For this guide we have the domain “domain.tld” and the server has an external IP of “1.2.3.4”.
First things first, let’s configure the DNS. You need to create two records: an “A” record pointing a hostname at the server, and an “NS” record delegating the tunnel subdomain to that hostname (note the “.” after the tld in the NS target; I recommend Namecheap for this and have heard you can’t add the trailing period with GoDaddy). Create them as follows:
dns IN A 1.2.3.4
tunnel IN NS dns.domain.tld.
Now wait for the records to propagate (if you looked the names up before creating the records, you may also have to wait for the cached negative answer to expire from your resolver). Once they resolve, connect to the server, install iodine and screen, and start iodined in a screen session. “-f” keeps iodined in the foreground so you can watch it, “-P” sets the shared password, 10.0.0.1 is the server’s address inside the tunnel and tunnel.domain.tld is the delegated subdomain. Replace “Password” with something strong: the NS record is public, and that password is all that stops anyone who finds it from using your server as a free relay.
apt-get install iodine screen
screen -S iodine
iodined -fP Password 10.0.0.1 tunnel.domain.tld
iodined needs UDP port 53 to itself, so make sure no other resolver (bind, dnsmasq, unbound) is already listening on it.
To exit the screen session press CTRL+A then CTRL+D, to re-attach to it type “screen -r”, to kill it from within the screen session type “exit”. Iodine can be stopped with CTRL+C.
On your client install iodine (apt-get install iodine) and run the following command:
iodine -fP Password tunnel.domain.tld
If all went well you should now be connected to your iodine server. Check “ifconfig” (or “ip addr”) to confirm there is a dns0 interface with an IP address in the 10.0.0.x range, and ping 10.0.0.1; you should get a response.
At this point you should also be able to run the official test script (linked below) without it giving errors.
Just a couple more things to do before it’s all ready to use: the tunnel is up, but the server still has to forward the client’s traffic out to the internet. Create the following iptables rules and enable IP forwarding. The rules assume the server’s internet-facing interface is eth0; substitute the real name (“ip route show default” shows it) or nothing will be masqueraded:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t filter -A FORWARD -i eth0 -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i dns0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Restart the iodine server and test again. If all went well I recommend making these permanent with the following:
iptables-save > /etc/iptables.rules
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/60-ipv4-forward.conf
Note that iptables-save only writes the file; nothing reloads it after a reboot unless you add an iptables-restore step yourself or install the iptables-persistent package, which restores /etc/iptables/rules.v4 at boot. The sysctl file, by contrast, is picked up automatically.
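As an added example (not code from the original post or from the iodine project), here is the same forwarding setup as a script that picks the internet-facing interface from the default route instead of hard-coding eth0, narrows the rules to the tunnel subnet so only iodine clients can use the box as a gateway, and saves the rules where iptables-persistent reloads them at boot. It assumes the dns0 interface and 10.0.0.0/24 tunnel network from the guide, and the paths /etc/iptables/rules.v4 and /etc/sysctl.d/60-ipv4-forward.conf.

```shell
#!/bin/sh
# Added example, not from the original post or the iodine project: generate the
# guide's NAT and forwarding rules for whichever interface carries the server's
# default route (a fresh Debian VPS may call it ens3 or enp0s3 rather than eth0)
# and persist them in a form that is actually reloaded at boot. Assumes the
# tunnel interface is dns0 and the tunnel network is 10.0.0.0/24 as in the guide.
#
# Usage: sh iodine-forward.sh show    # print the rules that would be applied
#        sh iodine-forward.sh apply   # as root: apply and persist them

TUN=dns0
TUN_NET=10.0.0.0/24

# wan_iface ROUTE_LINE -> the "dev" of an "ip route show default" line, e.g.
# "default via 203.0.113.1 dev ens3 proto dhcp metric 100" -> ens3
wan_iface() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# detect_wan -> interface of the live default route, or an error if there is none.
detect_wan() {
    wan=$(wan_iface "$(ip route show default 2>/dev/null)")
    if [ -z "$wan" ]; then
        echo "no default route found, cannot pick the WAN interface" >&2
        return 1
    fi
    printf '%s\n' "$wan"
}

# forward_rules WAN -> the iptables commands, one per line. Unlike the bare rules
# in the guide these are limited to the tunnel subnet, so a stray route on the
# box is not masqueraded as well. "-m conntrack --ctstate" is the current
# spelling of the guide's "-m state --state" match.
forward_rules() {
    wan=$1
    cat <<EOF
iptables -t nat -A POSTROUTING -s $TUN_NET -o $wan -j MASQUERADE
iptables -A FORWARD -i $wan -o $TUN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $TUN -o $wan -s $TUN_NET -j ACCEPT
EOF
}

# apply -> enable forwarding, load the rules, and save them where the
# iptables-persistent package reloads them at boot.
apply() {
    wan=$(detect_wan) || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    forward_rules "$wan" | sh -e
    # iptables-save alone only writes a file; iptables-persistent restores
    # /etc/iptables/rules.v4 on boot (apt-get install iptables-persistent).
    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4
    echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/60-ipv4-forward.conf
}

case "${1:-}" in
    show)  wan=$(detect_wan) && forward_rules "$wan" ;;
    apply) apply ;;
esac
```

Run it with “show” first to see the rules it would add for your interface; “apply” changes the live firewall and needs root.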
There are multiple ways to start the client, from creating a SOCKS proxy over SSH through the tunnel to installing network-manager-iodine and network-manager-iodine-gnome. However, I have found these clunky and unreliable. I would recommend cloning the following git repository instead: https://github.com/barak/iodine-client-start.
For this to work we need to create the following config file:
/etc/default/iodine-client
subdomain=tunnel.domain.tld
passwd=Password
The file holds the tunnel password in clear text, so make it readable by root only (chmod 600). There are more configuration options for this script; I would recommend reading its source code.
And that’s all. You should be able to run “./iodine-client-start” and have a working iodine tunnel. Test it by visiting ipchicken before and after connecting; you should see your IP address change to the server’s.
Useful tip
A good way to check that things are working correctly is to start iodined with debugging enabled (-DDD) on the server and keep that window open. You can then use dig on the client to check its response:
root[/opt/iodine-client-start]: dig -t TXT z123.tunnel.domain.tld
-snip-
;; ANSWER SECTION:
z123.tunnel.domain.tld. 0 IN TXT "tpjzwizro"
;; Query time: 56 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Mar 02 13:54:22 GMT 2017
;; MSG SIZE rcvd: 65
iodined answers any query whose name under the tunnel domain starts with “z” (z123 in the example above; the client sends such queries during its handshake), so getting a TXT answer back through your normal resolver (192.168.1.254 here) proves that queries for the subdomain reach your server and that its replies make it back. Each such query also shows up in the -DDD output on the server.
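A small script that automates both the DNS checks from the record-creation step above (is the subdomain delegated to the right NS name, and does that name resolve to the server?) and the “z” probe from this tip, so you can run it from the client before suspecting the tunnel itself. It is an added example, not part of the original post or of the iodine project; tunnel.domain.tld, dns.domain.tld and 1.2.3.4 are the guide’s placeholders and the probe label is generated at random so a cached answer is never mistaken for a live one.

```shell
#!/bin/sh
# Added example, not from the original post or the iodine project: verify the DNS
# side of the setup from the client. Checks that the parent zone delegates the
# tunnel subdomain to the expected NS name, that the NS name resolves to the
# server, and that a "z"-prefixed query gets a TXT answer from iodined.
#
# Usage: sh iodine-dns-check.sh tunnel.domain.tld dns.domain.tld 1.2.3.4

# Lower-case and strip the trailing dot so answers compare cleanly.
norm() { tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# ns_targets DIG_OUTPUT -> target of every NS record in "dig +noall +answer
# +authority" output (column 5 of a record line), normalised, one per line.
ns_targets() {
    printf '%s\n' "$1" | awk '$4 == "NS" { print $5 }' | norm
}

# delegation_ok DIG_OUTPUT EXPECTED_NS -> 0 when EXPECTED_NS is among the NS targets.
delegation_ok() {
    ns_targets "$1" | grep -qxF "$(printf '%s' "$2" | norm)"
}

# glue_ok SHORT_A_OUTPUT EXPECTED_IP -> 0 when the NS name resolves to the server.
glue_ok() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# probe_ok SHORT_TXT_OUTPUT -> 0 when a non-empty quoted TXT string came back.
probe_ok() {
    printf '%s\n' "$1" | grep -q '^"..*"$'
}

# probe_name TUNNEL -> "z" + 8 random hex chars + "." + TUNNEL, fresh each run.
probe_name() {
    printf 'z%s.%s' "$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')" "$1"
}

main() {
    tunnel=$1; nshost=$2; ip=$3; rc=0
    parent=${tunnel#*.}                       # tunnel.domain.tld -> domain.tld
    parent_ns=$(dig +short NS "$parent" | head -n 1)
    if [ -z "$parent_ns" ]; then
        echo "FAIL: no NS records found for $parent" >&2
        return 1
    fi
    # Ask the parent's own server: the delegation is in its AUTHORITY section.
    if delegation_ok "$(dig +noall +answer +authority NS "$tunnel" @"$parent_ns")" "$nshost"; then
        echo "ok   delegation: $tunnel -> $nshost (per $parent_ns)"
    else
        echo "FAIL delegation: $parent_ns does not delegate $tunnel to $nshost"; rc=1
    fi
    if glue_ok "$(dig +short A "$nshost")" "$ip"; then
        echo "ok   A record:   $nshost -> $ip"
    else
        echo "FAIL A record:   $nshost does not resolve to $ip"; rc=1
    fi
    if probe_ok "$(dig +short TXT "$(probe_name "$tunnel")")"; then
        echo "ok   iodined answered a z-probe through the local resolver"
    else
        echo "FAIL no TXT answer from iodined (is it running on UDP 53 at $ip?)"; rc=1
    fi
    return $rc
}

if [ $# -eq 3 ]; then main "$@"; fi
```

If the delegation check fails but the A record is fine, the problem is at the registrar (the missing trailing dot mentioned above is the usual cause); if only the probe fails, the records are right and it is iodined or the path to port 53 that needs looking at.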
Links
- Tips on setting up iodine
- Official set-up guide
- Official test script
- More help on setting up
- Setting up with SSH tunnel
- Flags for client / server
- Useful debugging help
I didn’t know that the iodine server was this useful and could be used in a variety of ways.
Glad I could help 🙂
Please help, I’m stuck at 16 max concurrent connections. Do you know how to increase it?
Sorry, I don’t know too much. I would recommend enabling debug mode and seeing if there are any errors when more people connect.
It could be to do with the tunnel_ip (netmask)
http://www.huge-man-linux.net/man8/iodine.html
Maybe that will help.
Best of luck
Hi. I love this post. Please, I am trying to use the tunnel with my phone hotspot but it’s not working. The client connects to the server only when I have data. I can ping websites at zero balance. Please help, how do I use the tunnel with zero balance?
Can you do a DNS lookup without balance? try dig or nslookup
Hi. My phone is able to do DNS lookups with zero balance. In fact, I can sometimes establish TCP connections and even send a few bytes back and forth until an RST packet gets injected. It seems something triggers the packet injection.
For HTTP/HTTPS protocols, the connection gets dropped (Connection Reset) right away. However, if I run netcat or telnet from my phone, I can push a random amount of data back and forth until the connection gets dropped. I feel there could also be another way to get around the packet inspection.
But, back to AndIodine, it simply doesn’t work. I have set up the iodine server correctly and even used the test tool, which returns successful test results. When pinging.
I have two domains,
domain1:
Running nothing. Parked. No external IP
A t1ns.domain1.com 1.2.3.4
NS t1.domain1.com -> t1ns.domain1.com
domain2:
IP: 1.2.3.4
Running Iodine server on a VPS
So when I connect AndIodine to t1.domain1.com, it doesn’t work.
What could be the problem here?
I wish AndIodine saved its logs
I have a domain name on GoDaddy but it uses its own NS servers, therefore I am not able to test the iodine server, although I have created A and CNAME records in GoDaddy.
delete the free web hosting
Hello Ross Marks, thanks for the nice post. Unfortunately, I have very little programming skill but would like to use iodine for free internet. I mean, I just want to install the client app on my phone and then connect. Can you help me with that?
> just want to install the app client
without a server?
propagate?
* and wait for the Negative Caching to expire