Setting up an Iodine server

What is Iodine?

Basically, it’s a server (with a matching client) that allows you to tunnel IP traffic through DNS queries, so it works anywhere DNS lookups are allowed but other traffic is not.

Why would I want this?

There are multiple uses for this, the ones that come to mind are:

  • Get free internet from paid wifi hotspots
  • Access internet on mobile that has no data
  • Exfiltrate data from behind a SOC, firewall or IDS

How to

This took me a while to figure out: although there are guides available, they all seem to miss bits of information and need piecing together. Hopefully this will make things easier.

Things you will need:

  • New Debian server (this guide is written from base Debian with nothing installed)
  • Domain name with access to change records

For this guide we have the domain “domain.tld” and the server has an external IP of “1.2.3.4”.

First things first, let’s configure the DNS. You will need to create two records, one “A” record and one “NS” record (note the trailing “.” after the tld; I recommend Namecheap for this and have heard you can’t add the period with GoDaddy). Create them as follows:

	dns           IN  A      1.2.3.4
	tunnel        IN  NS     dns.domain.tld.

Now wait for the records to propagate. Once they have, connect to the server, install iodine and screen, and start iodine in a screen session:

	apt-get install iodine screen
	screen -S iodine
	# -f keeps iodined in the foreground, -P sets the tunnel password,
	# 10.0.0.1 is the server end of the tunnel, tunnel.domain.tld the delegated subdomain
	iodined -fP Password 10.0.0.1 tunnel.domain.tld

To exit the screen session press CTRL+A then CTRL+D, to re-attach to it type “screen -r”, to kill it from within the screen session type “exit”. Iodine can be stopped with CTRL+C.

On your client install iodine (apt-get install iodine) and run the following command:

	# -f keeps the client in the foreground, -P is the password configured on the server
	iodine -fP Password tunnel.domain.tld

If all went well you should now be connected to your iodine server. Check “ifconfig” to confirm there is a dns0 interface with an IP address in the 10.0.0.x range. Also try pinging 10.0.0.1; you should get a response.

At this point you should also be able to run the official test without it giving errors.

Just a couple more things to do before it’s all ready to use. Time to get the tunneling of data working. Create iptables rules as follows (replace eth0 with your server’s external interface if it is named differently) and allow IP forwarding:

	# NAT traffic from tunnel clients out through the server's external interface
	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	# allow replies back into the tunnel, and anything from the tunnel outwards
	iptables -t filter -A FORWARD -i eth0 -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -t filter -A FORWARD -i dns0 -o eth0 -j ACCEPT
	# enable IPv4 forwarding in the running kernel
	echo 1 > /proc/sys/net/ipv4/ip_forward

Restart the Iodine server and test again. If all went well, I recommend making these permanent with the following (note that the saved rules still have to be loaded at boot with iptables-restore, for example from an interface pre-up hook or the iptables-persistent package):

	iptables-save > /etc/iptables.rules
	echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/60-ipv4-forward.conf

There are multiple ways to start the client, from creating a SOCKS5 proxy via SSH to installing network-manager-iodine and network-manager-iodine-gnome. However, I have found these to be clunky and not to work well. I would recommend cloning the following git repository: https://github.com/barak/iodine-client-start.

For this to work we need to create the following config file, /etc/default/iodine-client:

	subdomain=tunnel.domain.tld
	passwd=Password

There are more configuration options for this script; I would recommend reading its source code.

And that’s all. You should be able to run “./iodine-client-start” and have a working iodine tunnel. This can be tested by visiting ipchicken before connecting and after; you should see your IP address change.

Useful tip

A good way to check if things are working correctly is to start iodined with debugging enabled (-DDD) on the server and keep that window open. You can then use dig from the client to check its response.

	root[/opt/iodine-client-start]: dig -t TXT z123.tunnel.domain.tld

	-snip-

	;; ANSWER SECTION:
	z123.tunnel.domain.tld.         0       IN      TXT     "tpjzwizro"

	;; Query time: 56 msec
	;; SERVER: 192.168.1.254#53(192.168.1.254)
	;; WHEN: Thu Mar 02 13:54:22 GMT 2017
	;; MSG SIZE  rcvd: 65

The tunnel should respond with random data to any request starting with “z” (z123 in the example above).
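As an added defensive counterpart to the dig check above (example code, not part of the original post): a small Python detector run over constructed resolver log lines that flags a domain when its queries carry long or high-entropy leftmost labels and use TXT/NULL-type records, which is the traffic pattern a tunnel like the one set up above produces. The log line format, the thresholds and the sample labels are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<client> <qname> <qtype>". The long,
# high-entropy leftmost labels under tunnel.domain.tld imitate an iodine client.
SAMPLE_LOG = """\
10.1.1.5 www.example.com A
10.1.1.5 mail.example.com A
10.1.1.5 example.com MX
10.1.1.5 ns1.example.com A
10.1.1.9 z123.tunnel.domain.tld TXT
10.1.1.9 0aqhvfakdja9xyz3k2lmzq8paw4vhty7c0.tunnel.domain.tld TXT
10.1.1.9 1b8wkzsv7qe2nm9lox4cpu5jtg3yhfr6d1.tunnel.domain.tld TXT
10.1.1.9 2cx1nvtke8qa5wyso0mp3ljd7hgz4ruf9b.tunnel.domain.tld TXT
10.1.1.9 3dqp8avhm4zcy2ixn0lwks9tgjo6rbfe1u.tunnel.domain.tld TXT
"""

# Record types iodine carries data in (NULL is its default, TXT is what dig showed above).
TUNNEL_QTYPES = {"NULL", "PRIVATE", "TXT"}

def shannon_entropy(text):
    """Bits per character; encoded tunnel payload typically scores well above 3.5."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """'x.tunnel.domain.tld' -> ('x', 'domain.tld'): data label and registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return (labels[0] if len(labels) > 2 else ""), ".".join(labels[-2:])

def analyze(log_text, min_queries=4, min_len=20, min_entropy=3.5):
    """Return {domain: summary} for domains whose query pattern looks like a DNS tunnel."""
    per_zone = defaultdict(list)  # domain -> [(data_label, qtype), ...]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            label, zone = split_name(parts[1])
            per_zone[zone].append((label, parts[2].upper()))
    flagged = {}
    for zone, rows in per_zone.items():
        n = len(rows)
        if n < min_queries:
            continue
        mean_len = sum(len(s) for s, _ in rows) / n
        mean_ent = sum(shannon_entropy(s) for s, _ in rows) / n
        type_ratio = sum(q in TUNNEL_QTYPES for _, q in rows) / n
        if type_ratio >= 0.5 and (mean_len >= min_len or mean_ent >= min_entropy):
            flagged[zone] = {"queries": n, "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2), "tunnel_type_ratio": type_ratio}
    return flagged
```

Running `analyze(SAMPLE_LOG)` flags only domain.tld; the example.com lookups are short and use ordinary record types, so they pass.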

Links

Tips on setting up iodine
Official set-up guide
Official test script
More help on setting up
Setting up with SSH tunnel
Flags for client / server
Useful debugging help


12 thoughts on “Setting up an Iodine server”

  1. Hi. I love this post. Please, I am trying to use the tunnel with my phone hotspot but it’s not working. The client connects with the server only when I have data. I can ping websites at zero balance. Please help, how do I use the tunnel with zero balance?

      • Hi. My phone is able to do DNS lookups with zero balance. In fact, I can sometimes establish TCP connections and even send a few bytes back and forth until an RST packet gets injected. It seems something triggers the packet injection.

        For HTTP/HTTPS protocols, the connection gets dropped (Connection Reset) right away. However, if I run netcat and telnet from my phone, I can push a random amount of data back and forth until the connection gets dropped. I feel there could also be another way to get around the packet inspection.

        But, back to AndIodine, it simply doesn’t work. I have set up the iodine server correctly and even used the test tool, which returns successful test results. When pinging.

        I have two domains,

        domain1:

        Running nothing. Parked. No external IP

        A t1ns.domain1.com 1.2.3.4
        NS t1.domain1.com -> t1ns.domain1.com

        domain2:

        IP: 1.2.3.4
        Running Iodine server on a VPS

        So when I connect AndIodine to t1.domain1.com, it doesn’t work.

        What could be the problem here?

        I wish AndIodine saved its logs

  2. I have a domain name on GoDaddy but it uses its own NS servers, therefore I am not able to test the Iodine server although I have created A and CNAME records in GoDaddy.

  3. Hello Ross Marks, thanks for the nice post. Unfortunately, I have only little programming skill but would wish to use iodine for free internet. I mean, I just want to install the client app on my phone and then connect. Can you help me with that?
