On my server (Debian 9) I have installed it like this:
```shell
sudo apt install iodine
sudo nano /etc/default/iodine
```
```sh
# Default settings for iodine. This file is sourced from
# /etc/init.d/iodined
START_IODINED="true"
# -l <IP address> specifies on which address Iodine listens
# I am running Dnsmasq, but dnsmasq is listening on tun0 device only. Outside IP is used by Iodine.
IODINED_ARGS="-l 12.34.56.78 10.0.1.1 -c iodine.myserver.com"
IODINED_PASSWORD="mypassword"
```
```shell
sudo systemctl unmask iodined.service
sudo systemctl enable iodined.service
```
I am also running OpenVPN. My config is:
```text
mode server
tls-server
local 10.0.1.1
proto tcp4
port 443
port-share 127.0.0.1 4443
dev tun
ca /etc/openvpn/serverkeys/ca.crt
cert /etc/openvpn/serverkeys/myvpn.crt
key /etc/openvpn/serverkeys/myvpn.key
dh /etc/openvpn/serverkeys/dh4096.pem
crl-verify /etc/openvpn/serverkeys/crl.pem
tls-auth /etc/openvpn/serverkeys/ta.key 0
tls-version-min 1.2
remote-cert-tls client
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA256
cipher AES-256-CBC
server 10.10.8.0 255.255.255.0
persist-key
persist-tun
topology subnet
push "topology subnet"
push "redirect-gateway def1"
push "route 10.10.9.0 255.255.255.0"
client-to-client
push "dhcp-option DNS 10.10.8.1"
mtu-disc maybe
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd_tcp
keepalive 10 120
verb 1
status /var/log/openvpn/status_iodine.log
log /var/log/openvpn/openvpn_iodine.log
log-append /var/log/openvpn/openvpn_iodine.log
mute 20
```
Let's go to the client now.
First, I start the Iodine client:
```shell
sudo iodine -f -P mypassword iodine.myserver.com
```
```text
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for iodine.myserver.com to 127.0.0.53
Autodetecting DNS query type (use -T to override).iodine: Got NOTIMP as reply: server does not support our request
...
Connection setup complete, transmitting data.
iodine: Hmm, getting some out-of-sequence DNS replies. Setting interval to 1 (use -I1 next time on this network). If data traffic still has large hiccups, try if -L0 works better.
```
```text
dns0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1130
        inet 10.0.1.2 netmask 255.255.255.224 destination 10.0.1.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
        RX packets 107 bytes 55122 (55.1 KB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 124 bytes 41676 (41.6 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
```text
client
remote 10.0.1.1 443
proto tcp
dev tun
mute-replay-warnings
tls-version-min 1.2
remote-cert-tls server
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
key-direction 1
auth SHA256
cipher AES-256-CBC
auth-nocache
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
ping 10
ping-restart 60
verb 4
mute 20
```
```shell
openvpn --config IodineVPN.conf
```
```text
Mon Nov 6 20:02:00 2017 us=477837 Attempting to establish TCP connection with [AF_INET]10.0.1.1:443 [nonblock]
Mon Nov 6 20:02:18 2017 us=480192 TCP connection established with [AF_INET]10.0.1.1:443
Mon Nov 6 20:02:18 2017 us=480235 TCP_CLIENT link local: (not bound)
Mon Nov 6 20:02:18 2017 us=480245 TCP_CLIENT link remote: [AF_INET]10.0.1.1:443
Mon Nov 6 20:02:18 2017 us=512286 TLS: Initial packet from [AF_INET]10.0.1.1:443, sid=d65e4a18 6379d54e
Mon Nov 6 20:02:25 2017 us=72275 Validating certificate key usage
Mon Nov 6 20:02:25 2017 us=72285 ++ Certificate has key usage 00a0, expects 00a0
Mon Nov 6 20:02:25 2017 us=72293 VERIFY KU OK
Mon Nov 6 20:02:25 2017 us=72301 Validating certificate extended key usage
Mon Nov 6 20:02:25 2017 us=72308 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Nov 6 20:02:25 2017 us=72314 VERIFY EKU OK
...
Mon Nov 6 20:02:35 2017 us=297267 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Nov 6 20:02:35 2017 us=297324 [IodineVPN] Peer Connection Initiated with [AF_INET]10.0.1.1:443
Mon Nov 6 20:02:36 2017 us=449382 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:02:41 2017 us=677947 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:02:47 2017 us=101376 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:02:52 2017 us=506578 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:02:58 2017 us=32778 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:03 2017 us=287006 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:08 2017 us=648275 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:14 2017 us=15972 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:19 2017 us=757218 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:24 2017 us=6526 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:29 2017 us=15836 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:34 2017 us=25045 SENT CONTROL [IodineVPN]: 'PUSH_REQUEST' (status=1)
Mon Nov 6 20:03:35 2017 us=183322 [IodineVPN] Inactivity timeout (--ping-restart), restarting
Mon Nov 6 20:03:35 2017 us=183748 TCP/UDP: Closing socket
Mon Nov 6 20:03:35 2017 us=183817 SIGUSR1[soft,ping-restart] received, process restarting
Mon Nov 6 20:03:35 2017 us=183863 Restart pause, 5 second(s)
```
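The setup above carries a whole OpenVPN session inside DNS queries for iodine.myserver.com, which is exactly the traffic pattern an operator of the upstream resolver (or a SOC) wants to be able to notice on their own network. The following is an added example, not part of this post and not code from the iodine or OpenVPN projects: a small Python scorer that reads dnsmasq-style `query[TYPE] name from client` log lines, aggregates them per client and base domain, and flags groups that look like a DNS tunnel (many queries, long high-entropy encoded prefixes, mostly NULL/TXT/CNAME/MX/SRV record types, which are the types iodine can carry data in). The log lines, client addresses and encoded labels are constructed for the example, the "last two labels" base-domain split is an approximation (a real deployment would use a public-suffix list), and the thresholds are illustrative assumptions to tune per network.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log in dnsmasq's "query[TYPE] name from client" format.
# The tunnel domain is the one used in the post; the client addresses and
# the encoded labels are made up for this example.
SAMPLE_LOG = """\
Nov  6 20:01:58 dnsmasq[812]: query[A] www.debian.org from 10.10.8.5
Nov  6 20:01:58 dnsmasq[812]: query[AAAA] www.debian.org from 10.10.8.5
Nov  6 20:01:59 dnsmasq[812]: query[A] deb.debian.org from 10.10.8.5
Nov  6 20:02:00 dnsmasq[812]: query[NULL] y8k2qzv.iodine.myserver.com from 10.10.8.7
Nov  6 20:02:00 dnsmasq[812]: query[NULL] 0bkq7wz9nhr4xyw2q8vn1gms5jd3ftlc.iodine.myserver.com from 10.10.8.7
Nov  6 20:02:01 dnsmasq[812]: query[NULL] 1h7d2pq9zr0v3bnx8wkt6yls4mcgje5f.iodine.myserver.com from 10.10.8.7
Nov  6 20:02:01 dnsmasq[812]: query[TXT] 2xk4mtwq8b1pjn7zd9rvs3yl0gh6fce5.iodine.myserver.com from 10.10.8.7
Nov  6 20:02:02 dnsmasq[812]: query[NULL] 3qw9r2zp7mvn4xkt1jls8bd0y5hgc6fe.iodine.myserver.com from 10.10.8.7
Nov  6 20:02:02 dnsmasq[812]: query[NULL] 4ztk8wpq3nr1xvm9bls7jd2y0hgc5fe6.iodine.myserver.com from 10.10.8.7
Nov  6 20:02:03 dnsmasq[812]: query[A] mail.myserver.com from 10.10.8.5
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Record types iodine can use to carry payload; A/AAAA are normal background
# traffic on most networks, so they are deliberately not counted here.
TUNNEL_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (0.0 for '' or 'aaaa')."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(name: str):
    """Return (base_domain, encoded_prefix).

    Assumption: the base domain is the last two labels; everything in front of
    it is treated as the (possibly encoded) prefix, with dots removed.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def parse_queries(log_text: str):
    """Yield (client, qtype, name) for every dnsmasq query line; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["qtype"], m["name"]


def score_dns_log(log_text: str, min_queries: int = 5, min_prefix_len: float = 20.0,
                  min_entropy: float = 3.0, min_tunnel_type_ratio: float = 0.5):
    """Group queries by (client, base domain) and return the groups that match
    the tunnel heuristic. Thresholds are illustrative assumptions."""
    groups = defaultdict(list)
    for client, qtype, name in parse_queries(log_text):
        base, prefix = split_name(name)
        groups[(client, base)].append((qtype, prefix))

    findings = []
    for (client, base), items in groups.items():
        n = len(items)
        if n < min_queries:
            continue  # too few queries to judge
        mean_len = sum(len(p) for _, p in items) / n
        mean_entropy = sum(shannon_entropy(p) for _, p in items) / n
        tunnel_ratio = sum(1 for q, _ in items if q in TUNNEL_QTYPES) / n
        unique_ratio = len({p for _, p in items}) / n  # tunnels rarely repeat a label
        if (mean_len >= min_prefix_len and mean_entropy >= min_entropy
                and tunnel_ratio >= min_tunnel_type_ratio):
            findings.append({
                "client": client,
                "domain": base,
                "queries": n,
                "mean_prefix_len": round(mean_len, 1),
                "mean_entropy": round(mean_entropy, 2),
                "tunnel_qtype_ratio": round(tunnel_ratio, 2),
                "unique_prefix_ratio": round(unique_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for f in score_dns_log(SAMPLE_LOG):
        print(f"possible DNS tunnel: {f['client']} -> {f['domain']} ({f})")
```

Run against the constructed sample, only the 10.10.8.7 to myserver.com group is reported; the ordinary lookups from 10.10.8.5 fall below the query count and prefix-length thresholds. On a real resolver the same aggregation would run over a sliding time window, and the query-count threshold would be raised well above five.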