Merge branch 'build-test' into 'no-masters'

content/en/tutorials, .gitlab-ci.yml - update docs to include different modes, minor typo, style fixes, fix build pipeline See merge request !14

Merge branch 'build-test' into 'no-masters'
d56e5aae · cyberta · 82564082 · 687581a8 · d56e5aae · d56e5aae
Commit d56e5aae authored 4 months ago by cyberta
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 stages:
  - build_and_deploy
-image: floryn90/hugo:ext-asciidoctor-ci
+image: 
+  name: floryn90/hugo:ext-asciidoctor-ci
+  docker:
+    user: root

 variables:
  GIT_SUBMODULE_STRATEGY: recursive

--- a/content/en/tutorials/obfsvpn-part-1.adoc
+++ b/content/en/tutorials/obfsvpn-part-1.adoc
@@ -183,7 +183,7 @@ cp /usr/share/doc/openvpn/examples/configs/server.conf .
 Then edit server.conf to look like:

 ```vim
-proto tcp
+proto udp

 ca easy-rsa/pki/ca.crt
 cert easy-rsa/pki/issued/server.crt
@@ -257,21 +257,57 @@ Remember to open the port for your bridge in the machine firewall.

 === Start the bridge!

-```Shell
+==== Option 1: In obfs4 mode
+
+{{< highlight Bash >}}
 ./server --udp --addr ${LHOST} --port ${LPORT} --remote ${RHOST} --state test_data --config test_data/obfs4.json
-```
+{{< /highlight >}}
+
+==== Option 2: In kcp mode
+
+{{< highlight Bash >}}
+./server --kcp --udp --addr ${LHOST} --port ${LPORT} --remote ${RHOST} --state test_data --config test_data/obfs4.json
+{{< /highlight >}}
+
+==== Option 3: In QUIC mode
+
+QUIC requires a cert and key, you can generate one using openssl:
+{{< highlight Bash >}}
+openssl genpkey -algorithm Ed25519 -out quic.key
+openssl req -x509 -new -key quic.key -out quic.crt -subj "/CN=quic"
+./server --quic --udp --addr ${LHOST} --port ${LPORT} --remote ${RHOST} --state test_data --config test_data/obfs4.json --quic-tls-key-file quic.key --quic-tls-cert-file quic.crt
+{{< /highlight >}}
+
+

 === Running the obfs4 client

 On any machine you want to connect from:

-```Shell
+==== Prepare binaries
+
+{{< highlight Bash >}}
 apt install golang make git
 git clone https://0xacab.org/leap/obfsvpn
 cd obfsvpn
 go build -o obfsvpn-client  ./cmd/client
+{{< /highlight >}}
+
+==== Option 1: Connecting to server running on obfs4 mode
+
+{{< highlight bash >}}
 ./obfsvpn-client -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -rp <your bridge port, LPORT>
-```
+{{< /highlight >}}
+
+==== Option 2: Connecting to server running on kcp mode
+{{< highlight bash >}}
+./obfsvpn-client -kcp -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -rp <your bridge port, LPORT>
+{{< /highlight >}}
+
+==== Option 3: Connecting to server running on QUIC mode
+{{< highlight bash >}}
+./obfsvpn-client -quic -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -rp <your bridge port, LPORT>
+{{< /highlight >}}

 If all goes good, this reports that the port is open at 8080. However, to be able to use it, we need to set up our openvpn client.

@@ -291,7 +327,7 @@ Repeat the steps for openvpn server but stop after generation of pki dir.
 * Edit it to point to your files and to your gateway

 {{< highlight vim "linenos=table" >}}
-proto tcp
+proto udp
 remote <gateway host> <gateway port>

 ca easy-rsa/pki/ca.crt
@@ -330,11 +366,11 @@ Is it working? Yes? You are golden! No? Send us your error so we write a trouble

 === Appendix: Making your own obfs4 certificate

-```Shell
+{{< highlight Bash >}}
 apt install python3-pysodium
 wget -O gen-shapeshifter-state.py https://0xacab.org/leap/container-platform/lilypad/-/raw/main/playbooks/scripts/gen-obfs4-state.py
 python3 gen-shapeshifter-state.py statedir
-```
+{{< /highlight >}}

 And fetch your files from the `statedir` folder.


--- a/content/en/tutorials/obfsvpn-part-2-hopping.adoc
+++ b/content/en/tutorials/obfsvpn-part-2-hopping.adoc
@@ -63,10 +63,28 @@ cipher AES-256-CBC

 Make a new `obfs4` bridge, following the instructions in the first part of the tutorial until it is time to link:{{< ref "obfsvpn-part-1/#_start_the_bridge" >}}[start the bridge up].

+==== Option 1: obfs4-hopping mode
+
+{{< highlight Bash >}}
+./server --hop --addr ${LHOST} --remote {RHOST} --state test_data --config test_data/obfs4.json
+{{< /highlight >}}
+
+==== Option 2: kcp-hopping mode
+
+{{< highlight Bash >}}
+./server --kcp --hop --addr ${LHOST} --remote ${RHOST} --state test_data --config test_data/obfs4.json
+{{< /highlight >}}
+
+==== Option 3: QUIC-hopping mode
+
+QUIC requires a cert and key, you can generate one using openssl:
+{{< highlight Bash >}}
+openssl genpkey -algorithm Ed25519 -out quic.key
+openssl req -x509 -new -key quic.key -out quic.crt -subj "/CN=quic"
+./server --quic --udp --addr ${LHOST} --remote ${RHOST} --state test_data --config test_data/obfs4.json --quic-tls-key-file quic.key --quic-tls-cert-file quic.crt
+{{< /highlight >}}
+

-```Shell
-./server --hop --addr ${LHOST} --port ${LPORT} --remote {RHOST} --state test_data --config test_data/obfs4.json
-```
 While running the bridge in hopping-pt mode, you can adjust a few additional environment variables to specify the port range, the number of ports, and other related settings as follows:

 ```Shell
@@ -75,26 +93,40 @@ export OBFSVPN_MAX_HOP_PORT=<upper limit of port range to use for port hopping>
 export OBFSVPN_PORT_SEED=<seed to deduce randomized ports from for port hopping>
 export OBFSVPN_PORT_COUNT=<number of ports to be allocated for port hopping>
 ```
-=== Start the obfsvpn client in port hopping Mode
+== Start the obfsvpn client in port hopping Mode

 Back at your client machine, we will make adjustments to obfsvpn:

 * First, stop the client by pressing `ctrl+c` in the terminal with the running client.
 * Restart the client with new arguments: 

-```Shell
-./client -h -c <bridge_cert> -r <bridge_ip> -v
-```
+==== Option 1: Connecting to server running on obfs4-hopping mode
+
+{{< highlight bash >}}
+./obfsvpn-client -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -h
+{{< /highlight >}}
+
+==== Option 2: Connecting to server running on kcp-hopping mode
+{{< highlight bash >}}
+./obfsvpn-client -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -h -kcp
+{{< /highlight >}}
+
+==== Option 3: Connecting to server running on QUIC-hopping mode
+{{< highlight bash >}}
+./obfsvpn-client -c <certificate string from your statedir/obfs4_bridgeline.txt> -r <your bridge ip, LHOST> -h -quic
+{{< /highlight >}}
+
+
 While running the server in hopping-pt mode, if you have adjusted the port parameters, you can use the following flags on the client side to specify those settings:

-{{< highlight Shell "linenos=table" >}}
-./client -h -c <bridge_cert> -r <bridge_ip> -min-port <OBFSVPN_MIN_HOP_PORT> -max-port <OBFSVPN_MAX_HOP_PORT> -ps <OBFSVPN_PORT_SEED> -pc <OBFSVPN_PORT_COUNT> -v
+{{< highlight Bash >}}
+./obfsvpn-client -h -c <bridge_cert> -r <bridge_ip> -min-port <OBFSVPN_MIN_HOP_PORT> -max-port <OBFSVPN_MAX_HOP_PORT> -ps <OBFSVPN_PORT_SEED> -pc <OBFSVPN_PORT_COUNT> -v
 {{< /highlight >}}


 Now the client will hop between different ports of the same bridge.

-=== Adjust Your OpenVPN Client
+== Adjust Your OpenVPN Client

 {{< highlight Bash >}}
 sudo su
@@ -126,19 +158,21 @@ openvpn --config client-hopping.conf --remote 127.0.0.1:8080 --route <bridge_ip>

 Hopefully, this ended up with a successful tunnel initialization. From the point of view of `openvpn`, using the hopping mode should not make any difference.

-=== For Hopping between IP's Adjust the first bridge too
+== For Hopping between IP's Adjust the first bridge too

 * Connect to your first bridge, and stop it if it is running
 * Then, restart the bridge following link:{{< ref "obfsvpn-part-2-hopping/#_set_up_a_bridge_in_port_hopping_mode" >}}[set up bridge in port hopping mode]. as above to restart it.
+* Make sure both the bridges are setup to run in same mode and same port configurations.
 * After restarting the bridge, connect the client using the below command to hop between both the bridges(IP's).
+* Add flags `-kcp` or `-quic` with respect to the server mode.

-{{< highlight Shell "linenos=table" >}}
+{{< highlight Bash >}}

-./client -h -c <bridge_cert1,bridge_cert2> -r <bridge_ip1,bridge_ip2> -min-port <OBFSVPN_MIN_HOP_PORT> -max-port <OBFSVPN_MAX_HOP_PORT> -ps <OBFSVPN_PORT_SEED> -pc <OBFSVPN_PORT_COUNT> -v
+./obfsvpn-client -h -c <bridge_cert1,bridge_cert2> -r <bridge_ip1,bridge_ip2> -min-port <OBFSVPN_MIN_HOP_PORT> -max-port <OBFSVPN_MAX_HOP_PORT> -ps <OBFSVPN_PORT_SEED> -pc <OBFSVPN_PORT_COUNT> -v
 {{< /highlight >}}

 Of course, you have to re-run the OpenVPN client command, but this time you need to ensure to add routes for both the bridges as below:
-{{< highlight Shell "linenos=table" >}}
+{{< highlight Bash >}}
 openvpn --config client-hopping.conf --remote 127.0.0.1:8080 --route <bridge_ip1> 255.255.255.255 net_gateway --route <bridge_ip2> 255.255.255.255 net_gateway

 {{< /highlight >}}