Standard Communication Relay Node

Well, this particular IP address (the DNS A record associated with fangfufu.co.uk) is now blocked by a certain organisation. I have rented yet another VPS to act as this physical server's relay, so I can access this physical server in a certain hostile environment. In this document, I describe the configuration for my standard communication node.

Operating system

Debian Stable (currently Stretch) - this is the standard operating system across all computers that I have control of.

List of software

tinc

Tinc stands for “There Is No Cabal”. It is VPN software that supports a mesh topology. Nodes can be configured to communicate with each other. This is different to the star topology of OpenVPN. You can also configure certain nodes to relay traffic between nodes that cannot directly communicate with each other. My existing tinc network runs on tun. I can't remember why I decided that running it in tun mode was a good idea. In hindsight, I should have run it in tap mode.

openvpn

I configure my OpenVPN in static key mode. In this mode, I think it doesn't negotiate the encryption cipher in plaintext. This helps me to evade the firewall. I run my OpenVPN in tap mode, so I can bridge the virtual adapter to my router, and create a hotspot that tunnels all traffic. I also run my OpenVPN over TCP, so it works with kcptun.

squid

I use squid to create an application-level load balancing proxy. It supports weighted round robin for load balancing. The weighting is based on the ping time to each upstream proxy.
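A squid.conf fragment for the weighted round robin setup described above, added here as an illustration and not taken from the author's configuration. The peer hostnames, the ports and the `localclients` ACL name are placeholders, and it assumes the upstream proxies answer ICP on port 3130 so that squid can measure their round trip time.

```conf
# Constructed example: the local squid listens on loopback only.
http_port 127.0.0.1:3128

# Upstream parent proxies (placeholder hostnames and ports).
# weighted-round-robin: parents are used in rotation, with the frequency
#   of each parent based on its measured round trip time (closer = more often).
# background-ping: send ICP queries only occasionally, to keep the
#   round trip time estimate current without querying on every request.
cache_peer relay-a.example.net parent 3128 3130 weighted-round-robin background-ping
cache_peer relay-b.example.net parent 3128 3130 weighted-round-robin background-ping

# Never fetch directly from the origin; always go through a parent.
never_direct allow all

# Accept requests from local clients only, so the node is not an open proxy.
acl localclients src 127.0.0.1/32
http_access allow localclients
http_access deny all
```

A manual bias can be added to a parent with `weight=N` on its `cache_peer` line.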

kcptun

kcptun provides an alternative transmission control mechanism to TCP. It basically transports TCP traffic over UDP.

exim4

git

cron-apt

shadowsocks

kcptun

iptables-persistent