wiki:TipsAndTricks

Tips and tricks

Running iodine side-by-side with another DNS server

iodine must be running on a port different than 53, and iptables can be configured to inspect packets and filter based on specific strings found inside them. This can be used to filter out iodine traffic from other DNS traffic and send it to the iodine port:

iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 20 --hex-string "|024a4a0364615000|" -j REDIRECT --to-ports 5353

The hex string is your subdomain in network byte order, and can be found by inspecting your iodine traffic with tcpdump(8). See more here  http://www.wormnet.eu/dns/vpn

The 'raw mode' does not use DNS, just the same port, so it will not contain the domain name. But it starts with a static 3 byte header which can be used:

iptables -t nat -A PREROUTING -p udp --dport 53 -m string --algo bm --from 0 --hex-string "|10d19e|" -j REDIRECT --to-ports 5353

Running iodine behind BIND9

iodined must be started with "-p 5353" since 53/udp is used by BIND

and BIND must be configured to forward requests:

zone "i.xxx.yyy" {
 type forward;
 forwarders{
  127.0.0.1 port 5353;
 };
};

Note that doing this requires recursion to be enabled for the client. This can be enabled by inserting

allow-recursion { any; };

into your named.conf (/etc/bind/named.conf.options by default on Debian), but be aware that this will turn your DNS server into an open relay, and as such it is discouraged.

Running on another port

If your port 53 is taken on a specific interface by an application that does not use it, use -p on iodined to specify an alternate port (like -p 5353) and use for instance iptables (on Linux) to forward the traffic:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to :5353

(Sent in by Tom Schouten)

Routing script for OS X, Linux and FreeBSD

 http://www.doeshosting.com/code/NStun.sh
(by krzee)

iodine-jigger script from the debian package

 http://svn.toastfreeware.priv.at/wsvn/ToastfreewareDebian/iodine/trunk/debian/iodine-jigger

Routing script for WIN32

It's a shell script. You need  Unix Tools, and to set the path environnement variable. (Note, the script seems to be made for french version of Windows, you may need to adjust the strings)
To launch it, use the command "sh iodine.sh" . If you got a problem, launch with the command "sh -xv iodine.sh", and we will be able to help you on irc!
The server must have the "-c" option.
After closing the tunnel, you can restore routes with theses commands "ipconfig /release" + "ipconfig /renew".

iodine.sh :

DOMAIN=mytunnel.mydomain.com
PASSWORD=XXXXX

PATH="$PATH;./"
IODINE=`which iodine.exe`
GREP=`which grep`
CUT=`which cut`
RT=`which route`
IPCONFIG=`which ipconfig`
GATEWAY=`$IPCONFIG /all | grep "Passerelle" | cut -d ":" -f2`
DNS=`$IPCONFIG /all | grep "Serveurs DNS" | cut -d ":" -f2`

$RT delete 0.0.0.0
#$RT add $DNS MASK 255.255.255.255 $GATEWAY
$RT add $DNS $GATEWAY

$IODINE -fP $PASSWORD $DNS $DOMAIN