Dowse is a minimalistic script that can turn an old PC into a transparent proxy for home network privacy. It facilitates the setup of a LAN masquerading firewall, web proxy and functions as gateway to dark web hidden networks as Tor or I2P.
The main components used in Dowse are fairly common software applications found in most GNU/Linux and BSD distributions:
- Easy to configure DHCP server with local hostname resolution on LAN
- Hardcode MAC entries of known hosts to protect from arp spoofing
- Basic, fairly secure, iptables firewall configured on the fly for NAT
- Fast caching of HTTP traffic also helps to save bandwidth
- Eliminates most Internet advertisements from all websites
- Transparent proxy avoid the need to configure browsers proxies
- Usable and easy to administer with basic GNU/Linux sysadmin skills
Dowse is a snappy solution for shared LANs with many users that do not want to be bombarded by cookies and advertisements from all kinds of Internet spam, while being able to browse the dark webs with a reasonable degree of anonymity. Ideal for medialabs, hackerspaces and such.
Installation and activation takes a few steps and needs root:
- Download dowse on a GNU/Linux box (we use Debian 7)
- Install ZSh, needed to run all scripts in Dowse, then go into the dowse directory (cd /usr/src/dowse in our example)
- Run ./utils/debian-install.sh as root, it fires up some commands: apt-get, update-rc.d and invoke-rc.d to install dependencies like dnsmasq, privoxy, squid, tor
- Configure the files in the conf/ folder: settings and network. The files are plain text and include documentation in comments.
- Launch the dowse script as root, using full path. In our example:
# /usr/src/dowse/dowse start
- Dowse will launch all daemons dropping root privileges and using the user configured (default user is ‘proxy’)
- Deactivate the DHCP service (Automatic IP configuration) on any other object on the network, typically your ADSL router.
If all went well now one should be able to connect any device to the
internet as you did before, but now all the traffic is passing via
Dowse’s transparent proxy configuration, which weeds out adverts and
takes care of browser’s privacy.
To make sure that dowse is started at every boot, just add it to the
/etc/rc.local file, in our example that would be the line:
Other commands accepted for now: stop or restart.
Dowse sourcecode can be cloned from GitHub, but stable releases are distributed in .tar.gz source format on our download zone, signed with Jaromil’s GnuPG key for authenticity.
For the literates out there, the source code of dowse is pretty simple to read and made available on-line to check what this script does, with comments and documentation. Just in case one likes to be sure what is running as root on his or her own computer: its always good to be questioning.Literate code documentation
If you care about the reliability of your local network, Dowse is a good start. More can be done by using more software that integrates nicely and helps monitoring or refining the firewall system. Here below a non-exaustive list of software we recommend using:
- DNSCrypt – secure communications between clients and DNS resolvers
- PeerGuardian - maintains blocklists on the firewall
- Tiger - audits the system’s security
- SshGuard - bans failed attempts to log into ssh
Dowse configuration is pretty simple and requires only a superficial understanding of TCP/IP networking and addressing, basically limited to the setup of a C class local network.
The default for it is the 10.0.0.0-255 range. The following configuration is included in the source distribution and should be customised as needed.
# configuration for our network # values are assigned with equals, no spaces in between # comments are prefixed with hashes, just like this. # which addresses we take for dowse dowse=10.0.0.254 # which interface is connected to the network interface=eth0 # hostname by which dowse will be known to the network hostname=dowse # what connects us to the internet (i.e. adsl router) # make sure dhcp is deactivated there, we will give it! wan=10.0.0.1 # what is the domain name of the internal network lan=home.net # should we setup a firewall, flush it or don't touch? firewall=yes # yes, no or flush (blank open) ######################### # SAFE TO LEAVE UNCHANGED # in most cases, if you don't know what you are doing # its better to not change the values below. # under which system UID and GID dowse will run dowseuid=proxy dowsegid=proxy # what network range we choose for our LAN (class C) dowsenet=10.0.0.0/24 # which netmask to be applied (default is class C) netmask=255.255.255.0 # ip range reserved for guests (first,last,leasetime) dowseguests=10.0.0.101,10.0.0.199,48h
Dowse was first conceptualized under the name of Ghettobox and refined in on-line and on-site exchanges within the Italian hackmeeting community.
Its (fairly minimal) codebase is designed, written and maintained by Jaromil.
Its realization was inspired by the fine howtos on antagonism.org.
Dowse depends from various free and open source software components redistributed under the GNU GPLv2 and GPLv3, MIT/BSD or Apache
licenses. Their sources are the property of the respective authors and are used by Dowse in the binary form offered by major distributions.