technical

Vodacom: internetvpn APN

Update: this is no longer available; the internet APN now has public IPs.

A quick tip for Vodacom 3G / GPRS / EDGE users in South Africa.

There is a special APN called “internetvpn” for laptop users who connect to corporate VPNs. While this probably doesn’t interest most readers, it is a useful APN to use because:

  • You get a real Public IP address, not a private NATted one.
  • You get lower latency.
  • The cost is the same. (i.e. regular data bundles work fine)

If you use a VPN, this will probably make it more reliable, and if you don’t it will at least make your ssh use more comfortable.

Unfortunately, the following vodacom issues will still be present:

  • No incoming TCP connections (i.e. you can’t serve web pages from or ssh into your laptop)
  • Often you get “martian” DNS servers (10.11.12.13 and 10.11.12.14). Either reconnect, or manually set your DNS servers to 196.43.46.190 (SAIX) and 196.207.40.165 (Vodacom).
  • TCP connections are regularly reset. (Overloaded NAT/Firewall hardware?)

How to get it:

  1. Call vodacom customer care (111).
  2. Follow the IVR menu options in the direction of data cards.
  3. Ask them to enable the “internetvpn APN” (you might have to explain it to them).
  4. Reconfigure your phone / chat script / “data card driver” to use “internetvpn” instead of “internet”.
  5. Profit! :-)

Easy home transparent proxy

Everyone in South Africa wants to save a little more bandwidth, as low traffic caps are the rule of the day (especially if you are hanging off an expensive 3G connection).

While the "correct" thing to do is to use wpad autodetection, and thus politely request that users use your proxy, this isn't always an option:

  • Firefox doesn't autodetect proxies by default.
  • Autodetection doesn't behave well for many roaming users (firefox should talk to network-manager)
  • Many programs simply don't support wpad.
  • Your upstream ISP transparently proxies anyway (the norm in ZA), so it's not like we have any end-to-endness to protect.

So, here's how you do it:

  1. Let's assume your network is 10.1.1.0/24, and the squid box is 10.1.1.1 on eth0.
  2. Install squid (aptitude install squid), configure it to have a reasonably large storage pool, give it some sane ACLs, etc.
  3. Add http_port 8080 transparent to squid.conf (or http_port 10.1.1.1:8080 transparent if you are using explicit http_port options).
  4. invoke-rc.d squid reload
  5. Add the following to your iptables script (the negation goes before the option; the older "-d !" spelling is deprecated in current iptables):
iptables -t nat -A PREROUTING -i eth0 -s 10.1.1.0/24 ! -d 10.20.1.1 -p tcp --dport 80 -j REDIRECT --to 8080

If you run squid on your network's default gateway, then you are done. Otherwise, if you have a separate router, you need to do the following on the router:

  1. Add a new transprox table to /etc/iproute2/rt_tables, e.g. 1 transprox
  2. Pick a new netfilter MARK value, e.g. 0x04
  3. Add the following to the router's iptables script:
# Transparent proxy
iptables -t mangle -F PREROUTING
iptables -t mangle -A PREROUTING -i br-lan ! -s 10.1.1.1 ! -d 10.1.1.0/24 -p tcp --dport 80 -j MARK --set-mark 0x04
ip route del table transprox
ip route add default via 10.1.1.1 table transprox
ip rule del table transprox
ip rule add fwmark 0x04 pref 10 table transprox
  4. Done: test and tail your squid logs.

The reason we use iproute rules rather than iptables DNAT is that a DNAT on the router rewrites the destination address before the packet reaches squid, so squid can no longer tell which server the client was trying to reach (like losing the envelope of an e-mail). Marking and policy-routing the packet leaves the destination intact.

An alternative solution is to run tinyproxy on the router (with the transparent option, enabled in Ubuntu but not Debian), use the REDIRECT rule above on the router to redirect to tinyproxy, and have that go upstream to the squid. But tinyproxy requires some RAM, and on a WRT54 or the like you don't have any of that to spare...

Should you need to temporarily disable this for any reason:

  • With all-in-one-router: iptables -t nat -F PREROUTING
  • With the separate router: iptables -t mangle -F PREROUTING
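As an added example (not code from the original post), here is the whole procedure above, for both the all-in-one gateway and the separate-router case, plus the disable step, as one re-runnable POSIX shell script. The addresses, interface names, mark and table name are the post's own values, set as variables; the DRY_RUN switch, the function names, the use of `--to-ports` (the documented name of REDIRECT's `--to`), and the `ip route flush` / `ip rule del fwmark ...` forms used to make re-running safe are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the transparent-proxy setup
# as one re-runnable script. DRY_RUN=1 (the default) only prints the
# commands; run with DRY_RUN=0 as root to apply them.
#
# Assumed values, taken from the post; change them to match your network.
LAN_NET="10.1.1.0/24"        # LAN whose port-80 traffic is proxied
PROXY_IP="10.1.1.1"          # the squid box
PROXY_PORT="8080"            # squid's "http_port ... transparent" port
SQUID_LAN_IF="eth0"          # LAN-facing interface on the squid box
ROUTER_LAN_IF="br-lan"       # LAN-facing interface on a separate router
FWMARK="0x04"                # netfilter mark used on the separate router
RT_TABLE="transprox"         # name registered in /etc/iproute2/rt_tables
DRY_RUN="${DRY_RUN:-1}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Case 1: squid runs on the default gateway. LAN traffic to port 80 is
# redirected to the local squid port; traffic addressed to the proxy host
# itself is excluded so its own services stay reachable directly.
# "! -d" is the current iptables spelling of the post's "-d !".
squid_box_rules() {
    run iptables -t nat -A PREROUTING -i "$SQUID_LAN_IF" -s "$LAN_NET" \
        ! -d "$PROXY_IP" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Case 2: a separate router. Port-80 packets that do not come from the
# proxy and do not stay inside the LAN are marked, and marked packets are
# policy-routed to the squid box. The destination address is untouched,
# so squid still sees which server the client asked for. The table name
# must already be listed in /etc/iproute2/rt_tables (step 1 of the post).
# The flush/del steps exist so the script can be re-run; they fail
# harmlessly when nothing exists yet.
router_rules() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -i "$ROUTER_LAN_IF" ! -s "$PROXY_IP" \
        ! -d "$LAN_NET" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    run ip route flush table "$RT_TABLE" 2>/dev/null || true
    run ip route add default via "$PROXY_IP" table "$RT_TABLE"
    run ip rule del fwmark "$FWMARK" table "$RT_TABLE" 2>/dev/null || true
    run ip rule add fwmark "$FWMARK" pref 10 table "$RT_TABLE"
}

# Temporarily disabling, as in the post: flush the chain that was used.
# Note that this also removes any other rules you keep in that chain.
disable_squid_box() { run iptables -t nat -F PREROUTING; }
disable_router()    { run iptables -t mangle -F PREROUTING; }

case "${1:-}" in
    squid)      squid_box_rules ;;
    router)     router_rules ;;
    off-squid)  disable_squid_box ;;
    off-router) disable_router ;;
    "")         ;;   # no argument: only define the functions
    *)          echo "usage: $0 squid|router|off-squid|off-router (DRY_RUN=0 to apply)" >&2 ;;
esac
```

Run `sh transprox.sh router` first to see the exact commands, then `DRY_RUN=0 sh transprox.sh router` as root on the router (and the `squid` variant on the squid box). Because the router only marks packets and routes them via a policy table, the original destination reaches squid intact, which is the point made about DNAT above.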