
Version 55 (modified by cypherpunks, 7 years ago): updates across the page


WARNING: This article currently lacks information about the TorBOX-Gateway's and TorBOX-Workstation's MAC addresses. See also TorBOX's Protocol-Leak-Protection and Fingerprinting-Protection, MAC addresses on Bare Metal and MAC address in public networks.

NOTE: The terminology "Bare Metal TorBOX" is no longer accurate. We are not referring to running software on bare metal vs. on a hypervisor. What this setup is actually about is installing TorBOX-Gateway and TorBOX-Workstation on two physical systems vs. on a single one. We could use a better name for that...

  • TorBOXπ or TorBOX-Pi for "physical isolation" - too cheesy?
  • π = ?
    • π = 3.141592653589... ;)
  • Perhaps TorBOX-PI, TorBOX-pI, TorBOX-PhyIso, TorBOX Physical Isolation Edition, TorBOX-PIE. I don't really like any of them much. But agreed, it doesn't have much to do with bare metal anymore. It's about physical isolation.

Introduction

When setting up TorBOX in the form of two VMs running on the same host, exploits targeting the VM implementation or the host can still break out of the torified client VM and expose the IP of a user. Malware running on the host has full control over all VMs. To protect against such attacks we need a different approach: in this context we called it "bare metal" because the gateway system is installed on separate hardware ("metal"). This drastically reduces the TCB, by more than half.

In total we'll be installing and configuring two computers and setting up an isolated point-to-point network between them (you could also set up an ordinary, completely isolated LAN behind the TorBOX-Gateway, but read this NOTE). One computer acts as the client or "TorBOX-Workstation", the other as a proxy or "TorBOX-Gateway", which will transparently route all of the TorBOX-Workstation's traffic through Tor.

The TorBOX-Gateway on its own physical device can run either directly on "bare metal" or inside a virtual machine. Both options have advantages and disadvantages. We recommend not using an additional virtual machine for the TorBOX-Gateway.

The TorBOX-Workstation should always be installed in a Virtual Machine: A VM hides hardware serial numbers. See also Recommendation to use multiple VM Snapshots.

Using spare hardware + Virtual Machine

Advantages:

  • You can install a graphical host.
  • Use the TorBOX download version.
  • You can use the graphical network manager on the host, for example to connect to WiFi.
  • You can easily set up a VPN on the host. Tor will be tunneled through the VPN.

Disadvantages:

  • Higher attack surface, because the virtual machine code gets involved.

Using spare hardware without Virtual Machine

Advantages:

  • More secure, because less code is involved.

Disadvantages:

  • Slightly more complicated setup
  • More difficult to set up VPN
  • More difficult to set up 3G networking compared to using a Windows host

Prerequisites

  • TorBOX-Gateway: A device with at least two network adapters, at least one of them ethernet [1], capable of running Linux. It will run Ubuntu Server. [2]

[1] The other one may be an anonymous 3G modem, an anonymous WiFi adapter, or another ethernet or WiFi adapter connected to your modem/router.
[2] Theoretically you could use any OS that supports iptables or pf. If you don't want to use Ubuntu Oneiric you will have to edit the shell script. This will be easy for Debian derivatives but much more difficult for *BSD, for example. In any case, the choice of OS shouldn't really matter because this system isn't used for anything but running Tor. A cheap plug computer, something like a Raspberry Pi or the hardware used by Torouter, would be sufficient.

  • TorBOX-Workstation: A device connected via ethernet to the TorBOX-Gateway. It must only have this one NIC and no other network connectivity! It must be connected by wire. [3] This will be the torified client system or TorBOX-Workstation. It must be capable of running Ubuntu Server. [4]
    We recommend using a VM as the client, the same [5] VM build [6] as the non-bare-metal TorBOX uses.

[3] If you don't connect by wire, you significantly weaken isolation and security. Once the TorBOX-Workstation is infected, it could jump onto another network and start leaking.
[4] Any OS can be used. But this is not recommended! If you do anyway, read the warning, especially for Windows: Transparent Proxy Leaks.
[5] A generic VM image can neither leak identifying hardware serial numbers nor unique software fingerprints (e.g. through software updates).
[6] This ensures that you get the latest security features and most secure configurations (such as stream isolation, which protects against identity correlation through circuit sharing, IRC hardening, or TorBOX's Protocol-Leak-Protection and Fingerprinting-Protection).

Time syncing

Please read and apply Network Time Syncing on both computers. This is a required step on the client computer because NTP doesn't work at all behind Tor (it uses UDP) and even if it did, it couldn't be trusted! It's also removed on both TorBOX-Workstation and TorBOX-Gateway by the shell scripts.

Installation

General advice from Build Security and Host preparation applies.

How To Install TorBOX-Gateway on bare metal [RECOMMENDED]

  • Install Ubuntu Server 12.04 and choose the following settings:
    In the boot menu press F4 and select "Install a minimal system"
    Language: English
    Location: United States
    Keyboard layout: English (US) (don't autodetect)
    Primary network interface: eth0 (depends on hardware layout?)
    Hostname: ubuntu
    Full name for the new user: user
    Username for your account: user
    Choose a password for the new user: <set up a strong password>
    Encrypt home directory: No
    Timezone: UTC
    Partitioning: It's a good idea to set up cryptsetup-based FDE at this point.
    No proxy
    No automatic updates
    tasksel (Choose software to install): select nothing

    • The external interface (usually eth0) may need to be configured according to the requirements of your local network, e.g. with a static address, or simply left to use DHCP if the gateway is connected to a DHCP-capable router. For WLAN follow the upstream documentation: Debian wiki, Ubuntu help
  • Make sure the internet is working
  • Install all security updates and reboot
  • Transfer the TorBOX-Gateway script to the Gateway
  • Before running the TorBOX-Gateway script make sure eth1 and eth0 refer to the correct interfaces. Otherwise you have to change the variables in the script ('dmesg | grep eth' may be helpful).
  • Run the script with the "-install" option, not the "-vm" flag, as that flag is only suited for VMs: sudo TorBOX-Gateway -install
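An added pre-flight check for the interface-mapping step above (example code written for this page, not part of the TorBOX-Gateway script): it lists each interface's MAC, driver and link state from sysfs and refuses a pair of names that are not two distinct physical NICs. SYSFS_NET and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the TorBOX-Gateway script: list name, MAC, driver
# and link state of every interface from sysfs so the operator can confirm
# which adapter the script's eth0 (external) and eth1 (internal, point-to-point)
# variables should name before running "sudo TorBOX-Gateway -install".
# Assumption: SYSFS_NET defaults to /sys/class/net and may be pointed at a
# different directory (e.g. a constructed tree) for testing.

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# iface_field <iface> <attribute>: contents of a sysfs attribute, or "-" when
# it is missing or unreadable (reading "carrier" of a down link fails with EINVAL).
iface_field() {
    cat "$SYSFS_NET/$1/$2" 2>/dev/null || echo "-"
}

# iface_driver <iface>: kernel driver bound to the device; "-" for virtual
# interfaces such as lo, which have no device/driver link.
iface_driver() {
    if [ -L "$SYSFS_NET/$1/device/driver" ]; then
        basename "$(readlink "$SYSFS_NET/$1/device/driver")"
    else
        echo "-"
    fi
}

# list_ifaces: one line per interface; compare driver and MAC against
# "dmesg | grep eth" or the adapter's label to decide which is which.
list_ifaces() {
    for d in "$SYSFS_NET"/*; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        printf '%-8s %-18s %-10s carrier=%s state=%s\n' "$i" \
            "$(iface_field "$i" address)" "$(iface_driver "$i")" \
            "$(iface_field "$i" carrier)" "$(iface_field "$i" operstate)"
    done
}

# check_roles <external> <internal>: fail when either interface is missing,
# has no driver (not a physical NIC) or both names are the same, since the
# script's eth0/eth1 variables would then point at the wrong adapter.
check_roles() {
    for i in "$1" "$2"; do
        [ -d "$SYSFS_NET/$i" ] || { echo "missing interface: $i"; return 1; }
        [ "$(iface_driver "$i")" != "-" ] || { echo "$i has no driver"; return 1; }
    done
    [ "$1" != "$2" ] || { echo "external and internal must differ"; return 1; }
}

list_ifaces
```

Run it on the Gateway before the script, then `check_roles eth0 eth1` (or whatever names you settle on) in the same shell.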

For the TorBOX-Gateway follow these instructions (ignoring the VirtualBox-specific steps), but:

How To Install TorBOX-Gateway in a VM [UNTESTED / NOT RECOMMENDED]

It is advised to install a new OS just for hosting the Gateway VM. Any OS that can run VirtualBox works, but we recommend an open source system.

Download or build the TorBOX-Gateway image.

Adapter 1 can be set up as a NAT network. Adapter 2 must either be set to NAT as well (but then you will need to forward ports from the host to the guest) or, much simpler, use bridged networking attached to the second physical interface (the one that goes into the isolated network / point-to-point ethernet). See "NAT vs Bridging" below.

This configuration is entirely untested and not recommended unless you need to run Tor through a VPN (can't that be done without VMs?) or through an unsupported 3G modem and can't afford a third physical device.

Install TorBOX-Workstation

If the physical network (between TorBOX-Gateway and a router) uses 192.168.0.*, you need to review and edit all shell scripts you are going to use and switch the internal network to something else!
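The collision check behind this warning, as an added example (not code from the TorBOX scripts): it tests whether the external network overlaps 192.168.0.0/24 and, if so, picks another internal network from a constructed candidate list. The function names and the candidate subnets are this example's own assumptions.

```shell
# Added example, not part of the TorBOX scripts: check whether the network on
# the TorBOX-Gateway's external interface overlaps the internal network the
# scripts use (192.168.0.0/24, see above) and, if so, pick a non-overlapping
# replacement. Assumptions: the external address is given as addr/prefix (as
# "ip -4 -o addr show dev eth0" prints it); candidate subnets are constructed.

# ip_to_int <dotted-quad>: IPv4 address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask <len>: netmask for a prefix length (4294967295 = 0xFFFFFFFF).
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# networks_overlap <addr1> <len1> <addr2> <len2>: exit 0 if the networks
# overlap. Two networks overlap exactly when they agree on the shorter prefix.
networks_overlap() {
    p=$2; if [ "$4" -lt "$p" ]; then p=$4; fi
    mask=$(prefix_mask "$p")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$3") & mask )) ]
}

# choose_internal_net <ext_addr> <ext_len>: print the first candidate internal
# network that does not overlap the external one; the scripts' default comes first.
choose_internal_net() {
    for cand in 192.168.0.0/24 172.16.0.0/24 192.168.254.0/24 10.99.99.0/24; do
        if ! networks_overlap "$1" "$2" "${cand%/*}" "${cand#*/}"; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Usage: sh check-internal-net.sh 192.168.0.12/24
if [ -n "$1" ]; then
    choice=$(choose_internal_net "${1%/*}" "${1#*/}")
    if [ "$choice" = "192.168.0.0/24" ]; then
        echo "ok: default internal network does not collide with $1"
    else
        echo "collision with 192.168.0.0/24: change the scripts to use $choice"
    fi
fi
```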

Install and update a host OS. The host can be any OS that can run VirtualBox, but be aware of Transparent Proxy Leaks. It is not recommended to use Windows or any other commercial proprietary system.

Download or build the TorBOX-Workstation image.

  • Instead of setting Adapter 1 (eth0) to internal, you'll need to use bridged or NAT networking!

NAT vs Bridging

Since TorBOX-Workstation can see the MAC address of whatever adapter it is connected to, if you use bridged networking you should change the MAC address of the internal interface on the Gateway: https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#TorBOXinpublicnetworksMACAddress

If you use NAT you will have to edit the TorBOX-Workstation script so it uses DHCP or a static IP for the VirtualBox NAT network. The host has to be set to use the static IP configuration as configured in the TorBOX-Workstation script. When using NAT for a virtualized Gateway you need to set up port forwarding in VirtualBox.

If you use bridged networking things will (or should; we haven't tested anything yet) just work; the host will have to be configured to use a static IP as well.

Further hints and recommendations

We recommend that you use two dedicated computers for TorBOX that are never used for activities that could lead back to your identity. Alternatively you can use an already existing and otherwise used computer for the TorBOX-Gateway. To offer some isolation you should disconnect all internal and external drives and boot from an eSATA, USB or other internal drive into a clean environment.

non-anonymous use

  • non-anonymous box (leave it as it is, however you want)
  • non-anonymous home dial-up internet router (leave it as it is, however you want)

anonymous use

  • TorBOX-Gateway
    • This really does not have to be a big desktop computer or ordinary server. There are alternatives.
    • smartphone [1], UMPC, pad, tablet, notebook, netbook, Raspberry Pi, router [2], set-top box, etc.
    • How to utilize such a device as a Linux server is beyond the scope of this guide; there are already better resources.
  • anonymous 3G modem (see below) or anonymous wifi adapter (see below)
  • TorBOX-Workstation
    • You get the idea. Use a device which suits you. [1]

[1] Just some hints to get started. It is difficult and beyond the scope of TorBOX, because you don't have an ethernet interface. Some (aftermarket) firmwares support USB host mode, so you can plug USB devices into your phone, such as a USB ethernet card. For example, some rooted Android smartphones can install Ubuntu Linux.
[2] Something like OpenWrt.

anonymous 3G modem

Normally your dial-up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or TorBOX are compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • plugged or integrated into TorBOX-Gateway
  • Buy the 3G modem anonymously [in a store, second hand, on the street, no personal data].
    • Be sure to have never used it for non-anonymous use before.
      • This is because in many countries the telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
  • Also be sure to buy the SIM card anonymously.
    • Prepaid is better.
    • Buy cash codes in different stores anonymously.
    • Be sure to never have used this anonymous SIM card with a non-anonymous phone or 3G modem.
      • This is because in many countries the telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
  • Optionally use it from distant random spots only. (security vs. comfort)
    • Check for cameras and witnesses.
  • 3G users often get only a shared IP. Due to the scarcity of IPv4 addresses, thousands of users share the same external IPv4 address. Some providers do not yet log users' (NAT) ports. Consequently they cannot identify a user when given only an IP and a timestamp. Nice to have, but don't rely on it! (Some providers assign additional IPv6 addresses to their users, which are unique. Tor does not use IPv6 yet.)

anonymous wifi adapter

Normally your dial-up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or TorBOX are compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • Plugged or integrated into TorBOX-Gateway.
  • Buy the wifi adapter anonymously [in a store, second hand, on the street, no personal data].
    • Be sure to have never used it for non-anonymous use before.
      • This is because a few providers or hotspot operators log the MAC address and the username (for paid hotspots) for each connection.
  • Use only free hotspots or pay for them anonymously (if that's possible; otherwise abstain from paid hotspots).
  • Optionally use it from distant random spots only. (security vs. comfort)
    • Check for cameras and witnesses.

Further required reading

Readme. The Host section applies to both computers!