wiki:doc/TorBOX/BareMetalHints

Version 63 (modified by proper, 7 years ago)

update

aos Homepage

WARNING: Instructions for aos 0.3.0 with Physical Isolation are still under development. Advanced Linux users can already understand them. Read "In Development" below...

WARNING: This article currently lacks information about aos-Gateway's and aos-Workstation's MAC address. See also

NOTE: The terminology "Bare Metal aos" is no longer accurate. We are not referring to running software on virtualizers vs. physical systems. What this setup is actually about is installing aos-Gateway and aos-Workstation on a single physical system vs. installing them on two different physical systems and using virtualization, i.e. Physical Isolation.

Introduction

When aos is set up as two VMs running on the same host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the user's IP address. Malware running on the host has full control over all VMs. To protect against such attacks we need a different approach. In this context we called it "bare metal" because the gateway system is installed on separate hardware ("metal"). This drastically reduces the TCB, by more than half.

In total we'll install and configure two computers and set up an isolated point-to-point network between them (you could also set up an ordinary, completely isolated LAN behind the aos-Gateway, but read this NOTE). One computer acts as the client or "aos-Workstation", the other as a proxy or "aos-Gateway" which will transparently route all of the aos-Workstation's traffic through Tor.

The aos-Gateway on its own physical device can run either directly on "bare metal" or inside a virtual machine. Both options have advantages and disadvantages. We recommend not using an additional Virtual Machine for the aos-Gateway.

The aos-Workstation should always be installed in a Virtual Machine: A VM hides hardware serial numbers. See also Recommendation to use multiple VM Snapshots.

Using spare hardware + Virtual Machine

Advantages:

  • You can install a graphical host.
  • Use the aos download version.
  • You can use the graphical network manager on the host, for example to connect to WiFi.
  • You can easily set up a VPN on the host. Tor will be tunneled through the VPN.

Disadvantages:

  • Higher attack surface, because the Virtual Machine code gets involved.

Using spare hardware without Virtual Machine

Advantages:

  • More secure, because less code is involved.

Disadvantages:

  • Slightly more complicated setup
  • More difficult to set up VPN
  • More difficult to set up 3G networking compared to using a Windows host

Prerequisites

  • aos-Gateway: A device with at least two network adapters, at least one of them ethernet [1], capable of running Linux. It will run Ubuntu Server. [2]

[1] The other one may be an anonymous 3G modem, an anonymous wifi adapter, or another ethernet or wifi adapter connected to your modem/router.
[2] Theoretically you could use any OS that supports iptables or pf. If you don't want to use Ubuntu Oneiric you will have to edit the shell script. This will be easy for Debian derivatives but much more difficult for *BSD, for example. In any case, the choice of OS shouldn't really matter because this system isn't used for anything but running Tor. A cheap plug computer, something like a Raspberry Pi or the hardware used by Torouter, would be sufficient.

  • aos-Workstation: A device connected via ethernet to the aos-Gateway. It must have only this one NIC and no other network connectivity! It must be connected by wire. [3] This will be the torified client system or aos-Workstation. It must be capable of running Ubuntu Server. [4]
    We recommend using a VM as the client, the same aos-Workstation that most non-Physical-Isolation users use. [7]

[3] If you don't connect by wire, you significantly weaken isolation and security. Once the aos-Workstation is infected, it could jump onto another network and start leaking.
[4] Any OS can be used. But this is not recommended! If you do anyway, read the warning, especially for Windows: Transparent Proxy Leaks.
[5] A generic VM image can leak neither identifying hardware serial numbers nor unique software fingerprints (e.g. through software updates).
[6] This ensures that you get the latest security features and most secure configurations (such as stream isolation that protects against identity correlation through circuit sharing, IRC hardening, or aos's Protocol-Leak-Protection and Fingerprinting-Protection).
[7] From the download page or build yourself from source.
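
One way to check the "only this one NIC, connected by wire" requirement on the Workstation machine, as an added example that is not part of the aos sources. It reads the kernel's /sys/class/net tree; the demo tree and its MAC addresses are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the aos sources): audit the Workstation machine's NICs.
# Page rule: exactly one NIC, wired, and no other network connectivity.

audit_nics() {
    # $1: sysfs network class directory; defaults to the live system.
    net_dir=${1:-/sys/class/net}
    wired=0
    problems=0
    for path in "$net_dir"/*; do
        [ -d "$path" ] || continue          # skips files such as bonding_masters
        iface=${path##*/}
        [ "$iface" = lo ] && continue
        # The kernel exposes these entries only for 802.11 devices.
        if [ -e "$path/wireless" ] || [ -e "$path/phy80211" ]; then
            echo "FAIL $iface: wireless adapter, remove or disable it"
            problems=$((problems + 1))
        else
            echo "ok   $iface: non-wireless, MAC $(cat "$path/address" 2>/dev/null)"
            wired=$((wired + 1))
        fi
    done
    if [ "$wired" -ne 1 ]; then
        echo "FAIL expected exactly one non-wireless NIC, found $wired"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

make_demo_tree() {
    # Constructed sample: a fake sysfs tree with loopback, one wired and one WiFi NIC.
    demo=$(mktemp -d)
    mkdir -p "$demo/lo" "$demo/eth0" "$demo/wlan0/wireless"
    echo 00:00:00:00:00:00 > "$demo/lo/address"
    echo 02:00:00:00:00:01 > "$demo/eth0/address"
    echo 02:00:00:00:00:02 > "$demo/wlan0/address"
    echo "$demo"
}

demo=$(make_demo_tree)
audit_nics "$demo" || echo "=> this machine does not meet the one-wired-NIC rule"
rm -rf "$demo"
# Live use on the Workstation machine:  audit_nics
```

Virtual interfaces created by a hypervisor are counted too, so a failure on the count needs a manual look at what each listed interface is.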

Time syncing

Please read and apply Network Time Syncing on both computers. This is a required step on the client computer because ntp doesn't work at all behind Tor (it uses UDP), and if it did, it couldn't be trusted! It's also removed on both aos-Workstation and aos-Gateway by the shell scripts.

Installation

General advice from Build Security and Host preparation applies.

How To Install aos-Gateway on bare metal [RECOMMENDED]

These instructions were never updated for aos 0.2.1. Version 0.3.0 is currently in development. [1]

[1] The aos source code should be much easier to understand, because there are no longer two immensely huge scripts, but all configuration files are kept in their own files.

  1. Install Ubuntu Server 12.04 and choose the following settings:
    In the boot menu press F4 and select "Install a minimal system"
    Language English
    United States
    keyboard layout English (US) (don't autodetect)
    Primary network interface: eth0 (depends on hardware layout?)
    Hostname: ubuntu
    Full name for the new user: user
    Username for your account: user
    Choose a password for the new user: <Set up a strong password>
    encrypt home directory: No
    Timezone: UTC
    Partitioning: It's a good idea to set up cryptsetup based FDE at this point.
    No proxy
    No automatic updates
    tasksel (Choose software to install): select nothing

  2. The external interface (usually eth0) may need to be configured according to the requirements of your local network, e.g. static, or simply left to use DHCP if the gateway is connected to a DHCP-capable router. For WLAN, follow the upstream documentation: Debian wiki, Ubuntu help.
  3. Make sure the internet is working.
  4. Install all security updates and reboot.
  5. Before running the aos_createvm [2] script, make sure eth1 and eth0 refer to the correct interfaces. Otherwise you have to change the variables in the configuration files ('dmesg | grep eth' may be helpful). TODO: elaborate which files. [2] Do not be concerned about the "vm" in aos_createvm. The name is historical; the functionality for building an aos-Gateway featuring Physical Isolation was added later.
  6. On your aos-Gateway: It is assumed you created a user account named "user".
    su user
    cd ~

  7. Get the latest source code. When 0.3.0 is released there will be a signed release tag; if you want a signed release tag of a snapshot in the meantime, please get in contact.
    git clone https://github.com/adrelanos/aos.git

  8. Get into the aos source folder.
    cd aos

  9. Most configuration files work well inside Virtual Machines and on Bare Metal. Only minor things, such as deactivating powersaving, passwordless reboot, shutdown etc., are recommended only for Virtual Machines. You can easily comment them out by putting a hash (#) in front of them. They are marked; to find them, grep can be used.
    grep -r VMONLY *

  10. Copy the pre files on aos-Gateway from the aos source folder to their correct place.
    sudo ./aos_createvm -tg-bare-metal-pre

  11. Reboot.
    sudo reboot

  12. aos_internal_install_script will start automatically; wait until it finishes. If all goes well, the system will power off automatically.
  13. Power on again. Copy the post files on aos-Gateway from the aos source folder to their correct place.
    sudo ./aos_createvm -tg-bare-metal-post

  14. Reboot.
    sudo reboot

  15. Done.

How To Install aos-Gateway in a VM [UNTESTED / NOT RECOMMENDED]

It is advised to install a new OS just for hosting the Gateway VM. Any OS that can run VirtualBox works, but we recommend an Open Source system.

Download or build the aos-Gateway image.

Adapter 1 can be set up as a NAT network. Adapter 2 must either be set to NAT as well (but you will need to forward ports from the host to the guest) or much simpler: use bridged networking and set it to the second physical interface (the one that goes into the isolated network/point to point ethernet). See "NAT vs Bridging" below.

This configuration is entirely untested and not recommended unless you need to run Tor through a VPN (can't that be done without VMs?) or an unsupported 3G modem and can't afford a 3rd physical device.

Install aos-Workstation

If the physical network (between aos-Gateway and a router) uses 192.168.0.* you need to review and edit all shell scripts you are going to use and switch the internal network to something else!
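
A check for the address clash described above, run on the aos-Gateway. This is an added example, not part of the aos scripts: it takes 192.168.0.0/24 as the internal network (an assumption drawn from the warning), eth1 as the internal interface, and runs on a constructed sample of `ip -4 -o addr show` output.

```shell
#!/bin/sh
# Added example (not from the aos sources): detect a clash between the upstream
# LAN and the internal network.
INTERNAL_NET="192.168.0.0/24"   # assumption: the range the warning above implies

ip_to_int() (
    # Dotted quad -> 32-bit integer. Runs in a subshell so IFS stays local.
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

net_range() {
    # Print "first last" (as integers) for a CIDR such as 192.168.0.23/24.
    nr_ip=$(ip_to_int "${1%/*}")
    nr_len=${1#*/}
    nr_mask=$(( (0xFFFFFFFF << (32 - nr_len)) & 0xFFFFFFFF ))
    echo "$(( nr_ip & nr_mask )) $(( (nr_ip & nr_mask) | (nr_mask ^ 0xFFFFFFFF) ))"
}

cidr_overlap() {
    # Two ranges overlap when each one starts before the other ends.
    set -- $(net_range "$1") $(net_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

find_conflicts() {
    # stdin: output of `ip -4 -o addr show`; $1: internal interface to skip.
    # Prints "iface cidr" for every other address that overlaps INTERNAL_NET.
    while read -r idx iface family cidr rest; do
        [ "$family" = inet ] || continue
        if [ "$iface" = lo ] || [ "$iface" = "$1" ]; then continue; fi
        case $cidr in */*) ;; *) cidr=$cidr/32 ;; esac   # peer-style address
        if cidr_overlap "$cidr" "$INTERNAL_NET"; then echo "$iface $cidr"; fi
    done
}

# Constructed sample of `ip -4 -o addr show` on a gateway whose router hands
# out 192.168.0.x on eth0 (addresses are illustrative).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.23/24 brd 192.168.0.255 scope global eth0
3: eth1    inet 192.168.0.10/24 brd 192.168.0.255 scope global eth1'

printf '%s\n' "$SAMPLE" | find_conflicts eth1
# Live use on the gateway:  ip -4 -o addr show | find_conflicts eth1
```

Any line printed means the external side already uses the internal range, so the internal network in the scripts has to be moved before continuing.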

Install and update a host OS. The host can be any OS that can run VirtualBox, but be aware of Transparent Proxy Leaks. It is not recommended to use Windows or another commercial proprietary system.

Download or build the aos-Workstation image.

  • Instead of setting Adapter 1 (eth0) to internal, you'll need to use bridged or NAT networking!

NAT vs Bridging

Since aos-Workstation can see the MAC address of whatever adapter it is connected to, if you use bridged networking you should change the MAC address of the internal interface on the Gateway: https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aosinpublicnetworksMACAddress

If you use NAT you will have to edit the aos-Workstation so it uses dhcp or static IP for VBox NAT. The host has to be set to use the static IP configuration as configured in the aos-Workstation script. When using NAT for a virtualized Gateway you need to set up port forwarding in VirtualBox.

If you use bridged networking things will (or should, we haven't tested anything yet) just work, the host will have to be configured to use a static IP as well.
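
A sketch of the MAC change recommended above for bridged networking, as an added example that is not the method from the linked aos documentation. It generates a random, locally administered unicast address; eth1 as the Gateway's internal interface is an assumption.

```shell
#!/bin/sh
# Added example (not from the aos sources): pick a random, locally administered
# MAC for the gateway's internal NIC before bridging the Workstation VM to it.

random_laa_mac() {
    # Six random bytes from the kernel RNG, printed by od as hex pairs.
    set -- $(od -An -N6 -tx1 /dev/urandom)
    # First octet: set bit 1 (locally administered), clear bit 0 (unicast).
    printf '%02x:%s:%s:%s:%s:%s\n' $(( (0x$1 | 0x02) & 0xfe )) "$2" "$3" "$4" "$5" "$6"
}

is_laa_unicast() {
    # True for a well-formed MAC whose first octet has the local bit set and
    # the multicast bit clear.
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{2}(:[0-9a-f]{2}){5}$' || return 1
    first_octet=${1%%:*}
    [ $(( 0x$first_octet & 0x03 )) -eq 2 ]
}

set_internal_mac() {
    # $1: interface, $2: MAC. Needs root. The link is taken down first because
    # many drivers refuse an address change on a running interface.
    is_laa_unicast "$2" || { echo "refusing MAC $2" >&2; return 1; }
    ip link set dev "$1" down &&
    ip link set dev "$1" address "$2" &&
    ip link set dev "$1" up
}

mac=$(random_laa_mac)
echo "candidate MAC for eth1: $mac"
# Live use on the gateway (eth1 as the internal interface is an assumption):
#   set_internal_mac eth1 "$mac"
```

The change lasts until the next reboot; making it permanent depends on how the distribution configures its interfaces.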

Further hints and recommendations

We recommend that you use two dedicated computers for aos that are never used for activities that could lead back to your identity. Alternatively you can use an already existing and otherwise used computer for the aos-Gateway. To offer some isolation you should disconnect all internal and external drives and boot from an eSATA, USB or another internal drive into a clean environment.

non-anonymous use

  • non-anonymous box (leave it as is, as you like)
  • non-anonymous home dial up internet router (leave it as is, as you like)

anonymous use

  • aos-Gateway
    • This really does not have to be a big desktop computer or ordinary server. There are alternatives.
    • smartphone [1], UMPC, pad, tablet, notebook, netbook, Raspberry Pi, router [2], set top box, etc.
    • How to utilize such a device as a Linux server is beyond the scope of this guide; there are already better resources.
  • anonymous 3G modem (see below) or anonymous wifi adapter (see below)
  • aos-Workstation
    • You get the idea. Use a device which suits you. [1]

[1] Just some hints to get started. It is difficult and beyond the scope of aos, because you don't have an ethernet interface. Some (aftermarket) firmwares support USB host mode (you can plug USB devices into your phone, such as a USB ethernet card). For example, some rooted Android smartphones can install Ubuntu Linux.
[2] Something like OpenWRT.

anonymous 3G modem

Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or aos are compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • plugged or integrated into aos-Gateway
  • Buy the 3G modem anonymously [in a store, second hand, on street, no personal data].
    • Be sure to have never used it for non-anonymous use before.
      • This is because, in many countries, telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
  • Also be sure to buy the SIM-card anonymously.
    • Prepaid is better.
    • Buy cash codes in different stores anonymously.
    • Be sure to never have used this anonymous SIM-card with a non-anonymous phone or 3G modem.
      • This is because, in many countries, telecommunication companies log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
  • Optionally use from distant random spots only. (security vs. comfort)
    • Check for cameras and witnesses.
  • 3G users often get only a shared IP. Due to the scarcity of IPv4 addresses, thousands of users share the same external IP (IPv4). Some providers do not yet log users' (NAT) ports. Consequently they cannot identify users when given an IP and timestamp. Nice to have, but don't rely on it! (Some providers assign additional IPv6 addresses to their users, which are unique. Tor does not use IPv6 yet.)

anonymous wifi adapter

Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or aos are compromised. An adversary just has to pressure your provider and can very easily find out your identity. This is not the case here.

  • Plugged or integrated into aos-Gateway.
  • Buy the wifi adapter anonymously [in a store, second hand, on street, no personal data].
    • Be sure to have never used it for non-anonymous use before.
      • This is because a few providers or hotspot providers log the MAC address and the username (for paid hotspots) for each dial up.
  • Use only free hotspots or pay them anonymously (if that's possible, otherwise abstain from paid hotspots).
  • Optionally use from distant random spots only. (security vs. comfort)
    • Check for cameras and witnesses.

Further required reading

Readme. The Host section applies to both computers!