Changes between Version 166 and Version 167 of doc/TorBOX/OptionalConfigurations

Sep 27, 2012, 11:44:52 PM (7 years ago)



  • doc/TorBOX/OptionalConfigurations

    v166 v167  
    1 [[TOC(noheading, depth=0)]]
    2 [ aos Homepage]
     1TorBOX has been renamed to Whonix.
    4 {{{
    5 #!html
    6 <h3 style="text-align: left; color: blue">
    7 These are all OPTIONAL configurations. If you would like to use any of these features, go ahead and follow the instructions. However, you do not have to add any of those additional functions if you see no need for them.
    8 </h1>
    9 }}}
     3This page has been moved. The History of this page might still be interesting.
    11 = Using Tor's SocksProxy in aos-Workstation =
    12 #OptionalFeatureNr.4#
    14 Moved to [ Identity correlation through circuit sharing].
    16 = Best possible protection against Identity correlation through circuit sharing =
    17 #OptionalFeatureNr.5#
    19 Moved to [ Identity correlation through circuit sharing].
    21 = More than one aos-Workstation =
    22 Moved to [ Recommendations to use multiple aos-Workstation VM's and Snapshots].
    24 = Tunneling Tor through proxy, VPN or SSH =
    25 '''user -> proxy/VPN/SSH -> Tor'''
    27 Read first: [ Tor Plus VPN] and [ TorBOX VPN disclaimer].
    29 This section is not fully tested/complete. Please give feedback if it worked for you.
    31 Sometimes you are '''forced to use a proxy or VPN''' to make outgoing connections, some ISP's force you, or you are in a LAN with a proxy (router), or in a cooperate environment.
    33 A proxy, VPN or SSH can also be possibly '''used to circumvent Tor blocks''' or to '''hide the fact you are using Tor'''. VPN and SSH are preferred choice, as they support secure encryption between you and them. It's a question, how much you can trust the server, they'll see, that you are using Tor, but thanks to Tor, they won't see what you are doing. If you use your own server in a safe country, while you are in a dangerous country, that's probable your best bet. Anyway, not so many people seem to do use a tunnel before they connect to Tor, therefore it's not so well tested, do not rely on it too much.
    35 If nothing above applies for you, skip this section.
    37 == Tunnel Tor through proxy ==
    38 '''user -> proxy -> Tor'''
    40 Depending on your proxy configuration, add the settings you'll need to your /etc/torrc. For more information on these settings, have a look in the [ Tor manual] and read the [ FAQ]. 'nano /etc/tor/torrc'
    42 {{{
    43 HTTPProxy host[:port]
    44 HTTPProxyAuthenticator username:password
    45 HTTPSProxy host[:port]
    46 HTTPSProxyAuthenticator username:password
    47 Socks4Proxy host[:port]
    48 Socks5Proxy host[:port]
    49 Socks5ProxyUsername username
    50 Socks5ProxyPassword password
    51 }}}
    52 == Tunnel Tor through SSH ==
    53 ''' user -> SSH -> Tor'''
    55 This chapter is about tunneling Tor through a SSH tunnel.
    57 First we have to install the ssh client.
    59 {{{
    60 apt-get install ssh
    61 }}}
    62 Then be sure that your SSH connection itself is working well. SSH to your ssh server using 'ssh yourusername@your.ssh.server'. It's recommend to set up public key authentication. (TODO: how to create a private and public key) 'cd /home/yourusername', 'mkdir .ssh', 'nano authorized_keys', paste line beginning with 'ssh-rsa ...' (your public key) (TODO: how to create that line).
    64 'exit' (terminate SSH connection) and login again using public key authentication. (TODO: how to do that) When that is working install your favorite text mode browser, for example 'apt-get install lynx' and test if the shell's external internet connection is working. 'lynx' You're done with the pre-requriements. Exit your shell. 'exit'
    66 Now we will tell the SSH client to start a socks5 proxy server listening on localhost port 1080. The following command has to be run in background (TODO: add line how to do that) on each start up, before Tor starts (TODO: to which file, to do that). It would be wise to activate public key authentication (TODO: how to add private key to use public key authentication).
    68 {{{
    69 ssh -C -D 1080 your.ssh.server
    70 }}}
    71 Now we have to tell Tor to use the new local ssh server. 'nano /etc/torrc' and add
    73 {{{
    74 Socks5Proxy
    75 }}}
    76 We are done, from now Tor will connect through the SSH server.
    78 (TODO: any new firewall rules needed?)
    80 == Tunnel Tor through VPN ==
    81 '''user -> VPN -> Tor'''
    83 There are too many different VPN protocols. To many to add all of them to this guide. If you are forced to use a VPN server or if you are already using a VPN server, you most likely know how you can connect to it. You must know how to connect to your VPN server from the linux command line. Use the following order, start the firewall, connect to your VPN and start Tor afterwards.
    85 If you are using VPN not '''because you are forced to use VPN by your ISP''', but to '''hide the fact that you are using Tor''' or want to '''add an additional layer of protection''', then be sure, that your VPN software is secure (ex: OpenVPN, not pptp). When your VPN is properly set up, all your connections are forced through the VPN. If you start Tor at the top of that, tunneling Tor through VPN will work.
    87 TODO: protection on linux needed. Do not to send something in clear, [[BR]]
    88 - when VPN connection breaks down [[BR]]
    89 - when VPN client crashes or gets terminated [[BR]]
    91 = Tunneling Proxy/SSH/VPN through Tor =
    92 '''user -> Tor -> Proxy/SSH/VPN'''
    94 Read first: [ Tor Plus VPN] and [ aos VPN disclaimer].
    96 You can tunnel through Tor first and add an additional proxy, SSH or VPN hop at the very end of that chain as your "exit node". The services you connect to, will not know, that you are using Tor (unless it's a "transparent proxy" in sense of sending http forwarded for, covered in the article linked above). This can be useful to '''evade Tor bans''', for example, to visit websites or IRC networks who blacklisted Tor. Beware of the risks, this adds a "permanent exit node", read [ the related wiki article].
    98 To do that, go to your aos-Workstation and add the proxy, SSH or VPN normally, like you would have to do, if you wouldn't use the aos-Gateway.
    100 [ Protocol leaks] still apply, thought to a lesser extend. Leaks would 'only' leak through Tor and you have best possible [ Protocol-Leak-Protection and Fingerprinting-Protection].
    102 == Tunneling proxy through Tor ==
    103 '''user -> Tor -> proxy'''
    105 Note, that the connection, between the Tor exit node and the proxy, is in most cases, not encrypted.
    107 === Proxy Settings Method ===
    108 Very simply to set up. Simply add a proxy to your application's proxy settings or use a [ socksifier].
    110 === Transparent Proxying ===
    111 [ wiki version 129] contains an old example using privoxy, JonDo and httpsdnsd. The new example uses redsocks and is simpler.
    113 ==== Introduction ====
    114 You always have to keep in mind, which kind of data and which kind of proxy you are using. There are CGIproxies, http(s) proxies and socks4/4a/5 proxies.
    116 In case you redirect the network layer directly with iptables, you need a TransPort. Unfortunately very few applications, do offer a TransPort. For example, Tor supports a TransPort. In most other cases, you need to translate the different kinds of data.
    118 Due to the nature of Transparent Proxying, we need to redirect with iptables and end up with a "Trans data stream". Because most proxies are either http or socks we need to translate this. Below we discuss a few tools which help here, not all are required, depending on what you want to do.
    120 Required reading: [[BR]]
    121 [ proxy] [[BR]]
    122 [ Tor + VPN or Proxy] [[BR]]
    124 ===== Tools =====
    125 Tor is a socks proxy and also has a TransPort. Unfortunately, Tor can not be directly used as a http proxy. You must also keep in mind, that Tor does not support UDP, although it offers a DnsPort..
    127 [ redsocks] can also accept "Trans data streams" and can forward them to http'''s''', socks4 and socks5 proxies. If you were to use a http proxy (no https, without connect-method, see proxy article), you could access only http sites, no https sites. Rather redsocks can convert UDP DNS queries to TCP DNS queries.
    129 ===== DNS resolution =====
    130 The complication (and also advantage/feature) with transparent proxying is, that the internet application (browser, etc.) is not aware of the proxy. Therefore the internet application will attempt to do the DNS resolution itself using the system, not using the proxy. The DNS requests also must be considered. Since Tor does not support UDP, we have to transmit DNS queries via TCP.
    132 It is impossible to resolve DNS directly on the proxy, when using the proxy as a transparent proxy, see [ TorBOX/OtherAnonymizingNetworks#TransparentProxyingMethod] for explanation. You need an extra DNS server, which answers over TCP.
    134 You have several options to resolve DNS.
    136 Either leave the setup as it is, Tor's DnsPort and therefore the Tor exit nodes will still do the DNS requests. (See DNS rule 1.) This is probable not what you want, since you wanted to cloak your identity with an additional proxy after Tor.
    138 Alternatively you can use a public DNS resolver. The instructions for [ DNSCrypt by OpenDNS]^4^ should work out of the box (tested). (See DNS rule 2..) (See footnotes ^1^, ^2^ and ^3^ if you are looking for other alternatives.)
    140 Read the [ DNS related warnings].
    142 ,,
    143 ^1^ Also [ httpsdnsd by JonDos]^4^ might work, but you'd need to make some changes (use httpsdnsd as a system wide, aos-Workstation wide, DNS resolver, not just for a specific user account). [[BR]]
    144 ^2^ Or perhaps also [ ttdnsd] with Google could work. All [ DNS resolvers] should work, as long TCP is supported and as long you are querying a TCP enabled DNS server. [[BR]]
    145 ^3^ You can't simply add another public DNS resolver (i.e. OpenDNS or Google) to /etc/resolv.conf in aos-Workstation (i.e. Tor -> public DNS resolver), it would have no effect, as explained under [ aos-Workstation is firewalled]. [[BR]]
    146 ,,
    147 ^4^ DNSCrypt and httpsdnsd add the advantage, that neither the proxy nor the Tor exit node can sniff or manipulate your DNS requests, since they are encrypted and authenticated.
    149 ==== HowTo ====
    150 Everything on aos-Workstation.
    152 Get a working proxy and test if it works reliable.
    154 Install [ redsocks].
    156 Config redsocks. TODO: share config.
    158 Add user redsocks.
    159 {{{
    160 sudo adduser redsocks
    161 }}}
    163 Start redsocks.
    164 {{{
    165 sudo -u redsocks ./redsocks
    166 }}}
    168 Create a and use this firewall rules.
    169 {{{
    170 # These iptables rules redirect the traffic for all users,
    171 # including root, with the exception of the user redsocks,
    172 # through the proxy.
    174 ## TODO: these iptables rules need review.
    176 # Choose either DNS rule #1 or DNS rule #2.
    178 # For debugging/testing use this command in console.
    179 # tail -f /var/log/syslog
    181 # Flush old rules.
    182 iptables -F
    183 iptables -t nat -F
    184 iptables -X
    186 # Allow unlimited traffic on the loopback interface.
    187 iptables -A INPUT -i lo -j ACCEPT
    188 iptables -A OUTPUT -o lo -j ACCEPT
    189 iptables -A OUTPUT --dst -j ACCEPT
    191 # Established incoming connections are accepted.
    192 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    194 # Established outgoing connections are accepted.
    195 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    197 # DNS rule #1.
    198 # Allow DNS directly through aos-Gateway.
    199 iptables -A OUTPUT --dst -p udp --dport 53 -j ACCEPT
    201 # DNS rule #2.
    202 # For DNSCrypt set /etc/resolv.conf to
    203 # nameserver
    204 #
    205 # sudo dnscrypt-proxy --tcp-only --user=user
    206 #
    207 # DNSCrypt listening on port 53
    208 iptables -t nat -A OUTPUT --dst -p udp --dport 53 -j ACCEPT
    209 iptables -t nat -A OUTPUT --dst -p tcp --dport 53 -j ACCEPT
    211 # redsocks must be allowed to establish direct connections.
    212 iptables -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks
    213 iptables -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks
    215 # Redirect remaining traffic to redsocks.
    216 iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345
    218 # TODO: UDP rule untested.
    219 #iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-port 10053
    221 # Log blocked traffic for debugging.
    222 iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables: "
    224 # Reject all other traffic.
    225 iptables -A OUTPUT -j REJECT
    226 }}}
    228 Make the firewall script executable.
    229 {{{
    230 sudo chmod +x
    231 }}}
    233 Apply the firewall rules.
    234 {{{
    235 sudo ./
    236 }}}
    238 == Tunneling SSH through Tor ==
    239 '''user -> Tor -> SSH'''
    241 This chapter is not about connecting to a SSH server as a client (see aos in general and the Torify HOWTO). It is about adding an extra SSH tunnel after Tor.
    243 Note, that even though SSH supports socks5, SSH is still not able to forward UDP on its own. Have a look the the [ source] of that information. To summarize: to tunnel UDP over SSH client and shell admin need a special setup, which is for most shells, not going to happen.
    245 A SSH tunnel will provide a local socks5 proxy. Create the SSH tunnel in the aos-Workstation. From there you'll end up with a local socks5 proxy. You can use this socks5 proxy following the proxy instructions above. Once the SSH tunnel is established, there are not many differences, besides the difference already clarified above about UDP and that the warning about missing encryption to the proxy does not apply to SSH tunnels, since SSH is encrypted. The SSH process needs to be allowed to access the internet directly, if you use transparent proxying, run the SSH process under an account, which is privileged to access the internet directly.
    247 Another untested method may be [ sshuttle].
    249 == Tunneling VPN through Tor ==
    250 '''user -> Tor -> VPN'''
    252 Note, that you have to choose TCP transport, because Tor does not support UDP.
    254 '''Warning:''' [[BR]]
    255 For users who configured applications to use SocksPort, instant of TransPort. (aos's aos-Gateway default setting for some applications, Tor Browser, ...!)
    257 SocksPort is used to prevent [ Identity correlation through circuit sharing]. As [ Tor Plus VPN] explains, you have to keep in mind, a VPN behind Tor adds a permanent exit node.
    259 Rather, all applications, which are configured to use SocksPort, will not be tunneled through the VPN. They will be "only" tunneled through Tor. This is because, the VPN will not touch connections to, which is the aos-Gateway. For example, if you wish to tunnel through Tor -> VPN, you have to remove all proxy settings from Tor Browser. will tell you then "You are not using Tor." and you'll see your VPN's IP. In fact your VPN was tunneled through Tor first. (Because aos-Workstation can not make any non-Tor connections by design, everything is tunneled over Tor.) When you stop your VPN for test reasons ('sudo /etc/init.d/openvpn stop'), it will show "You are using Tor." again.
    261 While you are using a VPN behind Tor, you probable also may not be able to make use of the upcoming stream isolation feature, which is planed Tor Browser. (#3455) This is because Tor Browser would not talk to Tor directly anymore. Tor Browser would connect to the VPN instant.
    263 VPN servers and VPN software can occasionally break down without announcement. aos-Workstation will seamlessly continue to make "direct" connections through Tor once the VPN breaks down. This is not a aos specific problem. Most users are simply not aware of it. This happens also with the common setup, where the VPN simply runs on a host. If you want to enforce, that the VPN is always tunneled over Tor, have a look at the modified routing table [ here].
    265 Also note, that once aos-Workstation gets rooted by malware, the VPN can be easily circumvented by the attacker and you are left to the protections by aos and Tor.
    267 By design, a VPN routes all your applications (those without any proxy settings, as explained above) through the VPN. You may not want this, as explained above (Identity correlation through circuit sharing). To circumvent that, you should use this aos-Workstation only for the particular application you want to route through the VPN, read [ Recommendation to use multiple aos-Workstations].
    269 = A Free example VPN working with aos for testing purposes =
    270 Read first [ aos VPN disclaimer].
    272 Can be either:
    273  * [ Tunnel VPN through Tor]. (Read first!) (Install on aos-Workstation.)
    274  * [ Tunnel Tor through VPN]. (Read first!) (Install on aos-Gateway.)
    276 The purpose of this chapter is mainly to demonstrate, how easy it is, to add a VPN to aos. Unfortunately drops many TCP and UDP ports beside ports 80 and 443. That limits it's usefulness for testing purposes, such as [ Tunneling UDP over Tor]. If you know a less restrictive free VPN provider, we'd be thankful for a comment.
    278 Install openvpn.
    279 {{{
    280 apt-get install openvpn
    281 }}}
    283 Register at and leaf no personal information. Use an extra e-mail address for registration, which you will never use for anything else. Login and download their OpenVPN package to /home/user. Unpack. The folder contains contains ca.cert, client.cert, client.key, README.txt (with list of their servers and ports). Rename the folder to securitykiss. Structure should be like /home/user/ca.cert etc.
    285 'nano /etc/openvpn/client.conf', edit server IP and port and past it. (It's almost only the default openvpn client.conf with minor changes.)
    286 {{{
    287 ##############################################
    288 # Sample client-side OpenVPN 2.0 config file #
    289 # for connecting to multi-client server.     #
    290 #                                            #
    291 # This configuration can be used by multiple #
    292 # clients, however each client should have   #
    293 # its own cert and key files.                #
    294 #                                            #
    295 # On Windows, you might want to rename this  #
    296 # file so it has a .ovpn extension           #
    297 ##############################################
    299 # Specify that we are a client and that we
    300 # will be pulling certain config file directives
    301 # from the server.
    302 client
    304 # Use the same setting as you are using on
    305 # the server.
    306 # On most systems, the VPN will not function
    307 # unless you partially or fully disable
    308 # the firewall for the TUN/TAP interface.
    309 ;dev tap
    310 dev tun
    312 # Windows needs the TAP-Win32 adapter name
    313 # from the Network Connections panel
    314 # if you have more than one.  On XP SP2,
    315 # you may need to disable the firewall
    316 # for the TAP adapter.
    317 ;dev-node MyTap
    319 # Are we connecting to a TCP or
    320 # UDP server?  Use the same setting as
    321 # on the server.
    322 proto tcp
    323 ;proto udp
    325 # The hostname/IP and port of the server.
    326 # You can have multiple remote entries
    327 # to load balance between the servers.
    328 remote 443
    329 ;remote my-server-2 1194
    331 # Choose a random host from the remote
    332 # list for load-balancing.  Otherwise
    333 # try hosts in the order specified.
    334 ;remote-random
    336 # Keep trying indefinitely to resolve the
    337 # host name of the OpenVPN server.  Very useful
    338 # on machines which are not permanently connected
    339 # to the internet such as laptops.
    340 resolv-retry infinite
    342 # Most clients don't need to bind to
    343 # a specific local port number.
    344 nobind
    346 # Downgrade privileges after initialization (non-Windows only)
    347 user nobody
    348 group nogroup
    350 # Try to preserve some state across restarts.
    351 persist-key
    352 persist-tun
    354 # If you are connecting through an
    355 # HTTP proxy to reach the actual OpenVPN
    356 # server, put the proxy server/IP and
    357 # port number here.  See the man page
    358 # if your proxy server requires
    359 # authentication.
    360 ;http-proxy-retry # retry on connection failures
    361 ;http-proxy [proxy server] [proxy port #]
    363 # Wireless networks often produce a lot
    364 # of duplicate packets.  Set this flag
    365 # to silence duplicate packet warnings.
    366 ;mute-replay-warnings
    368 # SSL/TLS parms.
    369 # See the server config file for more
    370 # description.  It's best to use
    371 # a separate .crt/.key file pair
    372 # for each client.  A single ca
    373 # file can be used for all clients.
    374 ca /home/user/securitykiss/ca.crt
    375 cert /home/user/securitykiss/client.crt
    376 key /home/user/securitykiss/client.key
    378 # Verify server certificate by checking
    379 # that the certicate has the nsCertType
    380 # field set to "server".  This is an
    381 # important precaution to protect against
    382 # a potential attack discussed here:
    383 #
    384 #
    385 # To use this feature, you will need to generate
    386 # your server certificates with the nsCertType
    387 # field set to "server".  The build-key-server
    388 # script in the easy-rsa folder will do this.
    389 ns-cert-type server
    391 # If a tls-auth key is used on the server
    392 # then every client must also have the key.
    393 ;tls-auth ta.key 1
    395 # Select a cryptographic cipher.
    396 # If the cipher option is used on the server
    397 # then you must also specify it here.
    398 ;cipher x
    400 # Enable compression on the VPN link.
    401 # Don't enable this unless it is also
    402 # enabled in the server config file.
    403 comp-lzo
    405 # Set log file verbosity.
    406 verb 3
    408 # Silence repeating messages
    409 ;mute 20
    410 }}}
    412 To initially start the VPN type:
    413 {{{
    414 sudo /etc/init.d/openvpn start
    415 sudo openvpn /etc/openvpn/client.conf
    416 }}}
    418 After rebooting the VPN will be automatically started.
    420 If you do not wish to start the VPN automatically for some reason: 'nano /etc/default/openvpn'
    421 {{{
    422 AUTOSTART=="none"
    423 }}}
    425 = Connect to a Tor Gateway on your local network using PPTP VPN =
    426 For what this is useful: PPTP is used because it's very easy to configure and well supported by all kind of devices. Compared to a proper set up with a hardware gateway between the internet and the devices you want to torify it's less secure but doesn't require any kind of hardware or network layout changes.
    428 Moved to [ aos/PPTP].
    430 = Hosting hidden services =
    431 Read first: [ aos/SecurityAndHardening].
    433 == Hidden webserver ==
    434 #OptionalFeatureNr.2#
    436 === aos 0.2.1 and above ===
    437 On your aos-Gateway:
    439 Open torrc.
    440 {{{
    441 nano /etc/tor/torrc
    442 }}}
    444 Look for #OptionalFeatureNr.2#. Read the comments, which explain where to find your .onion URL and to backup your hidden service keys. Comment in the following two lines.
    445 {{{
    446 HiddenServiceDir /var/lib/tor/hidden_service/
    447 HiddenServicePort 80
    448 }}}
    450 Restart Tor.
    451 {{{
    452 sudo service tor reload
    453 }}}
    455 On your aos-Workstation:
    457 Run the following command. It will install lighttpd.
    458 {{{
    459 sudo TorBOX-Workstation -hiddenserver
    460 }}}
    462 Done.
    464 = Vidalia for aos =
    465 Not recommend. Better use arm. (See Readme.)
    467 You have two possibility to get Vidalia. 1. Vidalia on the Host and 2. Vidalia on the aos-Gateway. Each option has it's pros and cons, we'll discuss here.
    469 == 1. Vidalia on the Host ==
    470 Ok, this is an ugly hack, but it works. Vidalia can be installed on the host, in this example on a Windows host but you can most likely do it also on a Linux host. We have to 'trick' Vidalia because Vidalia really wants to start Tor.
    472 You will be able to stop Tor using Vidalia, but not be able to start it again. Restarting Tor has to be done manually in console or ssh. "Start proxy application when Tor starts" will probable work (untested) but it will start it on the host and not on the aos-Gateway. What also won't work are all settings which modify torrc, because our torrc will be just a dummy one and the real torrc is inside the aos-Gateway. All settings in the settings, network tab won't work. Neither the "Sharing/Setup Relaying" tab will work (there will be instructions how to do it manually in torrc for the aos-Gateway). Services tab will also not work, this is covered above under Hosting Hidden Services. The "Start Tor" button will actually not start Tor, but connect to the Control Port inside the aos-Gateway. "View the network", "Use a New Identity" and "Message Log" should be functional.
    474 0. You need to ensure yourself, that port 9051 is firewalled on your host. It must not be accessible from the internet.
    475 1. Create a folder Vidalia somewhere you like it. Ensure that your current user account has the neccessary rights read, create, modify. [[BR]]
    476 2. Grab some dummy exe, for example cmd.exe from C:\Windows\System32\cmd.exe and copy it to your new Vidalia folder. [[BR]]
    477 3. Login as root 'sudo su'. Go to your aos-Gateway and type in console.
    478 {{{
    479 tor --hash-password password
    480 }}}
    481 This will result in something like
    482 {{{
    483 16:E61CFDC2FF3FDCDE605D8EDC3631F268B554612B0721E99F95588282B5
    484 }}}
    485 copy it into the clipboard.
    487 4. 'nano /etc/tor/torrc' and add
    488 {{{
    489 ControlPort 9051
    490 ControlListenAddress
    491 HashedControlPassword 16:E61CFDC2FF3FDCDE605D8EDC3631F268B554612B0721E99F95588282B5
    492 }}}
    494 5. 'nano /etc/' and look out for the following
    495 {{{
    496 # Allow incoming SSH connections on the external interface
    497 iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT
    498 }}}
    499 and add additionally the following below
    500 {{{
    501 # Allow incomming Tor ControlPort connections on the external interface
    502 iptables -A INPUT -i $EXT_IF -p tcp --dport 9051 -j ACCEPT
    503 }}}
    505 6. Then go to your host and create a file named 'control_auth_cookie' inside your Vidalia folder. Insert the password only, this example we used "password". Choose your secure password. control_auth_cookie has no file extension, be sure that Windows will normally show you file extensions (like .exe, .pdf...), otherwise you will be probable unable to create a file without extension.
    507 7. We need a start file, otherwise Vidalia will use the default documents and settings folder. Call it 'vidalia.bat' and create it inside your Vidalia folder. The content of vidalia.bat must be
    508 {{{
    509 start do_not_start.exe --datadir .\\
    510 }}}
    512 8. And of course you will be needing the Vidalia binaries. Download the Tor Browser Bundle for your platform. Go to '\Tor Browser\App\' and copy the following files into your Vidalia directory.
    513 {{{
    514 libeay32.dll
    515 libgcc_s_dw2-1.dll
    516 libgnurx-0.dll
    517 mingwm10.dll
    518 QtCore4.dll
    519 QtGui4.dll
    520 QtNetwork4.dll
    521 QtXml4.dll
    522 ssleay32.dll
    523 vidalia.exe
    524 }}}
    525 tor.exe and tor-resolv.exe will not be needed (we have our own dummy tor.exe).
    527 9. Rename vidalia.exe to do_not_start.exe.
    529 10. Create a file called 'vidalia.conf' inside your Vidalia directory. The content must be
    530 {{{
    531 [Tor]
    532 TorExecutable=.\\tor.exe
    533 Torrc=.\\torrc
    534 DataDirectory=.\\
    535 UseRandomPassword=false
    536 ControlPassword=password
    537 Changed=true
    538 ControlPort=9052
    539 ControlAddr=
    540 }}}
    542 11. Create a file torrc inside your Vidalia directory, leave it empty, it's just another dummy file for Vidalia's fate.
    544 12. In the aos-Gateway VM network settings. Set up Port Forwarding: within the "Adapter 1" tab click "Advanced", then Port Forwarding. Insert a new rule as follows: Name: Vidalia; Protocol: TCP; Host IP:; Host Port: 9052; Guest IP: leave blank; Guest Port: 9051
    546 13. That's it. From now you can vidalia.bat. For your convinience create a shortcut of vidalia.bat on your desktop.
    548 ((Optional, for debugging if you have problems. [[BR]]
    549 We test if the IP/Port is reachable from the host. 'telnet 9051', press enter should say "514 Authenication required."))
    551 (([ Vidalia FAQ]))
    553 == 2. Vidalia on the aos-Gateway ==
    554 Install a "minimal" desktop environment on the aos-Gateway:
    555 {{{
    556 sudo apt-get install xinit xterm openbox vidalia
    557 }}}
    558 You'll be asked to add your user to the debian-tor group. Do so! To apply this change you need to log out (type 'exit') and log in again. Then use 'startx' from the console to launch the graphical desktop. Right-click on the desktop to open the menu, open a terminal and from that launch vidalia. A more user-friendly graphical environment would drastically increase RAM requirements and [ attack surface].
    560 Do not be tempted to use aos-Gateway as a client OS! Also remember that anything you do on the gateway is NOT routed through Tor.
    562 = How to safely transfer files between Host, aos-Gateway and aos-Workstation =
    563 Using filesharing built into the VM isn't very secure. Between the gateway and the host you can use ssh and scp but the aos-Gateway is firewalled tightly (and you should leave it that way). A secure and quick way to transfer files to the client vm is to use iso files:
    564 On the host install genisoimage: [[BR]]
    565 {{{ sudo apt-get install genisoimage }}} [[BR]]
    566 To create an iso "files.iso" containing the content of "folder": [[BR]]
    567 {{{ mkisofs -o files.iso /path/to/folder }}} [[BR]]
    568 Now attach the iso to the VM. Mount it with [[BR]]
    569 {{{ sudo mount /dev/sr0 /media/cdrom }}} [[BR]][[BR]]
    570 This is intentionally one-way as the aos-Workstation is inherently untrusted and should remain isolated to prevent side-channel attacks and covert channel leaks.
    572 = aos implementation with just a single VM (Tor runs on host) =
    573 More info on [ aos/OneVM]
    575 = Using (private) (obfuscated) bridges =
    576 More info on [ aos/bridges]
    578 = Hosting a (private) (obfuscated) bridge or (exit) relay =
    579 You can still volunteer to Tor and host a bridge, private bridge, obfuscated bridge, private obfuscated bridge, middle node or exit relay when you are using aos. Either inside the aos-Gateway or directly on the host.
    581 == Inside the aos-Gateway ==
    582 Simply follow all the usual instructions given on inside the aos-Gateway just as you would, if Tor wouldn't run inside a virtual machine. The only additional thing to do is to set up a port forwarding from the host to the virtual machine. That is simple. For a similar example see [ Step 3 – How To Install - Install and Configure aos-Gateway], under 'Set up Port Forwarding'. Just exchange the name and the ports, the rest is the same.
    584 What's left are the firewall rules. On the aos-Gateway 'sudo nano /etc/' and look out for
    585 {{{
    586 # Allow incoming SSH connections on the external interface
    587 iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT
    588 }}}
    589 below that simply add similar
    590 {{{
    591 # Tor
    592 iptables -A INPUT -i $EXT_IF -p tcp --dport YOURPORT -j ACCEPT
    593 }}}
    594 == On the host ==
    595 And if you do not like using the aos-Gateway for this purpose, you can still host it directly on the host, simply follow the usual instructions on
    597 = Hide the fact that you are using Tor/aos =
    598 Depending on how restricted your area is and how paranoid you are, you may want to hide the fact from your provider, that you are a Tor user. That's very tricky to archive. Be very careful. Here are some tips:
    600 aos users are most likely Tor power users. They are more paranoid then normal Tor users. And adversaries might ask themselves why. aos users most likely [ host hidden services] or do other fancy stuff over Tor.
    602 This isn't a step by step tutorial. It's recommend to read the whole chapter.
    604 Use either private and obfuscated bridges or a VPN/SSH proxy. It's most secure if you combine both ways.
    606 == Warnings ==
    607  * Download Tor through a trusted internet service provider (in your [home] country) or through SSH or VPN (or before entering a hostile environment).
    608  * Setup the SSH/VPN tunnel or the private obfuscated bridges first. (Depending on what you want to use, read below.)
    609  * Remove your internet connection while installing. (Tor starts and connects automatically after installing the .deb.)
    610  * First, think about, how do you obtain the Tor Browser Bundle and obfuscated bridges and/or VPN and/or SSH, without your ISP noticing it? It's a chicken egg problem. You most likely have to get it from a trusted source. This isn't a problem, which aos could solve, it's a Tor upstream question.
    611  * Another issue for hiding your aos usage is installing and/or downloading aos.
    612  * Download.
    613   * If you download aos form that download will go unencrypted and your internet service provider (or SSH/VPN provider) will learn, that you downloaded aos.
    614     * A workaround could be, to download aos through the official Tor Browser Bundle.
    615     * You have to turn off your network connection while starting it for the first time. Then set everything to hide your Tor/aos usage. See #OptionalFeatureNr.1# and below.
    616  * Building from Source.
    617   * You can learn everything about building aos, using the Tor Browser Bundle.
    618   * If you are building aos from source, the build scripts, will execute a specific set of apt-get commands, and your internet service provider could notice, that you are building aos from source.
    619    * If you understand the build scripts, you can also manually build aos, by applying the commands (or edit the script).
    620     * aos-Gateway script Don't execute most of the apt-get commands.
    621     * aos-Workstation script: Choose -custom and check, that the remaining essential modules, do not issue suspicious network connectivity. For example, the config_torbrowser module would download specific GPG public keys from the keyserver and execute specific wget commands.
    623 == Using a Proxy ==
    624 Impossible! (The connection between you and your proxy is unencrypted. That goes for all proxies, http, https, socks4, socks4a, socks5.) Your ISP could still see, that you are connecting to the Tor network.
    626 == Using SSH or VPN ==
    627 WARNING. some of this may be outdated. By default all traffic of aos-Gateway is routed through Tor! You need to route all that through SSH/VPN.
    629 See warnings above first. Tunnel all Tor related traffic first through a [ VPN] or [ SSH] server, this will hide the fact that you use Tor from your ISP. If the server is outside a national firewall this is also a way to circumvent Tor censorship.
    631 If you do not trust any SSH or VPN providers, then anonymously host your own in a safe place.
    633 == Using private and obfuscated bridges ==
    634 See warnings above first. Set up Tor to use [ private and obfuscated bridges]. This makes it harder for ISPs and national firewalls to detect and block Tor but it does not prevent a dedicated adversary to find out that you are using Tor (research is ongoing, see obfsproxy).
    636 = aos on Bare Metal =
    637 Using hardware instant of virtual machines. More secure. See [ Bare Metal Hints].
    639 = Leak Testing =
    640 #OptionalFeatureNr.6# Leak Testing, see [ aos/LeakTests].
    642 = Anonymous 3G modem =
    643 Improves anonymity. See [ anonymous 3G modem].
    645 = Anonymous wifi adapter =
    646 Improves anonymity. See [ anonymous wifi adapter].
    648 = Other Anonymizing Networks =
    649 It's possible to use other anonymizing networks in together with aos. Either in addition (tunneled through Tor) or as a replacement for Tor. See [ Other Anonymizing Networks].
    651 = Tunneling UDP over Tor =
    652 The Tor software does not support UDP itself yet. aos provides a limited workaround for using UDP anyway, in the best possible secure manner.
    654 Moved to [ aos/OptionalConfigurations/TunnelingUDPoverTor].
    656 = Secondary DNS resolver =
    657 Normally Tor is used for DNS resolution. If you suspect a Tor exit node to tamper with DNS, you can get a second opinion from another non-Tor DNS server.
    659 You shouldn't use other DNS resolvers than Tor over an extended amount of time. Although it's technically possible to replace DNS resolution completely (not using Tor for DNS resolution anymore), that is not recommend. That would add too much power to a single DNS server. Using a permanent DNS server is not recommend as not using a permanent Tor exit node.
    661 Note, that even if you correctly set up all settings, it might happen that this won't work. Sometimes Tor or the DNS server causes a timeout. This gets even worse, when you additionally tunnel the DNS request (for example: Tor -> JonDonym -> DNS server).
    663 == DNSCrypt by OpenDNS ==
    664 Although the official [ DNSCrypt website] states, that a Linux version does not exit, this [ blog post] suggests there is one.
    666 This has nothing to do with [ DNSSEC], the differences of DNSSEC and DNSCrypt are well explained on the [ DNSCrypt website].
    668 These instructions completely replace Tor's DNS resolver with opendns's dnscrypt for all users and the whole system. Not recommend for a longer amount of time, see warning above. Some hints are included how to do it only for a specific user account.
    670 1. Download the [ dnscrypt source code] and unpack. You have to compile it. Get into the dnscrypt directory 'cd dnscrypt-proxy-...". Configure './configure", make 'make'.
    672 2. Start dnscrypt-proxy. ^1^ ^2^ ^3^ ^4^ ^5^ ^6^
    673 {{{
    674 sudo dnscrypt-proxy --tcp-only
    675 }}}
    676 ^1^ '--tcp-only' is required since Tor does not support UDP. The UDP DNS request will immediately get truncated reply and a RFC-compliant resolver should repeat same query via TCP in this case. This is the case for Ubuntu's default DNS resolver. You can get some more information on UDP/TCP/DNS on the unrelated [ redsocks] website. [[BR]]
    677 ^2^ To start it later in background (after debugging) add '--daemonize'. [[BR]]
    678 ^3^ '--help' to see all options. [[BR]]
    679 ^4^ Start up takes a few seconds "[INFO] Generating a new key pair", this is normal, wait. Until it's done, DNS will not work. [[BR]]
    680 ^5^ '--user=username' can and should be used to start the dnscrypt-proxy under a specific user account. [[BR]]
    681 ^6^ Since this instructions completely replace Tor's DNS resolver with opendns's dnscrypt for all users and the whole system, you could add '--local-port=5800' to let dnscrypt-proxy listen on port 5800. You would be able to add iptables rules to redirect only the DNS requests of a specific user account to opendns's dnscrypt, you can get some hints how to do that in the 'httpsdnsd by JonDos' chapter below, which would be a very similar setup. [[BR]]
    683 3. Edit your resolv.conf 'nano /etc/resolv.conf', comment out everything and add 'nameserver'.
    685 4. Check if it's working, there are several [ test pages] on
    687 5. To shut it down you can use 'sudo killall dnscrypt-proxy' and don't forget to revert the changes in /etc/resolv.conf.
    689 == httpsdnsd by JonDos ==
    690 Source: [] and also use it as a more verbose tutorial, but keep in mind that their tutorial is JonDonym specific, while this tutorial is Tor specific.
    692 Everything inside your aos-Workstation.
    694 === Installation ===
    695 Install dependencies.
    696 {{{
    697 sudo apt-get install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl
    698 }}}
    700 Download httpsdnsd. (See source above in case download link changed.)
    701 {{{
    702 wget
    703 }}}
    705 Unpack.
    706 {{{
    708 }}}
    710 Go into the httpsdnsd folder.
    711 {{{
    712 cd httpsdnsd
    713 }}}
    715 Install httpsdnsd. ^1^
    716  ,, ^1^ (It contains also a, if you want to uninstall it later.)
    718 {{{
    719 sudo
    720 }}}
    722 Add a new user for httpsdnsd.
    723 {{{
    724 sudo adduser --system --disabled-password --group httpsdns_daemon
    725 }}}
    727 Editing /etc/resolv.conf is not required. (You still could out comment everything against DNS leaks.)
    729 Create a firewall script.
    730 {{{
    731 nano
    732 }}}
    734 Insert these firewall rules.
    735 {{{
    736 # Flush old rules
    737 iptables -F
    738 iptables -t nat -F
    739 iptables -X
    741 # Redirect DNS traffic to httpdnsd.
    742 iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 53 -j REDIRECT --to-ports 4053
    744 # Accept connections to the httpdnsd.
    745 iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 4053 -j ACCEPT
    747 # Reject all other traffic for anonuser.
    748 iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT
    749 }}}
    751 Install Privoxy. ^1^ [[BR]]
    752  ,, ^1^ [ Wiki Version 95] of this site contains a working example using Polipo. Changed later to Privoxy, because Privoxy can be useful for other tasks as well. (Incomming: TransPort, http proxy; forwarding: http and socks.)
    754 {{{
    755 sudo apt-get install privoxy
    756 }}}
    758 Open the privoxy configuration file.
    759 {{{
    760 nano /etc/privoxy/config
    761 }}}
    763 Add the following to your privoxy configuration file. Note [ Identity correlation through circuit sharing] and change the port from 9100 to something else.
    764 {{{
    765 # Theoretically you can tunnel through any
    766 # http or socks proxy. Local or remote proxy.
    767 # Inside aos-Workstation, due to design,
    768 # everything will be tunneled through Tor first.
    770 # Using Tor's socks5 proxy, running on aos-Gateway.
    771 # Change the port, see above...
    772 forward-socks5 / .
    774 # Another example using a http proxy.
    775 # (In this case, JonDo running on localhost.)
    776 # forward /
    777 }}}
    779 Restart privoxy to enable the changes.
    780 {{{
    781 sudo /etc/init.d/privoxy restart
    782 }}}
    784 Privoxy is now listening on ^2^ [[BR]]
    785  ,, ^2^ For debugging you can enter this IP/port into Tor Browser as http proxy and try if you can still reach Deactivate after testing.
    787 === Starting ===
    788 Run httpsdnsd. ^1^ ^2^ ^3^ ^4^ [[BR]]
    789  ,, ^1^ For debugging, kill httpsdnsd and drop the --runasdaemon. [[BR]]
    790  ,, ^2^ Run 'httpsdnsd --help' or 'man httpsdnsd' for help. [[BR]]
    791  ,, ^3^ Httpsdnsd will by default listen on localhost port 4053 for DNS queries.
    792  ,, ^4^ --https_proxy_port=8118 will redirect traffic to port 8118, where Privoxy is listening. This is necessary because Tor offers a socks proxy and httpsdnsd requires a http proxy. Privoxy translates from http to socks. [[BR]]
    794 {{{
    795 sudo httpsdnsd --https_proxy_port=8118 --runasdaemon
    796 }}}
    798 Activate the firewall. Shouldn't show any errors.
    799 {{{
    800 sudo ./
    801 }}}
    803 === Using ===
    804 Open a console and switch to anonuser.
    805 {{{
    806 su anonuser
    807 }}}
    809 Resolve DNS.
    810 {{{
    811 nslookup
    812 }}}
    814 = OnionCat =
    815 Untested. Not done yet. In development. Please leave feedback if it worked for you.
    817 Introduction into OnionCat [[BR]]
    818 [ torproject wiki about OnionCat] [[BR]]
    819 [] [[BR]]
    820 [ about OnionCat] [[BR]]
    822 OnionCat (Tor) might work with aos. GarliCat (i2p) might partially work with aos.
    824 General debugging hints: there at multiple sources for issues, you might stumble upon. Therefore it's recommend, before you try using OnionCat with aos, try first to successfully test OnionCat without aos. As soon as you learnt that, it eliminated one source for possible issues (OnionCat) and can start learning how to use it with aos (which might introduce new issues, but enhanced security will be your reward). You also have to learn first, how to use hidden services with aos, see [ aos/OptionalConfigurations#Hostinghiddenservices] for reference.
    826 == Over Tor ==
    827 As long you want to use OnionCat over Tor, it may work.
    829 IPv6 is currently disabled on aos-Gateway, because Tor doesn't support IPv6 yet, and we didn't see need for it. We also have no IPv6 firewall for aos-Gateway yet, because it's disabled. Anyway, that will be probable no issue. IPv6 on aos-Workstation, where OnionCat will be running, is enabled. Since only OnionCat's underlying operating system requires IPv6, but not the Tor process there will be probable no problem. OnionCat on aos-Workstation will probable translate the IPv6 requests to IPv4 to the Tor process which is running on aos-Gateway. Therefore probable no IPv6 on aos-Gateway is required.
    831 There instructions on [] look very promising. To use them with aos, minor modifications are required. Follow the instructions on [] but execute the steps on the right machine, either on aos-Gateway or on aos-Workstation.
    833 0. Install ocat <-- on aos-Workstation
    835 1. Create a hidden service <-- on aos-Gateway
    837 2. Create the directory /etc/tor/ocat <-- on aos-Gateway
    839 3. Find the hostname of your hidden service <-- on aos-Gateway [[BR]]
    840 Also possibly see [ aos/OptionalConfigurations#Hostinghiddenservices] for reference. Debugging: It's recommend to test if your hidden service is reachable first (for example, use test wise a hidden webserver), before you proceed with OnionCat.
    842 4. Start ocat <-- on aos-Workstation
    844 5. Final nodes. <-- on aos-Workstation
    846 == Over i2p ==
    847 GarliCat over i2p might only work, if you use [ ip2 over Tor].
    849 There was the idea to create an [ i2pBOX], but it never came to live due to lack of community interest, which means GarliCat directly over i2p will not be supported by aos.
    851 As soon as i2p over Tor is working, you can probable follow the instructions on [] without modifications.
    853 = Mozilla Thunderbird with TorBirdy =
    854 Experimental! Potentially unsafe, since both, [ TorBirdy] and TorBirdy's integration into aos, are still experimental! If you want to try it anyway, keep on reading...
    856 Unfinished!
    858 The following everything on your aos-Workstation.
    860 2. Install Mozilla Thunderbird and privoxy.
    861 {{{
    862 sudo apt-get install thunderbird privoxy
    863 }}}
    865 3. Open /etc/privoxy/config
    866 {{{
    867 sudo nano /etc/privoxy/config
    868 }}}
    870 4. Safe the following content.
    871 {{{
    872 # Generally, this file goes in /etc/privoxy/config
    873 #
    874 # Tor listens as a SOCKS4a proxy here:
    875 forward-socks4a / .
    876 forward-socks5  / .
    877 forward-socks5  .onion         .
    878 confdir /etc/privoxy
    879 logdir /var/log/privoxy
    880 #actionsfile standard         # Internal purpose, recommended
    881 #actionsfile default.action   # Main actions file
    882 #actionsfile user.action      # User customizations
    883 #filterfile default.filter
    885 # Don't log interesting things, only startup messages, warnings and errors
    886 logfile logfile
    887 #jarfile jarfile
    888 #debug   0   # show each GET/POST/CONNECT request
    889 debug   4096 # Startup banner and warnings
    890 debug   8192 # Errors - *we highly recommended enabling this*
    892 listen-address
    893 toggle  1
    894 enable-remote-toggle 0
    895 enable-edit-actions 0
    896 enable-remote-http-toggle 0
    897 buffer-limit 4096
    899 forwarded-connect-retries               2
    900 accept-intercepted-requests             0
    902 keep-alive-timeout                      5
    903 socket-timeout                          300
    904 }}}
    906 ,, Source: [ tor-talk TorBirdy 0.0.10 released - testing and feedback requested!] (modified by proper for aos).
    908 5. Restart privoxy.
    909 {{{
    910 sudo service privoxy restart
    911 }}}
    913 6. Go to Tools -> Addons -> Plugins -> deactivate all.
    915 7. Go to Tools -> Addons -> Addons -> deactivate all.
    917 8. Download the most recent .xpi of [ TorBirdy] from github.
    919 9. Also download the corresponding signature.
    921 10. Get Jacob Appelbaums GPG key. (Bug: #6382)
    923 11. GPG verify. Example will follow. You should use the most recent version.
    924 {{{
    925 gpg --verify torbirdy-0.0.10.xpi.asc torbirdy-0.0.10.xpi
    926 }}}
    928 Must be "Good Signature".
    930 12. Go to Mozilla Firefox -> Tools -> Addons -> Install Addon from file (button in the upper right) -> choose torbirdy.xpi.
    932 13. Go to Mozilla Thunderbird -> View -> Preferences -> Config Editor and change the following values:
    933 {{{
    934 network.proxy.socks
    935 network.proxy.socks_port 9102
    936 }}}
    938 = VirtualBox Guest Additions =
    939 == Introduction ==
    940 Written and tested with aos 0.2.1 (Ubuntu precise). Many things can go wrong and none or the very least of them will be caused by aos. This has only limited support by the aos developers, because 1. it's not recommend, for security reasons and 2. the guest additions related bugs and instructions are somewhat out of the scope of the aos project.
    942 Installation is somewhat difficult and no packages exist. Just search the internet and you'll see, that loads of people having issues installing the VirtualBox guest additions. People having problems for years. VMware is of no alternative, people are also having trouble installing the VMware tools into Linux guests. The issue with the guest additions is ridiculous. For years no solution has been found. With each kernel update, recompilation is required, and quite often, due to some updates, complication becomes difficult or impossible for a long time.
    944 Also see article, [ The VirtualBox Kernel Driver Is Tainted Crap].
    946 If you are having trouble, than in most cases not because of aos. The aos setup is a regular Ubuntu Linux and VirtualBox. You can try asking the regular VirtualBox and Ubuntu resources if you have trouble.
    948 == Installing VirtualBox Guest Additions ==
    949 '''Warning: Not recommend!''' Weakens security as per [ aos/SecurityAndHardening].
    951 On the host:
    952 {{{
    953 sudo apt-get install virtualbox-guest-additions-iso
    954 }}}
    956 Inside aos-Workstation:
    958 Execute the following commands. They can take a very long time, due to the Ubuntu upstream bug [ Unpacking linux-headers unbelievably slow in Lubuntu Precise (Beta 1)] (affects Ubuntu precise final as well).
    959 {{{
    960 sudo apt-get update
    961 sudo apt-get dist-upgrade
    962 sudo apt-get install dkms build-essential linux-headers-generic linux-headers-generic-pae
    963 }}}
    965 Insert the guest additions iso by clicking on the VM -> devices -> install guest additions.
    967 {{{
    968 sudo mkdir -p /mnt/sr0
    969 sudo mount /dev/sr0 /mnt/sr0
    970 sudo sh /mnt//sr0/
    971 }}}
    973 Or start (not with a console, strange bug!).
    975 Force remove CD eject.
    977 Reboot. Done.
    979 == Shared Folder ==
    980 And if you want to use the shared folder read ahead... Go to VirtualBox -> machine -> change -> shared folder -> choose a folder -> use folder name "share". Choose mount automatically and create permanently. Press ok. Use the following commands to mount to folder.
    982 {{{
    983 sudo mkdir /mnt/share
    984 sudo chmod 777 /mnt/share
    985 sudo mount -t vboxsf -o uid=1000,gid=1000 share /mnt/share
    986 }}}
    988 If you run into a ''Protocol Error'' try using a different name, do not use ''share'', use something else, anything.
    990 After reboot, you have to repeat the mount command. If you want to mount the folder automatically, have a look at the [ source] of that information.
    992 = Even more restrictive firewall rules =
    993 #OptionalFeatureNr.3# is explained under [ aos-Workstation is firewalled].
    995 = Using bridges =
    996 Read and understand what a [ bridge] and what a [ obfuscated bridge] is. Also read [ bridge vs non-bridge users anonymity]!
    998 Read the comments in the [ aos-Gateway] script.
    1000 = Isolate streams by destination port and/or destination address =
    1001 #OptionalFeatureNr.1# in [ aos-Gateway script] allows you to isolate streams either by destination port or by destination address. To make use of the feature requires some deeper understanding of applications and protocols. Examples:
    1003 Isolate by destination address:
    1004  * Let's assume SSH goes over port 22 and you want to connect to different SSH servers and do not want an observer to be able to correlate that activity to the same pseudonym. If the SSH servers run on different IP's isolate by destination address might help.
    1006 Isolate by destination port:
    1007  * This doesn't seem to be useful for anything in aos, applications using different protocols (and therefore different ports) are already isolated through using different SOCKSPorts.
    1009 Isolate by destination port doesn't really achieve anything for web browsing: [ tor-talk Tor's stream isolation features defaults].
    1011 If you want to do this, you have to comment the feature in and to setup your applications on aos-Workstation to use that SocksPort. In torrc you could even combine IsolateDestPort IsolateDestAddr by entering in a line, if that makes sense in your thread model.
    1013 Instead of activating this feature, you could also add those isolation flags to one of the other Trans,- Dns-, or SocksPorts.
    1015 For more information refer to the Tor manual.
    1016 {{{
    1017 # Tor stable manual.
    1018 # Tor alpha manual.
    1019 }}}
    1021 [ Identity correlation through circuit sharing]
    1023 = Grow Virtual Harddisk =
    1024 In case you need more disk space on your virtual harddisk... Good news is, you are still a Virtual Box user. Aos is nothing special. It's just another vm image. Any suggestions you find about Virtual Box will also work for aos.
    1026 Somewhat difficult, there is no easy upstream solution such as a gui, there is also no better (free, Open Source) virtualizer with this feature. However, you do not need to be a genious. If you build aos from source this is a easier, since we create vdi images by default and it's easier to grow them. In case you are using the download version it's a bit more difficult. You have vmdk disk, because this is by the ova standard (exported virtual applicances).
    1028 Unfortunately ''vboxmanage modifyhd <uuid|filename> --resize <size in mb>'' does not support vmdk images yet. (Perhaps that changes or has changed at your time of reading.)
    1030 First of all make a clone of your existing virtual machine in case something goes wrong.
    1032 Find the folder of your virtual hdd.
    1033 {{{
    1034 vboxmange list hdds
    1035 }}}
    1036 Go into that folder.
    1038 Convert from vmdk to vdi.
    1039 {{{
    1040 VBoxManage clonehd "TorBOX-Workstation-disk1.vmdk" --format vdi "TorBOX-Workstation-disk1.vdi"
    1041 }}}
    1043 Grow the disk.
    1044 {{{
    1045 VBoxManage modifyhd "TorBOX-Workstation-disk1.vdi" --resize 30000
    1046 }}}
    1048 Go to Virtual Box VM settings, remove the old .vmdk, add the new .vdi.
    1050 Boot up and look if it's still working. Until now we have only grew the physical size, we haven't changed the filesystem. Power off again.
    1052 You have to boot from a boot cd and use some tool such as gparted to grow the filesystem.