Changes between Version 166 and Version 167 of doc/TorBOX/OptionalConfigurations


Timestamp:
Sep 27, 2012, 11:44:52 PM (7 years ago)
Author:
proper
Comment:

--

  • doc/TorBOX/OptionalConfigurations

    v166 v167  
    1 [[TOC(noheading, depth=0)]]
    2 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX aos Homepage]
     1TorBOX has been renamed to Whonix.
    32
    4 {{{
    5 #!html
    6 <h3 style="text-align: left; color: blue">
    7 These are all OPTIONAL configurations. If you would like to use any of these features, go ahead and follow the instructions. However, you do not have to add any of those additional functions if you see no need for them.
    8 </h1>
    9 }}}
     3This page has been moved. The History of this page might still be interesting.
    104
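Review bot: the added line 3, "This page has been moved.", names no destination; put the link to the page's new location next to the rename notice on line 1, otherwise readers of this revision only find the unchanged old content below with no pointer to where it now lives.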
    11 = Using Tor's SocksProxy in aos-Workstation =
    12 #OptionalFeatureNr.4#
    13 
    14 Moved to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing Identity correlation through circuit sharing].
    15 
    16 = Best possible protection against Identity correlation through circuit sharing =
    17 #OptionalFeatureNr.5#
    18 
    19 Moved to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing Identity correlation through circuit sharing].
    20 
    21 = More than one aos-Workstation =
    22 Moved to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#RecommendationtousemultipleVMSnapshots Recommendations to use multiple aos-Workstation VM's and Snapshots].
    23 
    24 = Tunneling Tor through proxy, VPN or SSH =
    25 '''user -> proxy/VPN/SSH -> Tor'''
    26 
    27 Read first: [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN Tor Plus VPN] and [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#TorBOXVPNdisclaimer TorBOX VPN disclaimer].
    28 
    29 This section is not fully tested/complete. Please give feedback if it worked for you.
    30 
    31 Sometimes you are '''forced to use a proxy or VPN''' to make outgoing connections: some ISPs require it, you may be on a LAN behind a proxy (router), or in a corporate environment.
    32 
    33 A proxy, VPN or SSH can also possibly be '''used to circumvent Tor blocks''' or to '''hide the fact that you are using Tor'''. VPN and SSH are the preferred choice, as they support secure encryption between you and them. It is a question of how much you can trust the server: it will see that you are using Tor, but thanks to Tor it won't see what you are doing. If you use your own server in a safe country while you are in a dangerous country, that is probably your best bet. Anyway, not many people seem to use a tunnel before they connect to Tor, therefore it is not so well tested; do not rely on it too much.
    34 
    35 If nothing above applies for you, skip this section.
    36 
    37 == Tunnel Tor through proxy ==
    38 '''user -> proxy -> Tor'''
    39 
    40 Depending on your proxy configuration, add the settings you'll need to your /etc/tor/torrc. For more information on these settings, have a look at the [https://www.torproject.org/docs/tor-manual.html.en Tor manual] and read the [https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#MyInternetconnectionrequiresanHTTPorSOCKSproxy FAQ]. 'nano /etc/tor/torrc'
    41 
    42 {{{
    43 HTTPProxy host[:port]
    44 HTTPProxyAuthenticator username:password
    45 HTTPSProxy host[:port]
    46 HTTPSProxyAuthenticator username:password
    47 Socks4Proxy host[:port]
    48 Socks5Proxy host[:port]
    49 Socks5ProxyUsername username
    50 Socks5ProxyPassword password
    51 }}}
    52 == Tunnel Tor through SSH ==
    53 '''user -> SSH -> Tor'''
    54 
    55 This chapter is about tunneling Tor through an SSH tunnel.
    56 
    57 First we have to install the ssh client.
    58 
    59 {{{
    60 apt-get install ssh
    61 }}}
    62 Then make sure that your SSH connection itself is working well. SSH to your ssh server using 'ssh yourusername@your.ssh.server'. It is recommended to set up public key authentication. (TODO: how to create a private and public key) 'cd /home/yourusername', 'mkdir .ssh', 'nano .ssh/authorized_keys', paste the line beginning with 'ssh-rsa ...' (your public key) (TODO: how to create that line).
    63 
    64 'exit' (terminate the SSH connection) and log in again using public key authentication. (TODO: how to do that) When that is working, install your favorite text mode browser, for example 'apt-get install lynx', and test whether the shell's external internet connection is working: 'lynx check.torproject.org'. You're done with the prerequisites. Exit your shell: 'exit'
    65 
    66 Now we will tell the SSH client to start a socks5 proxy server listening on localhost 127.0.0.1 port 1080. The following command has to be run in the background (TODO: add line how to do that) on each start up, before Tor starts (TODO: to which file, to do that). It would be wise to activate public key authentication (TODO: how to add private key to use public key authentication).
    67 
    68 {{{
    69 ssh -C -D 1080 your.ssh.server
    70 }}}
    71 Now we have to tell Tor to use the new local socks5 server. 'nano /etc/tor/torrc' and add
    72 
    73 {{{
    74 Socks5Proxy 127.0.0.1:1080
    75 }}}
    76 We are done; from now on Tor will connect through the SSH server.
    77 
    78 (TODO: any new firewall rules needed?)
    79 
    80 == Tunnel Tor through VPN ==
    81 '''user -> VPN -> Tor'''
    82 
    83 There are too many different VPN protocols to cover all of them in this guide. If you are forced to use a VPN server or if you are already using one, you most likely know how to connect to it. You must know how to connect to your VPN server from the Linux command line. Use the following order: start the firewall, connect to your VPN and start Tor afterwards.
    84 
    85 If you are using a VPN not '''because your ISP forces you to use a VPN''', but to '''hide the fact that you are using Tor''' or to '''add an additional layer of protection''', then make sure that your VPN software is secure (e.g. OpenVPN, not PPTP). When your VPN is properly set up, all your connections are forced through the VPN. If you start Tor on top of that, tunneling Tor through the VPN will work.
    86 
    87 TODO: protection on Linux needed. Do not send anything in the clear [[BR]]
    88 - when the VPN connection breaks down [[BR]]
    89 - when the VPN client crashes or gets terminated [[BR]]
    90 
    91 = Tunneling Proxy/SSH/VPN through Tor =
    92 '''user -> Tor -> Proxy/SSH/VPN'''
    93 
    94 Read first: [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN Tor Plus VPN] and [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aosVPNdisclaimer aos VPN disclaimer].
    95 
    96 You can tunnel through Tor first and add an additional proxy, SSH or VPN hop at the very end of that chain as your "exit node". The services you connect to will not know that you are using Tor (unless it is a "transparent proxy" in the sense of sending the HTTP X-Forwarded-For header, covered in the article linked above). This can be useful to '''evade Tor bans''', for example, to visit websites or IRC networks that blacklisted Tor. Beware of the risks: this adds a "permanent exit node", read [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN the related wiki article].
    97 
    98 To do that, go to your aos-Workstation and add the proxy, SSH or VPN normally, as you would if you were not using the aos-Gateway.
    99 
    100 [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO Protocol leaks] still apply, though to a lesser extent. Leaks would 'only' leak through Tor, and you have the best possible [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aossProtocol-Leak-ProtectionandFingerprinting-Protection Protocol-Leak-Protection and Fingerprinting-Protection].
    101 
    102 == Tunneling proxy through Tor ==
    103 '''user -> Tor -> proxy'''
    104 
    105 Note that the connection between the Tor exit node and the proxy is, in most cases, not encrypted.
    106 
    107 === Proxy Settings Method ===
    108 Very simple to set up. Simply add a proxy to your application's proxy settings or use a [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO socksifier].
    109 
    110 === Transparent Proxying ===
    111 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations?version=129#TransparentProxying wiki version 129] contains an old example using privoxy, JonDo and httpsdnsd. The new example uses redsocks and is simpler.
    112 
    113 ==== Introduction ====
    114 You always have to keep in mind which kind of data and which kind of proxy you are using. There are CGI proxies, http(s) proxies and socks4/4a/5 proxies.
    115 
    116 In case you redirect the network layer directly with iptables, you need a TransPort. Unfortunately very few applications offer a TransPort; Tor, for example, does. In most other cases, you need to translate between the different kinds of data.
    117 
    118 Due to the nature of transparent proxying, we need to redirect with iptables and end up with a "Trans data stream". Because most proxies are either http or socks, we need to translate this. Below we discuss a few tools which help here; not all are required, depending on what you want to do.
    119 
    120 Required reading: [[BR]]
    121 [https://trac.torproject.org/projects/tor/wiki/doc/proxy proxy] [[BR]]
    122 [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN#VPNSSHversusProxy Tor + VPN or Proxy] [[BR]]
    123 
    124 ===== Tools =====
    125 Tor is a socks proxy and also has a TransPort. Unfortunately, Tor can not be used directly as an http proxy. You must also keep in mind that Tor does not support UDP, although it offers a DnsPort.
    126 
    127 [http://darkk.net.ru/redsocks/ redsocks] can also accept "Trans data streams" and can forward them to http'''s''', socks4 and socks5 proxies. If you were to use an http proxy (no https, without the CONNECT method, see the proxy article), you could access only http sites, no https sites. In addition, redsocks can convert UDP DNS queries to TCP DNS queries.
    128 
    129 ===== DNS resolution =====
    130 The complication (and also advantage/feature) with transparent proxying is that the internet application (browser, etc.) is not aware of the proxy. Therefore the internet application will attempt to do the DNS resolution itself using the system resolver, not the proxy. The DNS requests must therefore also be considered. Since Tor does not support UDP, we have to transmit DNS queries via TCP.
    131 
    132 It is impossible to resolve DNS directly on the proxy when using it as a transparent proxy, see [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OtherAnonymizingNetworks#TransparentProxyingMethod TorBOX/OtherAnonymizingNetworks#TransparentProxyingMethod] for an explanation. You need an extra DNS server which answers over TCP.
    133 
    134 You have several options to resolve DNS.
    135 
    136 Either leave the setup as it is: Tor's DnsPort, and therefore the Tor exit nodes, will still do the DNS requests. (See DNS rule 1.) This is probably not what you want, since you wanted to cloak your identity with an additional proxy after Tor.
    137 
    138 Alternatively you can use a public DNS resolver. The instructions for [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#DNSCryptbyOpenDNS DNSCrypt by OpenDNS]^4^ should work out of the box (tested). (See DNS rule 2.) (See footnotes ^1^, ^2^ and ^3^ if you are looking for other alternatives.)
    139 
    140 Read the [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#SecondaryDNSresolver DNS related warnings].
    141 
    142 ,,
    143 ^1^ Also [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#httpsdnsdbyJonDos httpsdnsd by JonDos]^4^ might work, but you'd need to make some changes (use httpsdnsd as a system-wide, i.e. aos-Workstation wide, DNS resolver, not just for a specific user account). [[BR]]
    144 ^2^ Or perhaps also [http://www.mulliner.org/collin/ttdnsd.php ttdnsd] with Google could work. All [https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software DNS resolvers] should work, as long as TCP is supported and as long as you are querying a TCP-enabled DNS server. [[BR]]
    145 ^3^ You can't simply add another public DNS resolver (e.g. OpenDNS or Google) to /etc/resolv.conf in aos-Workstation (i.e. Tor -> public DNS resolver); it would have no effect, as explained under [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#TorBOXsTorBOX-Workstationisfirewalled aos-Workstation is firewalled]. [[BR]]
    146 ,,
    147 ^4^ DNSCrypt and httpsdnsd add the advantage that neither the proxy nor the Tor exit node can sniff or manipulate your DNS requests, since the requests are encrypted and authenticated.
    148 
    149 ==== HowTo ====
    150 Everything below is done on the aos-Workstation.
    151 
    152 Get a working proxy and test whether it works reliably.
    153 
    154 Install [http://darkk.net.ru/redsocks/ redsocks].
    155 
    156 Configure redsocks. TODO: share config.
    157 
    158 Add user redsocks.
    159 {{{
    160 sudo adduser redsocks
    161 }}}
    162 
    163 Start redsocks.
    164 {{{
    165 sudo -u redsocks ./redsocks
    166 }}}
    167 
    168 Create a file fw.sh with the following firewall rules.
    169 {{{
    170 # These iptables rules redirect the traffic for all users,
    171 # including root, with the exception of the user redsocks,
    172 # through the proxy.
    173 
    174 ## TODO: these iptables rules need review.
    175 
    176 # Choose either DNS rule #1 or DNS rule #2.
    177 
    178 # For debugging/testing use this command in console.
    179 # tail -f /var/log/syslog
    180 
    181 # Flush old rules.
    182 iptables -F
    183 iptables -t nat -F
    184 iptables -X
    185 
    186 # Allow unlimited traffic on the loopback interface.
    187 iptables -A INPUT -i lo -j ACCEPT
    188 iptables -A OUTPUT -o lo -j ACCEPT
    189 iptables -A OUTPUT --dst 127.0.0.1 -j ACCEPT
    190 
    191 # Established incoming connections are accepted.
    192 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    193 
    194 # Established outgoing connections are accepted.
    195 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    196 
    197 # DNS rule #1.
    198 # Allow DNS directly through aos-Gateway.
    199 iptables -A OUTPUT --dst 192.168.0.1 -p udp --dport 53 -j ACCEPT
    200 
    201 # DNS rule #2.
    202 # For DNSCrypt set /etc/resolv.conf to
    203 # nameserver 127.0.0.1
    204 #
    205 # sudo dnscrypt-proxy --tcp-only --user=user
    206 #
    207 # DNSCrypt listening on port 53
    208 iptables -t nat -A OUTPUT --dst 127.0.0.1 -p udp --dport 53 -j ACCEPT
    209 iptables -t nat -A OUTPUT --dst 127.0.0.1 -p tcp --dport 53 -j ACCEPT
    210 
    211 # redsocks must be allowed to establish direct connections.
    212 iptables -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks
    213 iptables -t nat -A OUTPUT -j ACCEPT -m owner --uid-owner redsocks
    214 
    215 # Redirect remaining traffic to redsocks.
    216 iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 12345
    217 
    218 # TODO: UDP rule untested.
    219 #iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-port 10053
    220 
    221 # Log blocked traffic for debugging.
    222 iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "iptables: "
    223 
    224 # Reject all other traffic.
    225 iptables -A OUTPUT -j REJECT
    226 }}}
    227 
    228 Make the firewall script executable.
    229 {{{
    230 sudo chmod +x fw.sh
    231 }}}
    232 
    233 Apply the firewall rules.
    234 {{{
    235 sudo ./fw.sh
    236 }}}
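
Added example (not from the wiki or from redsocks): a small Python model of the two OUTPUT chains in fw.sh above. It walks the nat rules and then the filter rules in the same order as the script for a handful of constructed packets, so you can check which traffic ends up at redsocks, which leaves directly and which is rejected. The uids (1000 for user, 1001 for redsocks), the proxy address and the resolver address are assumptions; 192.168.0.1, port 12345 and port 53 come from the script.

```python
from dataclasses import dataclass, replace

REDSOCKS_UID = 1001          # assumed uid of the 'redsocks' account created with adduser
USER_UID = 1000              # assumed uid of the ordinary 'user' account
GATEWAY_IP = "192.168.0.1"   # aos-Gateway, from fw.sh (DNS rule #1)
REDSOCKS_PORT = 12345        # redsocks listener, from fw.sh
LOCAL_DNS_PORT = 53          # local DNSCrypt listener, from fw.sh (DNS rule #2)


@dataclass(frozen=True)
class Packet:
    """First packet of a new, locally generated connection."""
    uid: int
    proto: str                 # "tcp" or "udp"
    dst: str
    dport: int
    out_if: str = "eth0"       # interface chosen by routing; "lo" for loopback targets
    established: bool = False  # True only for follow-up packets of an accepted flow


def nat_output(pkt: Packet) -> Packet:
    """nat OUTPUT chain of fw.sh, in script order. Returns the possibly rewritten packet."""
    # DNS rule #2: queries to the local DNSCrypt listener are left alone (ACCEPT in nat).
    if pkt.dst == "127.0.0.1" and pkt.dport == LOCAL_DNS_PORT:
        return pkt
    # redsocks itself must reach the upstream proxy directly, not loop back into itself.
    if pkt.uid == REDSOCKS_UID:
        return pkt
    # All remaining TCP is REDIRECTed to redsocks. REDIRECT rewrites the destination
    # to the local address, so the packet is re-routed over lo.
    if pkt.proto == "tcp":
        return replace(pkt, dst="127.0.0.1", dport=REDSOCKS_PORT, out_if="lo")
    # The UDP REDIRECT line in fw.sh is commented out, so UDP passes nat unchanged.
    return pkt


def filter_output(pkt: Packet) -> str:
    """filter OUTPUT chain of fw.sh, in script order. Returns "ACCEPT" or "REJECT"."""
    if pkt.out_if == "lo" or pkt.dst == "127.0.0.1":   # loopback rules
        return "ACCEPT"
    if pkt.established:                                 # RELATED,ESTABLISHED
        return "ACCEPT"
    if pkt.dst == GATEWAY_IP and pkt.proto == "udp" and pkt.dport == 53:
        return "ACCEPT"                                 # DNS rule #1: Tor's DnsPort on the gateway
    if pkt.uid == REDSOCKS_UID:                         # owner match: only redsocks goes out directly
        return "ACCEPT"
    return "REJECT"                                     # LOG, then REJECT everything else


def verdict(pkt: Packet) -> str:
    """Where a new connection ends up: 'redsocks', 'direct' or 'rejected'."""
    after_nat = nat_output(pkt)
    if filter_output(after_nat) == "REJECT":
        return "rejected"
    return "redsocks" if after_nat != pkt else "direct"


# Constructed sample traffic, not captured data. Addresses are from documentation ranges.
# dnscrypt-proxy runs as 'user' (see --user=user in fw.sh), so its TCP goes through redsocks.
SAMPLE_TRAFFIC = {
    "browser https to a web site":         Packet(USER_UID, "tcp", "203.0.113.7", 443),
    "redsocks to the upstream proxy":      Packet(REDSOCKS_UID, "tcp", "203.0.113.80", 1080),
    "udp dns to a public resolver":        Packet(USER_UID, "udp", "198.51.100.1", 53),
    "udp dns to the gateway (rule #1)":    Packet(USER_UID, "udp", GATEWAY_IP, 53),
    "udp dns to local dnscrypt (rule #2)": Packet(USER_UID, "udp", "127.0.0.1", 53, out_if="lo"),
    "dnscrypt-proxy tcp to its resolver":  Packet(USER_UID, "tcp", "198.51.100.53", 443),
    "tcp to a local service on 8080":      Packet(USER_UID, "tcp", "127.0.0.1", 8080, out_if="lo"),
}


def run_all() -> dict:
    """Evaluate every sample and return {description: verdict}."""
    return {name: verdict(pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{result:9}  {name}")
```

The last sample shows that the nat chain exempts only port 53 on loopback, so TCP to any other local service is also redirected into redsocks; that is the kind of thing the script's own "need review" TODO should cover.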
    237 
    238 == Tunneling SSH through Tor ==
    239 '''user -> Tor -> SSH'''
    240 
    241 This chapter is not about connecting to an SSH server as a client (see aos in general and the Torify HOWTO). It is about adding an extra SSH tunnel after Tor.
    242 
    243 Note that even though SSH supports socks5, SSH is still not able to forward UDP on its own. Have a look at the [http://zarb.org/~gc/html/udp-in-ssh-tunneling.html source] of that information. To summarize: to tunnel UDP over SSH, the client and the shell admin need a special setup, which for most shells is not going to happen.
    244 
    245 An SSH tunnel will provide a local socks5 proxy. Create the SSH tunnel in the aos-Workstation. From there you'll end up with a local socks5 proxy, which you can use following the proxy instructions above. Once the SSH tunnel is established, there are not many differences, besides the point already clarified above about UDP, and that the warning about missing encryption to the proxy does not apply to SSH tunnels, since SSH is encrypted. The SSH process needs to be allowed to access the internet directly: if you use transparent proxying, run the SSH process under an account which is privileged to access the internet directly.
    246 
    247 Another untested method may be [https://github.com/apenwarr/sshuttle sshuttle].
    248 
    249 == Tunneling VPN through Tor ==
    250 '''user -> Tor -> VPN'''
    251 
    252 Note that you have to choose TCP transport, because Tor does not support UDP.
    253 
    254 '''Warning:''' [[BR]]
    255 For users who configured applications to use SocksPort instead of TransPort. (This is the aos-Gateway default setting for some applications, such as Tor Browser!)
    256 
    257 SocksPort is used to prevent [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing Identity correlation through circuit sharing]. As [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN Tor Plus VPN] explains, you have to keep in mind that a VPN behind Tor adds a permanent exit node.
    258 
    259 Furthermore, all applications which are configured to use SocksPort will not be tunneled through the VPN. They will be "only" tunneled through Tor. This is because the VPN will not touch connections to 192.168.0.1, which is the aos-Gateway. For example, if you wish to tunnel through Tor -> VPN, you have to remove all proxy settings from Tor Browser. check.torproject.org will then tell you "You are not using Tor." and you'll see your VPN's IP. In fact your VPN was tunneled through Tor first. (Because aos-Workstation can not make any non-Tor connections by design, everything is tunneled over Tor.) When you stop your VPN for testing ('sudo /etc/init.d/openvpn stop'), it will show "You are using Tor." again.
    260 
    261 While you are using a VPN behind Tor, you probably also may not be able to make use of the upcoming stream isolation feature which is planned for Tor Browser (#3455). This is because Tor Browser would not talk to Tor directly anymore; Tor Browser would connect to the VPN instead.
    262 
    263 VPN servers and VPN software can occasionally break down without announcement. aos-Workstation will seamlessly continue to make "direct" connections through Tor once the VPN breaks down. This is not an aos-specific problem; most users are simply not aware of it. This happens also with the common setup where the VPN simply runs on a host. If you want to enforce that the VPN is always tunneled over Tor, have a look at the modified routing table [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OtherAnonymizingNetworks#UsingVPNsasaTorreplacementonaos-Gateway here].
    264 
    265 Also note that once aos-Workstation gets rooted by malware, the VPN can be easily circumvented by the attacker and you are left with the protections provided by aos and Tor.
    266 
    267 By design, a VPN routes all your applications (those without any proxy settings, as explained above) through the VPN. You may not want this, as explained above (Identity correlation through circuit sharing). To avoid that, you should use this aos-Workstation only for the particular application you want to route through the VPN, read [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#Recommendationtousemultipleaos-Workstations Recommendation to use multiple aos-Workstations].
    268 
    269 = A Free example VPN working with aos for testing purposes =
    270 Read first [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aosVPNdisclaimer aos VPN disclaimer].
    271 
    272 Can be either:
    273  * [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelingVPNthroughTor Tunnel VPN through Tor]. (Read first!) (Install on aos-Workstation.)
    274  * [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelingTorthroughproxyVPNorSSH Tunnel Tor through VPN]. (Read first!) (Install on aos-Gateway.)
    275 
    276 The purpose of this chapter is mainly to demonstrate how easy it is to add a VPN to aos. Unfortunately securityKISS.com drops many TCP and UDP ports besides ports 80 and 443. That limits its usefulness for testing purposes, such as [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelingUDPoverTor Tunneling UDP over Tor]. If you know a less restrictive free VPN provider, we'd be thankful for a comment.
    277 
    278 Install openvpn.
    279 {{{
    280 apt-get install openvpn
    281 }}}
    282 
    283 Register at securitykiss.com and leave no personal information. Use an extra e-mail address for registration, which you will never use for anything else. Log in and download their OpenVPN package to /home/user. Unpack it. The folder contains ca.crt, client.crt, client.key and README.txt (with a list of their servers and ports). Rename the folder to securitykiss. The structure should then be /home/user/securitykiss/ca.crt etc.
    284 
    285 'nano /etc/openvpn/client.conf', edit the server IP and port and paste it. (It's almost only the default openvpn client.conf with minor changes.)
    286 {{{
    287 ##############################################
    288 # Sample client-side OpenVPN 2.0 config file #
    289 # for connecting to multi-client server.     #
    290 #                                            #
    291 # This configuration can be used by multiple #
    292 # clients, however each client should have   #
    293 # its own cert and key files.                #
    294 #                                            #
    295 # On Windows, you might want to rename this  #
    296 # file so it has a .ovpn extension           #
    297 ##############################################
    298 
    299 # Specify that we are a client and that we
    300 # will be pulling certain config file directives
    301 # from the server.
    302 client
    303 
    304 # Use the same setting as you are using on
    305 # the server.
    306 # On most systems, the VPN will not function
    307 # unless you partially or fully disable
    308 # the firewall for the TUN/TAP interface.
    309 ;dev tap
    310 dev tun
    311 
    312 # Windows needs the TAP-Win32 adapter name
    313 # from the Network Connections panel
    314 # if you have more than one.  On XP SP2,
    315 # you may need to disable the firewall
    316 # for the TAP adapter.
    317 ;dev-node MyTap
    318 
    319 # Are we connecting to a TCP or
    320 # UDP server?  Use the same setting as
    321 # on the server.
    322 proto tcp
    323 ;proto udp
    324 
    325 # The hostname/IP and port of the server.
    326 # You can have multiple remote entries
    327 # to load balance between the servers.
    328 remote 91.121.208.218 443
    329 ;remote my-server-2 1194
    330 
    331 # Choose a random host from the remote
    332 # list for load-balancing.  Otherwise
    333 # try hosts in the order specified.
    334 ;remote-random
    335 
    336 # Keep trying indefinitely to resolve the
    337 # host name of the OpenVPN server.  Very useful
    338 # on machines which are not permanently connected
    339 # to the internet such as laptops.
    340 resolv-retry infinite
    341 
    342 # Most clients don't need to bind to
    343 # a specific local port number.
    344 nobind
    345 
    346 # Downgrade privileges after initialization (non-Windows only)
    347 user nobody
    348 group nogroup
    349 
    350 # Try to preserve some state across restarts.
    351 persist-key
    352 persist-tun
    353 
    354 # If you are connecting through an
    355 # HTTP proxy to reach the actual OpenVPN
    356 # server, put the proxy server/IP and
    357 # port number here.  See the man page
    358 # if your proxy server requires
    359 # authentication.
    360 ;http-proxy-retry # retry on connection failures
    361 ;http-proxy [proxy server] [proxy port #]
    362 
    363 # Wireless networks often produce a lot
    364 # of duplicate packets.  Set this flag
    365 # to silence duplicate packet warnings.
    366 ;mute-replay-warnings
    367 
    368 # SSL/TLS parms.
    369 # See the server config file for more
    370 # description.  It's best to use
    371 # a separate .crt/.key file pair
    372 # for each client.  A single ca
    373 # file can be used for all clients.
    374 ca /home/user/securitykiss/ca.crt
    375 cert /home/user/securitykiss/client.crt
    376 key /home/user/securitykiss/client.key
    377 
    378 # Verify server certificate by checking
    379 # that the certificate has the nsCertType
    380 # field set to "server".  This is an
    381 # important precaution to protect against
    382 # a potential attack discussed here:
    383 #  http://openvpn.net/howto.html#mitm
    384 #
    385 # To use this feature, you will need to generate
    386 # your server certificates with the nsCertType
    387 # field set to "server".  The build-key-server
    388 # script in the easy-rsa folder will do this.
    389 ns-cert-type server
    390 
    391 # If a tls-auth key is used on the server
    392 # then every client must also have the key.
    393 ;tls-auth ta.key 1
    394 
    395 # Select a cryptographic cipher.
    396 # If the cipher option is used on the server
    397 # then you must also specify it here.
    398 ;cipher x
    399 
    400 # Enable compression on the VPN link.
    401 # Don't enable this unless it is also
    402 # enabled in the server config file.
    403 comp-lzo
    404 
    405 # Set log file verbosity.
    406 verb 3
    407 
    408 # Silence repeating messages
    409 ;mute 20
    410 }}}
    411 
    412 To initially start the VPN type:
    413 {{{
    414 sudo /etc/init.d/openvpn start
    415 sudo openvpn /etc/openvpn/client.conf
    416 }}}
    417 
    418 After rebooting the VPN will be automatically started.
    419 
    420 If you do not wish to start the VPN automatically for some reason: 'nano /etc/default/openvpn'
    421 {{{
    422 AUTOSTART="none"
    423 }}}
    424 
    425 = Connect to a Tor Gateway on your local network using PPTP VPN =
    426 What this is useful for: PPTP is used because it's very easy to configure and well supported by all kinds of devices. Compared to a proper setup with a hardware gateway between the internet and the devices you want to torify, it's less secure, but it doesn't require any kind of hardware or network layout changes.
    427 
    428 Moved to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/PPTP aos/PPTP].
    429 
    430 = Hosting hidden services =
    431 Read first: [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening aos/SecurityAndHardening].
    432 
    433 == Hidden webserver ==
    434 #OptionalFeatureNr.2#
    435 
    436 === aos 0.2.1 and above ===
    437 On your aos-Gateway:
    438 
    439 Open torrc.
    440 {{{
    441 nano /etc/tor/torrc
    442 }}}
    443 
    444 Look for #OptionalFeatureNr.2#. Read the comments, which explain where to find your .onion URL and how to back up your hidden service keys. Uncomment the following two lines.
    445 {{{
    446 HiddenServiceDir /var/lib/tor/hidden_service/
    447 HiddenServicePort 80 192.168.0.2:12345
    448 }}}
    449 
    450 Reload Tor.
    451 {{{
    452 sudo service tor reload
    453 }}}
    454 
    455 On your aos-Workstation:
    456 
    457 Run the following command. It will install lighttpd.
    458 {{{
    459 sudo TorBOX-Workstation -hiddenserver
    460 }}}
    461 
    462 Done.
    463 
    464 = Vidalia for aos =
    465 Not recommended. Better use arm. (See the Readme.)
    466 
    467 You have two possibilities to get Vidalia: 1. Vidalia on the host and 2. Vidalia on the aos-Gateway. Each option has its pros and cons, which we'll discuss here.
    468 
    469 == 1. Vidalia on the Host ==
    470 Ok, this is an ugly hack, but it works. Vidalia can be installed on the host, in this example on a Windows host, but you can most likely do it on a Linux host as well. We have to 'trick' Vidalia, because Vidalia really wants to start Tor itself.
    471 
    472 You will be able to stop Tor using Vidalia, but not to start it again. Restarting Tor has to be done manually in the console or via ssh. "Start proxy application when Tor starts" will probably work (untested), but it will start it on the host and not on the aos-Gateway. What also won't work are all settings which modify torrc, because our torrc will be just a dummy one and the real torrc is inside the aos-Gateway. Nothing in the Settings / Network tab will work. The "Sharing/Setup Relaying" tab won't work either (there will be instructions on how to do it manually in torrc on the aos-Gateway). The Services tab will also not work; this is covered above under Hosting Hidden Services. The "Start Tor" button will not actually start Tor, but connect to the ControlPort inside the aos-Gateway. "View the network", "Use a New Identity" and "Message Log" should be functional.
    473 
    474 0. You need to make sure that port 9051 is firewalled on your host. It must not be accessible from the internet.
    475 1. Create a folder Vidalia wherever you like. Ensure that your current user account has the necessary rights (read, create, modify). [[BR]]
    476 2. Grab some dummy exe, for example cmd.exe from C:\Windows\System32\cmd.exe, and copy it to your new Vidalia folder as tor.exe. [[BR]]
    477 3. Log in as root ('sudo su') on your aos-Gateway and type in the console.
    478 {{{
    479 tor --hash-password password
    480 }}}
    481 This will result in something like
    482 {{{
    483 16:E61CFDC2FF3FDCDE605D8EDC3631F268B554612B0721E99F95588282B5
    484 }}}
    485 Copy it to the clipboard.
    486 
    487 4. 'nano /etc/tor/torrc' and add
    488 {{{
    489 ControlPort 9051
    490 ControlListenAddress 10.0.2.15:9051
    491 HashedControlPassword 16:E61CFDC2FF3FDCDE605D8EDC3631F268B554612B0721E99F95588282B5
    492 }}}
    493 
    494 5. 'nano /etc/firewall.sh' and look out for the following
    495 {{{
    496 # Allow incoming SSH connections on the external interface
    497 iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT
    498 }}}
    499 and additionally add the following below it
    500 {{{
    501 # Allow incoming Tor ControlPort connections on the external interface
    502 iptables -A INPUT -i $EXT_IF -p tcp --dport 9051 -j ACCEPT
    503 }}}
    504 
    505 6. Then go to your host and create a file named 'control_auth_cookie' inside your Vidalia folder. Insert only the password; in this example we used "password". Choose your own secure password. control_auth_cookie has no file extension, so make sure that Windows shows you file extensions (like .exe, .pdf, ...), otherwise you will probably be unable to create a file without an extension.
    506 
    507 7. We need a start file, otherwise Vidalia will use the default documents and settings folder. Call it 'vidalia.bat', create it inside your Vidalia folder, and give it the following content:
    508 {{{
    509 start do_not_start.exe --datadir .\\
    510 }}}
    511 
    512 8. Of course you will also need the Vidalia binaries. Download the Tor Browser Bundle for your platform, go to '\Tor Browser\App\' and copy the following files into your Vidalia directory.
    513 {{{
    514 libeay32.dll
    515 libgcc_s_dw2-1.dll
    516 libgnurx-0.dll
    517 mingwm10.dll
    518 QtCore4.dll
    519 QtGui4.dll
    520 QtNetwork4.dll
    521 QtXml4.dll
    522 ssleay32.dll
    523 vidalia.exe
    524 }}}
    525 tor.exe and tor-resolve.exe will not be needed (we have our own dummy tor.exe).
    526 
    527 9. Rename vidalia.exe to do_not_start.exe.
    528 
    529 10. Create a file called 'vidalia.conf' inside your Vidalia directory. The content must be
    530 {{{
    531 [Tor]
    532 TorExecutable=.\\tor.exe
    533 Torrc=.\\torrc
    534 DataDirectory=.\\
    535 UseRandomPassword=false
    536 ControlPassword=password
    537 Changed=true
    538 ControlPort=9052
    539 ControlAddr=127.0.0.1
    540 }}}
    541 
    542 11. Create an empty file named torrc inside your Vidalia directory; it's just another dummy file for Vidalia's sake.
    543 
    544 12. In the aos-Gateway VM network settings, set up port forwarding: within the "Adapter 1" tab click "Advanced", then "Port Forwarding". Insert a new rule as follows: Name: Vidalia; Protocol: TCP; Host IP: 127.0.0.1; Host Port: 9052; Guest IP: leave blank; Guest Port: 9051.
    545 
    546 13. That's it. From now on you can run vidalia.bat. For your convenience, create a shortcut to vidalia.bat on your desktop.
    547 
    548 ((Optional, for debugging if you have problems. [[BR]]
    549 Test whether the IP/port is reachable from the host: 'telnet 192.168.1.5 9051', then press enter; Tor should answer "514 Authentication required."))
    550 
    551 (([https://trac-vidalia.torproject.org/projects/vidalia/wiki/FAQ Vidalia FAQ]))
    552 
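The 'tor --hash-password' output used in step 3 has a fixed structure that is worth understanding before you put it into torrc: 8 bytes of random salt, one specifier byte (0x60) and a 20-byte SHA-1 digest, hex-encoded behind the '16:' prefix. The following Python code is an added example (not part of the original page, nor of the Tor or Vidalia code bases); it re-implements the RFC 2440 iterated-and-salted SHA-1 scheme behind these hashes so you can check offline whether a HashedControlPassword line corresponds to a given plaintext, for instance to make sure the placeholder "password" from this page did not end up in a real torrc. The function names and the reproducible salt used in the test are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Tor writes a fixed S2K specifier byte of 0x60 after the 8-byte salt. It encodes how much
# salted input is fed to SHA-1: (16 + (0x60 & 15)) << ((0x60 >> 4) + 6) = 65536 bytes.
S2K_INDICATOR = 0x60

# The value shown in step 3 of this page (copied from the text, not recomputed here).
PAGE_EXAMPLE_HASH = "16:E61CFDC2FF3FDCDE605D8EDC3631F268B554612B0721E99F95588282B5"


def _s2k_sha1(salt: bytes, secret: bytes, indicator: int = S2K_INDICATOR) -> bytes:
    """RFC 2440 iterated+salted S2K with SHA-1, as in Tor's secret_to_key_rfc2440().

    The byte string salt||secret is fed to SHA-1 repeatedly until exactly `count`
    bytes have been hashed; the last repetition is cut off where count runs out."""
    count = (16 + (indicator & 15)) << ((indicator >> 4) + 6)
    block = salt + secret
    full_repeats, remainder = divmod(count, len(block))
    digest = hashlib.sha1()
    digest.update(block * full_repeats)
    digest.update(block[:remainder])
    return digest.digest()


def hash_control_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a HashedControlPassword value in the format of `tor --hash-password`.

    A fresh random 8-byte salt is drawn unless one is supplied (supplying one is
    only useful for reproducible tests)."""
    if salt is None:
        salt = os.urandom(8)
    if len(salt) != 8:
        raise ValueError("Tor uses an 8-byte salt")
    key = _s2k_sha1(salt, password.encode("utf-8"))
    return "16:" + (salt + bytes([S2K_INDICATOR]) + key).hex().upper()


def verify_control_password(hashed: str, candidate: str) -> bool:
    """Check whether `candidate` is the plaintext behind a '16:' HashedControlPassword."""
    if not hashed.startswith("16:"):
        raise ValueError("only the '16:' (iterated SHA-1) format is handled here")
    raw = bytes.fromhex(hashed[3:])
    if len(raw) != 8 + 1 + 20:
        raise ValueError("malformed hash: expected 8-byte salt, indicator byte, 20-byte digest")
    salt, indicator, key = raw[:8], raw[8], raw[9:]
    expected = _s2k_sha1(salt, candidate.encode("utf-8"), indicator)
    # Constant-time comparison, the same habit as for any other credential check.
    return hmac.compare_digest(expected, key)


if __name__ == "__main__":
    h = hash_control_password("correct horse battery staple")
    print("HashedControlPassword", h)
    print("verifies:", verify_control_password(h, "correct horse battery staple"))
    # Tells you whether the hash copied from this page was really made from "password".
    print("page example made from 'password'?",
          verify_control_password(PAGE_EXAMPLE_HASH, "password"))
```

Because the salt is random, two runs of 'tor --hash-password' on the same password give different strings; only the verify function tells you whether a hash in a torrc matches a password you know.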
    553 == 2. Vidalia on the aos-Gateway ==
    554 Install a "minimal" desktop environment on the aos-Gateway:
    555 {{{
    556 sudo apt-get install xinit xterm openbox vidalia
    557 }}}
    558 You'll be asked to add your user to the debian-tor group. Do so! To apply this change you need to log out (type 'exit') and log in again. Then use 'startx' from the console to launch the graphical desktop. Right-click on the desktop to open the menu, open a terminal and from that launch vidalia. A more user-friendly graphical environment would drastically increase RAM requirements and [https://en.wikipedia.org/wiki/Attack_surface attack surface].
    559 
    560 Do not be tempted to use aos-Gateway as a client OS! Also remember that anything you do on the gateway is NOT routed through Tor.
    561 
    562 = How to safely transfer files between Host, aos-Gateway and aos-Workstation =
    563 Using the file sharing built into the VM isn't very secure. Between the gateway and the host you can use ssh and scp, but the aos-Gateway is firewalled tightly (and you should leave it that way). A secure and quick way to transfer files to the client VM is to use iso files:
    564 On the host install genisoimage: [[BR]]
    565 {{{ sudo apt-get install genisoimage }}} [[BR]]
    566 To create an iso "files.iso" containing the content of "folder": [[BR]]
    567 {{{ mkisofs -o files.iso /path/to/folder }}} [[BR]]
    568 Now attach the iso to the VM. Mount it with [[BR]]
    569 {{{ sudo mount /dev/sr0 /media/cdrom }}} [[BR]][[BR]]
    570 This is intentionally one-way, as the aos-Workstation is inherently untrusted and should remain isolated to prevent side-channel attacks and covert channel leaks.
    571 
    572 = aos implementation with just a single VM (Tor runs on host) =
    573 More info on [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OneVM aos/OneVM]
    574 
    575 = Using (private) (obfuscated) bridges =
    576 More info on [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/bridges aos/bridges]
    577 
    578 = Hosting a (private) (obfuscated) bridge or (exit) relay =
    579 You can still volunteer for Tor and host a bridge, private bridge, obfuscated bridge, private obfuscated bridge, middle node or exit relay while using aos, either inside the aos-Gateway or directly on the host.
    580 
    581 == Inside the aos-Gateway ==
    582 Simply follow the usual instructions given on torproject.org inside the aos-Gateway, just as you would if Tor were not running inside a virtual machine. The only additional thing to do is to set up a port forwarding from the host to the virtual machine. That is simple; for a similar example see [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/HowToInstall#Step3InstallandConfigureaos-Gateway Step 3 – How To Install - Install and Configure aos-Gateway], under 'Set up Port Forwarding'. Just exchange the name and the ports, the rest is the same.
    583 
    584 What's left are the firewall rules. On the aos-Gateway, 'sudo nano /etc/firewall.sh' and look out for
    585 {{{
    586 # Allow incoming SSH connections on the external interface
    587 iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT
    588 }}}
    589 below that, add a similar rule:
    590 {{{
    591 # Tor
    592 iptables -A INPUT -i $EXT_IF -p tcp --dport YOURPORT -j ACCEPT
    593 }}}
    594 == On the host ==
    595 If you do not want to use the aos-Gateway for this purpose, you can still host it directly on the host; simply follow the usual instructions on torproject.org.
    596 
    597 = Hide the fact that you are using Tor/aos =
    598 Depending on how restricted your area is and how paranoid you are, you may want to hide from your provider the fact that you are a Tor user. That's very tricky to achieve. Be very careful. Here are some tips:
    599 
    600 aos users are most likely Tor power users. They are more paranoid than normal Tor users, and adversaries might ask themselves why. aos users most likely [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#hostinghiddenservicesOPTIONAL host hidden services] or do other fancy stuff over Tor.
    601 
    602 This isn't a step by step tutorial. It's recommended to read the whole chapter.
    603 
    604 Use either private and obfuscated bridges or a VPN/SSH proxy. It's most secure if you combine both ways.
    605 
    606 == Warnings ==
    607  * Download Tor through a trusted internet service provider (in your [home] country) or through SSH or VPN (or before entering a hostile environment).
    608  * Set up the SSH/VPN tunnel or the private obfuscated bridges first. (Depending on what you want to use, read below.)
    609  * Disconnect from the internet while installing. (Tor starts and connects automatically after installing the .deb.)
    610  * First, think about how you obtain the Tor Browser Bundle and obfuscated bridges and/or VPN and/or SSH without your ISP noticing. It's a chicken-and-egg problem. You most likely have to get them from a trusted source. This isn't a problem aos could solve; it's a Tor upstream question.
    611  * Another issue for hiding your aos usage is installing and/or downloading aos.
    612  * Download.
    613   * If you download aos from sf.net, that download will go unencrypted and your internet service provider (or SSH/VPN provider) will learn that you downloaded aos.
    614     * A workaround could be to download aos through the official torproject.org Tor Browser Bundle.
    615     * You have to turn off your network connection while starting it for the first time. Then set everything up to hide your Tor/aos usage. See #OptionalFeatureNr.1# and below.
    616  * Building from Source.
    617   * You can learn everything about building aos using the Tor Browser Bundle.
    618   * If you are building aos from source, the build scripts will execute a specific set of apt-get commands, and your internet service provider could notice that you are building aos from source.
    619    * If you understand the build scripts, you can also build aos manually by applying the commands yourself (or edit the script).
    620     * aos-Gateway script: don't execute most of the apt-get commands.
    621     * aos-Workstation script: choose -custom and check that the remaining essential modules do not issue suspicious network connections. For example, the config_torbrowser module would download specific GPG public keys from the keyserver and execute specific wget commands.
    622 
    623 == Using a Proxy ==
    624 Impossible! (The connection between you and your proxy is unencrypted. That goes for all proxies: http, https, socks4, socks4a, socks5.) Your ISP could still see that you are connecting to the Tor network.
    625 
    626 == Using SSH or VPN ==
    627 WARNING: some of this may be outdated. By default all traffic of the aos-Gateway is routed through Tor! You need to route all of that through SSH/VPN.
    628 
    629 See the warnings above first. Tunnel all Tor related traffic through a [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelTorthroughVPNVPN-Tor VPN] or [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelTorthroughSSHSSH-Tor SSH] server first; this will hide the fact that you use Tor from your ISP. If the server is outside a national firewall, this is also a way to circumvent Tor censorship.
    630 
    631 If you do not trust any SSH or VPN providers, then anonymously host your own in a safe place.
    632 
    633 == Using private and obfuscated bridges ==
    634 See the warnings above first. Set up Tor to use [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/bridges#Usingobfuscatedbridges private and obfuscated bridges]. This makes it harder for ISPs and national firewalls to detect and block Tor, but it does not prevent a dedicated adversary from finding out that you are using Tor (research is ongoing, see obfsproxy).
    635 
    636 = aos on Bare Metal =
    637 Using hardware instead of virtual machines. More secure. See [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/BareMetalHints Bare Metal Hints].
    638 
    639 = Leak Testing =
    640 #OptionalFeatureNr.6# Leak Testing, see [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/LeakTests aos/LeakTests].
    641 
    642 = Anonymous 3G modem =
    643 Improves anonymity. See [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/BareMetalHints#anonymous3Gmodem anonymous 3G modem].
    644 
    645 = Anonymous wifi adapter =
    646 Improves anonymity. See [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/BareMetalHints#anonymouswifiadapter anonymous wifi adapter].
    647 
    648 = Other Anonymizing Networks =
    649 It's possible to use other anonymizing networks together with aos, either in addition (tunneled through Tor) or as a replacement for Tor. See [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OtherAnonymizingNetworks Other Anonymizing Networks].
    650 
    651 = Tunneling UDP over Tor =
    652 The Tor software does not support UDP itself yet. aos provides a limited workaround for using UDP anyway, in the most secure manner possible.
    653 
    654 Moved to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations/TunnelingUDPoverTor aos/OptionalConfigurations/TunnelingUDPoverTor].
    655 
    656 = Secondary DNS resolver =
    657 Normally Tor is used for DNS resolution. If you suspect a Tor exit node of tampering with DNS, you can get a second opinion from another, non-Tor DNS server.
    658 
    659 You shouldn't use DNS resolvers other than Tor for an extended amount of time. Although it's technically possible to replace DNS resolution completely (not using Tor for DNS resolution anymore), that is not recommended: it would give too much power to a single DNS server. Using a permanent DNS server is no more recommended than using a permanent Tor exit node.
    660 
    661 Note that even if you set everything up correctly, it might happen that this won't work. Sometimes Tor or the DNS server causes a timeout. This gets even worse when you additionally tunnel the DNS request (for example: Tor -> JonDonym -> DNS server).
    662 
    663 == DNSCrypt by OpenDNS ==
    664 Although the official [https://www.opendns.com/technology/dnscrypt/ DNSCrypt website] states that a Linux version does not exist, this [http://www.webupd8.org/2012/02/encrypt-dns-traffic-in-linux-with.html blog post] suggests there is one.
    665 
    666 This has nothing to do with [https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions DNSSEC]; the differences between DNSSEC and DNSCrypt are well explained on the [https://www.opendns.com/technology/dnscrypt/ DNSCrypt website].
    667 
    668 These instructions completely replace Tor's DNS resolver with OpenDNS's dnscrypt for all users and the whole system. Not recommended for an extended amount of time, see the warning above. Some hints are included on how to do it only for a specific user account.
    669 
    670 1. Download the [https://github.com/opendns/dnscrypt-proxy/downloads dnscrypt source code] and unpack it. You have to compile it: get into the dnscrypt directory ('cd dnscrypt-proxy-...'), configure ('./configure') and build ('make').
    671 
    672 2. Start dnscrypt-proxy. ^1^ ^2^ ^3^ ^4^ ^5^ ^6^
    673 {{{
    674 sudo dnscrypt-proxy --tcp-only
    675 }}}
    676 ^1^ '--tcp-only' is required since Tor does not support UDP. A UDP DNS request will immediately get a truncated reply, and an RFC-compliant resolver should repeat the same query via TCP in this case. This is the case for Ubuntu's default DNS resolver. You can get some more information on UDP/TCP/DNS on the unrelated [http://darkk.net.ru/redsocks/ redsocks] website. [[BR]]
    677 ^2^ To start it later in background (after debugging) add '--daemonize'. [[BR]]
    678 ^3^ '--help' to see all options. [[BR]]
    679 ^4^ Start up takes a few seconds ("[INFO] Generating a new key pair"); this is normal, wait. Until it's done, DNS will not work. [[BR]]
    680 ^5^ '--user=username' can and should be used to start the dnscrypt-proxy under a specific user account. [[BR]]
    681 ^6^ Since these instructions completely replace Tor's DNS resolver with OpenDNS's dnscrypt for all users and the whole system, you could add '--local-port=5800' to let dnscrypt-proxy listen on port 5800. You would then be able to add iptables rules to redirect only the DNS requests of a specific user account to OpenDNS's dnscrypt; you can get some hints on how to do that in the 'httpsdnsd by JonDos' chapter below, which is a very similar setup. [[BR]]
    682 
    683 3. Edit your resolv.conf ('nano /etc/resolv.conf'), comment out everything and add 'nameserver 127.0.0.1'.
    684 
    685 4. Check that it's working; there are several [https://www.opendns.com/support/article/64 test pages] on opendns.com.
    686 
    687 5. To shut it down you can use 'sudo killall dnscrypt-proxy' and don't forget to revert the changes in /etc/resolv.conf.
    688 
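Footnote ^1^ above describes the mechanism that makes '--tcp-only' workable: the stub resolver sends a UDP query, receives a reply with the TC (truncated) bit set and no answers, and retries the identical query over TCP. The following Python code is an added example (not from the page, from dnscrypt-proxy or from any real resolver); it builds a minimal DNS query, shows how a client decides from the header flags whether to fall back to TCP, and adds the two-byte length prefix DNS over TCP requires. The truncated reply is constructed in the code itself so everything runs offline; the function names are the example's own.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000  # 1 = reply, 0 = query
FLAG_TC = 0x0200  # truncated: the reply did not fit, client should retry over TCP
FLAG_RD = 0x0100  # recursion desired

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """A minimal recursive query for `name` (one question, no other records)."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def is_truncated(message: bytes) -> bool:
    """True when the TC bit is set in a DNS message header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack(">H", message[2:4])[0]
    return bool(flags & FLAG_TC)


def next_transport(query: bytes, udp_reply: bytes) -> str:
    """Decide what an RFC-compliant stub resolver does with the UDP reply it received.

    The reply must belong to our query (same transaction id) and be a reply; if it
    is truncated we resend the identical query over TCP, otherwise UDP is done."""
    if udp_reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch: reply is not for this query")
    flags = struct.unpack(">H", udp_reply[2:4])[0]
    if not flags & FLAG_QR:
        raise ValueError("not a reply")
    return "tcp" if is_truncated(udp_reply) else "udp"


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(message)) + message


def constructed_truncated_reply(query: bytes) -> bytes:
    """Constructed sample reply of the kind footnote ^1^ describes: the question is
    echoed back with QR, RD and TC set and no answer records at all."""
    txid = query[:2]
    flags = struct.pack(">H", FLAG_QR | FLAG_RD | FLAG_TC)
    counts = struct.pack(">HHHH", 1, 0, 0, 0)  # QDCOUNT=1, everything else 0
    return txid + flags + counts + query[12:]


if __name__ == "__main__":
    q = build_query("check.torproject.org")
    reply = constructed_truncated_reply(q)
    print("first UDP reply truncated:", is_truncated(reply))
    print("retry over:", next_transport(q, reply))
    print("TCP-framed query:", tcp_frame(q).hex())
```

A resolver that ignores the TC bit (or one that has been told to use UDP only) will simply fail under this setup, which is why the footnote points out that Ubuntu's default resolver does the retry correctly.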
    689 == httpsdnsd by JonDos ==
    690 Source: [https://anonymous-proxy-servers.net/en/help/transocks.html anonymous-proxy-servers.net]; you can also use it as a more verbose tutorial, but keep in mind that their tutorial is JonDonym specific, while this tutorial is Tor specific.
    691 
    692 Everything below happens inside your aos-Workstation.
    693 
    694 === Installation ===
    695 Install dependencies.
    696 {{{
    697 sudo apt-get install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl
    698 }}}
    699 
    700 Download httpsdnsd. (See the source above in case the download link has changed.)
    701 {{{
    702 wget https://anonymous-proxy-servers.net/downloads/httpsdnsd.tar.bz2
    703 }}}
    704 
    705 Unpack.
    706 {{{
    707 tar xjf httpsdnsd.tar.bz2
    708 }}}
    709 
    710 Go into the httpsdnsd folder.
    711 {{{
    712 cd httpsdnsd
    713 }}}
    714 
    715 Install httpsdnsd. ^1^
    716  ,, ^1^ (It also contains an uninstall.sh, if you want to uninstall it later.)
    717 
    718 {{{
    719 sudo ./install.sh
    720 }}}
    721 
    722 Add a new user for httpsdnsd.
    723 {{{
    724 sudo adduser --system --disabled-password --group httpsdns_daemon
    725 }}}
    726 
    727 Editing /etc/resolv.conf is not required. (You could still comment out everything in it, as a measure against DNS leaks.)
    728 
    729 Create a firewall script.
    730 {{{
    731 nano dns-fw.sh
    732 }}}
    733 
    734 Insert these firewall rules. Note that the first three commands flush all existing iptables rules on the aos-Workstation, including any you added under 'Even more restrictive firewall rules' below.
    735 {{{
    736 # Flush old rules
    737 iptables -F
    738 iptables -t nat -F
    739 iptables -X
    740 
    741 # Redirect DNS traffic of anonuser to httpsdnsd.
    742 iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 53 -j REDIRECT --to-ports 4053
    743 
    744 # Accept connections to httpsdnsd.
    745 iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 4053 -j ACCEPT
    746 
    747 # Reject all other traffic for anonuser.
    748 iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT
    749 }}}
    750 
    751 Install Privoxy. ^1^ [[BR]]
    752  ,, ^1^ [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations?version=95#httpsdnsdbyJonDos Wiki Version 95] of this site contains a working example using Polipo. Changed later to Privoxy, because Privoxy can be useful for other tasks as well. (Incoming: TransPort, http proxy; forwarding: http and socks.)
    753 
    754 {{{
    755 sudo apt-get install privoxy
    756 }}}
    757 
    758 Open the privoxy configuration file.
    759 {{{
    760 nano /etc/privoxy/config
    761 }}}
    762 
    763 Add the following to your privoxy configuration file. Note [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing Identity correlation through circuit sharing] and change the port from 9100 to something else.
    764 {{{
    765 # Theoretically you can tunnel through any
    766 # http or socks proxy. Local or remote proxy.
    767 # Inside aos-Workstation, due to design,
    768 # everything will be tunneled through Tor first.
    769 
    770 # Using Tor's socks5 proxy, running on aos-Gateway.
    771 # Change the port, see above...
    772 forward-socks5 / 192.168.0.1:9100 .
    773 
    774 # Another example using a http proxy.
    775 # (In this case, JonDo running on localhost.)
    776 # forward / 127.0.0.1:4001
    777 }}}
    778 
    779 Restart privoxy to enable the changes.
    780 {{{
    781 sudo /etc/init.d/privoxy restart
    782 }}}
    783 
    784 Privoxy is now listening on 127.0.0.1:8118. ^2^ [[BR]]
    785  ,, ^2^ For debugging you can enter this IP/port into Tor Browser as http proxy and try if you can still reach check.torproject.org. Deactivate after testing.
    786 
    787 === Starting ===
    788 Run httpsdnsd. ^1^ ^2^ ^3^ ^4^ [[BR]]
    789  ,, ^1^ For debugging, kill httpsdnsd and run it again without --runasdaemon. [[BR]]
    790  ,, ^2^ Run 'httpsdnsd --help' or 'man httpsdnsd' for help. [[BR]]
    791  ,, ^3^ httpsdnsd will by default listen on localhost port 4053 for DNS queries. [[BR]]
    792  ,, ^4^ --https_proxy_port=8118 sends its traffic to port 8118, where Privoxy is listening. This is necessary because Tor offers a socks proxy while httpsdnsd requires an http proxy; Privoxy translates from http to socks. [[BR]]
    793 
    794 {{{
    795 sudo httpsdnsd --https_proxy_port=8118 --runasdaemon
    796 }}}
    797 
    798 Activate the firewall. It shouldn't show any errors.
    799 {{{
    800 sudo sh ./dns-fw.sh
    801 }}}
    802 
    803 === Using ===
    804 Open a console and switch to anonuser.
    805 {{{
    806 su anonuser
    807 }}}
    808 
    809 Resolve DNS.
    810 {{{
    811 nslookup check.torproject.org
    812 }}}
    813 
    814 = OnionCat =
    815 Untested. Not done yet. In development. Please leave feedback if it worked for you.
    816 
    817 Introduction to OnionCat: [[BR]]
    818 [https://trac.torproject.org/projects/tor/wiki/doc/OnionCat torproject wiki about OnionCat] [[BR]]
    819 [http://www.cypherpunk.at/onioncat cypherpunk.at/onioncat] [[BR]]
    820 [https://cryptoanarchy.org/w/index.php?title=OnionCat& cryptoanarchy.org about OnionCat] [[BR]]
    821 
    822 OnionCat (Tor) might work with aos. GarliCat (i2p) might partially work with aos.
    823 
    824 General debugging hints: there are multiple sources of issues you might stumble upon. Therefore it's recommended, before you try using OnionCat with aos, to first test OnionCat successfully without aos. Once that works, you have eliminated one source of possible issues (OnionCat) and can start learning how to use it with aos (which might introduce new issues, but enhanced security will be your reward). You also have to learn first how to use hidden services with aos; see [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#Hostinghiddenservices aos/OptionalConfigurations#Hostinghiddenservices] for reference.
    825 
    826 == Over Tor ==
    827 As long as you want to use OnionCat over Tor, it may work.
    828 
    829 IPv6 is currently disabled on the aos-Gateway, because Tor doesn't support IPv6 yet and we didn't see a need for it. We also have no IPv6 firewall for the aos-Gateway yet, because IPv6 is disabled there. Anyway, that will probably be no issue. IPv6 on the aos-Workstation, where OnionCat will be running, is enabled. Since only OnionCat's underlying operating system requires IPv6, but not the Tor process, there will probably be no problem: OnionCat on the aos-Workstation will probably translate the IPv6 requests to IPv4 for the Tor process running on the aos-Gateway. Therefore probably no IPv6 on the aos-Gateway is required.
    830 
    831 The instructions on [https://cryptoanarchy.org/w/index.php?title=OnionCat& cryptoanarchy.org] look very promising. To use them with aos, minor modifications are required. Follow the instructions on [https://cryptoanarchy.org/w/index.php?title=OnionCat& cryptoanarchy.org], but execute each step on the right machine, either the aos-Gateway or the aos-Workstation.
    832 
    833 0. Install ocat <-- on aos-Workstation
    834 
    835 1. Create a hidden service <-- on aos-Gateway
    836 
    837 2. Create the directory /etc/tor/ocat <-- on aos-Gateway
    838 
    839 3. Find the hostname of your hidden service <-- on aos-Gateway [[BR]]
    840 Also see [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#Hostinghiddenservices aos/OptionalConfigurations#Hostinghiddenservices] for reference. Debugging: it's recommended to test first whether your hidden service is reachable (for example, test with a hidden web server) before you proceed with OnionCat.
    841 
    842 4. Start ocat <-- on aos-Workstation
    843 
    844 5. Final notes. <-- on aos-Workstation
    845 
    846 == Over i2p ==
    847 GarliCat over i2p might only work if you use [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OtherAnonymizingNetworks#Installingi2pinsideaos-Workstation i2p over Tor].
    848 
    849 There was the idea to create an [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OtherAnonymizingNetworks#Installingi2ponaos-Gatewayi2pBOX i2pBOX], but it never came to life due to lack of community interest, which means GarliCat directly over i2p will not be supported by aos.
    850 
    851 As soon as i2p over Tor is working, you can probably follow the instructions on [https://cryptoanarchy.org/w/index.php?title=OnionCat& cryptoanarchy.org] without modifications.
    852 
    853 = Mozilla Thunderbird with TorBirdy =
    854 Experimental! Potentially unsafe, since both [https://github.com/downloads/ioerror/torbirdy TorBirdy] and TorBirdy's integration into aos are still experimental! If you want to try it anyway, keep on reading...
    855 
    856 Unfinished!
    857 
    858 Everything below is done on your aos-Workstation.
    859 
    860 2. Install Mozilla Thunderbird and privoxy.
    861 {{{
    862 sudo apt-get install thunderbird privoxy
    863 }}}
    864 
    865 3. Open /etc/privoxy/config
    866 {{{
    867 sudo nano /etc/privoxy/config
    868 }}}
    869 
    870 4. Save the following content.
    871 {{{
    872 # Generally, this file goes in /etc/privoxy/config
    873 #
    874 # Tor listens as a SOCKS4a proxy here:
    875 forward-socks4a / 192.168.0.1:9112 .
    876 forward-socks5  / 192.168.0.1:9112 .
    877 forward-socks5  .onion                  192.168.0.1:9112 .
    878 confdir /etc/privoxy
    879 logdir /var/log/privoxy
    880 #actionsfile standard         # Internal purpose, recommended
    881 #actionsfile default.action   # Main actions file
    882 #actionsfile user.action      # User customizations
    883 #filterfile default.filter
    884 
    885 # Don't log interesting things, only startup messages, warnings and errors
    886 logfile logfile
    887 #jarfile jarfile
    888 #debug   0   # show each GET/POST/CONNECT request
    889 debug   4096 # Startup banner and warnings
    890 debug   8192 # Errors - *we highly recommended enabling this*
    891 
    892 listen-address  127.0.0.1:8118
    893 toggle  1
    894 enable-remote-toggle 0
    895 enable-edit-actions 0
    896 enable-remote-http-toggle 0
    897 buffer-limit 4096
    898 
    899 forwarded-connect-retries               2
    900 accept-intercepted-requests             0
    901 
    902 keep-alive-timeout                      5
    903 socket-timeout                          300
    904 }}}
    905 
    906 ,, Source: [https://lists.torproject.org/pipermail/tor-talk/2012-July/024782.html tor-talk TorBirdy 0.0.10 released - testing and feedback requested!] (modified by proper for aos).
    907 
    908 5. Restart privoxy.
    909 {{{
    910 sudo service privoxy restart
    911 }}}
    912 
    913 6. Go to Tools -> Addons -> Plugins -> deactivate all.
    914 
    915 7. Go to Tools -> Addons -> Addons -> deactivate all.
    916 
    917 8. Download the most recent .xpi of [https://github.com/ioerror/torbirdy/downloads TorBirdy] from github.
    918 
    919 9. Also download the corresponding signature.
    920 
    921 10. Get Jacob Appelbaum's GPG key. (Bug: #6382)
    922 
    923 11. Verify with GPG. Example follows; you should use the most recent version.
    924 {{{
    925 gpg --verify torbirdy-0.0.10.xpi.asc torbirdy-0.0.10.xpi
    926 }}}
    927 
    928 The output must contain "Good signature".
    929 
    930 12. Go to Mozilla Thunderbird -> Tools -> Addons -> Install Add-on from file (button in the upper right) -> choose torbirdy.xpi.
    931 
    932 13. Go to Mozilla Thunderbird -> View -> Preferences -> Config Editor and change the following values:
    933 {{{
    934 network.proxy.socks 192.168.0.1
    935 network.proxy.socks_port 9102
    936 }}}
    937 
    938 = VirtualBox Guest Additions =
    939 == Introduction ==
    940 Written and tested with aos 0.2.1 (Ubuntu precise). Many things can go wrong, and few if any of them will be caused by aos. This has only limited support from the aos developers, because 1. it's not recommended, for security reasons, and 2. the guest additions related bugs and instructions are somewhat out of the scope of the aos project.
    941 
    942 Installation is somewhat difficult and no packages exist. Just search the internet and you'll see that loads of people have issues installing the VirtualBox guest additions, and have had for years. VMware is no alternative; people also have trouble installing the VMware tools into Linux guests. The situation with the guest additions is ridiculous: for years no solution has been found. With each kernel update, recompilation is required, and quite often, due to some update, compilation becomes difficult or impossible for a long time.
    943 
    944 Also see the article [http://www.phoronix.com/scan.php?page=news_item&px=OTk5Mw The VirtualBox Kernel Driver Is Tainted Crap].
    945 
    946 If you are having trouble, then in most cases it is not because of aos. The aos setup is a regular Ubuntu Linux inside VirtualBox. You can try asking the regular VirtualBox and Ubuntu resources if you have trouble.
    947 
    948 == Installing VirtualBox Guest Additions ==
    949 '''Warning: Not recommended!''' Weakens security as per [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening aos/SecurityAndHardening].
    950 
    951 On the host:
    952 {{{
    953 sudo apt-get install virtualbox-guest-additions-iso
    954 }}}
    955 
    956 Inside aos-Workstation:
    957 
    958 Execute the following commands. They can take a very long time, due to the Ubuntu upstream bug [https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/947664 Unpacking linux-headers unbelievably slow in Lubuntu Precise (Beta 1)] (affects Ubuntu precise final as well).
    959 {{{
    960 sudo apt-get update
    961 sudo apt-get dist-upgrade
    962 sudo apt-get install dkms build-essential linux-headers-generic linux-headers-generic-pae
    963 }}}
    964 
    965 Insert the guest additions iso by clicking on the VM -> devices -> install guest additions.
    966 
    967 {{{
    968 sudo mkdir -p /mnt/sr0
    969 sudo mount /dev/sr0 /mnt/sr0
    970 sudo sh /mnt/sr0/VBoxLinuxAdditions.run
    971 }}}
    972 
    973 Or start autorun.sh (not from a console, strange bug!).
    974 
    975 Remove the CD from the virtual drive (use 'Force Unmount' if VirtualBox complains).
    976 
    977 Reboot. Done.
    978 
    979 == Shared Folder ==
    980 If you want to use the shared folder, read ahead... Go to VirtualBox -> Machine -> Settings -> Shared Folders -> choose a folder -> use folder name "share". Choose mount automatically and create permanently. Press OK. Use the following commands to mount the folder.
    981 
    982 {{{
    983 sudo mkdir /mnt/share
    984 sudo chmod 777 /mnt/share
    985 sudo mount -t vboxsf -o uid=1000,gid=1000 share /mnt/share
    986 }}}
    987 
    988 If you run into a ''Protocol Error'', try using a different name: do not use ''share'', use something else, anything.
    989 
    990 After a reboot, you have to repeat the mount command. If you want to mount the folder automatically, have a look at the [https://help.ubuntu.com/community/VirtualBox/SharedFolders source] of that information.
    991 
    992 = Even more restrictive firewall rules =
    993 #OptionalFeatureNr.3# is explained under [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#aos-Workstationisfirewalled aos-Workstation is firewalled].
    994 
    995 = Using bridges =
    996 Read and understand what a [https://www.torproject.org/docs/bridges bridge] and what an [https://lists.torproject.org/pipermail/tor-talk/2012-February/023070.html obfuscated bridge] is. Also read [https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#bridgevsnon-bridgeusersanonymity bridge vs non-bridge users anonymity]!
    997 
    998 Read the comments in the [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/TGScript aos-Gateway] script.
    999 
    1000 = Isolate streams by destination port and/or destination address =
    1001 #OptionalFeatureNr.1# in the [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/TGScript aos-Gateway script] allows you to isolate streams either by destination port or by destination address. Making use of the feature requires some deeper understanding of applications and protocols. Examples:
    1002 
    1003 Isolate by destination address:
    1004  * Let's assume SSH goes over port 22 and you want to connect to different SSH servers without an observer being able to correlate that activity to the same pseudonym. If the SSH servers run on different IPs, isolating by destination address might help.
    1005 
    1006 Isolate by destination port:
    1007  * This doesn't seem to be useful for anything in aos; applications using different protocols (and therefore different ports) are already isolated by using different SocksPorts.
    1008 
    1009 Isolating by destination port doesn't really achieve anything for web browsing: [https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html tor-talk Tor's stream isolation features defaults].
    1010 
    1011 If you want to do this, you have to comment the feature in and set up your applications on aos-Workstation to use that SocksPort. In torrc you can even combine IsolateDestPort and IsolateDestAddr on one line, if that makes sense in your threat model.
    1012 
    1013 Instead of activating this feature, you could also add those isolation flags to one of the other Trans-, Dns-, or SocksPorts.
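The following torrc fragment is an added example for the SSH case described above; it is not part of the aos-Gateway script. The gateway address 192.168.0.10 and the ports 9150 and 9151 are assumptions and must be adapted to your setup.

```torrc
## Added example, not from the aos-Gateway script.
## Assumed: aos-Gateway listens on 192.168.0.10, ports 9150/9151 are unused.
## The existing per-application SocksPorts keep their defaults and are not shown.

## Extra SocksPort for SSH. IsolateDestAddr means streams to different
## destination addresses never share a circuit, so sessions to two SSH servers
## on different IPs leave Tor through different exits and are not linkable
## by a single exit operator. Point the SSH client on aos-Workstation at
## 192.168.0.10:9150 (for example via a ProxyCommand) instead of the default port.
SocksPort 192.168.0.10:9150 IsolateDestAddr

## Both flags on one port. Only useful when the same host is contacted on
## several ports and those connections should not share a circuit either;
## for plain SSH on port 22 this adds nothing over the port above.
SocksPort 192.168.0.10:9151 IsolateDestAddr IsolateDestPort
```

Tor's default isolation (by client address and by SOCKS credentials) stays in effect on both ports; the flags above only add further splitting.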
    1014 
    1015 For more information refer to the Tor manual.
    1016 {{{
    1017 # https://www.torproject.org/docs/tor-manual.html.en Tor stable manual.
    1018 # https://www.torproject.org/docs/tor-manual-dev.html.en Tor alpha manual.
    1019 }}}
    1020 
    1021 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing Identity correlation through circuit sharing]
    1022 
    1023 = Grow Virtual Harddisk =
    1024 In case you need more disk space on your virtual harddisk: the good news is that you are still a VirtualBox user. aos is nothing special; it's just another VM image. Any suggestions you find about VirtualBox will also work for aos.
    1025 
    1026 This is somewhat difficult: there is no easy upstream solution such as a GUI, and there is also no better (free, Open Source) virtualizer with this feature. However, you do not need to be a genius. If you build aos from source this is easier, since we create vdi images by default and those are easier to grow. If you are using the download version it's a bit more difficult: you have a vmdk disk, because that is what the ova standard (exported virtual appliances) uses.
    1027 
    1028 Unfortunately ''vboxmanage modifyhd <uuid|filename> --resize <size in mb>'' does not support vmdk images yet. (Perhaps that changes or has changed at your time of reading.)
    1029 
    1030 First of all make a clone of your existing virtual machine in case something goes wrong.
    1031 
    1032 Find the folder of your virtual hdd.
    1033 {{{
    1034 VBoxManage list hdds
    1035 }}}
    1036 Go into that folder.
    1037 
    1038 Convert from vmdk to vdi.
    1039 {{{
    1040 VBoxManage clonehd "TorBOX-Workstation-disk1.vmdk" --format vdi "TorBOX-Workstation-disk1.vdi"
    1041 }}}
    1042 
    1043 Grow the disk.
    1044 {{{
    1045 VBoxManage modifyhd "TorBOX-Workstation-disk1.vdi" --resize 30000
    1046 }}}
    1047 
    1048 Go to Virtual Box VM settings, remove the old .vmdk, add the new .vdi.
    1049 
    1050 Boot up and check that it still works. So far we have only grown the virtual disk; we haven't changed the filesystem. Power off again.
    1051 
    1052 You have to boot from a boot CD and use a tool such as gparted to grow the filesystem.
     5https://sourceforge.net/p/whonix/wiki/OptionalConfigurations/