wiki:doc/TorBOX

Version 1 (modified by hmoh, 2 years ago)


This guide explains how to set up an isolated environment that can reach the internet only through Tor, acting as a transparent proxy: TorBOX.

Advantages of TorBOX (if correctly configured):

  • Applications that do not support proxy settings will work, most of them but not all; those that depend on UDP or on server ports will still not function.
  • all applications have to use Tor
  • no application can connect without Tor (use Tor or do not use external internet connections at all)
  • no proxy settings necessary anymore
  • no DNS leaks possible
  • no IP leaks possible: the TorBOX host operating system cannot determine the real external IP, so no application can use tricks to find out the real external IP and therefore cannot leak it
  • even Java / Flash / browser plugins (all still not recommended, as they decrease anonymity and often have security vulnerabilities) cannot leak your real external IP
  • uses only Free Software (your choice whether you use Windows or Linux inside the TorBOX)
  • You can combine Tor with an additional proxy (to evade Tor bans), like you -> Tor -> additional proxy. Note: this is not recommended by the Tor developers as it decreases anonymity.
  • Tor+Vidalia and Tor Browser are not running inside the same machine
  • Limited protection against side channel attacks: a compromised TorBOX still cannot leak the IP as long as the network, the gateway server or the virtual machine does not get hacked as well.

Disadvantages of TorBOX

  • obviously more difficult to set up compared to the regular Tor Browser Bundle
  • needs virtual machines or spare hardware

introduction

I developed this guide with Windows 7 SP1 64 bit as host; it will probably work with many other host operating systems. Further, I used VMware Workstation 8 as virtualizer (not exactly an emulator). Likewise, it might work (untested) with different virtualizers or emulators, or even on bare metal (if you use spare hardware). So basic knowledge of VMware and virtual machines (called VM from now on) will be needed, as well as some basic Linux knowledge.

NO responsibility for any leaks. I have done my best to compile this guide, but I am not a programmer, network expert, Tor expert, lawyer or whatsoever, just a Tor user who has extensively used Google. Be careful, use your brain, trust no one but yourself.

This is an advanced topic. There are many places where mistakes or bugs are possible. Therefore we will set up the TorBOX step by step. As the initial step we set up our own gateway server, which forwards connections to the clear internet for us; no Tor is used yet. This is only for testing purposes, because many things can go wrong up to this point. As soon as this works you may move on to step two, setting the TorBOX up to use only Tor for outgoing connections.

status of TorBOX

working and tested:

  • DNS
  • http
  • https
  • .onion

not ok:

  • still needs leak testing

start

Create and install two VMs. VM-1 was Windows XP SP3, which I used for anonymous surfing (many other operating systems might work).

Inside VM-2 install Ubuntu Server 11.10. After booting the installer CD, press F4 at the menu after the language selection and choose 'install minimal virtual machine' (it was called JeOS in the past, a minimal virtual machine); that way no unnecessary services will be installed and 128 MB RAM are sufficient.

(Technical note: other Linux flavors might also work, such as Debian stable, Debian testing or whatsoever. I have not considered whether it would be possible to create a Windows gateway server, and I have no clue about BSD and all the others.)

Go to VMware Workstation -> Edit -> Virtual Network Editor -> click on NAT (in my case it was VMnet8) -> click on NAT Settings -> write down the VMware Gateway IP; in my case it was 192.168.161.2 (Gateway IP).

setting up VM-1

For the installation of VM-1 there is only a little to say besides the normal Tor safety advice, which of course applies here as well.

  • Connect the virtual network adapter to custom, this is important! No host-only, no NAT, no bridging! I used VMnet9 as it wasn't used by anything else.
  • Test that you can NOT connect to any websites or ping any websites, to ensure this VM is isolated from the clear internet.

I haven't tested Linux but it will probably work similarly. There are loads of video instructions available. The important part is to set up a fixed IP for the virtual LAN network card and to use the same subnet as VM-2 on VMnet9. In this case IP 192.168.0.2, subnet 255.255.252.0 and gateway 192.168.0.1 have worked. You do not need to set up a DNS server.

setting up VM-2

gateway server with direct (non-Tor!) internet connection as a preliminary exercise

There is more to do for VM-2. Add three virtual network cards before you install.

  • first one (will be called eth0 in linux): NAT
  • second one (will be eth1 in linux): Custom VMnet9 (No host-only, no NAT, no bridging!).

Install the rest as you wish. I did not install VMware Tools, as I did not miss them without a graphical user interface; I do not know whether they make a difference for networking. Maybe you want to bother installing them anyway, although it is a little complicated. Please don't ask me about VMware Tools or open-vm-tools, because that's a whole different construction site; use Google.

If you use Ubuntu Desktop be sure to do

sudo apt-get remove --purge network-manager network-manager-gnome

to get rid of the network manager, as it will interfere with our advanced network setup. Maybe you are a genius and can use it; for me it was easier with the text configuration files.

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# nat internet device
auto eth0
iface eth0 inet static
address 192.168.161.128
netmask 255.255.255.0
gateway 192.168.161.2

# vmnet9
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.252.0

Now test your network.

  • test if clear internet connection is working
  • test if VM-1 and VM-2 can ping each other
  • test if host and VM-2 can ping each other

'nano /etc/sysctl.conf' and insert

net.ipv4.ip_forward=1

now run

# to activate net.ipv4.ip_forward instantly without reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
# alternatively, reload all settings from /etc/sysctl.conf without reboot
sysctl -p
# if you want to further test the setup after a reboot you MUST apply this iptables rule again, as it will not be stored permanently
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Troubleshooting until here:

  • Have you forgotten the iptables command? (look few lines above)
  • Always test at first if your host internet connection is working.
  • DNS inside VM-2 will not work yet, so you cannot visit google.com, but you can visit Google's IP. To find out Google's IP type 'nslookup google.com' on the host.
  • Ping to any internet IPs must work. (Before that is working there is no need to go further.)

convert VM-1 into TorBOX

After normal internet connections work, we now force VM-1 to use only Tor for all connections.

Install Tor; see the instructions here: https://www.torproject.org/docs/tor-doc-unix.html.en

# become root
sudo su
# create /etc/firewall.sh
nano /etc/firewall.sh
# change owner
chown root /etc/firewall.sh
# make executable
chmod 700 /etc/firewall.sh

/etc/firewall.sh

#!/bin/sh
# /etc/firewall.sh
echo "loading firewall..."

# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24 192.168.0.0/24"

# Tor's TransPort
TRANS_PORT="9040"

# VMnet9 interface
INT_IF="eth1"

iptables -F
iptables -t nat -F

for NET in $NON_TOR; do
 iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

# We could need a firewall rule to forbid any connection attempts from VM-1 through VM-2 to the host, for the case that VM-1 gets compromised and wants to attack the host; unfortunately I am not good with iptables.

# block outgoing Tor IPv6 traffic as Tor does not support IPv6 (not tested yet)
ip6tables -t filter -A OUTPUT -j DROP

# maybe block all incoming traffic (server ports) on eth0 (not done yet)

echo "firewall loaded"

Test if the firewall script does not show any errors.

/etc/firewall.sh
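The script above leaves two things open in its own comments (no rule keeping VM-1 away from the gateway and host, no blocking of server ports on eth0) and its rules are lost on reboot. The following added example, not part of the original guide, emits a fail-closed variant of the same rules in iptables-restore format so they can be saved and reloaded from pre-up, adds a FORWARD DROP policy and an INPUT policy that lets VM-1 reach only Tor's two ports, and includes a check that a ruleset (generated or from iptables-save) really forwards nothing. Interface names, ports and NON_TOR networks are the ones used in this guide; one consequence of FORWARD DROP is that NON_TOR destinations other than the gateway itself become unreachable.

```shell
#!/bin/sh
# Added example: emit a fail-closed TorBOX ruleset in iptables-restore format.
# Values are the ones used in this guide; adjust NON_TOR and INT_IF for your setup.
NON_TOR="192.168.1.0/24 192.168.0.0/24"
TRANS_PORT=9040
DNS_PORT=53
INT_IF=eth1
torbox_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # NON_TOR destinations are not redirected; with FORWARD set to DROP below only
    # the gateway itself (192.168.0.1) stays reachable without Tor
    for net in $NON_TOR; do
        echo "-A PREROUTING -i $INT_IF -d $net -j RETURN"
    done
    # DNS and every new TCP connection from VM-1 end up on Tor's DNSPort / TransPort
    echo "-A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
    echo "-A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
    echo 'COMMIT'
    echo '*filter'
    # FORWARD DROP: nothing is routed from eth1 to eth0, so non-DNS UDP, ICMP and any
    # other traffic Tor cannot carry is discarded instead of leaking via the NAT.
    # INPUT DROP: no server ports on eth0, and VM-1 reaches only the two Tor ports.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -i $INT_IF -p tcp --dport $TRANS_PORT -j ACCEPT"
    echo "-A INPUT -i $INT_IF -p udp --dport $DNS_PORT -j ACCEPT"
    echo 'COMMIT'
}
# Returns 0 only if the ruleset on stdin is fail-closed: FORWARD policy DROP with no
# ACCEPT rule, exactly one TCP and one DNS redirect. Works on iptables-save output too
# (iptables-save writes "--tcp-flags ... SYN" instead of "--syn", so match loosely).
check_rules() {
    awk '
        /^:FORWARD DROP/ { fwd_drop = 1 }
        /^-A FORWARD/ && /-j ACCEPT/ { fwd_accept = 1 }
        /^-A PREROUTING/ && /-p tcp/ && /-j REDIRECT/ { redir++ }
        /^-A PREROUTING/ && /-p udp/ && /--dport 53/ && /-j REDIRECT/ { dns++ }
        END { exit !(fwd_drop && !fwd_accept && redir == 1 && dns == 1) }'
}
# Usage as root: torbox_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
# Persist it with "pre-up iptables-restore < /etc/iptables.rules" in /etc/network/interfaces.
# Audit the live tables at any time with: iptables-save | check_rules && echo fail-closed
```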

To load the firewall (which forces all internet connections through Tor) BEFORE an online connection is established, run 'nano /etc/network/interfaces' again and expand this part.

auto eth0
iface eth0 inet dhcp
pre-up /etc/firewall.sh

To test that, type '/etc/init.d/networking restart' and you should see something like this.

root@vm:/# /etc/init.d/networking restart 
 * Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces
 * Reconfiguring network interfaces...                                                      
loading firewall...
firewall loaded.
[ OK ]
root@vm:/# 

Run 'nano /etc/tor/torrc'; I added the following at the top.

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.0.1
DNSPort 53
DNSListenAddress 192.168.0.1

restart Tor using

/etc/init.d/tor restart

miscellaneous

browser inside VM-1

No proxy settings are needed anymore. If you want to continue to use your browser, be sure to delete all your browser's private data, use private browsing, deactivate plugins and so on. Or, even better, use the official Tor Browser.

Tor Browser

To use the Tor Browser now without Tor/Vidalia (because you are now using a transparent proxy - TorBOX) see https://lists.torproject.org/pipermail/tor-talk/2011-December/022447.html

testing

DNS leak test

It is essential to be sure that no DNS is leaking.

poor man's DNS leak test

On VM-2 run 'nano /etc/resolv.conf' and comment out everything (put # before every line so everything is ignored).

#domain localdomain
#search localdomain
# the VMware gateway IP
#nameserver 192.168.161.2

As a result of this test, DNS requests in VM-1 should still work while DNS requests in VM-2 no longer work.

using tshark

apt-get install tshark
tshark -S -i eth0 -R dns

icmp leak test

tshark -S -i eth0 -R icmp

udp leak test

tshark -S -i eth0 -R udp
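The three captures above can be reduced to one automated check. This added example is not part of the original guide; it assumes the capture on VM-2 is taken with tshark's field output, i.e. `tshark -i eth0 -T fields -e ip.src -e ip.dst -e ip.proto -e udp.dstport -e tcp.dstport`, piped into the function, and the sample capture inside the block is constructed for illustration. After the conversion, everything leaving eth0 should be a TCP packet sent by Tor from VM-2's own NAT address (192.168.161.128 in this guide); any packet with a VM-1 source address, any DNS query, and any ICMP or other UDP on eth0 is a leak.

```shell
#!/bin/sh
# Added example: one-shot leak check over tshark field output captured on VM-2's eth0.
# Assumed capture command (run as root on VM-2; -T fields gives tab-separated lines):
#   tshark -i eth0 -T fields -e ip.src -e ip.dst -e ip.proto -e udp.dstport -e tcp.dstport
GATEWAY_IP=192.168.161.128   # VM-2's own address on the NAT side (from this guide)

# Reads capture lines on stdin, reports each suspicious packet on stderr and prints
# the number of leaks on stdout. Everything on eth0 must be TCP sent from GATEWAY_IP:
#  - another source address means a forwarded (un-NATed) packet from VM-1
#  - UDP port 53 on eth0 is a DNS leak (Tor resolves inside circuits, never via eth0)
#  - ICMP (proto 1) or other UDP (proto 17) cannot have travelled through Tor at all
leak_check() {
    awk -F '\t' -v gw="$GATEWAY_IP" '
        $1 == "" { next }                        # non-IP frames (ARP etc.)
        $3 == 17 && $4 == 67 { next }           # DHCP from the gateway itself is expected
        $1 != gw { print "FORWARDED: " $0 > "/dev/stderr"; n++; next }
        $3 == 17 && $4 == 53 { print "DNS LEAK: " $0 > "/dev/stderr"; n++; next }
        $3 == 1 { print "ICMP LEAK: " $0 > "/dev/stderr"; n++; next }
        $3 == 17 { print "UDP LEAK: " $0 > "/dev/stderr"; n++; next }
        END { print n + 0 }'
}

# Constructed sample capture (not real traffic): three Tor TCP packets from the gateway,
# then one forwarded VM-1 packet, one DNS query to the VMware gateway and one ping.
sample_capture() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        192.168.161.128 203.0.113.10 6 '' 443 \
        192.168.161.128 198.51.100.7 6 '' 9001 \
        192.168.161.128 203.0.113.10 6 '' 443 \
        192.168.0.2 203.0.113.10 6 '' 80 \
        192.168.161.128 192.168.161.2 17 53 '' \
        192.168.161.128 203.0.113.10 1 '' ''
}
# Live usage on VM-2 while browsing in VM-1 (stop with Ctrl-C, count is printed at the end):
#   tshark -i eth0 -T fields -e ip.src -e ip.dst -e ip.proto -e udp.dstport -e tcp.dstport | leak_check
```

A result of 0 after a few minutes of normal use in VM-1 is the outcome the 'still needs leak testing' item above is waiting for; anything else names the leaking packet.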

end

sources I learned from:

Thank you!