wiki:doc/TorVPN

ATTENTION!

This project has been abandoned. Reasons:

  • complicated network setup
  • not fully tested
  • no VPN server needed if you do it in your trusted (virtual) local area network
  • I have not researched if your pc -> VPN -> Tor is secure (timing attacks maybe). Even if so you would have to trust the VPN server completely. As I never planed to use a remote VPN server and as this setup can be made easier I have abandoned this project.
  • A transparent Tor gateway proxy (TorBOX) is more easy to setup

an alternative to this project is TorBOX https://trac.torproject.org/projects/tor/wiki/doc/TorBOX

I won't delete this page and leave it for reference as it might interest other people. If you want to use a remote VPN as TorVPN you just need minor changes (switch to open VPN, do the research I mentioned above.)

ATTENTION!

This guide will explain how you can setup a TorVPN server and client and how you can create an isolated environment which is able only to use Tor to access the internet.

Advantages of TorVPN (if correctly configured):

  • Applications which do not support proxy settings will work, most of them, not all. Those dependent on UDP or server ports will still not function.
  • all applications have to use Tor
  • no application can connect without Tor (use Tor or do not use external internet connections at all)
  • no proxy settings necessary anymore
  • no DNS leaks possible
  • no IP leaks possible, neither the VPN client's host operating system has no way to determine the real external IP. No applications can use tricks to find out the machines real external IP and therefore can't leak it.
  • even java / flash / browser plugins (all still not recommend as they decrease anonymity and often have security vulnerabilities) can not leak your real external IP
  • uses only Free Software (your choose if you use Windows or Linux as VPN client)
  • You can combine Tor with an additional proxy (to evade Tor bans), like you -> Tor -> additional proxy. Note: this is not recommend by the Tor developers as it decreases anonymity.
  • Tor+Vidalia and Tor Browser are not running inside same machine
  • Limited protection against side channel attacks, a compromised VPN client still can't leak IP as long as the network, VPN server or virtual machine also doesn't get hacked.

Disadvantages of TorVPN

  • obviously more difficult to set up then the regular Tor Browser Bundle
  • needs virtual machines or spare hardware

introduction

I developed this guide with Windows 7 SP1 64 bit as host, it will probable work with many other host operating systems. Further I used VMware Workstation 8 as virtualizer (not exactly emulator). Same here, it might work (untested) with different virtualizers or emulators or even with bare metal (if you use spare hardware). So basic knowledge of VMware and virtual machines (called VM from now on) will be needed. Also some basic linux knowledge is needed.

NO responsibility for any leaks. I done my best to compile that guide but I am not a programmer, network expert, tor expert, lawyer or whatsoever, just a Tor user who extensively used Google. Be careful, use your brain, trust no one but yourself.

This guide has zero connection with torvpn.com.

This is an advanced topic. There are many places where mistakes or bugs are possible. Therefore we will setup the selfmade TorVPN server step by step. As the initial step we setup our own VPN server which will forward connections to the clear internet for us, but not Tor will be used. It is only for testing purposes because many things can go wrong until here. As soon as this is working you may move to step two, to set the VPN server up to only use Tor for outgoing connections.

status of TorVPN

working and tested:

  • DNS
  • http
  • https
  • .onion

not ok:

  • still needs leak testing

start

Create and install two VMs. VM-1 was Windows XP SP3 which I used for anonymous surfing (many other operating systems with VPN support might work) and VM-2 with Ubuntu 11.10 (other linux flavours might also work such as Debian stable, Debian testing or whatsoever, not thought if it would be possible to create a Windows TorVPN server, no clue about BSD and all other).

go to VMware Workstation -> Edit -> Virtual Network Editor -> click on (in my case it was VMNet8) NAT -> click on NAT Settings -> write down the VMware Gateway IP -> in my case it was 192.168.161.2 (Gateway IP).

setting up VM-1

For the installation of VM-1 there is only a little to say beside from the normal Tor safety advice will apply here of course as well.

  • Connect the virtual network adapter to custom, this is important! No host-only, no NAT, no brideging! I used VMnet9 as it wasn't used by anything else.
  • test if you can NOT connect to any websites or ping any websites to ensure this VM is isolated from the clear internet

After VM-2 is up and running you need to connect the VPN. This approach is similar on most Windows-based operating systems. I haven't tested Linux but it will probable work similar. There are loads of video instructions available. Important part is to setup a fixed ip for the virtual lan network card and to use the same subnet like VM2- for VMnet9. In this case IP 192.168.0.2 and subnet 255.255.252.0 has worked. It wasn't needed to setup DNS. Username and password you will configure yourself in the next chapter in /etc/ppp/chap-secrets.

setting up VM-2

VPN server with direct non-tor internet connection as pre work exercise

Three is more to do is on for VM-2. Add three virtual network cards before you install.

  • first one (will be eth0): NAT
  • second one (will be eth1): host-only
  • third one (will be eth2): Custom VMnet9 (No host-only, no NAT, no bridging!).

Install the rest as you wish. I also installed the original VMware Tools, dunno if they make a difference for networking. Maybe you also want to bother installing them as it's a little complicated, please don't ask me about VMware Tools or open-vm-tools, because that's a whole different construction site, use Google.

If you use Ubuntu be sure to do sudo apt-get remove --purge network-manager network-manager-gnome to get ride of the network manager as it will interfere with our advanced network setup. Maybe you are genius and can use it, for me it was easier with the text configuration files.

/etc/network/interfaces

# loopback
auto lo
iface lo inet loopback

# nat
# we do not care if the internal lan ip will change
# this is to ensure that we can connect to the clear internet
# without connection to the clear internet we can of course not connect to tor
auto eth0
iface eth0 inet dhcp

# host only
# here we care about having a static IP as we will need that IP later
# for example if we want to SSH to the box from the host
auto eth1
iface eth1 inet static
address 192.168.161.180
netmask 255.255.254.0

# VMnet9
# this will be the private network between VM-1 and VM-2
# we also need a static IP here as this will be the IP which VM-1 will need,
# when calling the VPN
auto eth2
iface eth2 inet static
address 192.168.0.1
netmask 255.255.252.0

/etc/resolv.conf

domain localdomain
search localdomain
# the VMware gateway IP
nameserver 192.168.161.2

Something keeps rewriting /etc/resolv.conf. I think it's a VMware bug. To stop it use this.

chattr +i /etc/resolv.conf

Now test your network.

  • test if clear internet connection is working
  • test if VM-1 and VM-2 can ping each other
  • test if host and VM-2 can ping each other

Then install pptpd, this is the VPN server software. (Note: PPTP might not be the most secure choose but that does not matter if all your virtual machines (or real hardware) are inside a trusted lan. Because of the trusted lan we do not rely on the strength of the encryption. Reason to choose PPTP was that it seamed to be the most easy to set up VPN linux server and windows built in client. No learning and bothering with SSL certificates. If you want to install the VPN server on a remote location which will be accessed over the internet you should think about some more secure VPN sytem such as OpenVPN. In that case it would be also needed to research if your pc -> secure encrypted OpenVPN -> Tor on that OpenVPN server -> Tor would damage anonymity in any way, timing stuff and so on.)

sudo apt-get install pptpd

'nano /etc/pptpd.conf' and insert

localip 192.168.1.2
remoteip 192.168.1.10-20

'nano /etc/ppp/pptpd-options' and insert at the end of the file

# the VMware gateway IP
ms-dns 192.168.161.2
nobsdcomp
noipx
mtu 1490    

'nano /etc/ppp/chap-secrets' and insert

chooseusername pptpd choosepassword *

'nano /etc/sysctl.conf' and insert

net.ipv4.ip_forward=1

now run

# to activate net.ipv4.ip_forward instantly without rebooot
echo 1 > /proc/sys/net/ipv4/ip_forward
# to activate net.ipv4.ip_forward instantly without rebooot
sysctl -p
# if you want to further test the setup after reboot you MUST apply this iptables rules again as it will not be stored permanently
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# will be done after reboot automatically
sudo /etc/init.d/pptpd restart

Troubleshooting until here:

  • Have you forgotten the iptables command? (look few lines above)
  • Always test at first if your host internet connection is working.
  • Next test if VM-2 can ping, nslookup, direct connect to IP's and to browse the web. Before that is working there is no need to bother with the VPN.
  • Maybe everything works so far, but not DNS, try to direct connect to an IP, for example use a working network connection and to nslookup google.de or ping google.de and note that IP. Paste the IP in browser and see if it connects. If so, you know, that there is only a problem with DNS left.

convert VPN into TorVPN

After normal internet connections work we now force VM-2 to use only Tor for all connections.

# become root
sudo su
# create /etc/firewall.sh
nano /etc/firewall.sh
# change owner
chown root /etc/firewall.sh
# make executable
chmod 700 /etc/firewall.sh

/etc/firewall.sh

#!/bin/sh
# /etc/firewall.sh

# this is the part which is not ready yet...
# best bet might be to use https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy and
# to adjust 'Local Redirection and Anonymizing Middlebox' or 'Using firehol in linux' for TorVPN

echo "loading firewall..."

# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24 192.168.0.0/24"

# Tor's TransPort
TRANS_PORT="9040"

# your internal interface
INT_IF="ppp0"

iptables -F
iptables -t nat -F

for NET in $NON_TOR; do
 iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

# We could need a firewall rule to forbid any connection attempts form VM-1 through VM-2 to the host for the case VM-1 gets compromised and wants to attack the host, unfortunately I am not good with iptables.

# block outgoing Tor IPv6 traffic as Tor does not support IPv6 (not tested yet)
ip6tables -t filter -A OUTPUT -j DROP

# maybe block all incoming traffic (server ports) but VPN from VM-1 (not done yet)

echo "firewall loaded"

Test if the firewall script does not show any errors.

/etc/firewall.sh

To load the firewall (= he force to use Tor for all internet connections) BEFORE an online connection is established 'nano /etc/network/interfaces' again and expand this part.

auto eth0
iface eth0 inet dhcp
pre-up /etc/firewall.sh

To test that type '/etc/init.d/networking restart' and you should see something like that.

root@vm:/# /etc/init.d/networking restart 
 * Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces
 * Reconfiguring network interfaces...                                                      
loading firewall...
firewall loaded.
[ OK ]
root@vm:/# 

'nano /etc/ppp/pptpd-options' and change

#comment out ms-dns, delete IP
#ms-dns

install Tor, see instructions here https://www.torproject.org/docs/tor-doc-unix.html.en

'nano /etc/tor/torrc' I added at the top

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.1.2
DNSPort 53
DNSListenAddress 192.168.1.2

restart Tor using

/etc/init.d/tor restart

miscellaneous

browser inside VM-2

No proxy settings needed anymore.. If you want to continue to use your browser be sure to delete all your browsers private data, use private browsing, deactivate plugins and so on. Or even better use the official Tor Browser.

Tor Browser

To use the Tor Browser now without Tor/Vidalia (because you are now using a transparent TorVPN) see https://lists.torproject.org/pipermail/tor-talk/2011-December/022447.html

testing

DNS leak test

It is essential to be sure that no DNS is leaking.

poor man's DNS leak test

On VM-2 'nano /etc/resolv.conf' and out comment everything (# before every line so everything is ignored).

#domain localdomain
#search localdomain
# the VMware gateway IP
#nameserver 192.168.161.2

As a tests result the DNS requests in VM-1 should still work while the DNS requests in VM-2 do no longer work.

using tshark

apt-get install tshark
tshark -S -i eth0 -R dns

tcmp leak test

tshark -S -i eth0 -R tcmp

end

sources I learned from:

Thank you!

Last modified 6 years ago Last modified on Jan 11, 2012, 3:04:28 AM