[[TOC]]
ATTENTION!
... | ... | @@ -34,7 +34,7 @@ Disadvantages of TorVPN |
* obviously more difficult to set up then the regular Tor Browser Bundle
* needs virtual machines or spare hardware
== introduction ==
## introduction
I developed this guide with Windows 7 SP1 64 bit as host, it will probable work with many other host operating systems. Further I used VMware Workstation 8 as virtualizer (not exactly emulator). Same here, it might work (untested) with different virtualizers or emulators or even with bare metal (if you use spare hardware). So basic knowledge of VMware and virtual machines (called VM from now on) will be needed. Also some basic linux knowledge is needed.
... | ... | @@ -44,7 +44,7 @@ This guide has zero connection with torvpn.com. |
This is an advanced topic. There are many places where mistakes or bugs are possible. Therefore we will setup the selfmade TorVPN server step by step. As the initial step we setup our own VPN server which will forward connections to the clear internet for us, but not Tor will be used. It is only for testing purposes because many things can go wrong until here. As soon as this is working you may move to step two, to set the VPN server up to only use Tor for outgoing connections.
== status of TorVPN ==
## status of TorVPN
working and tested:
* DNS
... | ... | @@ -55,13 +55,13 @@ working and tested: |
not ok:
* still needs leak testing
== start ==
## start
Create and install two VMs. VM-1 was Windows XP SP3 which I used for anonymous surfing (many other operating systems with VPN support might work) and VM-2 with Ubuntu 11.10 (other linux flavours might also work such as Debian stable, Debian testing or whatsoever, not thought if it would be possible to create a Windows TorVPN server, no clue about BSD and all other).
go to VMware Workstation -> Edit -> Virtual Network Editor -> click on (in my case it was VMNet8) NAT -> click on NAT Settings -> write down the VMware Gateway IP -> in my case it was 192.168.161.2 (Gateway IP).
== setting up VM-1 ==
## setting up VM-1
For the installation of VM-1 there is only a little to say beside from the normal Tor safety advice will apply here of course as well.
* Connect the virtual network adapter to custom, this is important! No host-only, no NAT, no brideging! I used VMnet9 as it wasn't used by anything else.
... | ... | @@ -69,8 +69,8 @@ For the installation of VM-1 there is only a little to say beside from the norma |
After VM-2 is up and running you need to connect the VPN. This approach is similar on most Windows-based operating systems. I haven't tested Linux but it will probable work similar. There are loads of video instructions available. Important part is to setup a fixed ip for the virtual lan network card and to use the same subnet like VM2- for VMnet9. In this case IP 192.168.0.2 and subnet 255.255.252.0 has worked. It wasn't needed to setup DNS. Username and password you will configure yourself in the next chapter in /etc/ppp/chap-secrets.
== setting up VM-2 ==
=== VPN server with direct non-tor internet connection as pre work exercise ===
## setting up VM-2
### VPN server with direct non-tor internet connection as pre work exercise
Three is more to do is on for VM-2. Add three virtual network cards before you install.
* first one (will be eth0): NAT
... | ... | @@ -79,10 +79,10 @@ Three is more to do is on for VM-2. Add three virtual network cards before you i |
Install the rest as you wish. I also installed the original VMware Tools, dunno if they make a difference for networking. Maybe you also want to bother installing them as it's a little complicated, please don't ask me about VMware Tools or open-vm-tools, because that's a whole different construction site, use Google.
If you use Ubuntu be sure to do {{{sudo apt-get remove --purge network-manager network-manager-gnome}}} to get ride of the network manager as it will interfere with our advanced network setup. Maybe you are genius and can use it, for me it was easier with the text configuration files.
If you use Ubuntu be sure to do `sudo apt-get remove --purge network-manager network-manager-gnome` to get ride of the network manager as it will interfere with our advanced network setup. Maybe you are genius and can use it, for me it was easier with the text configuration files.
/etc/network/interfaces
{{{
```
# loopback
auto lo
iface lo inet loopback
... | ... | @@ -110,20 +110,20 @@ auto eth2 |
iface eth2 inet static
address 192.168.0.1
netmask 255.255.252.0
}}}
```
/etc/resolv.conf
{{{
```
domain localdomain
search localdomain
# the VMware gateway IP
nameserver 192.168.161.2
}}}
```
Something keeps rewriting /etc/resolv.conf. I think it's a VMware bug. To stop it use this.
{{{
```
chattr +i /etc/resolv.conf
}}}
```
Now test your network.
* test if clear internet connection is working
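Review bot: `chattr +i /etc/resolv.conf` will also block the later step on this page that comments out /etc/resolv.conf for the poor man's DNS leak test, so that step needs `chattr -i /etc/resolv.conf` first (and `+i` again afterwards). The rewriting itself is more likely the DHCP client on eth0 (`iface eth0 inet dhcp`) than a VMware bug; a cleaner fix than the immutable bit is `supersede domain-name-servers 192.168.161.2;` in dhclient.conf.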
... | ... | @@ -131,38 +131,38 @@ Now test your network. |
* test if host and VM-2 can ping each other
Then install pptpd, this is the VPN server software. (Note: PPTP might not be the most secure choose but that does not matter if all your virtual machines (or real hardware) are inside a trusted lan. Because of the trusted lan we do not rely on the strength of the encryption. Reason to choose PPTP was that it seamed to be the most easy to set up VPN linux server and windows built in client. No learning and bothering with SSL certificates. If you want to install the VPN server on a remote location which will be accessed over the internet you should think about some more secure VPN sytem such as OpenVPN. In that case it would be also needed to research if your pc -> secure encrypted OpenVPN -> Tor on that OpenVPN server -> Tor would damage anonymity in any way, timing stuff and so on.)
{{{
```
sudo apt-get install pptpd
}}}
```
'nano /etc/pptpd.conf'
and insert
{{{
```
localip 192.168.1.2
remoteip 192.168.1.10-20
}}}
```
'nano /etc/ppp/pptpd-options' and insert at the end of the file
{{{
```
# the VMware gateway IP
ms-dns 192.168.161.2
nobsdcomp
noipx
mtu 1490
}}}
```
'nano /etc/ppp/chap-secrets' and insert
{{{
```
chooseusername pptpd choosepassword *
}}}
```
'nano /etc/sysctl.conf' and insert
{{{
```
net.ipv4.ip_forward=1
}}}
```
now run
{{{
```
# to activate net.ipv4.ip_forward instantly without rebooot
echo 1 > /proc/sys/net/ipv4/ip_forward
# to activate net.ipv4.ip_forward instantly without rebooot
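Review bot: the comment `# to activate net.ipv4.ip_forward instantly without rebooot` appears twice, the second copy directly above `sysctl -p` (the next hunk's context line); keep one copy and fix "rebooot". `sysctl -p` already applies the `net.ipv4.ip_forward=1` added to /etc/sysctl.conf, so the `echo 1 > /proc/sys/net/ipv4/ip_forward` line is redundant with it. Two smaller points: `chooseusername pptpd choosepassword *` stores the password in clear text, so /etc/ppp/chap-secrets must stay root-only (mode 0600); and `localip 192.168.1.2` / `remoteip 192.168.1.10-20` fall inside the 192.168.0.0/22 that eth2 uses with `netmask 255.255.252.0`, so a /24 on eth2 would keep the LAN and tunnel ranges disjoint and easier to match unambiguously in firewall rules.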
... | ... | @@ -171,7 +171,7 @@ sysctl -p |
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# will be done after reboot automatically
sudo /etc/init.d/pptpd restart
}}}
```
Troubleshooting until here:
* Have you forgotten the iptables command? (look few lines above)
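Review bot: the `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` rule is not persisted, and the comment `# will be done after reboot automatically` below it refers to the pptpd restart, not to the iptables line, which a reader can easily misread. In this pre-Tor stage the rule has to be re-entered after every reboot (which matches the "Have you forgotten the iptables command?" troubleshooting item); say so next to it, or note that the /etc/firewall.sh hooked via `pre-up` in the TorVPN section is where it belongs permanently.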
... | ... | @@ -179,11 +179,11 @@ Troubleshooting until here: |
* Next test if VM-2 can ping, nslookup, direct connect to IP's and to browse the web. Before that is working there is no need to bother with the VPN.
* Maybe everything works so far, but not DNS, try to direct connect to an IP, for example use a working network connection and to nslookup google.de or ping google.de and note that IP. Paste the IP in browser and see if it connects. If so, you know, that there is only a problem with DNS left.
=== convert VPN into TorVPN ===
### convert VPN into TorVPN
After normal internet connections work we now force VM-2 to use only Tor for all connections.
{{{
```
# become root
sudo su
# create /etc/firewall.sh
... | ... | @@ -192,10 +192,9 @@ nano /etc/firewall.sh |
chown root /etc/firewall.sh
# make executable
chmod 700 /etc/firewall.sh
}}}
```
/etc/firewall.sh
{{{
#!/bin/sh
```
# /etc/firewall.sh
# this is the part which is not ready yet...
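Review bot: in the converted /etc/firewall.sh listing the new opening ``` fence has been placed after `#!/bin/sh` rather than before it (the removed `{{{` preceded the shebang), so `#!/bin/sh` falls outside the code block and renders as a level-1 heading "!/bin/sh" while `# /etc/firewall.sh` starts the block; move the fence up one line so the shebang is the first line of the listing.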
... | ... | @@ -230,23 +229,23 @@ ip6tables -t filter -A OUTPUT -j DROP |
# maybe block all incoming traffic (server ports) but VPN from VM-1 (not done yet)
echo "firewall loaded"
}}}
```
Test if the firewall script does not show any errors.
{{{
```
/etc/firewall.sh
}}}
```
To load the firewall (= he force to use Tor for all internet connections) BEFORE an online connection is established 'nano /etc/network/interfaces' again and expand this part.
{{{
```
auto eth0
iface eth0 inet dhcp
pre-up /etc/firewall.sh
}}}
```
To test that type '/etc/init.d/networking restart' and you should see something like that.
{{{
```
root@vm:/# /etc/init.d/networking restart
* Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces
* Reconfiguring network interfaces...
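Review bot: /etc/firewall.sh has no `set -e`, so if one of its iptables/ip6tables lines fails the script still reaches `echo "firewall loaded"` and exits 0, and `pre-up /etc/firewall.sh` then lets eth0 come up behind an incomplete ruleset; add `set -e` right after the shebang so a failing rule makes the pre-up hook fail and ifup abort, which is the fail-closed behaviour this setup wants. Also, since the captured output itself warns that `/etc/init.d/networking restart` is deprecated, `ifdown eth0 && ifup eth0` is the better way to exercise the pre-up hook when testing.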
... | ... | @@ -254,62 +253,62 @@ loading firewall... |
firewall loaded.
[ OK ]
root@vm:/#
}}}
```
'nano /etc/ppp/pptpd-options' and change
{{{
```
#comment out ms-dns, delete IP
#ms-dns
}}}
```
install Tor, see instructions here https://www.torproject.org/docs/tor-doc-unix.html.en
'nano /etc/tor/torrc' I added at the top
{{{
```
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.1.2
DNSPort 53
DNSListenAddress 192.168.1.2
}}}
```
restart Tor using
{{{
```
/etc/init.d/tor restart
}}}
```
== miscellaneous ==
=== browser inside VM-2 ===
## miscellaneous
### browser inside VM-2
No proxy settings needed anymore..
If you want to continue to use your browser be sure to delete all your browsers private data, use private browsing, deactivate plugins and so on. Or even better use the official Tor Browser.
=== Tor Browser ===
### Tor Browser
To use the Tor Browser now without Tor/Vidalia (because you are now using a transparent TorVPN) see https://lists.torproject.org/pipermail/tor-talk/2011-December/022447.html
== testing ==
=== DNS leak test ===
## testing
### DNS leak test
It is essential to be sure that no DNS is leaking.
==== poor man's DNS leak test ====
#### poor man's DNS leak test
On VM-2 'nano /etc/resolv.conf' and out comment everything (# before every line so everything is ignored).
{{{
```
#domain localdomain
#search localdomain
# the VMware gateway IP
#nameserver 192.168.161.2
}}}
```
As a tests result the DNS requests in VM-1 should still work while the DNS requests in VM-2 do no longer work.
==== using tshark ====
{{{
#### using tshark
```
apt-get install tshark
}}}
{{{
```
```
tshark -S -i eth0 -R dns
}}}
=== tcmp leak test ===
{{{
```
### tcmp leak test
```
tshark -S -i eth0 -R tcmp
}}}
```
== end ==
## end
sources I learned from:
* http://www.debiantutorials.com/installing-and-configuring-pptp-vpn-server-on-lenny/
* http://www.howtogeek.com/51237/setting-up-a-vpn-pptp-server-on-debian/
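Review bot: `tcmp` in the heading `### tcmp leak test` and in `tshark -S -i eth0 -R tcmp` is not a valid filter name, so the command errors out instead of capturing; ICMP is presumably meant, and both should read `icmp`. Capturing on eth0 (the NAT interface) is the right place for both leak tests, since anything that shows up there as plain DNS or ICMP is traffic that bypassed Tor.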