Mirimir can you please advise/help with pt 8 guide?

Discussion in 'privacy technology' started by ck124, Apr 5, 2015.

  1. ck124

    ck124 Registered Member

    Joined:
    Apr 5, 2015
    Posts:
    5
    I am reading your guide and on the last step (pt 8)...

    I am working to get the set-up TOR -> VPN. I'm configuring OpenVPN on Whonix Workstation and have it working on Whonix Workstation via OpenVPN.

    You mention here: <https://www.wilderssecurity.com/thre...gateway-with-any-vm-as-a-workstation.374072/> that OpenVPN needs 2 lines with socks-proxy. I never did that on Whonix Workstation and OpenVPN seems to work (whatismyip shows VPN exit).

    What is the functionality of those two lines? Am I missing something - what is /path/to/up? Are those 2 lines only for configuring non Whonix Workstation VMs? (like Ubuntu connecting to Whonix Gateway)?

    -

    While I have Whonix Workstation w/ OpenVPN working, I am also considering TOR -> VPN using Whonix Gateway or pfSense TOR install, which I do not know how to do.

    Can you elaborate on which method you think is best for anonymity / avoid browser fingerprinting? (Whonix Gateway -> Ubuntu, pfSense TOR -> Ubuntu, Whonix Gateway -> Whonix WS w/ OpenVPN)

    My concerns are:
    1. Firewall Rules: I cannot get adrelanos' firewall script to work with Whonix/VPN. As soon as it is enabled with correctly configured IP, it blocks all access. It works perfectly on Ubuntu w/ OpenVPN. Also since Whonix makes checks on bootup, is it even a good idea to have firewall load on bootup too (assuming I can get it working)?

    OTOH with a pfSense TOR install, I think it should be easy to attach an Ubuntu VM via LAN and get adrelanos' firewall script up easily (or nest a pfSense VPN VM).

    2. Browser Fingerprinting -

    If I use Whonix WS TOR Browser with OpenVPN, would I look very unique in terms of fingerprinting profiling? I go on a site and the site will know that I am using TOR Browser + a non-TOR IP. Can an adversary see that I am using TOR browser? Panopticon EFF seems to show that I am a Windows user (but 1 of 2000). But Adrelanos in an old thread mentioned that TOR -> VPN would make the fingerprint look suspicious because not many TOR users add a VPN on top.

    I prefer Ubuntu VM instead of Whonix WS but have not figured out a way to connect Ubuntu VM to Whonix Gateway VM (or install TOR on pfSense VM). In above thread you mention you could provide instructions for installing TOR in pfSense - can you please elaborate?

    Suppose I get Whonix Gateway -> Ubuntu VM and I don't care about RAM. If I use Ubuntu's Firefox, my browser fingerprinting should then be more "common/anonymous" right (masked same as Ubuntu users)? Is this correct?

    But you also mention that I am less secure using Ubuntu Firefox instead of TOR Browser because TOR Browser has built-in privacy add-ons/patches? How much less secure would I be using Ubuntu Firefox instead of TOR Browser in this setup?

    Given firewall/browser fingerprinting concerns, which set-up would you recommend to be more anonymous?

    I know this is a lot so thank you so much for reading this and helping me! English is not my language so thank you!
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Those lines tell OpenVPN to connect through a SOCKS proxy, and to keep trying after failures. Whonix is preconfigured for OpenVPN in the workstation VM. But yes, you'd need those lines if you were using some random VM as workspace with Whonix gateway VM.
    Just using Tor browser is probably best for anonymity, because you're just like all the others. But that setup is vulnerable to leaks. Using Whonix protects against leaks, but makes you less anonymous, to the extent that websites can distinguish you from plain Tor browser users. Ask Whonix support about that.

    Adding a VPN via Tor certainly makes you less anonymous, because you're not using a Tor exit IP address. But that's the main reason for doing it, to use sites that block Tor exits. It also weakens Tor anonymity by preventing the Tor client from changing circuits. But you can get around that by periodically restarting Tor in the gateway VM, perhaps using a shell script.

    You can install another browser in the Whonix gateway, such as Iceweasel, and use that with the VPN, without messing with Tor browser. That way, websites won't suspect that you're using Tor, based on the browser signature. But it would probably be less secure than Tor browser.
    That's probably because VPN-Firewall is preventing the workstation VM from reaching the Tor client on the gateway VM. Make sure that you have this in "/usr/bin/vpnfirewall":
    Code:
    LOCAL_NET="10.152.152.10/32 127.0.0.0/8"
    With that tweak, the checks should work, because they'll still use Tor directly, and not the VPN.
    Yes, you could do that. But pfSense properly set up with Tor behaves very much like the Whonix gateway, so it wouldn't be easier. I only use Tor in pfSense when I want a gateway that takes less space.
    I'm pretty sure that they will know that you're using Tor browser. And yes, with a non-Tor IP, you'll be unusual, and so less anonymous.
    To use an Ubuntu VM with Whonix gateway, you need to configure it with a static IP address. Just run "sudo cat /etc/network/interfaces" in the Whonix workstation VM, and replicate that in the Ubuntu workspace VM. For the browser and OpenVPN client, just configure SOCKS proxy. For other apps that don't have SOCKS proxy options, you'll need to install torsocks and rinetd.
    OK, I'll post this soon.
    Yes, you'll look like other Ubuntu users. Or at least, like those who are using that VPN exit.
    I don't know. You could read up on Tor browser, and see how it's hardened.
    I answered this above.
    De nada :)
     
    Last edited: Apr 5, 2015
  3. ck124

    ck124 Registered Member

    Joined:
    Apr 5, 2015
    Posts:
    5
    Thank you!

    Where did you get 128.0.0.0/8? Did you mean 127.0.0.0/8?

    If so, I tried that and Whonix Check reports "Tor's Control Port could not be reached. Did you start Whonix-Gateway beforehand?"
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that's what I meant. I've changed it.
    I'm not sure about that.

    With VPN-Firewall up in the workstation VM, can you browse through the VPN?
     
  5. ck124

    ck124 Registered Member

    Joined:
    Apr 5, 2015
    Posts:
    5
    Yes, the firewall works appropriately for the VPN thank you.

    But I'm debating whether I want to make the firewall script run on startup - because I think whonix would then be unable to do basic checks on boot.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Good :)
    It seems that it doesn't, so maybe don't.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Here's how to install Tor in pfSense.

    Get pfSense 2.2.1, Lubuntu 14.10 and FreeBSD 10.1:
    Code:
    $ sudo apt-get update
    $ sudo apt-get install hashalot
    $ cd ~/Downloads
    $ wget http://files.pfsense.org/mirror/downloads/pfSense-LiveCD-2.2.1-RELEASE-i386.iso.gz.sha256
    $ wget http://files.pfsense.org/mirror/downloads/pfSense-LiveCD-2.2.1-RELEASE-i386.iso.gz
    $ wget http://cdimage.ubuntu.com/lubuntu/releases/14.10/release/lubuntu-14.10-desktop-i386.iso
    $ wget ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/10.1/CHECKSUM.SHA256-10.1-RELEASE-i386
    $ wget ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/10.1/FreeBSD-10.1-RELEASE-i386-disc1.iso
    $ sha256sum -c pfSense-LiveCD-2.2.1-RELEASE-i386.iso.gz.sha256
      should see output "pfSense-LiveCD-2.2.1-RELEASE-i386.iso.gz: OK"
    $ md5sum lubuntu-14.10-desktop-i386.iso
      find hash at https://help.ubuntu.com/community/UbuntuHashes and check
    $ cat CHECKSUM.SHA256-10.1-RELEASE-i386
    $ sha256sum FreeBSD-10.1-RELEASE-i386-disc1.iso
      verify that hashes agree
    Create Lubuntu 14.10 VM with 1024 MB RAM and 100 GB thin VDI. Attach network adapter to NAT.

    Create pfSense 2.2.1 VM with 512 MB RAM and 2 GB thin VDI. Add second network adapter, attached to internal network "torgw".

    Create FreeBSD 10.1 VM with 1024 MB RAM and 200 GB thin VDI. Attach network adapter to internal network "torgw".

    Start Lubuntu 14.10 VM, follow instructions to install, and reboot.
    Code:
    $ sudo apt-get update
    $ sudo apt-get dist-upgrade
    $ sudo apt-get install openssh-server
    Then shutdown, and attach its network adapter to the pfSense VM's internal network "torgw".

    Start pfSense 2.2.1 VM, follow instructions to install, and reboot. The default LAN (em1) IP address is 192.168.1.1. Then start Lubuntu 14.10 VM, browse https://192.168.1.1/ and finish pfSense setup, accepting defaults.

    Now start FreeBSD 10.1 VM, follow instructions to install, and reboot. Then login as root, and build Tor:
    Code:
    # portsnap fetch extract
    # mkdir /usr/ports/packages
    # cd /usr/ports/security/tor/
    # make package-recursive
    # cd /usr/ports/devel/google-perftools/
    # make package-recursive
    # cd /usr/ports/packages/All/
    # ls
      these are the packages that you will install in pfSense
    # sftp user@192.168.1.100
      the Lubuntu VM (running openssh-server), at its LAN address 192.168.1.100; pfSense itself is 192.168.1.1
      > cd Downloads
      > put *.txz
      > exit
    # shutdown -p now
    In pfSense 2.2.1 VM console window, hit "8" for shell:
    Code:
    # sftp user@192.168.1.100
      > cd Downloads
      > get *.txz
      > exit
    # pkg add *.txz
      pkg add installs local package files; pkg install only resolves names against a repository
    # rm -r /var/db/tor
    # mkdir -p /usr/local/var/db/tor/data
    # mkdir -p /usr/local/var/run/tor
    # mkdir /usr/local/var/log/tor
    # touch /usr/local/var/log/tor/notices.log
    # chown -R _tor:_tor /usr/local/var/db/tor
    # chown -R _tor:_tor /usr/local/var/log/tor
    # chown -R _tor:_tor /usr/local/var/run/tor
    # chmod -R 700 /usr/local/var/db/tor
    # sysctl net.inet.ip.random_id=1
    In Lubuntu 14.10 VM, browse https://192.168.1.1/ and go to "Diagnostics: Edit file". Paste "/etc/defaults/rc.conf" in "Save / Load from path:" and hit "Load". At bottom of file, add the following, and hit "Save".
    Code:
    tor_enable="YES"
    tor_pidfile="/usr/local/var/run/tor/tor.pid"
    tor_datadir="/usr/local/var/db/tor"
    Paste "/usr/local/etc/tor/torrc.sample" in "Save / Load from path:" and hit "Load". Change name to "/usr/local/etc/tor/torrc" and hit "Save". Then edit as noted below, and hit "Save" again.
    Code:
    SocksPort 127.0.0.1:9050
    SocksPort 192.168.1.1:9050
    SocksPort 192.168.1.1:9100
    SocksPort 192.168.1.1:9150
    
    SocksPolicy accept 127.0.0.1
    SocksPolicy accept 192.168.1.0/24
    SocksPolicy reject *
    
    DnsPort 127.0.0.1:53 IsolateDestPort
    DnsPort 192.168.1.1:53 IsolateDestPort
    
    VirtualAddrNetwork 10.192.0.0/10
    AutomapHostsOnResolve 1
    
    ControlPort 9151
    CookieAuthentication 1
    
    Log notice file /usr/local/var/log/tor/notices.log
    RunAsDaemon 1
    DataDirectory /usr/local/var/db/tor
    Refresh to get clean edit window, paste "/usr/local/etc/rc.d/tor.sh" in "Save / Load from path:", paste following text into edit window, and hit "Save".
    Code:
    #!/bin/sh
    
    su -m _tor -c "/usr/local/bin/tor"
    In pfSense 2.2.1 VM console window:
    Code:
    # chmod +x /usr/local/etc/rc.d/tor.sh
    # reboot
    After the pfSense VM finishes rebooting, hit "8" for shell:
    Code:
    # top
      should see tor running with user _tor
    # tail /usr/local/var/log/tor/notices.log
      the log file created above; should see "[notice] Bootstrapped 100%: Done"
    # exit
    Now you have a pfSense Tor-gateway VM. In Lubuntu 14.10 VM, browse https://192.168.1.1/ and lock down pfSense. First delete all outbound NAT routes in "Firewall: NAT: Outbound":
    Code:
    select "Manual Outbound NAT rule generation", save and apply changes
    check all outbound NAT routes, and delete using [x] at lower right
    save and apply changes
    In "Firewall: Rules: LAN", allow access from LAN only to the Tor SocksPort:
    Code:
    edit default allow rule
    allow TCP from LAN subnet to 192.168.1.1
    save and apply changes
    The pfSense Tor-gateway VM only needs to access your entry guards, and NTP servers so that Tor has the correct time. For additional security, you can create rules on WAN that allow that, and block all other outbound traffic. Working at the command line in the pfSense console, view your entry guards:
    Code:
    less /usr/local/var/db/tor/state
      the state file lives under the DataDirectory set in torrc; /var/db/tor was removed above
    Browse https://atlas.torproject.org/ and get the corresponding IP addresses. Browse "Firewall: Aliases: IP", and create an alias for those IPs. You will need to update the alias periodically as your entry guards change. In a terminal, run "host 0.pfsense.pool.ntp.org" and then create an alias for those IPs. Then use those two aliases to create outbound pass rules in "Firewall: Rules: WAN". At the bottom, add a block rule for everything else.

    Finally, in "System: Advanced: Miscellaneous: Gateway Monitoring", check "Skip Rules When Gateway is Down" and hit "Save".
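    The torrc and state-file steps above lend themselves to a quick offline check. The following is an added example, not code from the post or from the pfSense or Tor projects: it audits the post's listener and SocksPolicy lines against the lockdown intent (listeners bound only to loopback and the 192.168.1.0/24 LAN, an explicit "reject *", a cookie-authenticated ControlPort), shows a constructed weak torrc failing the same checks, and pulls guard fingerprints out of a constructed Tor state excerpt so they can be looked up for the WAN alias. The LAN range is the post's; the weak torrc, the state lines and the guard nicknames/fingerprints are constructed samples.

```python
"""Lockdown checks for a pfSense Tor-gateway torrc, plus a guard list from Tor's state file.
Added example, not from the post or from pfSense/Tor. The LAN range is the post's;
the torrc and state-file texts below are constructed samples."""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # pfSense LAN side, as in the post
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# The listener/policy lines of the post's torrc: bound to loopback and LAN only.
TORRC_GOOD = """\
SocksPort 127.0.0.1:9050
SocksPort 192.168.1.1:9050
SocksPort 192.168.1.1:9100
SocksPort 192.168.1.1:9150
SocksPolicy accept 127.0.0.1
SocksPolicy accept 192.168.1.0/24
SocksPolicy reject *
DnsPort 127.0.0.1:53 IsolateDestPort
DnsPort 192.168.1.1:53 IsolateDestPort
ControlPort 9151
CookieAuthentication 1
"""

# Constructed weak variant: listeners on 0.0.0.0 (so the WAN side can reach them),
# an open SocksPolicy, and a ControlPort with no authentication.
TORRC_WEAK = """\
SocksPort 0.0.0.0:9050
SocksPolicy accept *
DnsPort 0.0.0.0:53
ControlPort 0.0.0.0:9151
"""

def _bind_host(value):
    """Host part of a Tor *Port value; a bare port means Tor's default 127.0.0.1."""
    spec = value.split()[0]
    return spec.rsplit(":", 1)[0] if ":" in spec else "127.0.0.1"

def _is_local(target):
    """True if an address or CIDR lies inside loopback or the pfSense LAN."""
    net = ipaddress.ip_network(target, strict=False)
    return net.subnet_of(LOOPBACK) or net.subnet_of(LAN_NET)

def audit_torrc(text):
    """Return a list of lockdown findings; an empty list means the torrc passes."""
    findings, policy, control, cookie = [], [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ("SocksPort", "DnsPort", "TransPort"):
            host = _bind_host(value)
            if not _is_local(host):
                findings.append(f"{key} listens on {host}, reachable beyond loopback/LAN")
        elif key == "SocksPolicy":
            toks = value.split()
            if len(toks) == 2:
                policy.append((toks[0], toks[1]))
        elif key == "ControlPort":
            control = True
            if not _is_local(_bind_host(value)):
                findings.append("ControlPort listens beyond loopback/LAN")
        elif key == "CookieAuthentication":
            cookie = value.strip() == "1"
    # The policy must end with an explicit catch-all reject and accept only local ranges.
    if not policy or policy[-1] != ("reject", "*"):
        findings.append("SocksPolicy does not end with 'reject *'")
    for action, target in policy:
        if action == "accept" and (target == "*" or not _is_local(target)):
            findings.append(f"SocksPolicy accepts non-local range {target}")
    if control and not cookie:
        findings.append("ControlPort enabled without CookieAuthentication 1")
    return findings

# Constructed state-file excerpt. Tor 0.2.x (current in 2015) wrote
# "EntryGuard <nickname> <fingerprint> ..." lines; later versions write
# "Guard ... rsa_id=<fingerprint> ... nickname=<nickname>" lines.
STATE_SAMPLE = """\
TorVersion Tor 0.2.5.12
EntryGuard guardA 0123456789ABCDEF0123456789ABCDEF01234567 DirCache
EntryGuardAddedBy 0123456789ABCDEF0123456789ABCDEF01234567 0.2.5.12 2015-04-01 12:00:00
EntryGuard guardB 89ABCDEF0123456789ABCDEF0123456789ABCDEF NoDirCache
Guard in=default rsa_id=FEDCBA9876543210FEDCBA9876543210FEDCBA98 nickname=guardC listed=1
"""

def entry_guards(state_text):
    """Return [(nickname, fingerprint), ...] for the guards recorded in a state file."""
    guards = []
    for line in state_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "EntryGuard":
            guards.append((parts[1], parts[2].upper()))
        elif parts and parts[0] == "Guard":
            kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            if "rsa_id" in kv:
                guards.append((kv.get("nickname", "?"), kv["rsa_id"].upper()))
    return guards

if __name__ == "__main__":
    print("post's torrc:", audit_torrc(TORRC_GOOD) or "no findings")
    print("weak torrc:", *audit_torrc(TORRC_WEAK), sep="\n  ")
    for nick, fp in entry_guards(STATE_SAMPLE):
        print(f"guard {nick}: {fp}  (look up this fingerprint to get the IP for the WAN alias)")
```

    On the gateway itself, feed the real files in with open("/usr/local/etc/tor/torrc").read() and open("/usr/local/var/db/tor/state").read(); the state path follows the DataDirectory set in the torrc above. SocksPolicy only governs what Tor itself accepts, so these checks complement the LAN and WAN firewall rules rather than replace them.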
     
  8. ck124

    ck124 Registered Member

    Joined:
    Apr 5, 2015
    Posts:
    5
    Wow! Thank you for the detailed tutorial.

    One question I have is what the tradeoffs are for using this pfSense implementation vs Whonix Gateway and in which situations you would choose one over the other? Are the firewall rules similar or is this pfSense implementation more secure?

    Seems like one advantage is that you can chain this pfSense with others as usual whereas with Whonix Gateway you cannot.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, I've been intending to post that for a while, so hey :)
    I don't know. The Whonix team is very knowledgeable. As I said, the main thing with pfSense is that it's about 300 MB vs 4.3 GB for the Whonix gateway. But on the other hand, pfSense now needs about 500 MB RAM to be happy, and the Whonix gateway runs on 128 MB RAM. Choose your poison ;)
    No, they're the same in that way. This pfSense setup is not a transparent proxy.
     