Question for Mirmir

I am interested in finally trying to learn your method of using a VPN and Tor from within a VM. but I lack a lot of basic knowledge so I need to do this slowly. What is the first step that a person would need to take? I assume that I need to install Virtual box on my computer. Then what do I need to import? I know how to import Whonix gateway and workstation. Would I import something else a similar way?

If I can actually get this and learn to do it, maybe I can create a "Special Ed" tutorial for the slower crowd like me.

 

In order to access the Tor network through a VPN tunnel, you just need to run the VPN on the host machine, and then run the two Whonix VMs in VirtualBox. I describe in detail how to do that in this guide: https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-2

It's not at all as hard as you're imagining. Once you get used to using VMs, they're not that much harder to manage than Word documents etc.

 

LOL... Okay I hope you're right. I am traveling right now but I will get started here in a couple of days. Thanks

 

Apologies for hijacking this thread, but I too have a question for mirimir on this very subject. I've been trying to start a new thread for my questions, but after almost 1.5 weeks it has yet to appear in the forums and may have gotten lost?

I have set up a system as described by mirimir in his Privacy Guides.* Specifically I have constructed a system with the specifications described in Part 2 of his guides, with one modification: I am not using TOR.* I think the system is "good enough" for my needs and feel that the additional security does not justify the additional latency that a TOR connection adds.

Unfortunately I am running into two problems that I hope the kind folks here can give me some assistance and/or advice on.

For my VPN providers, I am using AirVPN on the actual physical machine (which I will refer to as the "host" from here on out) and PrivateInternetAccess (PIA) on the Virtual Machine running on the host machine (which I will refer to as the "guest" machine).* mirmir has recommended these in the past which is why I went with them.* I have to say that AirVPN is working perfectly.* Not a single problem with it.* However PIA is giving me a lot of grief.

The vpnfirewall script (the adrelanos' script mentioned in mirimir's guide) is the firewalling script that prevents data "leakage" should the VPN connection go down.* For this to work, it needs to know the IP address(es) of the VPN server(s) you intend on using.* When I was setting this up, I performed DNS lookups of the various PIA servers to determine their IP addresses.* Each of their various servers (us-seattle.privateinternetaccess.com, france.privateinternetaccess.com, etc.) returns 3-4 IP addresses in response to a DNS query.* The problem is that sometimes when I attempt to connect to PIA, it succeeds right away, however sometimes it does nothing and eventually errors out; upon viewing system log files I see a bunch of denied openvpn connections coming from IP addresses that the firewall has blocked.* What I suspect is happening is that, when I attempt to establish a VPN connection, the server I connect to will sometimes handle the connection itself, but sometimes it forwards your connection request to another server "behind the scenes" (whose IP address is private and is not published through DNS).* That is why PIA connections sometimes work (the server whose IP address the adrelanos' script knows about handles the connection itself) while other times the connection appears to stall or fail (the server that I contacted forwarded my VPN connection request to one of their private internal servers, which the firewalling script does not know about and therefore blocks).

I suspect there are dozens, if not hundreds, of these private, unlisted servers running behind the scenes.* PIA used to publish a list of all of their VPN servers' IP addresses. However they have recently changed this policy and are no longer publishing this list.* The reason they give is for security reasons.* If they publish their IP addresses, it is trivial for someone to set up blocking rules (e.g. the Chinese government could obtain this list and block all of PIA's servers, preventing Chinese dissidents from using them to hide their traffic; or manufacturers of web blocking software could easily add all of PIA's servers to their software's "do not allow" lists in one fell swoop)* This reasoning does make sense and I can understand why they adopted this policy.

For now I have implemented a kludge/workaround; I have set up a script that periodically scans the firewall logs looking for refused openvpn connections, and when it finds an IP address it hasn't seen before (my script keeps a record of them all) it adds a firewall rule to allow VPN traffic to that IP.* Obviously this is is just a stopgap and is probably not the ideal solution.* (Feels a lot like playing Whack-a-Mole - By the time I find a few new ip addresses to allow, PIA starts picking completely new ones) Is there a better solution to this problem?* Or should I give up on PIA and seek out another VPN provider?

My second problem is that I would like to be able to use VoIP through this system.* Unfortunately this is not working reliably.* When it works, it works reasonably well; there are occasional blips in the audio and voices sometime sound a bit "crunchy" but for the most part conversations work well and are intelligible.* However when it doesn't work, it fails in a spectacular manner, with long delays and/or voice dropouts (rather like talking to astronauts on the Moon), the other caller hearing an "echo" of themselves, etc.* I suspect that attempting to funnel VoIP traffic through two VPNs is introducing too much latency and/or jitter.* Is there any way of improving VoIP quality or is VoIP through this kind of system impossible?* I have experimented with trying to set up QoS, but am running into an issue.* OpenVPN can be configured to pass through the ToS/DSCP bits in the TCP/IP packets (which are used by routers to prioritize traffic).* However I have only been able to get ToS packets passed through one of the VPN layers.* (Unfortunately this level of networking is outside the scope of my knowledge.)

Thank you in advance for your time and consideration, and I appreciate any help and/or advice you are able to provide.*

 

@dburr

Regarding using adrelanos' VPN-Firewall with VPN services that redirect to numerous numeric IPs, I believe that it's possible to specify a space-delimited list of IPs and IP ranges for the script's "VPN_INTERFACE" variable. That is, instead of using this ...

Code:

VPN_INTERFACE=m.n.o.p

... you could specify this ...

Code:

VPN_INTERFACE="m.n.o.p q.r.s.t u.v.w.0/N"

In saying that, I rely on this part of the iptables manual ...

Code:

[!] -s, --source address[/mask][,...]
       Source specification. Address can be either a  network  name,  a
       hostname,  a  network  IP  address  (with  /mask), or a plain IP
       address. Hostnames will be resolved once only, before  the  rule
       is  submitted  to  the  kernel.  Please note that specifying any
       name to be resolved with a remote query such as DNS is a  really
       bad idea.  The mask can be either a network mask or a plain num‐
       ber, specifying the number of 1's at the left side of  the  net‐
       work  mask.   Thus, a mask of 24 is equivalent to 255.255.255.0.
       A "!" argument before  the  address  specification  inverts  the
       sense  of  the  address.  The  flag  --src  is an alias for this
       option.  Multiple addresses can  be  specified,  but  this  will
       expand  to  multiple  rules (when adding with -A), or will cause
       multiple rules to be deleted (with -D).

[!] -d, --destination address[/mask][,...]
       Destination  specification.   See  the  description  of  the  -s
       (source)  flag  for  a  detailed description of the syntax.  The
       flag --dst is an alias for this option.

Regarding the VoIP issue, check what modes (TCP vs UDP) your VPNs are using, and what the VoIP app needs. You'll probably have the best performance if you can have as much possible in UDP mode. TCP can get into feedback loops on high-latency connections.

 

I have a question for Mirimir as well, and would greatly appreciate a response. I've set up a system according to Guide 2 on Mirimir's iVPN Guides. I have the first VPN set up directly in the Ubuntu 12.04 host, and the second VPN set up in a Ubuntu 12.04 VM. I have a question about speaking via VoIP through the two VPN's in this system: Does it compromise my privacy to have my headset and/or speaker connected to a USB port in the host while speaking through a softphone in the VM? [As I understand it, VirtualBox handles all of the sound routing itself. In the host, I click on the speaker icon at the upper right of the screen, then choose “Sound Settings” and choose the appropriate “output” and/or “input” tabs]

 

I rarely use audio, given the identity-leak risk. But I vaguely recall that the host and all VMs with audio enabled are basically on a "party line". But that might just reflect my ignorance about audio. I do see "Audio Controller" in the audio setup tab. Maybe there can be multiple controllers, with the host using one, one VM using another, and so on.

 

Thank you for the quick reply, Mirimir. Maybe I got this wrong; I thought VoIP could be used privately through this kind of double VPN/VM system. What do you mean by "the identity-leak risk" of audio? If the multiple controllers direction isn't viable, how much of a risk to privacy (especially concerning revealing my true IP address) am I taking to use a headset connected to a USB port in the host while speaking with VoIP through a softphone in the VM guest?

 

I mean that my voice is tightly linked to my identity, and very hard to disguise. The only reliable approach would involve conversion to text and back again, which would be too slow and error-prone to bother with.

That would be fine as long as the host is firewalled, and you weren't running other VMs with audio enabled. But you should only talk with people whom you know in real life. If a capable adversary obtained a recording of your voice, they could compare that with their databases of voice recordings, and perhaps identify you.

 

I’m using the setup described by mirimir in Guide 2 of his iVPN guides. AirVPN in the physical host machine, which connects to iVPN in a guest VM. Everything’s been working great until today, when I discovered that AirVPN suddenly has a DNS leak. Don’t understand how this could happen, since it was setup exactly per mirimir’s instructions (using adralenos firewall, not pfSense VMs as firewall). This setup has worked completely fine consistently. I check for IP and DNS leaks on test sites a few times every day, and there’s never been a DNS leak until today. The test sites I used today all show that my IP address isn’t leaking, but that my DNS is leaking. For the first time, the test sites are saying I have a DNS leak, and for the first time, these test sites are actually showing the name of my local ISP. Tried multiple AirVPN servers today, and they are all showing a DNS leak. What are possible explanations for a DNS leak suddenly showing up after an extended time of there never being a DNS leak? No variables have changed that I’m aware of: I’m still using the same hardware, the same ISP connection, the same VPN/VM/firewall configurations…nothing has changed except a DNS leak has suddenly appeared.

That was an hour ago. When I just checked again, the three test sites which an hour ago said that I had a DNS leak are now saying I don’t have a DNS leak. But then I just remembered to check that more comprehensive GRC DNS site (https://www.grc.com/dns/dns.htm ) and it just found 17 servers, 16 of which included my ISP’s name! In the past the GRC DNS site has never shown me a DNS leak; this is the first time. What is going on here?

 

Maybe AirVPN changed something. But I just checked, and don't see DNS leaks.

The first thing to do is replace your ISP-assigned DNS server(s) with third-party DNS servers from http://www.wikileaks.org/wiki/Alternative_DNS etc. Do that in your LAN router, and also flush DNS in your host machine, and check for any static DNS servers. That way, even if there's a DNS leak, it won't be your ISP's DNS that leaks.

Then check the pfSense configuration. In "System: General Setup", make sure that "Do not use the DNS Forwarder as a DNS server for the firewall" is checked (enabled). Also make sure that "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked (disabled). Then go to "Services: DNS forwarder" and make sure that it's unchecked (disabled).

In "Services: DHCP server", check what DNS servers are specified. If it's an AirVPN tunnel IP address, try changing that to one or two third-party DNS servers.

Nothing else is ocurring to me.

 

Thanks mirimir. I’m very concerned about this. Does it feel plausible that all of a sudden a DNS leak would appear like this, or is it likelier that DNS has been leaking all along and it just wasn’t showing up on DNS leak test sites? Asked differently, do you think it’s likelier that it just wasn’t set up right from the beginning, or likelier that something has changed which is causing this leak?

I ask partly because I’m trying to gauge the implications of this leak. As I understand it, your system depends on the VM never seeing the actual ISP IP & DNS info which means it can’t reveal that info, regardless of what malware comes its way. Now that my VM has seen my ISP DNS info, does that pretty much defeat my attempt at privacy? Asked differently, will I need to start over with new VPN accounts, new VMs (and maybe a new location) to be able to be private?

[Also, to be clear, my setup does not include pfSense VMs; sorry if I didn’t make that clear enough]

 

Some of the DNS-leak test sites don't test exhaustively enough to show all DNS servers that your machine is using. The GRC test does several hundred tests, and keeps testing until it's finding no new DNS servers.

So, yes, it's possible that you've had a leak all along, if you weren't using the GRC test.

Implement my first recommendation re using third-party DNS servers.

Then check the VPN interface. In Linux Network Manager, you can change it from full DHCP to "address only" and hard code third-party DNS servers. Maybe that's doable in Windows and OS X too.

What matters is that the VM doesn't see the Internet (or vice versa, rather) except through the VPN. Having DNS leaks doesn't affect that.

DNS leaks matter when an adversary is actively after you. As long as there are no VPN leaks, your ISP's DNS server is always being accessed through the VPN tunnel. If an adversary is watching traffic exiting the VPN, they can correlate DNS lookups using your ISP's DNS server(s) with visits to websites.

However, unless you reveal your identity, that just implies that someone using your ISP (not necessarily you) is visiting those websites. The adversary would need to simultaneously monitor the VPN service entry servers, and correlate your activity with website access.

Anyway, I wouldn't stress too much. Fix the leak, and maybe switch to a different VPN service.

That was clear from "guide 2" but I didn't pick up on it

 

Thanks very much for your above DNS leak advice, mirimir. I did the things you suggested: switched from my ISP's DNS servers to 3rd-party DNS servers (in my LAN router), flushed DNS in my host machine, checked for any static DNS servers, and changed from full DHCP to “address only” and hardcoded the third-party DNS servers in Linux Network Manager. Now I thankfully don’t see my ISP’s DNS servers listed when I check on DNS leak sites.

But some of these test sites do come back with big red-letter warnings that I MAY have a DNS leak. I think this may be happening because the IP address which these sites see (via my VPN) is sometimes different than the DNS servers’ IP addresses they see. So I’m guessing that sometimes my system is using the VPN’s DNS servers, and sometimes it’s using the third-party openDNS servers I’ve now configured, and when it uses the latter, the DNS leak sites think there may be a DNS leak because IP and DNS IP addresses don’t match?

And with the GRC “DNS Nameserver Spoofability Test” page, it is typically now finding a handful of DNS servers, and while it sometimes displays the domain name of DNS servers (which now are openDNS servers, not my ISP’s servers), it also often doesn’t display the DNS server domain name and instead displays the statement: “This nameserver has no associated domain names”. When it comes back with this ‘no associated domain names” result, it does nonetheless display an IP address, for example: “Analysis of 460 queries from nameserver at [72.287.34.82]” and these displayed IP addresses are very similar to, but not exactly, the IP address of my VPN exit server.

I’m confused about what this all means, and whether I still have a problem. So, a few questions:

Can I safely assume that GRC’s “no associated domain name” servers are my VPN’s DNS servers because their IP addresses are very similar to my VPN’s exit servers? It just makes me a bit nervous that there is no domain name displayed to confirm that it’s not my ISP’s DNS servers.

Does it sound like I still have a DNS leak, since at least sometimes my system appears to be using third-party DNS servers instead of my VPN’s DNS servers?

If I still have a DNS leak, how do I fix it?

What are the practical implications of having this DNS leak? Is it definitely only a problem if an adversary is actively—in real time—trying to correlate VPN and DNS lookup traffic? I’ve seen quite a bit of concern about DNS leaks on these pages, so I want to be clear if there are any potential problems with these leaks other than that “real time correlating”.

 

Good

What test sites are you using?

I prefer the GRC test, because it's comprehensive. But it does require interpretation.

That just means that the DNS servers don't have public hostnames. If their IP addresses are similar to your VPN's exit IPs, it's safe to assume that they belong either to the VPN service or to the provider that hosts its servers.

As long as you're not using your ISP's DNS servers, you don't have a DNS leak, or at least not a serious one. Before the VPN connects, Linux is using the third-party DNS servers. After the VPN connects, it may use all of them. You can see what it's using in /etc/resolv.conf [sudo nano /etc/resolv.conf] and can delete lines [nameserver 1.2.3.4] that you don't want.

I don't think that it's a major problem. As long as you're not doing similar stuff before connecting the VPN and afterward, which is a very bad idea for many reasons, using the same third-party DNS server isn't an issue. Many people use those DNS servers. And you're using them from different IP addresses.

However, this is another reason why I like pfSense VMs. It's easy to set DNS servers, and you can lock down all "use what's findable" options.

 

Great; thanks very much. Here are sites I typically use to check for DNS leaks:
http://ipleak.net/
http://dnsleak.com/
https://www.dnsleaktest.com/
https://www.dns-oarc.net/oarc/services/dnsentropy

But the main one I trust is this GRC site:
https://www.grc.com/dns/dns.htm (which I assume is the same GRC page which you recommend)

On another front, I've been meaning to ask about another issue which has confused me. As mentioned above, I use a setup based on Part 2 of your iVPN guide series; I have one VPN in the physical host which connects to a second VPN in a VB VM; OS for both host and guest is Ubuntu 12.04, all set up as you instruct in Part 2, with those exact firewalls, etc. As I understand it, this setup should force all my traffic through the VPNs and protect my privacy. But I feel like I've read somewhere along the way that there may be exceptions to this. For example, I may have read that captcha tests can somehow leak info. I also feel like I may have read that some web-based email services can somehow leak info even when used within VPNs, and so it's best to use special privacy-oriented email services. Maybe, though, I've confused this, or these references are relevant only to those who use a single VPN, and without a VM.

So...are there any things at all which should not be done, like solving captcha tests, when using this double VPN/VM system, or is it safe to do anything online, assuming I've set up the system correctly? Is there any privacy reason not to use traditional web-based email providers when using this system?

 

Thanks. I'm curious. I'll report back.

Even with one VPN, set up properly, nothing that you do online will reveal your ISP-assigned IP address. Well, except for downloaded files or malware that "phones home" when the VPN isn't connected. But with proper firewall rules (such as using adrelanos' iptables scripts) there's no Internet connectivity at all except through the VPN, so even that stuff won't compromise you.

Even with end-to-end encryption, webmail (and email generally) leaks information in message headers, including IP address. But that will be the VPN exit IP address. And of course, email addresses of sender and recipient appear in message headers, so they should be suitably pseudonymous (not linked to true names).

 

Hi mirimir,

With regard to (using adrelanos' iptables scripts) are you referring to Hardening your VPN Setup with iptables as related to adrelanos / VPN-Firewall?

-- Tom

 

No, I'm referring to his script that configures iptables. I'm no iptables expert, but the setup works: traffic can only use the VPN tunnel, and the VPN can reconnect. And I trust him. The only downside is that you must specify the IP address of the VPN server.

Improvements and routing would be good additions.

Linux iptables and routing confuse me, and that's another reason why I like pfSense router/firewall VMs as VPN clients

 

Hi mirimir,

Do you have a link to adrelanos's script that configures iptables?

-- Tom

 

There are two scripts for download at https://github.com/adrelanos/VPN-Firewall. One is "usr/bin/vpnfirewall" that changes iptables, and the other is "/etc/init.d/vpnfirewall" that starts it at boot.

 

Thanks mirimir!

-- Tom

 

I am learning about networking in linux, so I apologize if this question is too stupid.

Adrelanos's vpn firewall only permit connections/data transfers through the vpn tunnel.
It allow connections to tun or connections tagged for destination of your vpn server ip address. Good.

How does the vpn and vpn firewall handle something like torrent traffic?
If a common firewall configuration, I mean not being only for vpn, has rules to allow traffic on torrent ports 6881 and 4444 (for example), how does the vpn firewall with openvpn know to allow such torrent traffic to pass? Does the openvpn client app know how to handle this automatically? Or does the user have to add additional rules to Adrelanos's iptables script?

 

You want your torrent client to listen on ports 6881 and 4444, right?

If so, you need to add rules to VPN-Firewall to allow that on the VPN interface.

You also need to have those ports forwarded by the VPN client.

 

Mirimir, a note to help people who trying to follow the tutorials.
I tried like you suggest is possible to make shared folder for the live cd VM so host can use shared files from Live CD VM. (pfSense VPN VM, Live CD linux VM, linux host.)

I made host folder called LiveCD.
In the Live CD VM, already I install the VirtualBox guest additions. Then I did from the tutorial:

Code:

sudo mkdir /media/cdrom1
sudo mount /dev/sr1 /media/cdrom1
cd /media/cdrom1
sudo ./VBoxLinuxAdditions.run

then I tried

Code:

sudo mkdir /home/ubuntu/host
sudo mount -t vboxsf LiveCD /home/ubuntu/host

Then I able to add files from the host to the shared LiveCD folder on the host.
But if I try to add files from the Live CD VM to the shared folder, this caused error - permission denied

It is necessary to first fix permissions of the LiveCD folder on the host
I did

Code:

sudo chmod 777 /home/user/LiveCD

(although I don't know if you say 777 is too risky for security)

and second to add VM user (mine ubuntu) to the vboxsf user group

Code:

sudo adduser ubuntu vboxsf

After do this, it working.