Using VMs for Routing VPNs and Tor: Playing with Virtual Networks

Discussion in 'privacy technology' started by mirimir, Jan 9, 2012.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    1. OpenDNS for the network, so where is this being hard coded, on a router or on the adapters?

    2. If you've just hardcoded in the DNS as I'm assuming, by OpenDNS for the network then for baz.net's default DNS, you're letting that get pushed to the client, so now you have OpenDNS on the router and the VPN DNS being pushed to you?

    3. "gw.foo-bar.baz.net" is the VPN that goes down correct? If it goes down and it's properly configured you're not going to be online leaking anything, there's going to be no connectivity, so I'm still not sure how you think there's going to be any leaks.

    Also we have to start thinking in terms of what OS are we discussing, if any and all.

    Windows is the only one that leaks, OSX, Unix, Linux do not...

    So I'm assuming you've been talking Windows all along...
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Not Windows. Specifically, I'm talking about a pfSense VM, set up as I've described. If I misconfigure the OpenVPN client in the pfSense VM, by using an incorrect hostname, the VPN doesn't connect. I have a LiveCD VM connected to the pfSense VM's LAN, and I try a few times to run the DNS spoofability test at -grc.com/dns. Two of the ~1,700 DNS queries for grc.com make it to my network perimeter, trying to reach the VPN's DNS servers, unless I have a firewall rule on pfSense LAN to block them. That's two too many!
     
  3. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ahh now we're getting somewhere...

    I always just make up hostnames, since I'm just on a standalone workstation, no LAN connected to other physical boxes...

    So, in a home/box setup, running in this order;

    'Host' - 'pfSense' - 'Guest' and the Host network has the DNS hard coded, I've not seen any problems...

    And I thought basically the idea of the post was just for setting up Home users to have a few layers of protection on their home boxes, not any fancy network setups. But even still I've been assuming if the DNS was hardcoded on the actual network or Host it's not going to present a problem...

    So what DNS do you want the queries making it to? I thought you were using the VPN DNS? And where did you see this happening on your end or a GRC report?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    No, I didn't mean "hostname" to refer to any of the local machines. I meant it to refer to this line in the client.conf for OpenVPN on the pfSense VM: "remote hostname 443 tcp". After misconfiguring the VPN so it can't connect, and trying to connect to -www.grc.com, I saw lots of packets like this on the host machine's LAN interface:

    Source: 192.168.100.5 [which is the host machine's LAN IP]
    Destination: 10.x.y.1 [which is one of the VPN's DNS servers]
    Protocol: DNS
    Info: Standard query A www.grc.com

    I also saw two packets like this on the WAN interface of my network perimeter router:

    Source: my.external.isp.ip
    Destination: 10.x.y.1 [which is one of the VPN's DNS servers]
    Protocol: DNS
    Info: Standard query AAAA www.grc.com

    So I have added a firewall rule to the pfSense VM's LAN blocking traffic to 10.x.y.0/24.
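    The packet summaries above are exactly the kind of thing a capture review has to pick out of a few thousand records, so here is an added example (my own illustration, not mirimir's or pfSense's code) that parses that Source/Destination/Protocol/Info layout and flags any DNS query that shows up outside the tunnel addressed to the VPN's private resolver. The 10.8.0.0/24 resolver range, the 203.0.113.7 external address and every record in it are constructed stand-ins for the thread's 10.x.y.1 and my.external.isp.ip placeholders.

```python
"""Flag DNS queries that escaped a pfSense/OpenVPN setup, working from the
Source/Destination/Protocol/Info summaries quoted in the thread.

Added example. All addresses and records below are constructed sample data,
not a real capture.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed: the VPN provider's private resolver range (thread: 10.x.y.0/24).
# The only legitimate path to these addresses is inside the tunnel.
VPN_DNS_NET = ipaddress.ip_network("10.8.0.0/24")

# Wireshark's DNS query summary, "Standard query A www.grc.com"; newer builds
# insert a transaction id, "Standard query 0x1a2b A www.grc.com".
_QUERY_RE = re.compile(r"Standard query(?: 0x[0-9a-fA-F]+)? (\S+) (\S+)")


@dataclass(frozen=True)
class Packet:
    iface: str  # capture point, e.g. "host-lan" or "perimeter-wan"
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    info: str


def parse_capture(text, iface):
    """Parse blank-line separated Source/Destination/Protocol/Info records."""
    packets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        try:
            packets.append(Packet(iface,
                                  ipaddress.ip_address(fields["source"]),
                                  ipaddress.ip_address(fields["destination"]),
                                  fields["protocol"], fields["info"]))
        except (KeyError, ValueError):
            continue  # skip malformed records instead of aborting the review
    return packets


def is_dns_leak(pkt):
    """DNS towards the VPN resolver seen at any capture point outside the
    tunnel (host LAN, perimeter WAN) means the query left in the clear."""
    return pkt.proto == "DNS" and pkt.dst in VPN_DNS_NET


def queried_name(pkt):
    """Return (record type, name) for a DNS query summary, else None."""
    m = _QUERY_RE.search(pkt.info)
    return (m.group(1), m.group(2)) if m else None


def leak_report(packets):
    leaks = [p for p in packets if is_dns_leak(p)]
    return {
        "total": len(packets),
        "leaks": len(leaks),
        "by_iface": dict(Counter(p.iface for p in leaks)),
        # The names are the information that actually leaked.
        "names": dict(Counter(n[1] for n in map(queried_name, leaks) if n)),
    }


# Constructed sample: what the host's LAN interface might show while the
# OpenVPN client in the pfSense VM keeps retrying a server it cannot reach.
HOST_LAN_CAPTURE = """\
Source: 192.168.100.5
Destination: 10.8.0.1
Protocol: DNS
Info: Standard query A www.grc.com

Source: 192.168.100.5
Destination: 10.8.0.1
Protocol: DNS
Info: Standard query AAAA www.grc.com

Source: 192.168.100.5
Destination: 198.51.100.20
Protocol: TCP
Info: 51234 > 443 [SYN]
"""

# Constructed sample: the perimeter router's WAN side, after NAT.
PERIMETER_WAN_CAPTURE = """\
Source: 203.0.113.7
Destination: 10.8.0.1
Protocol: DNS
Info: Standard query 0x1a2b AAAA www.grc.com

Source: 203.0.113.7
Destination: 10.8.0.1
Protocol: DNS
Info: Standard query A www.grc.com
"""


def analyze_constructed_captures():
    packets = (parse_capture(HOST_LAN_CAPTURE, "host-lan")
               + parse_capture(PERIMETER_WAN_CAPTURE, "perimeter-wan"))
    return leak_report(packets)


if __name__ == "__main__":
    r = analyze_constructed_captures()
    print(f"{r['leaks']} of {r['total']} packets carried DNS to {VPN_DNS_NET} "
          f"outside the tunnel; names exposed: {r['names']}")
```

The retrying OpenVPN SYN to the server is deliberately left unflagged, since that is expected while the tunnel is down; only the resolver queries count, and each one the report lists is a packet the LAN-side block rule on the pfSense VM would have stopped.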
     
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ahh ok, so only pfSense was running OpenVPN and nothing on the host?

    I'll run the host with no OpenVPN, then pfsense with only OpenVPN and change the host and see if anything comes through on my end...

    The last time I had it go down, I could have sworn everything stopped dead and nothing was getting through, which is what this thing should be doing by default out of the box with no extra setup...
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes. I was testing the "outer" VPN connection, by which I mean the VPN connection (using pfSense) which sources a VirtualBox internal network that other pfSense VMs connect through. Normally, nothing else uses that internal network, only pfSense VMs. But for testing, I had a LiveCD VM attached to hit -grc.com/dns.

    With the default setup, with no firewall rules in pfSense to block DNS leaks, only two out of about 1700 DNS query packets got out of the host machine. I suspect that the GRC DNS test just hammered the VirtualBox internal network router too hard.

    "Stopped dead" doesn't necessarily mean "nothing was getting through". Those DNS packets to 10.x.y.1 were never going to get answered. But they did leak information.

    I've been playing with my own OpenVPN Access Server, using the default server configuration with OpenVPN clients in different OSs (so far, Ubuntu, pfSense, FreeBSD and CentOS). It's clear that pf (FreeBSD, pfSense) responds differently than iptables does. Also, although both CentOS and Ubuntu use iptables, CentOS behaves differently, probably because firewalling is on by default.
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ok if you can just give me the basic steps as to what you did so I can reproduce...

    Here's what I've done...

    1. Started pfSense and it connected to VPN

    2. Started VM with internal net pfSense

    3. With VM running I opened Firefox and went to the GRC DNS test.

    4. Next in pfSense - VPN - OpenVPN - Client, I disabled the VPN and then I cleared the logs, next I clicked the GRC button; 'Initiate Standard DNS Spoofability Test' and nothing loaded for me, I was offline.

    Ok so with the steps I did 1-4, even though I did not change the 'Server host or address' under the Client section when you said you messed with the hostname, I don't see how there was any connectivity going on.

    So just give me real basic steps to follow...


    THANKS
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that's exactly one of the tests that I did. Another test was using an incorrect name for the VPN provider's access server, so the OpenVPN client kept trying to connect, but couldn't because it was looking for a server that didn't exist.

    Anyway, use pfSense's capture utility to see what's going out on WAN. Use Wireshark on the host machine to see what's going out on its WAN. And capture traffic going out through your network perimeter router. You may see some DNS queries asking about -www.grc.com
     
  9. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that is a standard setup. Thanks for posting the link. I don't want observers to see that I'm running Tor, however.
     
  11. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    For the lazy like me you can simply use Ra's Tor gateway;

    http://ra.fnord.at/




    Ok so you basically did what I had done? Disconnected, then clicked the test and then it was still going out?

    So do I need both pfSense's capture utility to see what's going out the WAN and then Wireshark on the host as well?

    By the way is pfSense's capture utility built into it? I didn't notice this, where is it?


    THANKS
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I like it too, obviously. However, it's running Tor 0.2.1.24, whereas the current version is 0.2.2.35 :eek: That's the latest version in the package repository for OpenWRT Backfire 10.03. However, OpenWRT Backfire 10.03.1 has Tor 0.2.1.30, which is almost current.

    It probably wouldn't be too hard to replicate his gateway using OpenWRT Backfire 10.03.1. Compiling Tor 0.2.2.35 for it would be harder.

    @addi6584 -- How are you doing o_O

    Right. I didn't see any connection to -grc.com, but DNS requests were getting out.

    You could capture on the pfSense's LAN and WAN using its capture utility. You could capture on the host's WAN using Wireshark. And you could capture on the perimeter router's WAN using its capture utility (for me, it's pfSense on a little PC).

    It's at "Diagnostics | Packet Capture".
     
  13. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I was just at Ra's; seems like he's keeping it pretty active and sounds like concern for getting this into the Tor Project, that would really be great.

    So is pfSense's capture utility enough to test with?
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, it would be a good fit. Tor really needs an "official" transparent proxy. By design, neither TBB nor TAILS handle non-browser traffic without tweaking, and both can be broken (with some effort).

    Yes. It produces standard capture files (.cap) that you can open with Wireshark.
     
  15. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825


    Why do you think Tor needs an "official" transparent proxy?
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I think that because it doesn't have one ;) It takes some skill to safely torify email, torrents, news and so forth. Using transparent proxies is simpler (but not foolproof).

    The Tor Router project is close, but its focus seems to be Tor via open WiFi, not private use. Still, that's why there's a Tor package in OpenWRT, I think.
     
  17. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I think Ra's project nails it on the head, making him a good candidate for that. It's also free vs. the charge of buying a specific tor router.
     
  18. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    https://trac.torproject.org/projects/tor/wiki/doc/TorBOX is the route I went. It's substantially easier to implement and maintain, esp. given various individual hardware requirements, than trying to build a one-size-fits-all image on OpenWRT.

    Used peanuts for resources. I just did an Ubuntu 10.04 server install, installed what I needed to compile everything and then removed all the packages I don't need.

    I will probably wind up building another one on OpenBSD for an even smaller footprint. OpenWRT was a PITA.

    That Ra guy's website is down so I'm not able to read up on how he's routing UDP traffic through Tor at the moment, except for DNS, but I'll throw that in there eventually.
     
    Last edited: Feb 11, 2012
  19. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    @addi6584 that's a very sound choice since the *BSDs are more virus resistant and stable. Also the fact that OpenBSD's pf is better than iptables is also a good reason to use this platform instead. :thumb:


    Are you thinking about releasing the source code after you're done? Are you going to upload it to the Tor guys?
     
  20. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    I don't really have any intentions of releasing a distro. All I did was follow the TorBOX guidelines for the Tor gateway.

    The most important thing is to "block and tackle" per se with your LAN's router to block anything from leaking from the VPN pfrouter, Tor gateway and all machines that are to be behind the pfvpn box and/or Tor gateway.

    In my setup I've got an unbound DNS server (also on OBSD) sitting behind the pfvpn, optimised to hit DNS servers geographically closer to the VPN server before hitting root servers for recursion, which speeds things up a bit for everything behind the pfvpn, as well as allows me to use DNSSEC and not rely on the VPN's DNS servers or Google.

    You can run unbound on pfSense but they only allow peanuts for configuration options.

    There are actually too many variables imo to release a distro of any sort for what we're doing. By default there's enormous room for error to accidentally leak packets.
     
  21. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Oh I thought you were trying to implement a Tor gw in OBSD. nvm
     
  22. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    I love Step 2 – Install the server (Tor-Gateway);

    ---> It is still very untested LOL...

    Well as geek as I am, I really don't like reading words like that, I'm really happy just to stick to Ra's if I need Tor, but honestly the way to go is multi hopping through VPNs...

    Maybe later Tor will really implement something nice...


    THANKS
     