Why Should I Use a VPN

Discussion in 'privacy technology' started by merisi, Jan 3, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Talking about them here certainly does attract attention.

    However, the actual setup doesn't attract attention. On either end, it just looks like you're using a VPN, which has become quite common with attacks on torrent users. The fact that you're using Tor isn't apparent until one of the VPNs is compromised. However, even if both VPNs were compromised, attackers wouldn't know that they're looking at a VPN>Tor>VPN setup. They wouldn't know that until they had compromised Tor, which is nontrivial.

    If, on the other hand, you deanonymize yourself by revealing personal information, the process of attacking your Internet connections will quickly reveal the VPN>Tor>VPN setup. Even then, confirmation would require considerable effort, I believe.
     
  2. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    hey mirimir you ready to continue ? ;)
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, sorry ... coffee first :)
     
  4. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Why of course, I myself am gonna have some tea, teatime... lols
     
    Last edited: Jan 19, 2013
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Congratulations! That's very impressive. I acknowledge you for persevering :)

    OK.

    That's what I expected. We're rather mangling Tor, so expecting DNS lookups (which are a kludge in Tor to begin with) is not a very good bet.

    So, you'll need to do some testing, and determine which Mullvad entry IP is the fastest and most reliable. Maybe Mullvad will tell you that. Because, by using an IP rather than one of their URLs, you're bypassing their server load balancing and failover.

    Yes, that was the goal: outer VPN (AirVPN) in UDP mode and inner VPN (Mullvad) in TCP mode.

    At some point, it would be good to check Incognito with AirVPN in TCP mode. And we need to review the Tor release notes to see what's changed, both from a security perspective, and to understand why Incognito doesn't work through AirVPN in UDP mode.

    OK, that's fine. We don't need that stinking rule ;)

    I'm just pointing out that the setup that you have working can be easily moved from a virtualized environment to hardware. pfSense is an operating system, and the Tor Gateway is basically OpenWRT, and could readily be tweaked to run on suitable routers. With adequate (and suitably hardened) hardware and Internet connectivity, you could even operate your own VPN>Tor>VPN anonymity service using this setup :)

    OK, for the firewall rules, go to the "Firewall: Rules: LAN" page in the AirVPN GUI. Click the bottom right "+" button to create a new rule. For "Action", select "Block". Leave "Interface" at "LAN". For "Protocol", select "any". For "Source", select "LAN subnet". For "Destination", select "WAN subnet". For "Description", use "block all LAN to WAN traffic" or whatever. Then hit "Save". Then check your new rule in the box on the left, and click the arrowhead button next to the "Default allow LAN to any rule" rule, to move your rule above it. Then click the "Apply changes" button at the top. Then check that you still have VPN connectivity through the pfSense AirVPN VM. If you do, then repeat the process for the pfSense Mullvad VM. Now, nothing leaks around the VPNs, even DNS lookups, even if the VPNs go down.

    To make this VPN>Tor>VPN chain work for your host machine, you first change Adapter 1 on the pfSense AirVPN VM from "NAT" to "Bridged". Now traffic from the physical NIC on your host machine goes directly to Adapter 1 on the pfSense AirVPN VM. Second, you change Adapter 2 on the pfSense Mullvad VM from "Internal Network" to "Host Only". Now traffic from the pfSense Mullvad VM goes to a virtual NIC on your host machine. I don't know Windows well enough to explain exactly how to use it on the host, but this is very standard stuff, commonly used for virtual appliances, so just google for setup instructions. Now your host machine will see the Internet only through the VPN>Tor>VPN chain. You may need firewall rules on the host to enforce that.

    We might need an additional pfSense VM to make your host Internet connection available to other VMs. It wouldn't require any special setup. It would have WAN (Adapter 1) NATed to host, and LAN (Adapter 2) connected to an internal network named "Internet" or whatever. Then you'd have Adapter 1 on the pfSense AirVPN VM connected to internal network "Internet". Your banking etc VM would also connect to internal network "Internet".
     
  6. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Well, that didn't work. I did as instructed, set up firewall rules for VirtualBox's host-only adapter in Comodo, I've even tried without, aka disabling all, and did as instructed, nothing. Even tried setting the IP of my physical as gateway in VirtualBox's host-only adapter IPv4 config, nothing. Then I tried bridging both together by selecting both and right-clicking bridge, nothing. Damn it!


    And both Mullvad and AirVPN work in Xubuntu with the firewall rules that you've given me, btw.

    I'll list the settings of all VMs now:

    Air VM: adapter 1: bridged adapter: my physical net adapter / adapter 2: AirVPN

    Mullvad VM: adapter 1: internal Tor / adapter 2: host only, below VirtualBox host-only ethernet adapter

    Tor gateway: adapter 1: Air / adapter 2: internal Tor

    And Xubuntu doesn't matter in this case since it's only for setup and testing. Not sure if this helps, but I have a TAP adapter, aka the one AirVPN's OpenVPN client software uses, if that's worth anything.





    This I have not yet done, but I'm gonna do it right now as well.

    Update: OK, finished installing the new VM pfSense Internet. I don't assume you gotta change anything on that one, unlike with the AirVPN or Mullvad VMs. Then I set its adapter 1 to NAT and adapter 2 to internal network "internet", and then set the AirVPN pfSense VM adapter 1 to internal "internet". Nope, still no luck, arghh!
     
    Last edited: Jan 19, 2013
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, let's back off a little, then.

    Go back to the basic VPN>Tor>VPN chain, and make sure that everything works with the new firewall rules in the two pfSense VMs. That is:

    AirVPN pfSense client VM (UDP mode)
    ..........adaptor 1 = WAN : NATed to host machine
    ..........adaptor 2 = LAN : connected to internal network "AirVPN"

    Tor Gateway VM
    ..........adaptor 1 = WAN : connected to internal network "AirVPN"
    ..........adaptor 2 = LAN : connected to internal network "Tor"

    Mullvad pfSense client VM (TCP mode)
    ..........adaptor 1 = WAN : connected to internal network "Tor"
    ..........adaptor 2 = LAN : connected to internal network "Mullvad"

    Ubuntu workstation VM
    ..........adaptor 1 : connected to internal network "Mullvad"

    Does that work?

    OK, undo whatever changes you made to your host machine.

    OK, but as I said above, please double check that the VPN>Tor>VPN chain still works after undoing whatever changes you made to your host machine.

    That should have worked OK.

    That looks fine, assuming Adapter 1 is actually "airvpn" ;)

    That may be it. In a pfSense gateway VM in VBox running on Ubuntu, selecting "Host-only Adapter" for Adapter 2 gives me the Name "vboxnet0". I don't see "ethernet adapter". But maybe I'm confused.

    Anyway, when that VM is running, I see a new interface "vboxnet0" in the host. If I add that to /etc/network/interfaces and restart networking, I see that it gets an IP address from the pfSense VM's DHCP server. But I haven't figured out yet how to force the host to use it :eek:

    I'll google some, and see what I can figure out.

    Right.

    No, that's irrelevant for now :)

    Edit: forget about the third pfSense VM for now.
     
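    A small checker for the four-VM layout listed above, written as an added example (not from the thread or from pfSense/VirtualBox). The VM and adapter names are constructed; it flags any adapter other than the first WAN that reaches the host, and any hop whose LAN internal network is not exactly the next hop's WAN.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Adapter:
    kind: str                      # VBox attachment: "nat", "bridged", "hostonly" or "intnet"
    intnet: Optional[str] = None   # internal-network name, only when kind == "intnet"

@dataclass(frozen=True)
class VM:
    name: str
    wan: Adapter                   # Adapter 1
    lan: Optional[Adapter] = None  # Adapter 2; the workstation VM has none

HOST_REACHING = {"nat", "bridged", "hostonly"}   # attachment types that touch the host

def check_chain(chain):
    """Return a list of wiring problems; an empty list means the chain is sound.
    1. Only the first VM's WAN may reach the host (as NAT); any other adapter
       that does so is a path around the VPN/Tor hops.
    2. Each VM's LAN internal network must be exactly the next VM's WAN internal
       network, and no internal network may be the LAN of two VMs."""
    problems = []
    first = chain[0]
    if first.wan.kind != "nat":
        problems.append(f"{first.name}: WAN should be NAT to the host, got '{first.wan.kind}'")
    for vm in chain:
        adapters = [("LAN", vm.lan)] if vm is first else [("WAN", vm.wan), ("LAN", vm.lan)]
        for label, ad in adapters:
            if ad is not None and ad.kind in HOST_REACHING:
                problems.append(f"{vm.name}: {label} is '{ad.kind}', which bypasses the chain")
    lan_owner = {}
    for up, down in zip(chain, chain[1:]):
        linked = (up.lan is not None and up.lan.kind == "intnet"
                  and down.wan.kind == "intnet" and up.lan.intnet == down.wan.intnet)
        if not linked:
            problems.append(f"{up.name} LAN does not feed {down.name} WAN on one internal network")
            continue
        if up.lan.intnet in lan_owner:
            problems.append(f"'{up.lan.intnet}' is the LAN of both {lan_owner[up.lan.intnet]} and {up.name}")
        lan_owner[up.lan.intnet] = up.name
    return problems

# Constructed configs: CHAIN_OK is the four-VM layout from the post above; CHAIN_BROKEN
# bridges Adapter 1 of the AirVPN VM and makes Adapter 2 of the Mullvad VM host-only.
CHAIN_OK = [
    VM("AirVPN pfSense", Adapter("nat"), Adapter("intnet", "AirVPN")),
    VM("Tor Gateway", Adapter("intnet", "AirVPN"), Adapter("intnet", "Tor")),
    VM("Mullvad pfSense", Adapter("intnet", "Tor"), Adapter("intnet", "Mullvad")),
    VM("Ubuntu workstation", Adapter("intnet", "Mullvad")),
]
CHAIN_BROKEN = [
    VM("AirVPN pfSense", Adapter("bridged"), Adapter("intnet", "AirVPN")),
    VM("Tor Gateway", Adapter("intnet", "AirVPN"), Adapter("intnet", "Tor")),
    VM("Mullvad pfSense", Adapter("intnet", "Tor"), Adapter("hostonly")),
]
```

    Calling `check_chain(CHAIN_BROKEN)` reports the bridged WAN and the host-only LAN as the two paths that let traffic around the chain, while `CHAIN_OK` reports nothing.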
  8. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Yes, it worked, with



    just as yesterday with global Comodo blocking rules enabled! -.-'

    Btw, I've set everything I've changed in my host back to what it was, always after testing and having no success ;)

    FYI, I've named my internal VM networks according to the VPNs so I don't get confused, so yes, Air is Air ;)


    You're confused. That may be so in Linux, but it's named by default "VirtualBox Host-Only Ethernet Adapter" by VirtualBox in Windows, and is there with the other network devices such as the Air TAP adapter and my physical NIC.


    God damn it, victory was so close I could taste it, arghhh!
     
    Last edited: Jan 19, 2013
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, I'm going to replicate this in an old laptop that's running Windows 7.

    What Windows are you running?

    Also what versions of VBox, pfSense, and Ubuntu?
     
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    W7 64-bit SP1 Ultimate / latest updates / UAC disabled / admin account / Comodo Firewall 5.12 / custom ruleset for FW and D+ in safe mode. The rest I assume is of no interest.

    VBox 4.2.6, aka the latest release for Windows; it's only been a couple days -.-


    pfSense: the one you've recommended, pfSense-2.0.1-RELEASE-amd64.iso


    Ubuntu:

    xubuntu-12.04.1-alternate-amd64


    and another one for the live CD test environment:

    xubuntu-12.04.1-desktop-amd64


    Tor 5.3, the version before Incognito got released, 0.6, though as you know I have both and even have both set up, though I don't use Incognito atm after the mentioned problems.

    Hell, I've even got Whonix, both ovms, and Qubes latest, stashed.
     
    Last edited: Jan 19, 2013
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  12. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    That's a shame really.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, I suppose that it is.

    I did get Qubes working in the old Thinkpad T420 that I'll be using for the VPN testing. But I didn't have the patience to learn it well enough, so I nuked it. However, given what I've been seeing about VM->host attacks, maybe it's worth a second look :)
     
  14. Qubes won't work in a VM sadly, but it's well worth a look as a standalone OS. I can't think of anything security-wise that beats it, it's really a work of art.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, indeed. Although I'm certainly not qualified to have an opinion, it seems to me that what I've read either (1) says what you just did, or (2) misses the point in a more-or-less sarcastic and butthurt way.

    Having said that, it seems to me that the developers have focused on security against hacking, and that anonymity features (VPN services, Tor, etc) have been rather an afterthought. Have I misread that?
     
  16. No, you're on the right track. But Joanna and crew will add features in future versions. So if you have anything you want included just ask.
     
  17. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Who knows, perhaps Joanna and crew could make a VirtualBox version once it matures more. I'm sure that would be possible, with anonymity features such as Tor and VPN services support. I'm sure it would be able to replace Xubuntu as VM of choice; it does seem like a rather interesting project, and VirtualBox has support for PXE and VT-x and VT-d instructions, so it shouldn't be too much of a problem.


    http://theinvisiblethings.blogspot.in/2012/09/how-is-qubes-os-different-from.html


    "products such as VMWare Workstation or Fusion, or Virtual Box, are all examples of type II hypervisors (sometimes called “hosted VMMs”), which means that they run inside a normal OS, such as Windows, as ordinary processes and/or kernel modules. This means that they use the OS-provided services for all sorts of things, from networking, USB stacks, to graphics output and keyboard and mouse input, which in turn implies they can be only as secure as the hosting OS is. If the hosting OS got compromised, perhaps via a bug in its DHCP client, or USB driver, then it is a game over, also for all your VMs."

    That's why one disables audio and USB in the settings of the according VM. About DHCP client bugs, not sure what to say about that one.


    "support for shared clipboards which every other VM can steal, insecure file sharing methods, and others, all make it not a very desirable solution when strong domain isolation is important. (This is not to imply that Qubes doesn't support clipboard or file sharing between domains, it does – it's just that we do it in a secure way, at least so we believe). "


    Clipboard and drag and drop are disabled by default.


    "Open GL exposed to VMs"

    2D and 3D are as well disabled by default.


    Very interesting statements indeed.


    With all this talk on hypervisor type II, aka host-hosted VMs, I wonder if simply sandboxing VirtualBox would do the trick, hmmmm...



    " As of now there is still no seamless app integration for Windows applications, so Windows VMs are presented as full-desktop-within-a-window, but we're aiming to add support for this in the next Betas."

    "Joanna Rutkowska said...

    If you don't trust closed source software, then you should not use Windows VMs in the first place.

    Please note that the Qubes Windows Support Tools runs only in VMs, not in Dom0."


    Hell, if they manage to add full Windows app support and TrueCrypt support, I might even consider using Qubes on my host, lols.


    Though it could be a TAILS killer once mature.
     
    Last edited: Jan 20, 2013
  18. If they add Truecrypt I'll throw up, sorry but it's a PEDO magnet.

    It won't kill Tails, that is being actively developed thank you. Now what might happen is that Joanna gets a multi-million dollar offer to buy her technology from Microsoft or Oracle.

    I'm surprised you haven't given Liberte Linux a shot happy?
     
  19. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    We'll see about Liberte, maybe mirimir can chime in on that one. Btw, TrueCrypt a PEDO magnet?! Seriously, ComputerSaysNo? No comment -.-'.....
     
  20. haha sorry couldn't help it. No offense!
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, all encryption methods, especially good ones, will be of interest to criminals of all sorts, and to those who investigate them ;)
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Actually, Qubes would be your host OS. And maybe that's what you meant.

    In Qubes, each key OS component and app is essentially isolated in its own VM. The host OS is basically just a minimal hypervisor. And the VMs are isolated at least as well as those in VBox or VMware. The people who wrote it work with some seriously nasty stuff, and associate with some seriously clever blackhat hackers.

    As ComputerSaysNo said, it is a work of art :)
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that's their goal, it seems. But we can hope that they'll maintain a "community version". In any case, it's wise to download every release, just in case :)
     
  24. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803

    Yes, that's what I meant :cool:. As I said, add Windows app support and I'm in. Hell, they could add it in a version that requires you to unlock Windows support features by entering your Windows 7 serial key in order to authenticate you actually owning a Windows license ;). Though somehow I've got the feeling all that won't happen, a damn shame I tell you. I already stashed the latest version on my HDD, lols, it's just sitting there, poor thing. Guess we'll just have to sandbox VBox for now ;)

    Btw, how's the old Windows 7 laptop setup going, mirimir? ;)
     
    Last edited: Jan 20, 2013
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It's going to have to wait a bit. Sorry :(

    I've got to do some paying work :) But I'll work on it this week.

    In the meantime, you could read up on pre-built VBox appliances for Windows that use the host->VM->host approach. The key is how to set up Windows networking and firewall so that apps can use the VBox host-only virtual interface.

    There may also be an issue about the need for admin rights to create a network interface, as with OpenVPN. But you said that you had disabled UAC, right?
     