Using VMs for Routing VPNs and Tor: Host Machine Setup

Discussion in 'privacy technology' started by mirimir, Jan 6, 2012.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Host Machine

    If you plan to run several VMs, I recommend server-class hardware, or at least “gaming” machines. Effective cooling is essential, especially for the hard disks. With consumer-grade hardware, adding a high-capacity rear case fan is wise. You may also want to install a grill in front of the hard disk cage (or just drill a lattice of small holes). Some models are notorious for quickly baking hard disks, and can be obtained inexpensively.

    Modern low-end dual-core CPUs will run 2-3 VMs comfortably. Still, I recommend recent-vintage quad-core CPUs or better. CPU cores are a soft limit for VM capacity. I've run ten VMs on machines with single quad-core CPUs. Enable hardware virtualization support if your CPU supports it. It's an option in the BIOS configuration.

    Memory is a hard limit for VM capacity, and is currently quite cheap, so install as much as you can. That's especially important if you plan to run Windows VMs, which require more memory than Linux or BSD VMs. With a 64-bit OS, there's no 4GB memory limit.

    You also want fast storage. Go for SSDs if your budget permits. Otherwise, use RAID with multiple SATA disks. My favourite host has two 150GB 10Krpm WD VelociRaptors in Linux software RAID1. I also have hosts with four 1TB 7.2Krpm WD RE3 disks in RAID5 (which is faster) or RAID10 (which is more reliable). You may want to enable boot with degraded RAID. If you don't, and one of the disks fails, you'll need to boot with a LiveCD and repair the damage before it'll boot. If you just boot with degraded RAID, on the other hand, you may not realize that the RAID array is degraded until it entirely fails (which is too late). That's especially an issue if you use RAID5 for your boot partition, because you can afford to lose just one disk, rather than possibly two with RAID10. Speed kills, as they say.

    Although one network adaptor can be enough, I recommend at least two 1Gbps network adaptors. Intel adaptors are widely compatible, and conserve host CPU capacity. I recommend avoiding Realtek adaptors. Older Intel server-class PCIe x4 cards aren't very expensive, but some PCIe 1 cards don't work in modern PCIe 2 slots, so be careful.

    Host Operating System

    Linux is the best choice for the host OS, for five reasons. First, it's free and open-source. Second, its software RAID implementation is fast, efficient and reliable. Third, it doesn't waste host resources, and can easily be stripped down. Fourth, encrypted LVM provides flexible partition management, and native full-disk encryption (everything being encrypted except for the boot partition). Fifth, VirtualBox runs very well under it.

    It's wise to dedicate host machines to running VMs, and so it's OK to proceed without prior Linux experience. Ubuntu is a good choice for new Linux users. The Ubuntu Software Center simplifies package management. The alternate install ISO provides full access to Debian's disk partitioning tools (including encrypted LVM). As noted above, there is no 4GB memory limit with a 64-bit OS. Unless you have hardware that supports Unity, and resources to waste, I recommend Ubuntu 10.04.3 (“ubuntu-10.04.3-alternate-amd64.iso”).

    Installing Ubuntu is quite easy, even using the old-school wizard on the alternate install ISO. Create an install CD, and then boot your host machine with it. Just use the defaults until you reach the hostname screen. I typically combine OS name and computer model to avoid confusion (such as U10043x64R210). On the clock screen, I select “No” and set the time zone to UTC (bottom choice).

    On the disk partitioning screen, I select “Manual”. While the following may seem complicated, it's really not that bad. Read it through a few times, so you have a general idea of what you're doing, rather than just following the steps. Basically, you'll be creating two partitions on each disk: 1) a small one for the boot RAID array; and, 2) a large one for the RAID array that will be encrypted using dm-crypt, and then split into logical volumes (swap, root and home) using the Logical Volume Manager (LVM).

    Start with the boot-array partitions. Here are the steps for each disk:

    1. create partition table (select disk, hit enter, and select “Yes”)
    2. create small primary partition at beginning of each disk
    (a) select “FREE SPACE” line under disk
    (b) select “Create a new partition”
    (c) you want 300MB total boot space, so use these partition sizes
    i. 300MB for RAID1
    ii. 150MB for RAID10
    iii. 100MB for RAID5 with four disks
    (d) select “Primary” as partition type
    (e) select “Beginning” as location
    (f) under partition settings, choose use as “physical volume for RAID”
    (g) select “Done setting up the partition”

    Repeat the above steps for each of the other disks.

    Now create a second partition on each disk, using the remaining space. We will use them for a RAID array that will hold everything else except boot. Here are the steps for each disk:

    1. select “FREE SPACE” line under disk
    2. select “Create a new partition”
    3. accept default size
    4. select “Logical” as partition type
    5. under partition settings, choose use as “physical volume for RAID”
    6. select “Done setting up the partition”

    Repeat the above steps for each of the other disks.

    You should be back at the main disk partitioning screen. Configuring software RAID is next. Here are the steps for the boot RAID array:

    1. select “Configure software RAID”
    2. select “Yes” to “[w]rite changes to the storage devices and configure RAID”
    3. select “Create MD device” (will be md0)
    4. select desired RAID type
    5. enter number of active devices (total disks less hot spares)
    6. enter number of spares
    7. check (using space bar) which partitions to use (boot ones)
    8. click through back to main disk partitioning screen

    Now repeat that process to create md1 from the other set of partitions. We will encrypt that, and then use it for LVM.

    At this point, you should see two RAID devices on the main disk partitioning screen: “md0” being the boot array, and “md1” being the array for encryption and LVM. Let's do RAID device “md1” first.

    1. select #1 line below main md1 line, and hit enter
    2. choose use as “physical volume for encryption”
    3. select “Done setting up the partition”
    4. should be back at main disk partitioning screen
    5. select “Configure encrypted volumes”
    6. select “Yes” to “[k]eep current partition layout and configure encrypted volumes”
    7. select “Create encrypted volumes”
    8. check “/dev/md1” (using space bar)
    9. select “Continue” and then “Finish”

    Now you'll be asked for your password. Use a complex one, and make sure you remember it, because there's no way to recover it if you forget.

    You should be back at the main disk partitioning screen, and should now see the encrypted volume “md1_crypt”. Now we configure logical volumes, as follows:

    1. select #1 line below main md1_crypt line, and hit enter
    2. choose use as “physical volume for LVM”
    3. select “Done setting up the partition”
    4. should be back at main disk partitioning screen
    5. select “Configure the Logical Volume Manager”
    6. select “Yes” to “[k]eep current partition layout and configure LVM”
    7. select “Create volume group” and name it (such as “cryptovg”)
    8. check “/dev/mapper/md1_crypt” (using space bar)
    9. select “Continue” and then “Finish”

    Now you create your logical volumes. Although you can get fancy, I recommend just swap, root (“/”) and home.

    1. select “Create logical volume” and name swap
    2. set size as twice your installed memory
    3. select “Create logical volume” and name root
    4. set size as 10GB (to allow for many upgrades)
    5. select “Create logical volume” and name home
    6. set size as remaining space
    7. select “Finish”
    8. should be back at main disk partitioning screen

    Now you finish configuring your home volume, as follows:

    1. select #1 line below main LV home line, and hit enter
    2. choose use as “Ext4 journaling file system”
    3. set mount point as “/home”
    4. select “Done setting up the partition”

    Now you finish configuring your root volume, as follows:

    1. select #1 line below main LV root line, and hit enter
    2. choose use as “Ext4 journaling file system”
    3. set mount point as “/”
    4. select “Done setting up the partition”

    Now you finish configuring your swap volume, as follows:

    1. select #1 line below main LV swap line, and hit enter
    2. choose use as “swap area”
    3. select “Done setting up the partition”

    Then, page down the main disk partitioning screen to your boot RAID array (“md0”), and finish configuring it:

    1. select it and hit enter
    2. choose use as “Ext4 journaling file system”
    3. set mount point as “/boot”
    4. select “Done setting up the partition”

    Finally, go to the bottom of the main disk partitioning screen, select “Finish partitioning and write changes to disk”, and (after checking for sanity) select “Yes”. The rest of the install process should complete with little input. Do not elect to encrypt your home directory, because that can conflict with encrypted LVM.

    VirtualBox Installation

    Two versions of VirtualBox are available. One is a GPL version. It's available from https://www.virtualbox.org/wiki/Downloads/, and through the Ubuntu Software Center. The other, "VM VirtualBox", which contains non-GPL features, is available from http://www.oracle.com/technetwork/server-storage/virtualbox/downloads/ (or by adding the VM Extension Pack from https://www.virtualbox.org/wiki/Downloads/ after installing). I prefer VM VirtualBox. Use the 64-bit version, if possible. Include the Add-ons when you install. It's very straightforward.

    Creating Test VM

    Create a test VM using the same ISO file that you used for the host machine. If you name it "UbuntuTestx64", VirtualBox will select the correct OS and version. Just use the defaults for memory, and virtual hard disk type, location and size. On the final summary screen, review and hit "Create". Now you need to add the OS install ISO. Click "Storage" in the Details area on the right side. Then click on the CD icon (named "Empty") under "IDE Controller". Then click on the CD icon to the far right of "CD/DVD Drive", and select "Choose a virtual CD/DVD disk file". Navigate to wherever you put your Ubuntu install ISO, and select it. Then click "OK" to exit the settings screen.

    Now double click on your VM, and go through the install process as described above. This time, though, you don't need to partition manually. You can select the encrypted LVM option, if you like. After finishing the install, as the VM starts to reboot, click "Devices" (at the top) and then "CD/DVD Devices", and then select "Remove disk from virtual drive". Open Firefox, and test your Internet connection. Then shut down the VM, using the start/stop icon at the upper right.

    Now, through the main VirtualBox screen, explore the VM's settings. Under "General/Advanced" settings, set "Shared Clipboard" to "Disabled" (for security). Under "System/Motherboard" settings, deselect "Enable absolute pointing device" (unless you have one, such as a tablet). If your host machine supports it, select "Enable PAE/NX" under "System/Processor" settings. Under "Storage" settings, make sure that the CD/DVD drive is empty. Under "USB" settings, deselect "Enable USB Controller" (for security). Now run the VM again to make sure that it still works. You can click "Devices" and "Install Guest Additions" if you like.

    VirtualBox Networking Options

    Play with the adaptor options under "Network" settings. Under "Advanced", the default adaptor type is "Intel PRO/1000 MT Desktop". Don't change that unless you know why you want to. You can also edit the MAC address, and configure port forwarding. But not now.

    By default, the adaptor is attached to "NAT", which means that it's NATed to the active host adaptor, using VirtualBox's built-in DHCP server. That is, the VM is firewalled. It can access LAN (and the Internet, if it's available via LAN) but will not accept incoming connections.

    Another option is attaching it to "Internal Network". If the VM is a router/firewall (such as pfSense or OpenWRT) which has two network adaptors, you can attach one to host LAN via NAT, and the second to an internal network. That way, you can route traffic from host LAN through the VM to the internal network. By default, all VMs on that network I'll say more about that in the sections on pfSense and Tor gateway VMs.

    A third option is attaching it to "Bridged Adapter". If you select the active host adaptor, the VM will have the same local IP address and connectivity as the host machine. You can also bridge to another host network adaptor, and put the VM on a different LAN. If the VM is a router/firewall (such as pfSense or OpenWRT) which has two network adaptors, you can attach one to host LAN ("input LAN") via NAT, and bridge the second to another LAN ("output LAN"). That way, you can route traffic from input LAN through the VM to output LAN. I'll say more about that in the section on pfSense and Tor gateway VMs.

    The fourth option is attaching it to "Host-only Adapter". That creates a virtual network adaptor on the host, and connects it and the VM to an internal network. If the VM is a router/firewall (such as pfSense or OpenWRT) which has two network adaptors, you can bridge one to LAN, and attach the second to the host-only adaptor. That way, you can route traffic from LAN through the VM to the host machine. I'll say more about that in the section on pfSense and Tor gateway VMs.

    Edit1: I fixed an error about making "VM name and hostname the same." I was testing the install steps in a VM, and had a brain fog attack.
    Edit2: I added sections on VirtualBox installation, creating a test VM, and VirtualBox networking options. Creating pfSense VMs will be next (in another topic).
     
    Last edited: Jan 7, 2012
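The host setup above warns that a machine allowed to boot with a degraded RAID array may keep running unnoticed until a second disk fails. The following POSIX sh script is an added example (not mirimir's code) that reads the /proc/mdstat format, reports arrays whose "[configured/active]" member count shows missing members, and lists the members md has flagged (F), so it can run from cron or a monitoring agent. The mdstat text embedded below is constructed for offline demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example: detect degraded Linux software RAID arrays from /proc/mdstat,
# so a host configured to boot with a degraded array does not run unnoticed
# until another disk fails. The sample input below is constructed.

# degraded_arrays: read /proc/mdstat text on stdin; for each array whose
# "[configured/active]" member count shows missing members, print the array
# name followed by any members flagged (F) for failed.
degraded_arrays() {
    awk '
        /^md[0-9]+ *: / {
            name = $1; failed = ""
            for (i = 4; i <= NF; i++) if ($i ~ /\(F\)$/) failed = failed " " $i
            next
        }
        name != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), p, "/")
            if (p[2] + 0 < p[1] + 0) print name failed
            name = ""
        }
    '
}

# check_raid: wrapper for cron or a monitoring agent; exit status 1 when any
# array on stdin is degraded, 0 otherwise.
check_raid() {
    report=$(degraded_arrays)
    if [ -n "$report" ]; then
        printf 'DEGRADED: %s\n' "$report"
        return 1
    fi
    echo "all md arrays have their full member count"
}

# Constructed sample: md0 (boot, RAID1) healthy, md1 (RAID10) has lost one disk.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
      146432 blocks [2/2] [UU]

md1 : active raid10 sda2[0] sdb2[1] sdc2[2] sdd2[3](F)
      1953260544 blocks 64K chunks 2 near-copies [4/3] [UUU_]

unused devices: <none>
EOF
}

# Demo on the sample (exit status 1 is expected here, since md1 is degraded).
# On a real host run:  check_raid < /proc/mdstat
sample_mdstat | check_raid || :
```

On a real host, `check_raid < /proc/mdstat` in a cron job (or in the monitoring agent of your choice) gives the early warning that a silent degraded boot otherwise hides; mdadm's own `--monitor` mode can send the same alert by mail, but this check is independent of how mdadm was configured at install time.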
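The test-VM section above disables the shared clipboard and the USB controller, ejects the install ISO, and chooses how each adaptor is attached. The following POSIX sh script is an added example (not from the post or from VirtualBox itself) that audits those settings from the text `VBoxManage showvminfo "<vm>" --machinereadable` prints and suggests the `VBoxManage modifyvm` or `storageattach` fix for each failure. The key names it looks up (`clipboard`, `usb`, `"IDE Controller-0-0"`, `nicN`) are as I recall them from that output and are an assumption to verify against your VirtualBox version; the dump embedded below is constructed, not captured.

```shell
#!/bin/sh
# Added example: audit a VirtualBox VM against the hardening settings chosen in
# the post (shared clipboard disabled, USB controller off, install ISO ejected)
# and list how each NIC is attached. Input is the text that
#   VBoxManage showvminfo "<vm name>" --machinereadable
# prints. Key names are an assumption (verify against your VirtualBox version);
# the sample dump below is constructed, not captured from a real VM.

# vm_setting DUMP KEY: print KEY's value from a machinereadable dump, without
# quotes; prints nothing if the key is absent.
vm_setting() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        { key = $1; gsub(/"/, "", key)
          if (key == k) { val = $2; gsub(/"/, "", val); print val; exit } }'
}

# audit_vm DUMP: one line per check; returns 1 if any hardening check fails.
audit_vm() {
    rc=0
    clip=$(vm_setting "$1" clipboard)
    if [ "$clip" = "disabled" ]; then
        echo "ok   shared clipboard disabled"
    else
        echo "FAIL clipboard=$clip   (fix: VBoxManage modifyvm <vm> --clipboard disabled)"
        rc=1
    fi
    usb=$(vm_setting "$1" usb)
    if [ "$usb" = "off" ]; then
        echo "ok   USB controller off"
    else
        echo "FAIL usb=$usb   (fix: VBoxManage modifyvm <vm> --usb off)"
        rc=1
    fi
    medium=$(vm_setting "$1" "IDE Controller-0-0")
    case "$medium" in
        emptydrive) echo "ok   virtual CD/DVD drive is empty" ;;
        "") echo "info no IDE Controller-0-0 key found; check the controller name" ;;
        *)  echo "FAIL medium still attached: $medium   (fix: VBoxManage storageattach <vm> --storagectl \"IDE Controller\" --port 0 --device 0 --medium emptydrive)"
            rc=1 ;;
    esac
    # Informational: attachment type (nat, bridged, intnet, hostonly) of every
    # configured NIC, so a router VM's two adaptors can be checked at a glance.
    printf '%s\n' "$1" | awk -F= '$1 ~ /^nic[0-9]+$/ {
        gsub(/"/, "", $2); if ($2 != "none") print "info " $1 " attached to " $2 }'
    return $rc
}

# Constructed sample in showvminfo --machinereadable form: a freshly created
# test VM with the defaults still in place and the install ISO left in the drive.
sample_vminfo() {
    cat <<'EOF'
name="UbuntuTestx64"
ostype="Ubuntu_64"
memory="512"
pae="on"
clipboard="bidirectional"
usb="on"
nic1="nat"
nictype1="82540EM"
nic2="intnet"
intnet2="gateway-lan"
nic3="none"
"IDE Controller-0-0"="/path/to/ubuntu-10.04.3-alternate-amd64.iso"
EOF
}

# Demo on the sample (three checks fail, so the exit status is 1).
# On a real host: audit_vm "$(VBoxManage showvminfo "UbuntuTestx64" --machinereadable)"
audit_vm "$(sample_vminfo)" || :
```

Running the audit over every VM listed by `VBoxManage list vms` after creating or importing a machine catches the case where a GUI step was skipped, which is easy to do when the same checklist is repeated for several gateway VMs.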
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Sorry to jump in before completion, but if you need pictures, I used this tutorial with great success:

    http://www.linuxbsdos.com/2011/05/10/how-to-install-ubuntu-11-04-on-an-encrypted-lvm-file-system/

    The one addition I did was to install /boot to an SD Card (laptop) or USB drive. The way I have the laptop set up, pressing the power button boots right into a 'TSA Friendly' Windows install. To boot Ubuntu, you have to insert the SD Card and boot from the BIOS. To make backup copies of /boot (store in a safe), just dd if=/dev/sdb1 of=/dev/sdc1 or whatever your sda's are, and then grub-install /dev/sdc to the backup. You can make as many copies as you want. If any updates come down, either repeat the process or run update-grub. This is an anti-evil-maid measure.

    PD
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @PaulyDefran

    That's a cool setup! But all of my hosts are stationary, and I have good physical security.

    At this point, I don't travel with any data, just a blank machine and LiveCDs. What data I'll need, I encrypt and stash online.

    I wasn't planning on using screenshots, but I'm open to suggestions. Mostly, I'd like someone who doesn't know Linux to test the writeup.
     
  4. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Hey I want my 25 cents back, LOL, j/kidding ;)

    Where's pfSense for the tutorial? I mean, isn't this supposed to be the VPN-Tor tutorial with pfSense?


    THANKS
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Sorry, I've been playing with AWS. I now have a working OpenVPN Access Server. It's private, though ;)
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Later today, I plan to describe how to create a pfSense VM, and how to configure its OpenVPN package to connect to a VPN service. I want to post a working configuration, so readers can verify that it works. But I don't want to use one of my accounts, obviously.

    Perhaps a VPN provider would donate an account that we could use for this demo. Suggestions and offers are welcomed.
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Sorry I'm a bit lost as to why we need to have a VPN demo, I figure people who already have a VPN service who are interested might give this a try...

    I hope you can please put this up when you have time, I've been dying to try this... :argh:
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Of course. However, getting a VPN service to work properly using the pfSense OpenVPN client is sometimes not easy. That's especially true if the provider doesn't even offer OpenVPN configuration files for Linux. I want to use an example pfSense setup that will just work "out of the box". Then you can add OpenVPN client configurations for your own services, and mess around until they work.

    I'm working on it.
     
  9. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ok, but for Unix/Linux users this should work out of the box?

    Well get to work faster, LOL, j/k... :)


    THANKS
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, I just set up a pfSense VM for a service that I had never used before, and it worked on the first attempt. Although it's a free 100MB account that allows "Unlimited Connected Devices Per Account", I'm not sure how long it would survive after posting the credentials to Wilders. Also, it uses username-password authentication, and the username is the email address. But it's a throwaway GMX account, so no problem there. Even so, I'm not going to post the access credentials now. Maybe someone will donate a test account. Hint ;)
     
  11. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Why is "Enable USB Controller" a security risk?


    THANKS
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I want total control over how my VMs interact with the real world. It's not a major issue for Linux VMs, I admit. But there's a risk for Windows VMs if you mount a USB drive that's picked up something nasty from one of your Linux machines. For fun sometime, run ClamAV on one of your older Linux machines.
     
  13. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    P.S. This isn't just the mirimir & DasFox show people! Over 300 views and no thanks? Hey this man has taught you something great, that you can do on Windows too with VirtualBox! :argh:
     
  14. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    Nice intro. Readers can also check out VMware ESXi, which is free and specifically designed to run standalone on server-class hardware instead of running VMs off of a workstation.

    http://www.vmware.com/products/vsphere-hypervisor/overview.html

    ESXi clusters are a staple of my network; highly recommended.

    You can also check out Proxmox as well, http://pve.proxmox.com/wiki/Main_Page, as it is less picky than ESXi when running on desktop-type hardware.

    **Neither supports software-based RAID, because software-based RAID is garbage* for virtualization, as it uses your CPU to perform operations, which can/will cause problems eventually when running multiple VMs due to resource allocation going haywire.

    *pfSense minimum requirements are something like 256MB RAM and 1GB HD space; 512MB RAM is fine. You could probably run a zillion pfSense VMs and never have a problem with software-based RAID.
     
  15. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Thanks for the heads up, but most of the geeks around here, I'm sure, know about VMware already, and we can't even get anyone to jump in on this post on a small home-based workstation level, let alone server class, clusters, etc... LOL...

    Anyhow, for the simplicity of what the objective of this tutorial is all about, VirtualBox runs circles around VMware in terms of speed and performance. I've run VMware and VirtualBox in Windows and Linux and VMware can't keep up; it's too slow and bloated...

    Also I believe in supporting open source as much as possible. VirtualBox is open, VMware proprietary...
     
  16. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    There isn't a one size fits all with virtualization.

    Take a look at the grid here: http://en.wikipedia.org/wiki/Vmware#Products
    This grid applies to any solution you wish to implement, regardless of provider.

    The grid shows how close your VM guests are to the underlying hardware.

    The top half indicates only 1 step removed for server-level implementations (ESXi, Proxmox (open source), etc.).
    The bottom half is indicative of an extra 2 steps when running VMware Workstation, VirtualBox, KVM, Xen, etc. (ex VMware Server).

    Generally speaking the closer your vm guests are to the hardware, the better the performance (AND network performance).

    I have a mixed environment here; the bulk is ESXi, but I also run a guest on a Linux desktop similar to how mirimir's post is set up.

    The reason for both is that each guest is used for a different purpose.

    I can say though, I would NEVER recommend using Windows anything as a host.
    I would *always* use a *nix-based environment as a host and *always* run Windows as a guest... Windows actually performs farrrrrrr better in a virtualized environment than standalone.

    Example: the desktop on Ubuntu I have here that runs VMware Workstation (similar to VirtualBox) runs Windows. With all my daily applications in Windows running, the entire thing uses only 1.9GB of RAM combined.

    Windows standalone on the same machine previously used ~4GB of RAM.

    Every instance of Windows around here actually runs from a Unix system :D

    I too share your enthusiasm for open source software.

    **The purpose of me posting on here is not to hijack the thread, but to inform readers that they do have other options than VirtualBox and should look into all options before committing to a solution, especially when trying to maximize network performance when using VPNs and tunneling virtual machines. Hard drive performance is often the biggest bottleneck in these systems, which is why SSD and RAID, or RAID'd SSDs, are great.... just make it hardware based ;)

    Check this out on picking the proper NIC and mobo combo to maximize network performance: https://calomel.org/network_performance.html
     
    Last edited: Jan 15, 2012
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @addi6584

    I had never used VMware's "bare-metal" hypervisors because they were too expensive. Once I saw their "essentials" pack, I put ESXi on one of my servers. I like it, but I don't know it as well as VirtualBox. vSphere Hypervisor looks very interesting: a free "bare-metal" hypervisor!

    Although VirtualBox isn't a "bare-metal" hypervisor, it integrates so well with Linux that it comes close, I think. At least, that's my subjective experience. It doesn't do so well on Windows, however.

    One of my Ubuntu hosts is an old Intel Core-Duo quad core desktop with 8GB memory and four 1TB SATA disks in software RAID10. I run Tahoe-LAFS test grids on it. I've had eight Ubuntu VMs and three pfSense VMs running on it, so maxed out with large (~1GB) file uploads that it just about stopped at times, and it recovered fine.

    But on the other hand, I probably wouldn't use software RAID for database storage.

    @DasFox

    ESXi is a "bare-metal" hypervisor, whereas VMware Player, Workstation and Server (like VirtualBox) run on top of the OS. On the same hardware, ESXi will almost certainly be faster than VirtualBox. But it's also much pickier about hardware, and you're committed to using the machine only as a VM host.
     
  18. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    yes on all of the above.

    Proxmox is very interesting. I haven't been able to test it yet, but clustering with it is dead simple, which caught my eye. I'm not 100% sold on accessing guests through a web interface bc browsers (all of them) have terrible memory management. VMW in this area smokesss, as you can use Player to run any guest with zero problems.

    Proxmox can run on junk hardware, which is cool esp w clustering.

    Also yes on vSphere now being free. It was pretty strange there initially, w ESXi being free but to configure it in any way you had to buy vSphere.... however they supplied an instance of vSphere w ESXi with a limited license that restricted... nothing.
    So I'm not 100% sure what they were doing.

    pfSense though is an excellent choice. I used to just use pf on OBSD forever for firewalls and routers, thus it took me a while to warm up to GUI config through pfSense, but now I love it.
     
  19. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I understand that there isn't a one size fits all for every situation, I just meant in the context of this tutorial that I felt VB a better choice is all. Certainly going beyond the scope of the tutorial, needs may be different...

    I just didn't think for what was being done here, just a little routing VPN Tor VPN and pfsense thrown into the mix, we needed to get to the level of bare metal for any reasons, again, just at the level of this tutorial...
     
  20. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Very interesting but a little over my head. mirimir, if you don't mind, could you create a network diagram to clarify what you're trying to accomplish here? I would appreciate some screen shots on the way too.

    I am also curious as to what we are potentially trying to achieve with such a setup. I don't think people ignore your tutorials on purpose, but it's just they are either too shy or unknowledgeable about what you have outlined.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Here's a diagram that I did a while ago: http://www.4shared.com/photo/6K9zr22v/Network.html Basically, I'm tunneling one VPN tunnel through another. The local client aka gateway router for each VPN tunnel is a pfSense VM. There's also Ra's Tor gateway router. Once you have those gateway router VMs, you can work with them just like real routers.

    This is for anonymity, privacy and security. It's also to make VPNs and Tor easy to work with, on a day-to-day basis. I was inspired by Ra's work on the Tor gateway VM. The setup is difficult, I admit. But you only need to do it once for each VPN service.
     
  22. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I checked out the diagram and am still confused o_O Can you please redraw one with clearer labelling?

    So is this to firewall the vpn traffic from harming your host? So am I exposed to the internet attacks if I use something like tor even if I'm behind a router?

    What is the privacy benefit of running one vpn's traffic through another? Wouldn't at least one entity know who you really are? That's unless your initial vpn in the chain is accessed through something like tor where theoretically no one node would be able to trace the communication back to you.
     
  23. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Also why is it of importance to not reveal that you are using tor in your case? Is it the authorities where you live?
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It is confusing, I admit. And when you add remote servers, accessed via VPNs and accessing other resources via VPNs, it gets really insane. Anyway, I'll work on a clearer diagram.

    When you're using a VPN, you're not exposed to Internet attacks, because the VPN connection is NATed, which firewalls it. That's why you can't run servers through VPN services, unless you forward open ports. However, you are exposed to attacks from within the VPN tunnel. You're always exposed to the OpenVPN server. And if the VPN is configured to allow client-client connections, which (one hopes) is not the case for VPN services, you are also exposed to attacks from other VPN clients. Using pfSense as the VPN client, you are firewalled from the VPN. You could also achieve that on Linux clients using iptables.

    The outer VPN, the one that I directly connect to, knows my true IP address, and effectively knows who I am (unless I anonymously use WiFi). The inner VPN only sees the outer VPN's exit IP. If I pay for it anonymously, the two VPN providers would need to collude in order to identify me. If I put Tor between the two, that would be very hard.

    I mostly use VPNs. So my ISP is going to know that. I've been doing that for many years, and I download torrents occasionally, so I probably don't attract too much attention. But if I add Tor to the mix, and maybe I2P and Freenet, then I stand out more from the crowd. I don't want that. Of course, I stand out some because of the traffic signatures of the various protocols. If I could fix that, I would.
     
  25. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    What do you guys think of XenClient, compared to VMware ESXi?

    It's my understanding it's open source and free, or at least it used to be.
     