Using VMs for Routing VPNs and Tor: Playing with Virtual Networks

Discussion in 'privacy technology' started by mirimir, Jan 9, 2012.

Thread Status:
Not open for further replies.
  1. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Oh I meant the setup outlined as:

    Code:
    Guest os with a VPN client installed on it > pfsense> Tor gateway
    *all interconnections are internal networks*

    So just to confirm, this is firewalled and also an anonymous connection to a VPN provider, correct? Sorry for the repetitiveness, I'm a little slow now after a long day of work :doubt:

    Isn't the guest os already using this setup?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I still don't get that. You write "Guest os with a VPN client installed on it". What sort of VM is that? The pfSense VMs that I've described are guest OSs with OpenVPN clients. So, are you referring to a pfSense VM? Or do you mean "host os with a VPN client installed on it"?

    Next in your chain is "pfsense". Is that a VM or an internal network?

    Whatever the preceding components are, "Tor gateway" is last. I take that to mean that Tor is being routed through at least one VPN. But there are no VPN connections being routed through Tor, as I understand your chain.

    If Tor is in fact "last" -- connecting through the VPN(s) -- it doesn't anonymize you from the VPN providers. If there are two nested VPNs in your setup, you are at least somewhat anonymized from the "second" (inner one) by the "first" (outer one). If there is just one VPN, you aren't anonymized from its provider.

    Routing Tor through a VPN does anonymize the VPN's exit node from whatever you're accessing on the Internet. So an attacker wouldn't know what VPN provider to coerce.

    There are multiple guest OSs. Each of the VM components (pfSense gateways, Tor gateway, workstation VMs) is a separate VM.
     
  3. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    here's another pro tip:

    The way the above is configured is using multiple subnets (192.168 vs 10.10), which will wind up being a pita to get network access to fileservers between the two without more hardware or finagling the crap out of another pfsense instance to act as a bridge (which is a pita).

    instead you can actually do all this from the same subnet but just restrict which machines can connect via DHCP to which pfsense box by MAC address. Each pf box obviously will assign a different block of IPs for its leases (be sure to set that up). from there you can also deny all ARP requests from everyone except for the MAC addresses explicitly allowed for each pf box

    that way normal LAN machines will not get IPs (and thus their traffic routed) through the pfvpn boxes, but the "secure" machines will only get their IPs assigned by the pfvpn boxes.

    Make sure to packet sniff and DNS check the secure machines to make sure they're getting routed through the proper channels.

    make sure to adjust your NAT rules on the pfvpn boxes to allow for this as well. just change them from 10.10.0.0/X to 192.168.0.0/X to suit your needs.

    this way you can still retain LAN access to fileservers etc but transfer internet (not LAN) traffic securely.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, "being a pita to get network access to fileservers between" those subnets is totally what I want! Although I'm very far from being a network security expert, I do believe that keeping resources at different security levels on different subnets is good practice.

    Yes, one can do that. But it's easier to attack.
     
  5. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I see how this is confusing. I meant that windows 7 guest with something like privatetunnel client running on it. This would be internally networked with pfsense which in turn is connected to the tor gateway.

    In that configuration, myipaddress would detect my ending IP as from privatetunnel servers, which led me to believe that my connection to private tunnel is anonymized, making it the last station before my traffic reaches its destination.

    Is it important to protect the tor gateway by placing another firewall vm in front of it?
     
    Last edited: Jan 17, 2012
  6. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    yes if you keep the subnets totally separate. however as soon as you insert a bridge to share storage of any kind, the theory behind having them subnetted in the first place goes out the window.

    ideally yes you'd have a second storage server on the other subnet but that eventually gets to be impractical.

    are you currently sharing a file server with your setup? if so I'm curious how you have that set up too. for mere communications etc there's no need, but if you want to move some weight around then things get interesting :D

    i should preface too, w ESXi we do NOT have the same options as you guys have with setting up NICs to NAT/Bridge or XYZ option w the host machines. doesn't work like that since there isn't a "host" to do any of that with bc we're a server; we get to assign an interface to a box just like if it were a physical box. we're on our own with how we configure networking, which is fine.

    with an actual host machine, it might be easier to finagle something for sharing the datastore etc, I'm not sure.

    the other thing too, i have to redo this guy's tor gateway internally to work as if it were not a VM bc like i mentioned we don't have the ability to bind a NIC to a WAN, LAN or act as bridge to something. out of the box, tor gateway doesn't work at all in a normal non-hosted VM environment. looks pretty straightforward though.

    see this: http://ra.fnord.at/2010/02/routing-unmodified-virtual-machines-through-the-tor-network/

    other thing you may also want to do is delete telnet from his tor VMs; it might be there due to size limitations but should be rebuilt with ssh instead if you actually have to connect to it remotely for some reason

    other thing is that he has hard coded his/someone's DNS servers in there in /etc/dhcpd.conf that route to germanyish; prob want to change those to ones you're more familiar with... ie your pfvpn tunnel box etc

    also he doesn't have support for e1000 NICs built in, which doesn't come w openWRT. ahhh ha! off to the work bench
     
    Last edited: Jan 18, 2012
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, I think that I almost get it. You're just routing a VPN through Tor. If there's another VPN client running on pfSense, you would be routing two nested VPNs through Tor. I've never tried that :)

    If you're not running another VPN client on pfSense, I'm not sure that you need pfSense. Given the choice, I'd rather run the VPN client on pfSense than on the Windows VM.

    I wouldn't say that you're protecting the Tor gateway. You're hiding the fact that you're connecting to Tor. I prefer to do that.
     
  8. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Exactly, since the point of running a tor gateway means that even if the VM is compromised or some locally installed program wants to connect remotely, the remote destination can only see the tor exit node.


    So if I understand you correctly, with a setup like this:

    Win7+VPN client locally installed>pfsense>Tor Gateway>pfsense

    My real ip is unknown to the vpn
    My Isp can't see that I'm using tor.
    My win7 guest is protected from network/vpn based intrusions or attacks.

    Right? :)
     
    Last edited: Jan 18, 2012
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Before I answer, please say more about those "pfsense" entries in your chain.

    Are they pfSense VMs?

    Are they running OpenVPN clients connecting to other VPN services?

    Or are they just pfSense firewalls?
     
  10. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    They are just pfSense firewall VMs set up for protection
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    If, as you say, the pfsense components "are just pfSense firewall vms setup for protection", then I'd say:

    Yes, because you connect to the VPN through Tor.

    No, because you're connecting directly to Tor through your ISP, and not through a VPN. Websites etc that you visit, on the other hand, can't see that you're using Tor.

    You're protected from evil Tor exit nodes, because you connect to the Internet through the VPN, which connects through Tor. You're not protected from anything on the VPN, except by your Windows firewall. That's probably not a serious threat unless you're using a honeypot VPN run by evil hackers ;)

    If you just want to run your VPN client on Windows, and route the VPN through Tor, I don't really think that you need the pfSense VMs.
     
  12. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I have finally nailed down the objective of your setup and what exactly happens.
    To summarize real quick: You are diverting all Ubuntu traffic through a VPN which is set up to collect all packets on pfsense. You then anonymize the traffic coming from your IP by using a tor gateway. You hide the resulting tor traffic by placing a second (different) VPN on another instance of pfsense which lies between the LAN and tor gateway. That second VPN is the one who knows who you are, but they can't see your traffic since it's encrypted. The first VPN can see your traffic, but can't see who you are. In the process you are firewalled from any malicious network attacks.

    Ubuntu > pf+vpn1>tor gt>> pf+vpn2>>>

    Quite clever I must say :)

    In my shortcut attempt I mistakenly thought that I was doing the exact same thing, but in a simpler manner. But that was not the case. My only issue with the instructions on how to set up a VPN on pfsense is that they are much harder to follow without some visual aids of some kind.

    I am interested with what you've done here, but I just can't get past the learning curve as it is now. I prefer a more 'dumbed down' version of this part of the tutorial if your time permits. With pictures please :D
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    :)

    Yes. Actually, traffic from your true IP gets anonymized three times: 1) by vpn2; 2) by Tor; and 3) by vpn1. Your ISP sees that you connect to vpn2, and vpn2 sees your true IP. But vpn1 only sees you through Tor, so they only know you based on payment information. Internet sites see that you use vpn1. Only vpn1 and vpn2 know that you use Tor.

    It's slow too :( Mostly, I just use this setup:

    Ubuntu > pf+vpn1 > pf+vpn2 >>>

    Both VPNs are two-hop with "no logging", and they're in jurisdictions that don't readily cooperate with my true jurisdiction, or with each other.

    Although it may be confusing to read all those steps, I recommend that you just try it. You can break as many pfSense VMs as you like. It installs very quickly, so it's not even worth creating and reverting VM snapshots. Once you start becoming familiar with the webconfigurator, my instructions will be easier to follow.

    There are tutorials at -http://pfsense.org/ for basic setups. I also recommend the manual, pfSense: The Definitive Guide.
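    The "who sees what" reasoning in posts 11 and 13 is easy to get backwards because the VM order in the diagrams is the reverse of the order the tunnels appear on the wire. This is an added example, not code from the thread: a small model of that reasoning, with hop names and knowledge rules that are my own simplification of mirimir's explanation.

```python
# Added example (not from the thread): model who learns what from addresses
# alone in the nested VPN/Tor chains discussed in this thread. The rules are a
# simplification of mirimir's reasoning, not a protocol implementation.

# Chains are listed in the order traffic leaves the workstation VM, exactly as
# in the thread's diagrams. Constructed sample chains:
CHAIN_WIN7_VPN_THEN_TOR = ["vpn", "tor"]        # "Win7+VPN client > Tor Gateway"
CHAIN_VPN1_TOR_VPN2 = ["vpn1", "tor", "vpn2"]   # "Ubuntu > pf+vpn1 > tor gt > pf+vpn2"
CHAIN_TWO_VPNS = ["vpn1", "vpn2"]               # "Ubuntu > pf+vpn1 > pf+vpn2"


def wire_path(chain):
    """The last VM to wrap a packet is the first party on the wire, so the
    order of tunnel endpoints as seen from the ISP is the VM order reversed."""
    return list(reversed(chain))


def visibility(chain):
    """Return {party: facts} for the ISP, every tunnel endpoint and the site.
    Rules: the ISP and the first endpoint on the wire see the true IP; each
    later endpoint only sees the endpoint before it; a party knows Tor is in
    use if it is Tor or is adjacent to Tor on the wire; the site sees the last
    endpoint; only the innermost tunnel endpoint (last on the wire) handles the
    payload (at the tunnel level: TLS inside the tunnel is a separate layer)."""
    path = wire_path(chain)
    report = {"isp": {"sees_true_ip": True, "connects_to": path[0],
                      "knows_tor": path[0] == "tor", "sees_payload": False}}
    for i, party in enumerate(path):
        neighbours = path[max(i - 1, 0):i + 2]      # party plus wire neighbours
        report[party] = {
            "sees_true_ip": i == 0,
            "connects_to": path[i + 1] if i + 1 < len(path) else "site",
            "knows_tor": "tor" in neighbours,
            "sees_payload": i == len(path) - 1,
        }
    report["site"] = {"sees_true_ip": False, "connects_to": None,
                      "knows_tor": path[-1] == "tor", "sees_payload": True}
    return report


if __name__ == "__main__":
    for chain in (CHAIN_WIN7_VPN_THEN_TOR, CHAIN_VPN1_TOR_VPN2, CHAIN_TWO_VPNS):
        print(" > ".join(chain), "=> wire:", " -> ".join(wire_path(chain)))
        for party, facts in visibility(chain).items():
            print("  ", party, facts)
```

    Running it reproduces the answers in posts 11 and 13: in the vpn1/tor/vpn2 chain only vpn2 sees the true IP, only vpn1 sees the payload, only vpn1 and vpn2 (besides Tor) know Tor is used, and the ISP only sees a connection to vpn2.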
     
  14. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Yeah, I was about to say that the latency on that would have been brutal :D
    I was surprised that you mentioned torrenting as a viable activity on that setup.


    I don't think that there are any free options with this level of identity protection, right? If it's ok with you, could you pm me the ones you use? Are their speeds acceptable?

    I'm not ready to give up so soon. :)
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I don't want to get too specific. You can't go far wrong with any of the ones that have been mentioned positively on Wilders. Which combination is best depends on your real location. Just try some combinations, and see what you get. BolehVPN is probably a good first hop, at least initially. It's just one-hop, though. For two nested two-hop VPNs, I'm happy if I get 2Mbps each way, with 200-300msec latency. Sometimes I get almost 4Mbps each way. With Tor in the mix, I get 0.5-1Mbps most of the time.
     
  16. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    I used the NAT option, then I just start Tor inside the VM. There, done.

    That's my IP, and I use a mobile broadband connection.

    This is my real IP

     
    Last edited: Jan 20, 2012
  17. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    this is what I'm working on with a new tor gateway image; it'll include actual networking support so you can configure LAN/WAN however you want.

    haven't had any time recently but hopefully by next week it'll be done
     
  18. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Ra is that you?:D
     
  19. addi6584

    addi6584 Registered Member

    Joined:
    Jan 3, 2012
    Posts:
    58
    Location:
    United States
    No, I am not Ra
     
  20. Asus125

    Asus125 Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    33
    Done that. However, when I browse to 192.168.1.1 (Ubuntu VM connected to pfsense2), nothing happens: "The connection has timed out".
     
  21. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    You're probably browsing somewhere that you can't get to from where you are ;)

    From each pfSense VM console window, get its LAN IP address. From the VirtualBox Details page for each pfSense VM, get the name of its LAN internal network (Adapter 2). To see a pfSense VM's webConfigurator, your workstation VM must be on the same internal network, and the browser must be pointing at the right URL (192.168.1.1 being the default).

    One other possibility comes to mind. Maybe you disabled the "Anti-Lockout Rule" in "Firewall | Rules | LAN". If that were the case, you could get back in via "Reset to factory defaults" in the pfSense VM console window.
     
  23. Asus125

    Asus125 Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    33
    :)

    Yes, that part I also thought myself. Here are the settings:

    pfsense1:

    WAN 10.0.2.15 (DHCP)
    LAN 192.168.1.1

    Adapter 1: NAT
    Adapter 2: Internal network1

    pfsense2:

    WAN 192.168.1.101 (DHCP)
    LAN 192.168.1.1

    Adapter 1: Internal network1
    Adapter 2: Internal network2

    Anti-lockout rule wasn't disabled.
     
  24. Asus125

    Asus125 Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    33
    Yes, that I thought myself. Here are the settings:

    pfsense1:

    WAN 10.0.2.15 (DHCP)
    LAN 192.168.1.1

    Adapter 1: NAT
    Adapter 2: Internal network1

    pfsense2:

    WAN 192.168.1.101 (DHCP)
    LAN 192.168.1.1

    Adapter 1: Internal network1
    Adapter 2: Internal network2

    It wasn't disabled.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I get it, I think.

    This is a crucial addendum to my instructions!

    By default, pfSense always uses 192.168.1.0/24 for its LAN. But if pfsense1 and pfsense2 both have the same LAN IP address and range, then pfsense2 will have both its WAN and LAN in the same IP address range. That is not good. Therefore, you must change the LAN IP address and range for one of the pfSense VMs.

    Using the pfsense2 console, select "2) Set interface(s) IP address", and change the LAN IP address to "192.168.2.1", with "24" as bit count, and hit "y" to enable DHCP server on LAN. You can use "192.168.2.101" for the starting IP address, and "192.168.2.199" for the ending one.

    I neglected to mention this in my instructions, and it is a key omission. Mea culpa.

    Edit: I can't edit the initial post because it's too old. For now, I'll just add a bolded warning.
     
    Last edited: Jan 22, 2012
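    The two checks mirimir walks through in posts 22 and 25 (is the workstation on the pfSense VM's LAN internal network and browsing to its LAN IP, and do the VM's WAN and LAN ranges overlap) can be run over a layout before anything is booted. This is an added example, not code from the thread or from pfSense; the layout data is constructed from Asus125's settings, with the /24 prefix assumed because that is pfSense's default.

```python
# Added example (not from the thread): sanity-check a chained pfSense layout
# for the problems diagnosed in posts 22 and 25. Constructed from Asus125's
# settings; a /24 prefix is assumed (pfSense default) since no mask was posted.
import ipaddress

PFSENSE = {
    "pfsense1": {"wan_net": "NAT", "wan": "10.0.2.15/24",
                 "lan_net": "Internal network1", "lan": "192.168.1.1/24"},
    "pfsense2": {"wan_net": "Internal network1", "wan": "192.168.1.101/24",
                 "lan_net": "Internal network2", "lan": "192.168.1.1/24"},
}
# The Ubuntu workstation VM hangs off pfsense2's LAN and browses to 192.168.1.1.
WORKSTATION = {"net": "Internal network2", "url_host": "192.168.1.1"}


def nets(box):
    """WAN and LAN networks of one pfSense VM as ip_network objects."""
    return (ipaddress.ip_interface(box["wan"]).network,
            ipaddress.ip_interface(box["lan"]).network)


def overlapping_ranges(boxes):
    """Post 25: a pfSense VM whose WAN and LAN share an address range cannot
    route cleanly between them. Return the names of such VMs."""
    return [name for name, box in boxes.items()
            if nets(box)[0].overlaps(nets(box)[1])]


def reachable_webconfigurators(boxes, ws):
    """Post 22: the workstation reaches a pfSense webConfigurator only if it is
    on that VM's LAN internal network and browses to that VM's LAN IP. A VM
    with overlapping WAN/LAN ranges is excluded, since with two interfaces in
    the same range replies may leave through the wrong one (the timeout seen)."""
    target = ipaddress.ip_address(ws["url_host"])
    broken = set(overlapping_ranges(boxes))
    return [name for name, box in boxes.items()
            if name not in broken
            and box["lan_net"] == ws["net"]
            and ipaddress.ip_interface(box["lan"]).ip == target]


def with_new_lan(boxes, name, new_lan):
    """Apply the fix from post 25: give one VM a different LAN address/range."""
    fixed = {k: dict(v) for k, v in boxes.items()}
    fixed[name]["lan"] = new_lan
    return fixed


if __name__ == "__main__":
    print("overlapping:", overlapping_ranges(PFSENSE))
    print("reachable:", reachable_webconfigurators(PFSENSE, WORKSTATION))
    fixed = with_new_lan(PFSENSE, "pfsense2", "192.168.2.1/24")
    print("after fix:", reachable_webconfigurators(
        fixed, {"net": "Internal network2", "url_host": "192.168.2.1"}))
```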