Network Settings for chaining VPNs in VirtualBox?

Discussion in 'privacy technology' started by krustytheclown2, Mar 28, 2015.

  1. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Hi all,

    So my current setup goal is VPN1 on host --> VPN2 on Linux VM --> VPN3 on Windows/Linux VM

    I want the gateway VM to be running on a lightweight graphical distro, eg. Crunchbang, instead of something like pfSense or ipFire which I've used before but is frankly too much headache for me.

    What exactly are the correct Network settings in VirtualBox, for both the Gateway VM and primary VM? I've been playing around with numerous settings but all have failed...

    Thanks!
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Just use adrelanos' VPN-Firewall, at https://github.com/adrelanos/VPN-Firewall for the host and the Linux gateway VM. Once you have VPN-Firewall set up and working (just /usr/bin/vpnfirewall, not the init.d script) you can install iptables-persistent. That will save rulesets in /etc/iptables/rules.v4 and /etc/iptables/rules.v6, and will load them at each reboot. You can edit them and manually reload. It's good to lock down IPv6:
    Code:
    $ sudo nano /etc/iptables/rules.v6
    .....................
    *filter
    
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    COMMIT
    .....................
    $ sudo ip6tables-restore < /etc/iptables/rules.v6
    Rules for the workspace VM are less important, but you could do something like this (with xxx.xxx.xxx.xxx being the IP address of the gateway VM):
    Code:
    *filter
    
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    
    # Replies to the workstation's own connections would otherwise be dropped
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    -A OUTPUT -o lo -j ACCEPT
    # Traffic addressed to the gateway VM itself (DHCP renewals, DNS if it serves them)
    -A OUTPUT -o eth0 -d xxx.xxx.xxx.xxx/32 -j ACCEPT
    # Internet-bound packets carry the remote host's address, not the gateway's, so
    # iptables cannot pin them to the gateway with -d; the VBox internal network is what
    # keeps eth0 gateway-only, and this rule just limits output to that one interface.
    -A OUTPUT -o eth0 -j ACCEPT
    
    COMMIT
     
  3. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Actually what I'm asking about is what I should select as the Network Adapters in the VirtualBox settings, that's what's confusing me. VPN Firewall I already understand and implement, but thanks for the refresher!

    Currently I've tried using on the Gateway:

    Adapter 1: PCnet-FAST III (NAT)
    Adapter 2: PCnet-FAST III (Internal Network) Named "VPN Chain," Promiscuous Mode Allow VMs

    Workstation:

    Attached to Internal Network named VPN Chain

    Adapter 1: PCnet-FAST III Promiscuous Mode Allow All

    Where's my error precisely?
     
    Last edited: Mar 28, 2015
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Oh :)

    I use the default "Intel PRO/1000 MT Desktop", and leave "Promiscuous Mode" as default "Deny".

    The rest of it is fine. I use names without spaces for internal networks, but spaces are probably OK if VBox doesn't complain.
     
  5. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    So I changed the Adapter to Intel PRO/1000 MT Desktop, and changed Promiscuous Mode to Deny, on both the workstations and the gateway, and changed the name of the network to one word.

    I launched the Linux Gateway, and connected it to the VPN, then launched the Workstation. The workstation tried to connect to the network, but failed. I turned off the VPN on the gateway, but the Workstation still refused to connect. I tested with both Debian and Windows 7 workstations with the same result... Is there anything I might be missing?

    I guess that I could install Virtualbox within the first VM, and launch the second VM from that, Inception style. Seems like it would be more taxing on resources that way, but hey it's worth a shot haha
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Sorry, I wasn't thinking it through. You either need to run a DHCP server on the Linux gateway, or configure static IPs on the workstation VMs. For the DHCP server option:
    Code:
    $ sudo nano /etc/network/interfaces
    ........................
    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet dhcp
    auto eth1
    iface eth1 inet static
      address 192.168.1.1
      netmask 255.255.255.0
    ........................
    $ sudo ifdown eth0
    $ sudo ifup eth0
    $ sudo ifup eth1
    
    Enable forwarding:
    Code:
    $ sudo nano /etc/sysctl.conf
    ......................................
    kernel.printk = 3 4 1 3
    net.ipv4.ip_forward=1
    net.ipv4.conf.all.accept_redirects = 0
    vm.swappiness=1
    vm.min_free_kbytes = 8192
    ......................................
    $ sudo sysctl -p
    Add DHCP server:
    Code:
    $ sudo apt-get update
    $ sudo apt-get install isc-dhcp-server
    $ sudo nano /etc/dhcp/dhcpd.conf
    ..........................................
    ddns-update-style none;
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
    subnet 192.168.1.0 netmask 255.255.255.0 {
      option subnet-mask 255.255.255.0;
      option routers 192.168.1.1;
      range 192.168.1.100 192.168.1.105;
    }
    ..........................................
    $ sudo nano /etc/default/isc-dhcp-server
    .................
    INTERFACES="eth1"
    .................
    $ sudo service isc-dhcp-server start
    Do iptables:
    Code:
    $ sudo nano /etc/iptables/vpn-rules.v4
    
    Edit: My bad. This should be "/etc/iptables/rules.v4".
    ...........................................................................................
    *nat
    
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    
    -A OUTPUT -o lo -j RETURN
    -A POSTROUTING -o tun0 -j MASQUERADE
    
    COMMIT
    
    *filter
    
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j LOG --log-prefix "vpn-gw blocked input: "
    -A INPUT -j DROP
    
    -A FORWARD -i eth1 -o tun0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j LOG --log-prefix "vpn-gw blocked forward: "
    -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
    
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp -d IP-of-VPN-server/32 --dport port-of-VPN-server -j ACCEPT
    -A OUTPUT -o tun0 -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j LOG --log-prefix "vpn-gw blocked output: "
    -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
    
    COMMIT
    ...........................................................................................
    $ sudo iptables-restore < /etc/iptables/rules.v4
    VirtualBox won't run in VirtualBox VMs. But it will in Qemu VMs :)
     
    Last edited: Mar 30, 2015
  7. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    Is there VPN firewall for Windows version out there?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    VPN-Firewall is just a set of rules for Linux iptables. Wikipedia says:
    In Windows, you would use the built-in firewall, or some third-party one. There have been rules for Comodo floating around, but I have no clue whether they're compatible with current versions of Windows.
     
  9. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Ok, so I set up a fresh Debian VM to use as the gateway, and I got through the first step of editing /etc/network/interfaces using nano to those specs. The next step went a bit off; this is what it told me:

    I'm honestly not a command line wizard like you are, so I really don't know what's going on. Is there something wrong after "ifup eth1"? It seems to me that there is.
     
    Last edited: Mar 29, 2015
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    It's an acquired taste ;)
    I see that eth0 is the adapter that's NATed to the host. Did you define a second adapter, attached to an internal network? That should be seen as eth1.
     
  11. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    My bad, you're right, it was a fresh VM and I forgot to change it.

    I got through everything until the IPtables edit, this is what Nano told me after pasting all of that into it:
    Is vpn-rules.v4 a VPN-Firewall file? I'm not intending on using that with this Gateway VM, since the VPN provider I'm using randomly assigns me to any of several dozen servers located in different cities in the specific country I choose, which makes specifying IP addresses as VPN-Firewall requires, rather impractical.

    Thanks for helping me out, you really seem to know a lot about this stuff! :) And sorry if I seem a bit noobish.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    The file "/etc/iptables/rules.v4" is used by iptables-persistent, and the folder "/etc/iptables/" doesn't exist until you install that package.

    You can still use iptables rules (modeled after VPN-Firewall) if you're switching among multiple servers. You just need to allow connections to each server, specified by its IP address. Having 10-20 (or whatever) allow rules is OK. In pfSense, you can define an alias that points to multiple IP addresses, but I don't know whether that's possible in iptables.
     
  13. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210

    Alright, I managed to configure all of those settings, and double checked everything. But there are two glaring issues: after this setup is complete, the Gateway VM refuses to connect to the VPN. I clicked on the VPN I had set up with OpenVPN, and it didn't even attempt to connect (the connection worked before the setup attempt). I tested whether trying PPTP would help, but it gave me the same result. My host is running OpenVPN with UDP, and the VPN connection I had in the Gateway was UDP as well.

    Even without the VPN connected, I launched a Windows 7 Workstation VM with the Gateway running, but it still was unable to connect to the internet. It apparently recognized that there was indeed a network in place, and asked me whether I wanted to use the Network as Home / Work / Public, but after choosing Public it still didn't connect to the internet....

    I'm beginning to think that the QEMU VM --> Vbox Workstation is going to be easier, and I have plenty of RAM and a solid CPU to play around with.... Do you happen to know what package needs to be installed to get a GUI for Qemu similar to VBox? I'm using Ubuntu on the host and it seems that all the Qemu packages I've found through Synaptic and command line utilities.... And with this setup, would my Vbox Workstation still have VT-x support? Because without it VM's are painfully slow....
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    You need to specify the OpenVPN server, in the config file, by IP address. That's because there's no access to DNS servers until the VPN connects.
    Did you setup the DHCP server in the gateway VM?
    I see no reason to be doing two levels of virtualization. Maybe I didn't get it. Please say more.
     
  15. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Which config file exactly? :confused: And the IP of the server varies randomly between any of several dozen/hundred...

    Yes, and I ran the command to start it before launching the Workstation.... So it seems to be a more fundamental issue even before any VPN comes into play...

    It just seems to be much more straightforward to me, and likely better at securing my host, since an exploit targeting the hypervisor would need to get through two different virtualization softwares. If the performance hit is just ~1gb of RAM and ~10% CPU, it's no big deal as I have plenty to spare and the Workstations I intend to run are pretty light. The only deal killer would be a lack of hardware virtualization in the Workstation as that makes any VM essentially unusable at any reasonable speed. I have both VT-x and VT-d if that matters....
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    In the OpenVPN config file :) It sounds like you're using a config file with "remote-random" and maybe also server hostnames that resolve to multiple IP addresses. If you want to use all of those servers randomly, you'll need to tweak the OpenVPN config file, adding a "remote w.x.y.z" line for each of the servers. And then, in "/etc/iptables/rules.v4", you'll need a "-A OUTPUT -o eth0 -p udp -m udp -d w.x.y.z/32 --dport port-of-VPN-server -j ACCEPT" line for each one.
    OK, please run these in the gateway and post the output:
    Code:
    $ sudo ifconfig
    
    $ cat /etc/sysctl.conf
    
    $ cat /etc/dhcp/dhcpd.conf
    
    $ cat /etc/default/isc-dhcp-server
    
    $ sudo service isc-dhcp-server status
    
    $ sudo iptables -L
    It's an interesting idea, and maybe it would work. But I suspect that performance would be awful.
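The six commands above are the right things to look at; the following is an added checklist script (not from the thread and not mirimir's code) that turns their output into pass/fail checks. Each check reads a command's output or a file's contents from stdin, so it works on text pasted from a forum post as well as live on the gateway. It assumes the names from the thread (eth1 is the internal-network adapter with 192.168.1.1, eth0 the NAT uplink); the sample outputs at the bottom are constructed, not captured from a real machine. Two caveats it encodes: editing /etc/sysctl.conf changes nothing until `sysctl -p` or a reboot, and plain `iptables -L` does not show interfaces, so `iptables -L -v -n` is the one to use when checking the eth1-to-tun0 forwarding rule.

```shell
#!/bin/sh
# Added example, not from the thread: pass/fail checks over the outputs mirimir asked for.
# Every check reads the command output or file contents from stdin, so it runs on pasted
# text as well as live (see gateway_report). Assumed from the thread: eth1 is the VBox
# internal LAN adapter with 192.168.1.1, eth0 is the NAT uplink.

# Effective INTERFACES value in /etc/default/isc-dhcp-server. The init script sources the
# file as shell, so with two assignments the LAST one wins: an INTERFACES="" line after
# INTERFACES="eth1" silently leaves dhcpd listening on nothing.
dhcp_listen_interfaces() {
    grep -E '^[[:space:]]*INTERFACES(v4)?=' | tail -n 1 | sed -E 's/^[^=]*=//; s/^"(.*)"$/\1/'
}

# Number of INTERFACES assignments; anything above 1 deserves a look.
dhcp_interfaces_assignments() {
    grep -cE '^[[:space:]]*INTERFACES(v4)?=' || true
}

# net.ipv4.ip_forward as written in /etc/sysctl.conf (last assignment wins there too).
# Editing the file changes nothing until "sysctl -p" or a reboot; the live value is in
# /proc/sys/net/ipv4/ip_forward.
sysctl_ip_forward() {
    awk -F= '/^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { v = $2 }
             END { gsub(/[ \t]/, "", v); if (v == "") v = "unset"; print v }'
}

# IPv4 address of interface $1 from ifconfig output, old ("inet addr:") or new ("inet") layout.
iface_ipv4() {
    awk -v want="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        cur == want && /inet / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(addr:)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    sub(/^addr:/, "", $i); print $i; exit
                }
        }'
}

# Built-in filter chains whose policy is ACCEPT, from "iptables -L". All three ACCEPT means
# the kernel's default empty ruleset is loaded, i.e. rules.v4 was never restored. Plain
# "iptables -L" hides -i/-o; use "iptables -L -v -n" to see the eth1 -> tun0 FORWARD rule.
iptables_accept_policies() {
    awk '/^Chain [A-Z]+ \(policy ACCEPT/ { n = n $2 " " } END { sub(/ $/, "", n); print n }'
}

# Constructed sample outputs (not captured from a real machine) for trying the checks offline.
sample_dhcp_default() { printf 'INTERFACES="eth1"\nINTERFACES=""\n'; }
sample_ifconfig() {
    printf '%s\n' \
      'eth0      Link encap:Ethernet  HWaddr 08:00:27:aa:bb:cc' \
      '          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0' \
      '          inet6 addr: fe80::a00:27ff:feaa:bbcc/64 Scope:Link' \
      'eth1      Link encap:Ethernet  HWaddr 08:00:27:dd:ee:ff' \
      '          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0'
}
sample_iptables_default() {
    printf 'Chain %s (policy ACCEPT)\ntarget     prot opt source               destination\n\n' INPUT FORWARD OUTPUT
}

# Live report; run as root on the gateway VM: sh gwcheck.sh --live
gateway_report() {
    echo "dhcpd INTERFACES : '$(dhcp_listen_interfaces < /etc/default/isc-dhcp-server)'" \
         "($(dhcp_interfaces_assignments < /etc/default/isc-dhcp-server) assignment(s))"
    echo "sysctl.conf ip_forward : $(sysctl_ip_forward < /etc/sysctl.conf)" \
         "/ live : $(cat /proc/sys/net/ipv4/ip_forward)"
    echo "eth1 address : $(ifconfig | iface_ipv4 eth1)   (expected 192.168.1.1)"
    echo "ACCEPT policies : $(iptables -L | iptables_accept_policies)"
}

case "${1:-}" in --live) gateway_report ;; esac
```

Run it as root with `--live` on the gateway; an empty dhcpd INTERFACES value, a live ip_forward of 0, a missing eth1 address, or "INPUT FORWARD OUTPUT" under ACCEPT policies each explain a workstation that sees a network but cannot get out.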
     
  17. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
     
  18. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210

    A load of stuff I barely understand ;) Can you see an issue?
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Well, I certainly don't understand all of it either ;) But I do see one huge issue. The output of "sudo iptables -L" tells me that the default accept-everything iptables rules are loaded. Given that, there's no forwarding configured from eth1 (your VBox internal LAN) to the Internet.

    Another issue may be that "/etc/default/isc-dhcp-server" contains both INTERFACES="eth1" and INTERFACES="". That's easy to fix: just delete or comment out the INTERFACES="" line.

    The iptables rules are a little more complicated, because they need to be different when the VPN is connected (forwarding eth1 to tun0) vs when it's not (forwarding eth1 to eth0). If the norm will be to have the VPN connected, do this:
    Code:
    $ sudo nano /etc/iptables/rules.v4
    ...........................................................................................
    *nat
    
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    
    -A OUTPUT -o lo -j RETURN
    -A POSTROUTING -o tun0 -j MASQUERADE
    
    COMMIT
    
    *filter
    
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j LOG --log-prefix "vpn-gw blocked input: "
    -A INPUT -j DROP
    
    -A FORWARD -i eth1 -o tun0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j LOG --log-prefix "vpn-gw blocked forward: "
    -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
    
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp -d IP-of-VPN-server/32 --dport port-of-VPN-server -j ACCEPT
    -A OUTPUT -o tun0 -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j LOG --log-prefix "vpn-gw blocked output: "
    -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
    
    COMMIT
    ...........................................................................................
    Those iptables rules will load at boot. And you can manually load them by running this:
    Code:
    $ sudo iptables-restore < /etc/iptables/rules.v4
    You need a different set of iptables rules when the VPN isn't connected:
    Code:
    $ sudo nano /etc/iptables/no-vpn-rules.v4
    ...........................................................................................
    *nat
    
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    
    -A OUTPUT -o lo -j RETURN
    -A POSTROUTING -o eth0 -j MASQUERADE
    
    COMMIT
    
    *filter
    
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j LOG --log-prefix "gw blocked input: "
    -A INPUT -j DROP
    
    -A FORWARD -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j LOG --log-prefix "gw blocked forward: "
    -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
    
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    COMMIT
    ...........................................................................................
    Whenever you want to test without the VPN connected, load these rules by running this:
    Code:
    $ sudo iptables-restore < /etc/iptables/no-vpn-rules.v4
    If the norm will be to have the VPN not connected, name the first ruleset "vpn-rules.v4" and the second ruleset "rules.v4". In that case, whenever you connect the VPN, you'll need to load the proper rules by running this:
    Code:
    $ sudo iptables-restore < /etc/iptables/vpn-rules.v4
     