Tunnel traffic from Virtualbox to VPN running on host

Discussion in 'privacy technology' started by doveman, May 10, 2015.

  1. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I've got a Windows virtualbox setup with PIA's client installed, so there's a TAP-Win32 network adapter and I have the Kill Switch option enabled in the client, so there's no Internet connectivity when the VPN isn't connected. The Virtualbox adapter is running in Bridged mode, so it has an IP address on the same subnet as the host (192.168.x.x) to let me access shared folders from the Vbox.

    I've also installed Comodo in the Vbox and set the rules as per this guide.
    https://www.bestvpn.com/blog/10218/build-your-own-vpn-kill-switch-in-windows-comodo/

    I've also created a LAN Zone which contains 127.0.0.1/255.0.0.0 and 192.168.1.64/255.255.255.0, then a "LAN Ruleset" set to allow IP In/Out between Source Network Zone=LAN Zone and Destination Network Zone=LAN Zone, then an "Allow LAN" Global Rule to do the same and an "All Applications" Application Rule set to "LAN Ruleset" and the same for "System". This allows all programs to access the host's shared resources and the Loopback, although I guess I could just untick "Filter loopback traffic" to do the latter.

    The default Outgoing Only rules for Comodo Internet Security, Windows Updater Applications and Windows System Applications will only be able to send over the VPN once it's connected with the current setup, so might as well be set to VPN Ruleset instead of Outgoing Only (which is what I've done for each individual app I want to connect only over the VPN) but I was thinking that if I decide to disable the Kill Switch, I could allow these and maybe some other stuff to connect over the normal unprotected connection and just force selected programs over the VPN. There's something called rubyw.exe that runs from the temp folder and appears to be part of the PIA client but I blocked it without it causing any problems, so I'm not sure what the purpose of that is.

    Now the problem I have is I don't want to have to run the PIA client in the Vbox and the host, as that will use up two of the five devices they allow, so what I want to do is just run the client on the host and have the traffic from the Vbox tunneled back to the host and over the VPN. I presume there's some way of creating a listener on the host which listens on a specific port and forwards any traffic the Vbox sends on that port onto the VPN and likewise redirects any incoming traffic back to the Vbox. I guess I'd have to set each program to proxy its traffic on the same port but I'm not sure what I'd do with qbittorrent, as I've already set that to use a SOCKS5 proxy direct to PIA on port 1080.

    As I won't be using the PIA client on the Vbox, I'll need to delete the "VPN Zone" Network Zone which contains the TAP-WIN32 MAC address as that won't exist anymore. I'll also need to change the "VPN Zone" Ruleset which references the "VPN Zone" Network Zone but I can't set that to only allow IP In/Out on a specific port, as the port settings are only available when selecting TCP/UDP but that won't allow any of the other protocols. Maybe I just need to add an extra rule to the Ruleset to Allow Any ICMP from Any to Any. The "Allow LAN" Global Rule will be no good either, as that would allow all traffic to the host on the proxy port (and any other port).

    So I'm not sure what rules I'll need on the Vbox. I know I'll need to use the Comodo rules from that guide on the host as they need to be where the PIA client and TAP-Win32 adapter are installed.

    As you can probably tell, I'm pretty confused and would appreciate some assistance. At the end of the day, I want all traffic from the Vbox going over the VPN and just selected programs on the host doing so.
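    The Comodo rule set described in this post (default deny, a LAN zone, everything else only via the TAP adapter) is a host-level kill switch. As an added example, not from the thread and not using Comodo, here is the same policy expressed with the built-in Windows Firewall cmdlets, which is useful as a cross-check or a fallback. The adapter aliases, LAN subnet, tunnel port and the client executable path are assumptions and must be adjusted; run it from an elevated PowerShell.

```powershell
# Added example: a VPN kill switch using the built-in Windows Firewall.
# Everything below the "assumptions" line is hypothetical and must be
# adjusted to the real adapter names, subnet, port and client binary.
$Tap          = 'TAP-Windows Adapter V9'            # assumption: alias of the VPN's TAP adapter
$Phys         = 'Ethernet'                          # assumption: alias of the physical adapter
$Lan          = '192.168.1.0/24'                    # assumption: the LAN the host sits on
$VpnPort      = 1194                                # assumption: OpenVPN default UDP port
$VpnClientExe = 'C:\Program Files\VPN\client.exe'   # assumption: the VPN client process

# Default deny outbound on every profile (inbound already defaults to block).
Set-NetFirewallProfile -All -DefaultOutboundAction Block

# 1. Any program may send over the tunnel adapter.
New-NetFirewallRule -DisplayName 'KS: allow out via VPN' -Direction Outbound `
    -InterfaceAlias $Tap -Action Allow

# 2. LAN traffic (shares, router) may use the physical adapter directly.
New-NetFirewallRule -DisplayName 'KS: allow LAN out' -Direction Outbound `
    -InterfaceAlias $Phys -RemoteAddress $Lan -Action Allow

# 3. ...but DNS must never leave over the physical adapter, not even to the
#    LAN router: block rules win over allow rules, so this closes that hole.
New-NetFirewallRule -DisplayName 'KS: block DNS off-tunnel' -Direction Outbound `
    -InterfaceAlias $Phys -Protocol UDP -RemotePort 53 -Action Block

# 4. Only the VPN client may reach the Internet over the physical adapter,
#    and only on the tunnel port, so that it can bring the tunnel up at all.
New-NetFirewallRule -DisplayName 'KS: allow VPN client to connect' -Direction Outbound `
    -InterfaceAlias $Phys -Protocol UDP -RemotePort $VpnPort `
    -Program $VpnClientExe -Action Allow

# Check: review every remaining enabled outbound allow rule. Windows ships
# its own (Core Networking, DHCP, ...); anything not bound to $Tap or $Lan
# is a candidate leak path.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Sort-Object DisplayName |
    Format-Table DisplayName, Profile -AutoSize
```

With the tunnel down, the only packets that can leave the physical adapter are LAN traffic (minus DNS) and the client's own connection attempts, which is the behaviour the Comodo rules in the post aim for. The block rule in step 3 matters because the LAN allow in step 2 would otherwise let the router at 192.168.1.x answer DNS for the whole machine while the VPN is disconnected.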
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I've forgotten most of what I ever knew about Windows :(

    Using VirtualBox NAT will have the VM using the PIA connection on the host. Shared folders are trivial for folders on the host. Maybe you can even use network shares on Windows as shared folders.
     
  3. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Yep, I'm already using Windows network shares on the host, which the Vbox can access.

    I understand that using NAT instead of bridged mode will redirect traffic from the Vbox through the host but even if I can still setup rules in Comodo on the Vbox to specify which programs can connect, I don't know that I'll be able to specify that they can only connect over the VPN. Likewise on the host, I won't be able to set rules there to control the programs running on the Vbox, as Comodo on the host won't be able to tell which programs are running on the host and will just see a stream of traffic. I'm not really sure how I'd set rules on the host to control the Vbox traffic at all.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Using NAT, VMs can only connect through the internal VirtualBox router running on the host. So there's no need to firewall VMs, unless you want to control outbound traffic by app.

    On the host, it's most secure to restrict all traffic to the VPN. But you can setup Comodo rules to restrict VirtualBox and other apps to the VPN, and allow direct access only to LAN.
     
  5. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I do want to control traffic by app on the Vbox, to ensure that only what I want is connecting. It's easy to create rules for the apps but not to ensure they can only communicate on the VPN.

    If on the host I can setup rules to make all traffic to/from the Vbox go via the VPN, that would do the trick I guess (although I'd have preferred to only force traffic for selected programs running on the Vbox over the VPN, leaving stuff like Windows updates to run over the unprotected connection, in case it contains any identifying information) but how would I do that? I would have thought a rule for Virtualbox will just affect the Virtualbox program and not any traffic from the NAT adapter as such, so would I need to setup rules to restrict traffic on the NAT MAC (if it even has its own MAC) to the VPN MAC?

    Actually, if all Vbox traffic is forced over the VPN by rules on the host, then surely that's going to affect any LAN traffic (i.e. accessing Windows shared folders) as well, as Comodo on the host won't be able to differentiate between the two will it?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    By "Vbox", do you mean the VM?

    Is the VM also running Windows?
    Yes, that's easy, using Comodo on the host.
    Do you want Windows updates on the VM to run direct, bypassing the VPN? That's not so easy. Maybe it would work to create two adapters on the VM, one NATed to the host and so connecting through the VPN, and the other bridged to the host adapter and so connecting directly. Then point Windows updates to the bridged adapter, and everything else to the NATed adapter.
    The "NAT adapter" is part of VirtualBox.
    I was thinking that you could create a network share on the host, and then use that as a shared folder in VirtualBox.
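    The two-adapter layout suggested in this reply (one NAT adapter whose egress is the host's VPN, one bridged adapter for the LAN only) can be set up from the host with VBoxManage. The following is an added example, not from the thread or from VirtualBox's documentation; the VBoxManage path, the VM name "WinVM" and the host adapter name "Ethernet" are assumptions.

```powershell
# Added example: give a VirtualBox VM a NAT NIC for Internet (via the host,
# and therefore via the host's VPN client and kill switch) and a bridged NIC
# for LAN-only access. Names below are assumptions; adjust to your setup.
$VBoxManage = "$env:ProgramFiles\Oracle\VirtualBox\VBoxManage.exe"
$VmName     = 'WinVM'       # assumption
$HostNic    = 'Ethernet'    # assumption: friendly name of the host's physical adapter

# NIC settings only take effect on a powered-off VM (error ignored if already off).
& $VBoxManage controlvm $VmName poweroff 2>$null

# NIC1: NAT. With the host resolver option the VM's DNS queries are answered by
# the host's stack, so whatever the host's VPN client does for DNS applies to
# the VM too, and the VM never contacts a DNS server itself.
& $VBoxManage modifyvm $VmName --nic1 nat --natdnshostresolver1 on

# NIC2: bridged, intended only for reaching the host's shares on the LAN.
& $VBoxManage modifyvm $VmName --nic2 bridged --bridgeadapter2 $HostNic

# Verify what the VM will boot with.
& $VBoxManage showvminfo $VmName --machinereadable |
    Select-String '^(nic|natnet|natdnshostresolver|bridgeadapter)'
```

The bridged NIC is the dangerous part: it gives the VM a route that bypasses the VPN entirely. Inside the Windows VM, give that adapter a static LAN address with no default gateway, so the only 0.0.0.0/0 route Windows has is the one on the NAT adapter; then Windows Update and everything else that follows the default route goes via NAT and the host's VPN, and only explicit LAN destinations use the bridged adapter. Routing update traffic directly, as asked about above, would additionally need a firewall rule inside the VM pinning those processes to the bridged adapter.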
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I am enjoying reading along gentlemen. From a casual uninvolved read its tough to determine whether or not you are concerned about security only, or also anonymity. Folks who use a VPN may elect to do so for security and not really even care about anonymity. Something like a wifi/coffee shop application or similar. If anonymity is a concern as well, you may consider using a linux VM for a multitude of reasons. The physical isolation of a VM means that you can limit exposure (in case of malware, etc.) to the hardware details of the virtual machine. Things like the MAC, etc... will only show those of the VM even if the machine gets infected. IF you use windows you need to remember the license key/serial of the operating system is still present in the VM. Does that trace directly back to you, and if so would it be a problem should it be discovered? ------------- > Just something to consider.

    I am pretty sure from reading along that my application/needs differ from yours. I don't allow ANY LAN cross talk. My machine cannot even connect to the network ddwrt router panel -- once I bring up the circuit and the subsequent IP table firewall restrictions. It is positively isolated on several levels. You may not need or even want this isolation.

    There is a thread around here titled NGFW which is truly next level on firewall -- if that is something you want to study.

    BTW --- if I am out in the weeds and confusing the "thrust" of this thread just ignore the post and keep moving. LOL!
     
  8. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Yeah, sorry I always do that.

    The VM is running Windows.

    OK, so I can create rules in Comodo on the host to channel the VM traffic over the VPN, although if the NAT adapter is part of Virtualbox and so the rules have to be for Virtualbox.exe, that means that the Virtualbox program will communicate over the VPN as well for updating, etc., so that could be a possible leak point if it might disclose any identifying information from the host system.

    That sounds like a good idea, I'll give that a go. Yeah, ideally I'd want to limit the programs communicating over the VPN, to avoid Windows updates, etc sending any identifying information over that connection.

    What I can do is add specific folders in the VM settings as shared folders and then assign drive letters to those in the VM. Maybe this doesn't use the LAN or either of the network adapters, so I won't need to create rules to allow it in Comodo on the VM.
     
  9. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    It's a bit of both for me. It's quite tricky to maintain anonymity though, as if you're serious you need to avoid logging into any websites whilst using the VPN, which rather limits the websites you can use (no e-mail, forums, stores, banking). So what I originally planned to do is just use a VM for some anonymous browsing and torrenting over the VPN, as I can keep the VM quite clean and less likely to leak anything. I might look at using a Linux VM for this purpose when I've got more time.

    What I'm thinking of doing in addition now though is to have the VPN client running on the host, with the same VM traffic tunnelled over the VPN but also one specific browser (Chrome Portable or Iron Portable) using the VPN, for anonymous browsing from the host, with another browser used for accessing e-mail and other sites I have to log into. Whilst most of those sites use SSL and thus provide some protection from people seeing your login details, if accessed via the VPN it provides an attack vector, where someone could go to the company and say "supply me with a list of IPs that user X has logged in from" (I'm sure over the years plenty of data has accumulated showing that user X is connected to my person) and then match those (VPN) IPs to any browsing I did whilst using that VPN IP.

    I'm probably being a bit paranoid and don't really need that level of anonymity but it's an interesting challenge trying to maintain it and I learn more about security/anonymity and the possible weak spots. I'll have a look at NGFW thanks.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Couple of simple things come to mind.

    You could use ONE vpn for your actual person identity. The IP would be that of the vpn's but it would remain constant. Remember that for true name stuff you are NOT trying to be anonymous only secure. There is NO point in attempting anonymity for something with your actual name on it, duhhhh!!

    For other internet actions you should use a different VPN/TOR so the IP's from your true self and all other anonymous activities are never bridged together so to speak. This would certainly be simple to do and provide substantial movement towards what you want to accomplish. It should be quite simple to have multiple vpn clients on your host OS.

    I feel it is incumbent upon me to mention that your use of one machine instead of using separate systems is injecting some risk into meeting your goals successfully. So far, Mirimir and I are the only ones posting along here. I can tell you with certainty that neither of us would use the same machine for anonymous activity and then later for true name activity. There have been many discussions about this. I feel that over time if you learn to create multiple independent systems it will be training well placed. You can have one laptop and yet many completely independent operating systems with zero cross talk among them.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    :)
    Yes, I was getting that :)
    VirtualBox shouldn't know anything about you. There's no need to register in order to download.
    I'm curious whether that would work. I've never tried it. But it is dangerous, in that the VM would have a way to bypass the VPN, and you'd be relying on Comodo rules to sort it out. My approach, whenever I need to run Windows in a VM, and be "anonymous" using a VPN, is to use a copy of Windows that I've obtained anonymously, from an old computer bought for cash at a yard sale etc. That way, Windows in the VM doesn't know anything about me.
    OK. I was thinking that you wanted to access other LAN shares.
     
  12. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I'm sure you're right that one should use separate systems for anonymous activity and secure true name activity. I couldn't be bothered with rebooting every time I wanted to check my e-mail, etc and then rebooting again to do something anonymous though and I'd end up being tempted to violate the rules and do the wrong thing in the wrong system. Whilst not providing as good isolation, I feel using a VM is a more practical way for me to achieve at least a fair degree of separation. Obviously, if I was at significant risk I'd be more concerned to achieve total separation!

    I'm not really sure how much additional protection using a VPN achieves for a lot of true name stuff, when the websites I'm accessing are all using SSL anyway, so should prevent any peeking by authorities or my ISP. My data (e-mail, etc) at the site is vulnerable to being accessed by the authorities anyway and I'm sure they've linked as many people's real identities to their e-mail accounts as they can already. So they could easily go to yahoo for example and order them to disclose what IP address I logged into my account from and then go to the VPN provider who owns that address and order them to log when I connect and what IP address I'm assigned by them.

    Ideally of course one would create new identities, accounts, etc when using a VPN and then only access them over the VPN, so that there would be no link to a real identity (providing you pay for the VPN anonymously of course) but you'd still have to avoid accessing stuff like bank accounts, which are linked to your real identity, over the VPN. So then you'd have anonymous VPN, secure VPN and normal connection for real identity stuff. For me personally, I don't really think there's much benefit using a VPN for accessing my accounts, so I think I'll just do most of my browsing, etc in the VPN and then access my e-mail, etc on a normal connection, to at least maintain some privacy in my browsing. Of course, I'll have to remember to copy links in e-mails and paste them into the VPN browser (probably on the VM) rather than click on them, which will open them via the normal connection.
     
  13. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Yeah, I was just thinking that maybe it could query the registry for identifying data and include that in any debug reports it might upload, or even send it when checking for updates.

    It's not perfect sure but I think that Comodo is pretty robust and will block everything if it is shutdown, so as long as the rules are setup correctly it should do the trick for me.

    I actually thought that's what I was doing until I checked and found I'd setup shared folders via Virtualbox. :)

    I'm not certain that doesn't piggy-back on the Windows network file sharing though, so I'll try disabling "Client for Windows Network" and "File and Printer Sharing" in the VM for the LAN adapter and check if it still works. In fact, I found that those two services were enabled by default on the VPN TAP-Win32 adapter, which doesn't seem good so I disabled them on that as well.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    That's what I recommend. Compartmentalization.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    That's possible, for sure. I totally don't trust Windows, and use Linux for my hosts. I don't necessarily trust Linux either, but at least there's no identity/money trail.
     
  16. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    There are all kinds of tags inside of a computer that can identify it uniquely. They include the serial numbers in the BIOS and hard drives, the Windows PID in a Windows system and any MAC addresses of network devices as well as other identifying numbers in the hardware. It just takes one connection with your real identity on that machine to connect it with you. Generic VMs isolated from the host system's tags make it harder to get that information.

    Compartmentalization is the way to go. Keep anything with your real identity on a computer dedicated to that with the appropriate security to protect your identity. Do anything else on another machine or better yet, a VM on that machine.
     
  17. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    Yeah, it's probably better to do all browsing in the VM, other than real identity stuff which I'll do on the host.

    Exploring my original idea though, after installing the VPN client on the host I see on the TAP-Win32 adapter it creates it has "Virtualbox bridged networking driver" enabled on it. Do I want to leave this enabled?

    If I have both a NAT and a bridged adapter installed on the VPN and no VPN client, how will Windows decide which adapter to send the internet traffic over? Most stuff, like Windows Updates will only be able to use the default connection. It might be possible to direct some programs to use a specific adapter but I can't say I've seen any. So if all traffic goes automatically over the NAT adapter, then through Comodo on the host to the VPN, there's no way to use a non-VPN connection for specific programs/tasks. It's certainly possible in Comodo to create a Zone for a specific adapter's MAC address and then limit specific programs to only be able to use that but that doesn't really help if there's no way to make the programs use that adapter.

    So even if I wanted to, it doesn't seem like I could really use the VPN on the VM for specific programs if the VPN client is running on the host. So I'll probably just keep the client on the VM, so that I can have specific programs forced to use the VPN and other programs restricted to the non-VPN connection (when the VPN is disconnected, as otherwise everything tries to use the VPN adapter and if blocked from doing so by Comodo, just can't connect).
     
  18. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I've just noticed something rather worrying.

    I'm connected to the VPN and downloading a torrent to a VM Shared Folder on the host (mapped to F: in the VM). All adapters have MS Networking and file sharing disabled. However, checking the properties for the NAT and VPN adapters, they're both showing similar upload/download totals which are constantly changing. The NAT adapter shows 1,604,000,000 / 5,672,000,000 whilst the TAP-Win32 adapter shows 1,483,000,000 / 5,074,000,000 (roughly rounded, as they're constantly changing), so there's a bit more traffic on the NAT adapter than the VPN one.

    Obviously before I installed the NAT adapter no traffic was going over it, so why would it now be sending everything over it as well as the VPN adapter?

    EDIT: I disabled the NAT adapter and the torrent traffic stopped, so it was definitely using it, as well as the VPN adapter apparently. I have set the torrent program to use SOCKS5 on a specific host address but in Comodo I've set the torrent program to use the VPN ruleset, which allows IP In that's destined for the VPN adapter MAC address, IP Out from the VPN MAC address and blocks everything else, so I don't know how the hell it could connect via the NAT adapter!
     
    Last edited: May 16, 2015
  19. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    The route is usually VPNTap over the host adapter. The host adapter sees the encrypted VPN traffic. This is normal whether in a VM or real machine.

    It is best to use a separate machine for real ID stuff. That way the host of the VMs is kept clean both of any traces of your real identity and of excessive CPU and memory use which could affect VM performance.
     
  20. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    OK, so I guess whichever adapter (Bridged or NAT) is first in the order list, then the VPN TAP attaches to that and sends its encrypted data over it, as the VPN TAP itself doesn't have any external connectivity. That makes sense and even though the Comodo rules restrict the program to using the VPN TAP, after the data is sent to that it has no control over where it goes next.
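    What actually decides the "next" adapter is the routing table, not adapter order: an OpenVPN-style client (which is what a TAP-Win32 adapter belongs to) puts the default route on the TAP and adds a /32 host route to the VPN server via the underlying adapter, so every packet is counted once in plaintext on the TAP and once encrypted on the physical or NAT adapter. The following added example (not from the thread) makes that visible from inside the VM, or on the host; it assumes nothing about adapter names and just reports what Windows has.

```powershell
# Added example: show why the TAP adapter and the underlying (NAT or physical)
# adapter both report similar byte counts while a VPN is connected.
# Run in an elevated PowerShell with the VPN up. No names are assumed.

# 1. Default routes. OpenVPN clients usually add 0.0.0.0/1 and 128.0.0.0/1 on
#    the TAP (they beat the real 0.0.0.0/0 on prefix length) rather than
#    replacing the default route. Whatever is lowest-metric here carries
#    the plaintext side of all Internet traffic.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0','0.0.0.0/1','128.0.0.0/1' -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric |
    Format-Table DestinationPrefix, InterfaceAlias, NextHop, RouteMetric -AutoSize

# 2. Host routes. The client adds one for the VPN server's address via the
#    underlying adapter so the encrypted packets can still reach it. If this
#    list is empty while connected, or the default route is not on the TAP,
#    something is bypassing the tunnel.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like '*/32' -and $_.NextHop -ne '0.0.0.0' } |
    Format-Table DestinationPrefix, InterfaceAlias, NextHop -AutoSize

# 3. Byte counters sampled twice. The delta on the underlying adapter should
#    track the delta on the TAP (a little larger, for the encapsulation
#    overhead) rather than being an independent second flow.
function Get-AdapterDelta([int]$Seconds = 10) {
    $before = Get-NetAdapterStatistics | Select-Object Name, ReceivedBytes, SentBytes
    Start-Sleep -Seconds $Seconds
    $after  = Get-NetAdapterStatistics | Select-Object Name, ReceivedBytes, SentBytes
    $after | ForEach-Object {
        $a = $_
        $b = $before | Where-Object Name -eq $a.Name
        [pscustomobject]@{
            Adapter = $a.Name
            RxDelta = $a.ReceivedBytes - $b.ReceivedBytes
            TxDelta = $a.SentBytes     - $b.SentBytes
        }
    }
}
Get-AdapterDelta -Seconds 10 | Format-Table -AutoSize
```

This also explains the limit of a per-application rule pinned to the TAP's MAC address, as in the Comodo VPN ruleset: it governs the plaintext leg only. The encrypted leg belongs to the VPN client process on the underlying adapter, which is why the host-side rules have to allow that process, and nothing else, out through the physical or NAT adapter.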
     
  21. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I had some problems with the PiA client, apparently due to using TCP on port 443, which I thought would be useful to help mask the traffic but it constantly kept disconnecting after a minute or so and had trouble reconnecting. Setting it back to UDP and Automatic port fixed it but I don't know why that was necessary.

    I found I couldn't use manual settings for the Bridged Adapter and had to set them back to Auto. With the VPN disconnected, checking the Status for the Bridged Adapter shows it is set to 192.168.1.254 for the gateway and DNS server. With the VPN connected, both of those are blank, which I presume the client's DNS Leak Protection setting is responsible for. Obviously I have to leave the client's Kill Switch setting disabled, otherwise it blanks those settings when the VPN is disconnected and I don't have any connectivity to do Windows Updates, etc. I don't really need it anyway, as Comodo is serving as my Kill Switch.

    The rubyw.exe which runs when the client is launched is annoying, as it runs it from a different random location in the temp folder each time, so it's impossible to set a rule for it in Comodo and I have to manually allow it (with Comodo set not to create a rule, otherwise I'd end up with numerous redundant rules) each time I launch it. I don't know what purpose it serves, as the client is able to connect to the VPN even if I block this .exe and as it tends to pop up more than once, I block and terminate it but it's annoying that I have to do that. I guess I'll ask PiA about that.
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, ask PIA, or use another VPN. I don't know this Windows stuff well enough to help very much :(
     
  23. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    PIA have said:

    "The Ruby processes are intentionally designed to randomize as a security measure to avoid a possible exploitation on your system. Sorry for any inconvenience.

    If your security software is not able to exclude "rubyw.exe" by filename, you could enter it based on an actual file already present in the %LOCALAPPDATA%\Temp. Once you exclude one version of Ruby, future manifestations should also be excluded. Simply go to the %LOCALAPPDATA%\Temp folder, and find the most recent "ocr####" folder and exclude it."

    which rather misses the point, as firewall rules have to be specific to a particular file and location so I can't make an exclusion rule for rubyw.exe, otherwise a rogue program could just use the same name to bypass the firewall, which seems a bigger security risk than any benefit that running Ruby from random locations might provide.
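    The objection is sound: a rule keyed on a file name is a rule any program can satisfy. What a firewall can pin instead of a path is the file's hash or its code signer, but that only works if every randomised copy is the same binary. The script below is an added example, not from the thread or from PIA, that enumerates the ocr#### folders PIA's reply mentions, hashes every rubyw.exe found and reports whether a single hash (or signer) would cover them all. It assumes only the %LOCALAPPDATA%\Temp location quoted above.

```powershell
# Added example: check whether the randomly-located rubyw.exe copies are one
# binary, so that a hash- or signer-based firewall rule could replace the
# unusable path-based one. Assumes only the %LOCALAPPDATA%\Temp\ocr* location
# quoted in PIA's reply; the search is recursive so no folder layout is assumed.
function Get-RubyCopies {
    param([string]$TempRoot = "$env:LOCALAPPDATA\Temp")
    Get-ChildItem -Path $TempRoot -Directory -Filter 'ocr*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Recurse -File -Filter 'rubyw.exe' -ErrorAction SilentlyContinue
        } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer = $signer
                Status = $sig.Status      # Valid / NotSigned / HashMismatch ...
            }
        }
}

$copies = @(Get-RubyCopies)
if ($copies.Count -eq 0) {
    'No rubyw.exe found under ocr* folders; launch the client first.'
} else {
    $copies | Format-Table Status, Signer, SHA256, Path -AutoSize
    $hashes = @($copies.SHA256 | Sort-Object -Unique)
    if ($hashes.Count -eq 1) {
        "All $($copies.Count) copies are the same binary; a rule on SHA256 $($hashes[0]) would cover every future location."
    } else {
        "$($hashes.Count) different binaries named rubyw.exe; a hash rule would need one entry per hash."
    }
}
```

Two caveats a practitioner would add: a hash rule has to be redone whenever the client updates its bundled Ruby, and an unsigned interpreter (Status NotSigned) leaves hash as the only option, since a signer-based rule cannot be built for it. Either is still stronger than allowing by name, which is exactly the bypass the post describes.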
     