Trying to decide if such a configuration is worth my time, and specifically if the incremental increase in security is enough. Scenario: Moderate to high end pfsense/BSD appliance functioning as primary router on home network. This is set in stone as vpn1 for one of the LANs. Another LAN running direct to ISP for raw connection also setup on this appliance. Must be hefty enough to pull 150 meg all day long even through the VPN LAN. Now moving along my build: Per the thread title I can easily setup a linux host and create vpn2 on the host OS. There would be no workspace on the host. In a single laptop scenario I would build VM's that would either NAT or Bridge to the host and workspace would be limited to the VM's alone. I do this now and it works smoothly. Incidentally, TOR enters the equation as the final three relays before any exit. I am considering expanding this model for some of my more sensitive operations. Enter the second laptop model. I am soliciting any links or interesting areas you may know about to read through pitfalls and improvements via a two laptop chaining model. My current model is easy to use and although it took awhile to build and "hone" it is now virtually effortless to use. I suspect the two laptop/computer model would be just as effortless once configured. I want to operate in the 150 meg range so I am leary of a Raspberry or little device like that. The middle laptop will be crunching all the vpn2 math plus TOR so it needs some heft to it. The final laptop will be running and processing the TOR circuit and finally workspace. In all these models its cat6 ethernet all the way. I will/do use an AP router for wireless on one of my LANs. Opinions: is the physical compartmentalization using two computers, as described above, worth it?
At one point, I had an old 1U quad-core server that I used like that. It ran Debian, with one VPN on the host, and several pfSense VPN-gateway VMs for nested VPN chaining. It had a four-port NIC card, with one port for uplink, and three for LANs, with a pfSense VM bridged to each as DHCP server. So I could route a different VPN chain to each LAN. It worked well. And you get physical compartmentalization. But the downside is that adversaries with physical access could discover your VPN exits, just by connecting to the LANs. You can of course lock down the DHCP servers by MAC and whatever, but that can be hacked.
If money were no object, and starting from a clean slate, I'd not pick laptops because of their limited networking IO (you'll presumably need a dongle), plus I dislike their nasty fans. There are quite a range of 2+ NIC fanless appliances which I would prefer and are actually not very expensive (e.g. $150). They vary in terms of vt-d support, but most would do NI for the crypto. Sadly, I think there is a niche for this kind of thing now, as VMs won't do everything.
deBoetie and Mirimir, Thanks guys. deBoetie, I have been reading about those $150.00 fanless (pfsense support vendors) but I have concerns about them holding up on 150-200 meg networks, which I run all day long. Also, I actually meant computers in the generic sense when I typed "laptop". I dealt with the crappy nic thing and laptops with Mirimir a couple years ago. You are right about their crappy network capabilities for when things are a little beyond normal scope. Use of a dongle was an utter failure on a high end network throughput situation. Laptops are OK when they occupy the final link in the chain and no further "chaining" is needed. Mirimir, one of the things I hoped to attain by chaining physical devices is not being observed via joining the LAN alone, or either end of the tunnel. If an adversary were to somehow join the vpn1 device, how would they ever see the exit on vpn2 that is bridged in the chain? Conversely, if at the other end they broke through the workspace TOR browser, and somehow made it to the vpn2 device even, how would they then make it back to vpn1? A compromise on this level configuration would be a state actor with someone specific being targeted. Not sure, but I don't think that is me. Let me add a thought and further questions maybe for you two, or others as well. Instead of setting a retail/homeowner router in AP mode for wireless with pfsense/BSD how about this --- Just keep my ddwrt configured router (retail router quality only) connected directly to my ISP. This means my family has "normal" wireless for our Androids and generic devices. Now I run Cat6 from that router to an appliance/computer running vpn1 as a host only ----- > then physical chaining (more Cat6 connecting the vpn2 laptop computer's ethernet), which to facilitate the process, has VM's for TOR and workspace? This would be child's play to configure, and one advantage is the only device running 24/7 is the generic ddwrt router to the ISP. Because of how I configure/code the linux clients for my vpns I would be able to quickly and easily rotate both vpn relays daily making it tougher to watch than a static route. Actually, I like the idea alot. It would take me about 2 minutes to bring this up every day, which is the only inconvenience I visualize. If I use a computer as opposed to a commercial appliance I can fully encrypt (LUKS) all the vpn computers and arm them with deadman throwouts so nobody gets physical interior access. All hobby stuff, no needs here, just fun to build.
The approach I've chosen to go down is a 4-port integrated diy pfsense router with separate AP with multi-ssd and VLAN support. The logic for this is that I want the "unwashed" BYOD stuff, mobile phones, network printers, webcams, Voip ATAs on a physically distinct "red" LAN (and VLAN). The red LAN is internet only, one of my objectives with this setup was to help protect myself from LAN threats from weak endpoints. My "real" devices and VPNs are on the other two physical network interfaces. I can add additional interfaces as and when, and am thinking of doing so specifically for VPN applications. Of course, that puts routing and isolation in one box, on the other hand, it's as solid as anything else for what it's doing, and it's physically distinct (important from the physical address space perspective). I think it also supports your chaining ideas for the downstream boxes with VMs and workspaces, configured how you like. The physical realisation (way over $150! and I don't know what the latest and greatest is): Supermicro server board, mATX profile, A1SRM-2558F, with 4 Intel GigE ports onboard. http://www.supermicro.com/products/motherboard/Atom/X10/A1SRM-2558F.cfm Processor's a fanless 15W 4 core 2.4G Atom C2558 SoC (there's also an 8-core version but that needs a fan and is significantly more $), this one was about $250. Has AES-NI. There are 4 x GigE C2000 SoC I354 Intel NICs, with some I/O overhead reduction. pfSense/BSD sees these as an igb driver type, and these are not officially supported for VLAN but do work (I've increased the mbufs to avoid some reported issues). Loads of memory (to 64G) & 2 pcie2 NIC card expansion (if more Ethernet ports become needed, I'll pop in a cheap 2-port intel board, or the 1350-T4). The VLAN Multi-ssid Wireless access point is a TP-Link TL-WA901ND.
@Palancar I'm not sure that I follow your questions. My point was that using physical devices instead of VMs is more secure from cross-device compromise, but less secure for adversaries with physical access. Let's say that you're using VMs. You leave for a few hours, with no friends around, and just lock the system. And let's say that you have FDE. So an adversary would need to mess with the system, trying to unlock it without rebooting, or compromise FDE, or whatever. Unless they're very good, you'll probably notice something. But let's say instead that you have gateway and workstation devices, connected by ethernet. Now you have just a standard network compromise situation. I'm just saying that you need to secure it.
I have a similar setup for now for the same reason. Part of the family wants clearnet only because...there actually is no "real" reason for it. I just started with pfsense using a basic setup. I bought one of these small boards @deBoetie is talking about. It's just not that powerful. It has a 1Ghz quad core (AMD) with AES-NI support and virtualization support (AMD-V) + 4GB RAM. I am interested in more advanced setups but I am busy understanding my basic setup, haha. I wanted a stable LAN-VPN connection because I feel more comfortable using TOR over VPN on my Qubes laptop although I have a leakproof and working setup via wireless as well. I wanted to learn about pfsense and routers, too. Mostly as a hobby. I thought about using very old hardware, too but one of the main reasons I chose a new board was power consumption. It's about 6 to 12W. When I think about my laptop and its power consumption (plus the noise from fans) I am not so happy. Sorry that I can't comment on your planned setup, that is a little over my head. I am interested in how your setup will look like anyway.
OK now we are on the same page. I did misunderstand what you were saying about getting to my stuff. I am not overly concerned about a physical breach in my absence due to an advanced alarm system, but it is always possible. The alarm itself is full stealth and NO company/agency even knows it exists. Its loud as hell with strobes and the full "rodeo" if it is triggered. I remind you that I always use FDE and I am quite stealthy with a deadman setup. In this latest project I will likely just shut down the two FDE computers when I leave and then mount them when I want to resume activities. Since the ddwrt router is on 24/7 the family will not even be aware of any issues, meaning its all seamless from their vantage point. deBoetie, Your hardware (in the newer of your posts) is much more what I was thinking of, but as relates to my response to Mirimir ------- does YOUR hardware setup offer FDE, as would use of a Linux machine running LUKS? I am only concerned with placing a device serving as VPN1 in a position behind the router, and before the vpn2 machine, and of course anything further down the line. Balthazar, I am aware that should I decide to use a bit older hardware I will pay more for power consumption, but I am not going to use some "history museum appliance" that adds 20 bucks to my electric bill every month, LOL! A small compromise on consumption would be OK since its not a 24/7 device. It is fairly important to me to be able to rotate the entire circuit somewhat easily. I am hoping for something better than saving unique cert's for each vpn I want to use. Currently I have coded clients that select from a list of VPN's in a split second while mounting up. By varying my circuit often it will serve my personality nicely. Then in general to all reading along; this configuration is important to me because a solid vpn1 specific device can break communication from the rest of my LAN very thoroughly. With all the talk regarding Wikileaks we have lots to process. One thing for sure is that Androids, SmartTV's and much more are "listening devices" at best. I want to keep them isolated from my downstream activities. Over time we will learn if all of this is just useless, but for now I am playing by the "rules" I know of.
I don't think I'm so concerned about FDE on the pfsense box, although I guess I should pay more attention to the logs (or perhaps pointing them at null or something). Even there, it'll not be logging what's going via the VPN, or any other VPNs downstream. Is that what you are most concerned about? From what I've seen so far, the Wikileaks dump is more-of-same from a technical perspective, but does emphasise why local segregation is a good idea (plus all the other compartmentalisation stuff we get up to). It is also, one might hope, a reminder to the great unwashed that their precious smartphones are not safe, and to the somewhat complacent Linux kernel people that the same applies to them.
Yep, its a logging vs privacy - compromise debate type thing. I can configure zero logs and just have vpn1 allow a connection through it from vpn2 and downwards. In that case I would be safe. I have been running everything with FDE for so long its become part of my world. LOL!
This project is still being investigated. I went down a "side street" and I have been spending some time reading about using Debian or Ubuntu server as my vpn1 setup. It is not that tough to use straight Debian configured as a router. The tough part is in MY determining possible leaks or weak points. I wish my coding was a bit stronger. Its slow reading and its all new to me with this mission. In the final analysis I may determine that just because I get it to work, it doesn't mean its solid. PfSense just flies out of the box almost! I can't really justify the 650 bucks for the hardware I would love to get my hands on. If anyone reading along has significant experience trying to run straight Linux as a vpn1/router I would love to hear about your experiences. Plus or minus comments.
