How To Set Up A TOR Middlebox Routing All VirtualBox Virtual Machine Traffic Over The TOR Network

Want to support HowtoForge? Become a subscriber!
 
Submitted by chris_dj (Contact Author) (Forums) on Mon, 2012-02-06 18:03. :: Linux | Ubuntu | Security

How To Set Up A TOR Middlebox Routing All VirtualBox Virtual Machine Traffic Over The TOR Network

This tutorial will show you how to reroute all traffic for a virtual machine through the Tor network to ensure anonymity. It assumes a standalone machine with a Linux OS, and VirtualBox installed. In this case, we'll be using Ubuntu on the host machine.

Thanks to
- http://www.tolaris.com/2009/03/05/using-host-networking-and-nat-with-virtualbox/
- https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
- http://www.rootdamnit.eu/2011/12/10/virtualbox-tor-backtrack-aka-how-to-become-almost-invisible/

All commands on the host machine should be run as root (sudo or su.

 

Step 1 - Add A Bridge Interface For Your Virtual Machine (VM) On The Host Machine (HM)

# apt-get install bridge-utils

Add the following to /etc/network/interfaces:

# VirtualBox NAT bridge
auto vnet0
iface vnet0 inet static
 address 172.16.0.1
 netmask 255.255.255.0
 bridge_ports none
 bridge_maxwait 0
 bridge_fd 1
        
 up iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
 down iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

Start the bridge interface:

# ifup vnet0

 

Step 2 - Setup DHCP And DNS For Clients

# apt-get install dnsmasq

Edit /etc/dnsmasq.conf to include:

interface=vnet0
dhcp-range=172.16.0.2,172.16.0.254,1h

Start the daemon:

# /etc/init.d/dnsmasq restart

 

Step 3 - Install And Set Up TOR

Install TOR - INSTUCTIONS

Edit /etc/tor/torrc and add:

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
DNSPort 53
DNSListenAddress 172.16.0.1

Restart TOR:

#/etc/init.d/tor restart

Create and edit middlebox.sh on the HM:

#!/bin/sh

# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24"

# Tor's TransPort
TRANS_PORT="9040"

# your internal interface
INT_IF="vnet0"

iptables -F
iptables -t nat -F

for NET in $NON_TOR; do
 iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

and run it:

#./middlebox.sh

 

Step 4 - Set Up The Virtual Machine On The HM

Open VirtualBox, start the machine. Go to Devices > Network Adapter. Disable all network adapters except Adapter 1.

Set the following options:

Attached to: Bridged Adapter
Name: vnet0
Click OK.

Finally make sure your virtual machine gets its IP address via DHCP, and refresh the DHCP client/reboot the VM. It should have an IP in the range 172.16.0.n, name resolver 172.16.0.1 and gateway 172.16.0.1.


Copyright © 2012 CDH
All Rights Reserved.
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Thanx four this tutorial, I
Submitted by Anonymous (not registered) on Tue, 2012-10-16 14:56.
Thanx four this tutorial, I have searched a lot for this but never found it. My problem is, I want to do this on arch linux and there doesn't exists the file /etc/network/interfaces or any similar config.
So i want to start the bridge manually with:
brctl addbr br0
ifconfig vnet0 172.16.0.1 netmask 255.255.255.0 up
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

but I can't figure out how to set the other settings like:
auto vnet0
vnet0 inet static
bridge_ports none
bridge_maxwait 0
bridge_fd 1

I hope someone can help me.
reply | view as pdf view as pdf
Has anyone been able to
Submitted by Anonymous (not registered) on Tue, 2012-05-15 20:34.
Has anyone been able to successfully replicate the steps outlined above?  Just curious. I'm unable to connect to any hosts in the Virtual Machine. I can ping the 172.16.*.* address but can't any where else. Thought I'd ask.
reply | view as pdf view as pdf
Re: Has anyone been able to
Submitted by mpd2 (not registered) on Thu, 2012-06-07 15:34.
Yes, this works as of the date of this comment.  I had to make an adjustment on my machine (vanilla ubuntu 12.04) because dnsmasq-base was installed by default: http://ubuntuforums.org/showpost.php?p=12006425&postcount=7.
reply | view as pdf view as pdf
blocking UDP traffic
Submitted by chris_dj (registered user) on Fri, 2012-03-30 12:02.

You can also block all UDP traffic/leaks from your virtual machine with

iptables -A FORWARD -i $INT_IF -p udp -j DROP

in middlebox.sh (DNS queries continue to be handled by TOR):

#!/bin/sh

# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24"

# Tor's TransPort
TRANS_PORT="9040"

# your internal interface
INT_IF="vnet0"

iptables -F
iptables -t nat -F

for NET in $NON_TOR; do
 iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

 

 

reply | view as pdf view as pdf
Re: blocking UDP traffic
Submitted by len mccoy (registered user) on Sun, 2012-05-27 23:36.

I have set this up and it seems to be working well.  I included chris_dj's extra command in middlebox.sh.  Web sites like seemyip and others show IP addresses that are not mine. 

However, I use a lot of command line requests, and I'm wondering how I could test them for anonymity.  Is there a address I could ping that would somehow return my originating IP?  Or would it just be reasonable to conclude that since the browsers are anonymous, and since TOR is not installed on the guest OS, only on the host OS, that all traffic from the guest must necessarily be anonymous as well?

reply | view as pdf view as pdf
Re: Re: blocking UDP traffic
Submitted by Pan Ta (not registered) on Tue, 2012-06-26 19:31.
It works for me -- also including the extra command in middlebox.sh.

You can check your IP address at the command line by creating a shell script.

http://ubuntuforums.org/archive/index.php/t-526176.html 

I confirmed the same IP addresses from the command line that I get from my browser.

Also, for what it's worth, I'm running through a VPN on my host before I ever start Tor. When I start my guest, everything still works... the IP addresses are always different -- and never reflect my current ISP. If someone discovers a flaw in this, I'd like to hear about it.

reply | view as pdf view as pdf