Comments on How To Set Up A TOR Middlebox Routing All VirtualBox Virtual Machine Traffic Over The TOR Network

How To Set Up A TOR Middlebox Routing All VirtualBox Virtual Machine Traffic Over The TOR Network This tutorial will show you how to reroute all traffic for a virtual machine through the Tor network to ensure anonymity. It assumes a standalone machine with a Linux OS, and VirtualBox installed. In this case, we'll be using Ubuntu on the host machine.


Comments

By:

You can also block all UDP traffic/leaks from your virtual machine with

iptables -A FORWARD -i $INT_IF -p udp -j DROP

in middlebox.sh (DNS queries continue to be handled by TOR):

#!/bin/sh

# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24"

# Tor's TransPort
TRANS_PORT="9040"

# your internal interface
INT_IF="vnet0"

iptables -F
iptables -t nat -F

for NET in $NON_TOR; do
 iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

By:

I have set this up and it seems to be working well. I included chris_dj's extra command in middlebox.sh. Web sites like seemyip and others show IP addresses that are not mine.

However, I use a lot of command line requests, and I'm wondering how I could test them for anonymity. Is there an address I could ping that would somehow return my originating IP? Or would it just be reasonable to conclude that since the browsers are anonymous, and since TOR is not installed on the guest OS, only on the host OS, that all traffic from the guest must necessarily be anonymous as well?

By: Pan Ta

It works for me -- also including the extra command in middlebox.sh.

You can check your IP address at the command line by creating a shell script.

http://ubuntuforums.org/archive/index.php/t-526176.html 

I confirmed the same IP addresses from the command line that I get from my browser.

Also, for what it's worth, I'm running through a VPN on my host before I ever start Tor. When I start my guest, everything still works... the IP addresses are always different -- and never reflect my current ISP. If someone discovers a flaw in this, I'd like to hear about it.

By: lbm

Maybe it's a flaw or maybe it's just me getting confused here but with this setup I get some strange results using nmap guest-side. No matter the target "nmap -sS" reports all ports open and "nmap -sT" all ports filtered.

Maybe I'm missing something obvious here but I'm really not experienced when it comes to iptables.

By: Anonymous

Has anyone been able to successfully replicate the steps outlined above?  Just curious. I'm unable to connect to any hosts in the Virtual Machine. I can ping the 172.16.*.* address but can't any where else. Thought I'd ask.

By: mpd2

Yes, this works as of the date of this comment.  I had to make an adjustment on my machine (vanilla ubuntu 12.04) because dnsmasq-base was installed by default: http://ubuntuforums.org/showpost.php?p=12006425&postcount=7.

By: Anonymous

There is one flaw in this procedure, in that the MASQUERADE rule in Step 1, which gets executed when the vnet0 interface comes up, gets flushed out of iptables when you execute the middlebox.sh script, which is a bit of a mistake, and which is probably causing your problem.

To fix this you need to add that same rule by copying and pasting it into the middlebox.sh script so it looks like this:

#!/bin/sh
# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24"
# Tor's TransPort
TRANS_PORT="9040"
# your internal interface
INT_IF="vnet0"
iptables -F
iptables -t nat -F
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
for NET in $NON_TOR; do
 iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

By: Anonymous

Thanks for this tutorial, I have searched a lot for this but never found it. My problem is, I want to do this on Arch Linux and there the file /etc/network/interfaces does not exist, nor any similar config.
So I want to start the bridge manually with:
brctl addbr br0
ifconfig vnet0 172.16.0.1 netmask 255.255.255.0 up
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

but I can't figure out how to set the other settings like:
auto vnet0
vnet0 inet static
bridge_ports none
bridge_maxwait 0
bridge_fd 1

I hope someone can help me.

By: Anonymous

Is it really necessary to run a dhcp server on the host machine or can the VM be run without dhcp by assigning an IP to its network?

By: Rune

No, setting up a DHCP server on the host is not necessary.

I just configured the network device in the VM to have a static IP of 172.16.0.2 and a gateway and DNS server of 172.16.0.1 and it works.

By: Anonymous

Before Step 2, when I try to do the following:

# ifup vnet0
Cannot find device "vnet0"
Failed to bring up vnet0.

Any suggestion?

By: Me

I had this setup working in Mint Maya / Ubuntu Precise. I upgraded to Mint Rebecca and now the VirtualBox is not disguised properly any longer: before the upgrade, the VB was not able to contact the outside world without running the script containing the iptables commands. Now, in Mint 17, the VB has full access to the internet, even when the virtual network is not started, and sites like ipaddress.com show that the IP is not masqueraded!

There seem to be some serious changes either to the kernel or VirtualBox 4.3 that require changes to this setup.

By: Tor User

THIS SETUP IS UNSAFE, IT LEAKS. Unless you are 100% sure what you are doing do not follow this setup. Dnsmasq binds before the tor service and runs on port 53. You need to reconfigure the TOR DNS service port and swap and correct the iptables command; if you don't, the DNS queries will leak to the outside world, making it possible to identify you.

By: javier

With this configuration, it works well with torified connections, but when I try to access a $NON_TOR network from the vps, it always gives a timeout. Accessing $NON_TOR hosts from the host machine works fine, but accessing them from the vps gives a timeout. How can I solve it? Thanks.

By: Patrick

With the latest tor version, this howto is no longer working. You have to change the config (/etc/tor/torrc):

FROM:

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
DNSPort 53
DNSListenAddress 172.16.0.1

TO:

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 172.16.0.1:9040
DNSPort 172.16.0.1:53

otherwise you see the following errors:

[warn] Skipping obsolete configuration option 'TransListenAddress'
[warn] Skipping obsolete configuration option 'DNSListenAddress'
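Pulling together the fixes raised in this thread (the MASQUERADE rule that the flush in middlebox.sh throws away, Patrick's current torrc syntax, and Tor User's warning that dnsmasq rather than Tor ends up answering on port 53), here is a consolidated, fail-closed middlebox.sh. It is an added example, not the tutorial's script or any commenter's; it assumes Tor's DNSPort has been moved to 172.16.0.1:5353 in torrc, and DNS_PORT, INT_NET, the FORWARD DROP rule and the show/apply argument are additions of this example.

```shell
#!/bin/sh
# middlebox.sh, consolidated (added example, not from the tutorial).
# Assumes /etc/tor/torrc contains, one option per line:
#   VirtualAddrNetwork 10.192.0.0/10
#   AutomapHostsOnResolve 1
#   TransPort 172.16.0.1:9040
#   DNSPort 172.16.0.1:5353      (moved off 53 so dnsmasq cannot shadow it; assumption)
NON_TOR="192.168.1.0/24"     # destinations you don't want routed through Tor
TRANS_PORT="9040"            # Tor's TransPort
DNS_PORT="5353"              # Tor's DNSPort (assumption, see torrc above)
INT_IF="vnet0"               # your internal interface
INT_NET="172.16.0.0/24"      # guest network behind INT_IF
IPT="${IPT:-iptables}"       # set IPT=echo to print the rules instead of applying them

apply_rules() {
  $IPT -F
  $IPT -t nat -F
  # The flush above removed the Step 1 MASQUERADE rule, so re-add it here.
  $IPT -t nat -I POSTROUTING -s "$INT_NET" -j MASQUERADE
  # Local destinations skip the redirects below and are only masqueraded.
  for NET in $NON_TOR; do
    $IPT -t nat -A PREROUTING -i "$INT_IF" -d "$NET" -j RETURN
  done
  # Guest DNS goes to Tor's DNSPort, not to whatever occupies port 53 on the host.
  $IPT -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
  # Every other TCP connection from the guest is transparently proxied by Tor.
  $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
  # Fail closed: forward only to NON_TOR; drop anything else (UDP, ICMP, stray TCP),
  # so nothing from the guest can reach the internet except through Tor.
  for NET in $NON_TOR; do
    $IPT -A FORWARD -i "$INT_IF" -d "$NET" -j ACCEPT
  done
  $IPT -A FORWARD -i "$INT_IF" -j DROP
}

# "sh middlebox.sh apply" installs the rules (needs root); anything else prints them.
case "${1:-show}" in
  apply) apply_rules ;;
  *)     IPT=echo; apply_rules ;;
esac
```

Run it in show mode first and compare the printed rules with `iptables -t nat -S` and `iptables -S` after applying, to confirm the MASQUERADE and DNS redirect rules survived the flush.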

By: How

How To Set Up A TOR Middlebox Routing All VirtualBox Virtual Machine Traffic Over The TOR Network.

# /etc/init.d/dnsmasq restart
dnsmasq: failed to create listening socket for port 53: Address already in use

How do I deal with this error message on Ubuntu 18.04?

By: Harardin

See this question: it helped me to fix this error, but my VM didn't get the internet connection, even when everything seemed to be working. It sends packages with a ping command but is not receiving them back.

By: Jack

The issue can be fixed if you enable bind-interfaces in /etc/dnsmasq.conf

By: Harardin

Is this tutorial still alive for Ubuntu 18.04?

By: admingirls

Works on Ubuntu 16! Does not work on Ubuntu 18.04, 18.10, please help!

By: John

Works on Debian 9 (Stretch). On Debian 10 (Buster) it doesn't.

By: joe

Does it work on Ubuntu 20.04?

By: valorent

Does this work with KVM too? Should I just replace "virtualbox" with kvm in the command?

By: Jack

Can someone explain how to add a bridge interface on Ubuntu 20.04, because it uses /etc/netplan/ instead of /etc/network/?

By: Another me

I just upgraded my system to Ubuntu 22.04 and now this setup does not work anymore: the guest can neither do DNS queries ("no servers could be reached"), nor can it ping the host's network address 172.16.0.1.

What do I need to change to make the VM middlebox work again?