[tor-talk] Designing a secure "Tor box" for safe web browsing?

Gozu-san gozu at xerobank.net
Sun Aug 7 19:53:36 UTC 2011


As the router for a VirtualBox internal network, ra's Tor gateway VM
<http://ra.fnord.at/> does basically what you describe.  You could route
that to a physical NIC on the host.  Or you could replicate the setup in
a Soekris etc. box.  JanusVM <http://janusvm.com/> might also work for
you.  Basically, it's a VM running Tor that you access through an
OpenVPN tunnel.

On 07/08/11 12:47, Robin Kipp wrote:

> Hi all,
> so, I've been browsing the web using Tor for some time now, and I have to say that, at least with the circuit I am currently using, I'm quite impressed with the performance, especially since I'm only connected through a 3G AP at the moment! So, I've had a look around the Torproject site and been reading up on how it all works and what safeguarding should be performed in order to stay secure. So, I was thinking, how could I get all the systems that are part of my own home network to access the web securely and anonymously? Well, I came up with the following idea, and since some of you guys may have tried this, I was wondering if this would be practicable:
> on my network, all devices are behind a hardware firewall that performs NAT and packet filtering for viruses and other malicious stuff (UTM). The firewall acts as the DHCP within the network, and its WAN port is connected to my router which only handles internet connections. So far for my current network topology. Now, I was thinking of adding another gateway here. My idea was to take an embedded PC (e.g. a Soekris box) and install a distribution such as Debian on its memory. Then, a DHCP could first be set up on this box. Using iptables, network interface routing could be configured, so that traffic arriving at the LAN network interfaces would be routed to one exit point, the WAN interface. So, at this stage, the DHCP on the Debian machine would assign IPs to clients connected to the LAN ports, and all traffic arriving at these ports would be redirected to one port which would be the WAN. Now, this box could, for example, be connected in between the firewall and the router. So, the firewall would receive an IP from the Debian box, and all network clients would still be behind the firewall. So then, when a client wants to access the internet, it would first go through the firewall, from the firewall to the Debian box and from there to the router and the web. Now, the Debian box would have to route all connections through the Tor network. I guess Polipo could be set up on the Debian box so that it will route all outgoing connections through the Tor network. In this case, all traffic passing through the box would be anonymized on the fly. However, some other steps would have to be taken. For example, I guess it would be wise to implement functionality such as offered by the SSL Everywhere Firefox extension, so that SSL would automatically be enabled on as many sites as possible. Also, it probably would be better to configure Polipo to reject any Cookies, Java Applets, Flash and anything else that could compromise security. As such limitations would also limit "comfortable" browsing, I guess various modes could be designed, such as a safe mode (fully anonymized), a restrictive mode (not everything is blocked, thus potential security risks exist) and a non-restrictive mode (all traffic is routed through Tor, however no packet filtering is performed - most convenient but also most insecure). Also, both safe and restrictive mode could perform things such as browser-header obfuscation, geo-data obfuscation, etc. Sure, such concepts would probably take some time and work in order to make everything work. Therefore, I wondered if someone might be working on such a task already and if not, if this would be a project which would make sense, and which would be worth putting some effort into. I guess my idea probably isn't new to most people dealing with Tor and secure networking, but I'm wondering if such a platform already exists. I definitely will be working on this once I get back home, as I think such an undertaking would be quite useful to me personally!
> Robin
> Robin
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
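A concrete form of the gateway rules the quoted post sketches (every LAN TCP connection and DNS query redirected into Tor, everything else dropped so the box fails closed rather than leaking around Tor). This is an added example, not code from the thread, from ra's gateway or from JanusVM; the interface names, the 10.77.0.1 gateway address, the port numbers and the tor user name are assumptions.

```shell
#!/bin/sh
# Transparent Tor gateway for a two-NIC Debian box (constructed example).
# All interface names, the address and the port numbers are assumptions.
LAN_IF="${LAN_IF:-eth1}"           # assumed: firewall/clients attach here
WAN_IF="${WAN_IF:-eth0}"           # assumed: faces the upstream router
LAN_IP="${LAN_IP:-10.77.0.1}"      # assumed: gateway address on LAN_IF
TRANS_PORT="${TRANS_PORT:-9040}"   # Tor TransPort (assumed value)
DNS_PORT="${DNS_PORT:-5353}"       # Tor DNSPort (assumed value)
TOR_USER="${TOR_USER:-debian-tor}" # user the Debian tor package runs as

# torrc fragment: Tor itself terminates the redirected TCP flows and answers
# DNS, so clients never resolve names outside Tor.
gen_torrc() {
  cat <<EOF
TransPort $LAN_IP:$TRANS_PORT
DNSPort $LAN_IP:$DNS_PORT
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
EOF
}

# iptables commands, emitted as text so they can be reviewed before being
# applied (pipe into "sh" as root). The box never forwards packets: whatever
# reaches it from the LAN is either handed to Tor (DHCP aside) or dropped.
gen_iptables() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -j DROP
iptables -P FORWARD DROP
iptables -A OUTPUT -o $WAN_IF -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -j DROP
EOF
}

# Self-check: the ruleset must fail closed and redirect into Tor.
check_rules() {
  rules=$(gen_iptables)
  echo "$rules" | grep -q -- "-P FORWARD DROP" || return 1
  echo "$rules" | grep -q -- "--to-ports $TRANS_PORT" || return 1
  echo "$rules" | grep -q -- "-o $WAN_IF -j DROP" || return 1
  return 0
}
```

The final OUTPUT rule also stops the box's own non-Tor traffic on the WAN side (package updates included), which is the intended fail-closed behaviour; UDP other than DHCP and DNS is dropped because Tor only carries TCP.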


