[tor-talk] Tor VPN Server selfmade

hmoh at Safe-mail.net hmoh at Safe-mail.net
Fri Jan 6 05:17:14 UTC 2012


The goal is to create a bulletproof environment where nothing can leak through configuration mistakes, dns, java, flash, plugins and even side channel attacks, local infections, trojans... Additionally it's also nice to know that all applications can be torified even if they do not support proxy settings, and it no longer matters if they properly implement socks4a or only socks4.

Unfortunately JanusVM is closed source, insecure (see the mailing list at the end of last month) and unmaintained (no answer from the JanusVM devs). But the concept can be adjusted.

The initial step is to learn how to set up a VPN server, how to connect to a VPN server and how to use its internet connection. After that's done, this internet connection needs to be torified.

The first virtual machine (VM) - which can of course also be a spare physical device - will run a VPN server. It's quite easy to set up a VPN server. pptp VPN might not be the most secure choice, but when only used locally I see no problem if the encryption might be broken. I chose pptp because it's easier to set up, with no bothering with certificates. Here are some instructions on how to set it up.
http://www.howtogeek.com/51237/setting-up-a-vpn-pptp-server-on-debian/
http://www.debiantutorials.com/installing-and-configuring-pptp-vpn-server-on-lenny/

The first VM also needs three virtual network cards.
- host only connection (for administrative tasks, SSH access; not that important, can be done directly as well, but if you plan to use real hardware later it's worth thinking about)
- NAT connection (access to clearnet)
- VMnet private network

The second VM can use an operating system of your choice. As of right now I also see no reason why this couldn't even be Windows. The second VM needs one virtual network card, a VMnet private network. That is important. Do not use NAT. The VPN connection might work as well, but as soon as the VPN breaks down or is shut down the host ip might leak.

VM-2 is only able to connect to VM-1 (thanks to the VMnet private network). And VM-2 has no way to determine the real clear external host ip address. VM-2 will VPN connect to VM-1. Thanks to VM-2 to accept the VPN connection and to forward all traffic through Tor.

The "forward all traffic through Tor" could become the tricky part; hopefully the Tor wiki article Tor Transparent Proxy will help out here.

That's the concept so far. Hopefully this overcomes the weak points of JanusVM (closed source, unmaintained, insecure, outdated, possible leak when VPN breaks down).

Any thoughts about weaknesses, improvements, ideas, whatsoever are welcome.
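
One way to realise the "forward all traffic through Tor" step on VM-1 so that it fails closed, as an added example that is not part of the original post. It assumes VPN clients show up on `ppp+` interfaces and that Tor on VM-1 has a TransPort and a DNSPort on the ports passed in; the function names `gateway_rules` and `fails_closed` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): firewall for VM-1, the PPTP/Tor gateway.
# Assumption: torrc on VM-1 sets TransPort and DNSPort to the ports used here,
# on an address reachable from the VPN interface. IPv4 only; IPv6 is assumed off.

# Print an iptables-restore ruleset.
# $1 = Tor TransPort, $2 = Tor DNSPort, $3 = VPN interface pattern (default ppp+)
gateway_rules() {
    trans=$1 dns=$2 vpn=${3:-ppp+}
    for p in "$trans" "$dns"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;; esac
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNS queries and every new TCP connection from VPN clients go to Tor.
-A PREROUTING -i $vpn -p udp --dport 53 -j REDIRECT --to-ports $dns
-A PREROUTING -i $vpn -p tcp --syn -j REDIRECT --to-ports $trans
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# VPN clients may reach only the two Tor listeners on this host.
-A INPUT -i $vpn -p tcp --dport $trans -j ACCEPT
-A INPUT -i $vpn -p udp --dport $dns -j ACCEPT
-A INPUT -i $vpn -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin and succeed only if it fails closed: the filter
# FORWARD policy is DROP (nothing is routed past Tor to the NAT interface)
# and the last filter INPUT rule for the VPN interface is a DROP.
fails_closed() {
    vpn=${1:-ppp+}
    awk -v vpn="$vpn" '
        substr($0, 1, 1) == "*"              { tbl = $1 }
        tbl == "*filter" && $1 == ":FORWARD" { fwd = $2 }
        tbl == "*filter" && $1 == "-A" && $2 == "INPUT" && $3 == "-i" && $4 == vpn { last = $NF }
        END { exit !(fwd == "DROP" && last == "DROP") }'
}

# Usage on VM-1 (as root):
#   gateway_rules 9040 5353 | fails_closed && gateway_rules 9040 5353 | iptables-restore
```

Anything a client on VM-2 sends that is not DNS or TCP (other UDP, ICMP) has no redirect rule and is discarded by the FORWARD policy instead of leaving through the NAT interface.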

