In my last two posts, I talked about different options for securing your network traffic, and how to set up a machine to pass network traffic through. As promised, this last post in the series will walk you through some of the more complex steps in configuring the last three options. Please note that each of these sets of instructions assumes you have already set up your ‘black box of privacy’ and attached it to the network. The first two sections assume that you installed Ubuntu and configured the network according to those instructions, while the last section just assumes you’ve ‘built’ your machine with two network interfaces (we’ll walk through installing an OS on that machine here).
So let’s dive into it.
Run Network through TOR
As mentioned above, ensure you set up your ‘black box of privacy’ following the first two sections outlined in my previous post. Once the machine has the OS installed and the network is configured, we’ll want to set up TOR to proxy all traffic through it. This is similar to what we did in the previous post: install TOR, set it up as a service, and enable it. This is where our instructions diverge a little. Rather than using the router to push all traffic through TOR, we’ll build the network pipeline so that all traffic physically moves through the TOR machine. To accomplish this, we’ll want to cable the network so that our router’s output connects to our TOR machine, and our TOR machine connects to our modem.
Now all traffic leaving your router will pass through your TOR machine, which will then send it over TOR, acting as a VPN. Remember, TOR might end up slowing down your traffic, as discussed in the first post. Knowing that, we might decide not to use TOR, but instead to use a VPN.
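The post says to install TOR and enable it as a service, but the box will only carry the router’s traffic if TOR is told to accept transparently redirected connections and the firewall hands LAN traffic to it. The script below is an added example, not from the post or from the Tor project; it assumes the LAN-facing interface (the one the router plugs into) is eth1 with the address 192.168.1.1, and that TOR is installed as the tor service. Interface names, addresses and ports are assumptions to adjust to your own configuration. Only TCP and DNS can be carried over TOR, so everything else arriving from the LAN is dropped rather than forwarded to the modem unprotected.

```shell
#!/bin/sh
# Added example (not from the post): transparent TOR routing for the in-line box.
# Assumptions: LAN-facing interface eth1 with address 192.168.1.1; tor installed
# as the "tor" systemd service. Override with LAN_IF / LAN_IP if yours differ.
LAN_IF="${LAN_IF:-eth1}"
LAN_IP="${LAN_IP:-192.168.1.1}"
TRANS_PORT=9040   # TOR's TransPort: receives redirected TCP connections
DNS_PORT=5353     # TOR's DNSPort: resolves names over the TOR network

# torrc_fragment: lines to append to /etc/tor/torrc so TOR accepts
# transparently redirected TCP and DNS from the LAN interface.
torrc_fragment() {
    cat <<EOF
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort ${LAN_IP}:${TRANS_PORT}
DNSPort ${LAN_IP}:${DNS_PORT}
EOF
}

# nat_rules: iptables commands that hand LAN traffic to TOR.
# DNS and new TCP connections are redirected to TOR's listeners; the INPUT
# rules let those redirected packets in; the final FORWARD rule drops anything
# TOR cannot carry (other UDP, ICMP, ...) so it cannot leak to the modem.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
iptables -A INPUT -i ${LAN_IF} -p tcp --dport ${TRANS_PORT} -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p udp --dport ${DNS_PORT} -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -j DROP
EOF
}

# With --apply, write the torrc fragment, execute the rules (needs root) and
# restart TOR; without it, only print what would be done so it can be reviewed.
if [ "${1:-}" = "--apply" ]; then
    torrc_fragment >> /etc/tor/torrc
    nat_rules | sh -e
    systemctl restart tor
else
    echo "# torrc additions:"; torrc_fragment
    echo "# firewall rules:"; nat_rules
fi
```

Run it once without arguments to review the output, then with --apply as root. The iptables rules are not persistent across reboots on their own; on Ubuntu, the iptables-persistent package (or your own unit that runs the rules at boot) keeps them in place.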
Run Network through VPN
This setup isn’t much more complicated than the one above. Similarly, you’ll want to ensure that you have a VPN machine (your ‘black box of privacy’), that its OS is properly set up, and that your network is configured. Once that is completed, you’ll want to install your VPN client and set it up as a service.
When selecting a VPN, ensure that the software supports a Linux machine and that you can run your VPN client from the command line. Once you know the command to launch it, we’ll want to set up a service to run the VPN (similar to what we did with TOR), so that the VPN is always running: it starts on boot and restarts itself on failure. First, create the below file in /lib/systemd/system and name it vpn.service
[Unit]
Description=Job that runs our VPN
Documentation=man:vpn(1)

[Service]
Type=forking
ExecStart=COMMAND TO RUN VPN
Restart=on-failure

[Install]
WantedBy=multi-user.target
Replace COMMAND TO RUN VPN with the command you determined above to launch your VPN (the Restart=on-failure line is what makes systemd bring the client back up if it dies). Finally, to complete our service setup, we want to reload systemd so it sees the new unit, then enable and start our VPN service with the below commands
sudo systemctl daemon-reload; sudo systemctl enable vpn.service; sudo systemctl restart vpn.service;
Similar to the above, again ensure that your VPN machine is hooked up between your router and modem, so that all traffic passes through it. If you’re looking for some additional security and simplicity, you might want to consider using pfSense as your OS instead of Ubuntu (or whatever other OS you chose for the setups above).
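Cabling the box in between router and modem guarantees that traffic passes through the machine, but not that it passes through the tunnel: if the client dies or never adds its routes, the kernel simply forwards packets out of the WAN interface in the clear. The script below is an added example, not from the post or from any VPN vendor, that checks which interface the kernel would actually use for an outside address. It assumes the tunnel interface is named tun0 and that the service is the vpn.service unit defined above; both are assumptions. Note that OpenVPN-style clients usually install 0.0.0.0/1 and 128.0.0.0/1 routes over the tunnel and leave the original default route in place, so looking at the "default" line of ip route alone is misleading, which is why ip route get is used instead.

```shell
#!/bin/sh
# Added example (not from the post): egress leak check for the in-line VPN box.
# Assumptions: tunnel interface tun0 (override with TUN_IF); the VPN runs as
# vpn.service as set up in the post.
TUN_IF="${TUN_IF:-tun0}"

# route_dev: print the outgoing interface from the output of `ip route get ADDR`
# (only the first line matters; later lines such as "cache" are ignored)
route_dev() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# vpn_route_ok: succeed only when the route reported for an outside address
# leaves through the tunnel interface
vpn_route_ok() {
    [ "$(route_dev "$1")" = "$TUN_IF" ]
}

# Constructed sample outputs for demonstration (not captured from a real box)
SAMPLE_TUNNELED='1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0
    cache'
SAMPLE_LEAKING='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 0
    cache'

if [ "${1:-}" = "--check" ]; then
    # Live check against the real routing table. When the tunnel is not
    # carrying traffic, restart the unit from the post and exit non-zero so a
    # cron job or systemd timer can log the event.
    if vpn_route_ok "$(ip route get 1.1.1.1)"; then
        echo "ok: egress via $TUN_IF"
    else
        echo "LEAK: egress is not via $TUN_IF, restarting vpn.service" >&2
        systemctl restart vpn.service
        exit 1
    fi
else
    # Dry run on the constructed samples
    vpn_route_ok "$SAMPLE_TUNNELED" && echo "sample 1: tunneled"
    vpn_route_ok "$SAMPLE_LEAKING" || echo "sample 2: leaking via $(route_dev "$SAMPLE_LEAKING")"
fi
```

Run it with --check from a cron job or systemd timer every minute or so; the restart only papers over the gap, so a stricter kill switch would also add a firewall rule that refuses to forward LAN traffic out of any interface other than the tunnel.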
Run Network through pfSense
The initial setup for the pfSense machine is a little more complicated. Once we get it going, however, it makes managing your security much simpler. First, download the latest version of pfSense. You’ll want to select the Install version, and probably the 64-bit one as well (depending on the hardware you’re running it on). Select the CD (ISO) if you’re installing on a virtual machine, or a USB if installing on physical hardware.
If installing on a physical machine, ensure you have two network cards installed, and if installing on a virtual machine, ensure you’ve added two network interfaces. For this setup, you don’t need to set up traffic forwarding, but ensure you have two adapters enabled: one bridged (for your outbound – WAN – traffic), and one internal (for your local – LAN – traffic). There is no need to change any of the other advanced settings.
Upon first launching the machine with the ISO (or USB), choose the first option, to Boot pfSense. When prompted (after about 20 seconds), select I to launch the installer. I prefer using the quicker Easy Install, as it’ll get our machine set up with all of the expected settings. When prompted, use the default kernel, and then reboot the machine. Unmount the ISO, or remove the USB, once prompted.
The machine will then prompt you for some initial setup. I usually skip setting up the VLAN and move on to setting up the network interfaces. I have always allowed pfSense to auto-detect the interfaces. If you are using VirtualBox, your interfaces are emX, and for a physical machine, they should be ethX. Numbering for these interfaces starts at 0. Before you proceed, ensure your network interfaces match up to what you expect and that your WAN (connection to your modem) and LAN (connection back to your network) look correct.
At this point, a new screen should display showing you options to configure your machine. Note the LAN address of the system. If this address conflicts with another network address (say your modem is on the same IP address), choose option (2) to fix the setup. I personally like to change this anyway, just to keep this machine, and everything behind it, on its own subnet. After selecting 2, select (2) for LAN, then enter your new IPv4 address. I went with 192.168.2.1. I set a subnet bit count of 24, and let pfSense handle the DHCP. These are all things you might want to change to your own preferences. Finally, I answer no to using the plain HTTP web protocol. After this, pfSense told me I could access it by visiting https://192.168.2.1, and that’s exactly what I did. I found it much easier to configure via the browser than the command line. This is one of the reasons I really like pfSense.
After you’ve logged into your web interface (use username admin, password pfsense, and change that default password once you’re in), we can finally look at setting up our VPN. You’ll be directed to a setup wizard, and you can accept the provided defaults, because we did the critical setup earlier. To set up our VPN, we want to open the VPN wizard by navigating to VPN -> OpenVPN in the menu. From this point onwards, you’ll need the VPN information from your VPN provider. Enter that information and start the VPN. To check your VPN status, navigate to Status -> OpenVPN and ensure your VPN is running.
As always, be sure to check that your connection is actually secure, using the checks from the first post in this series.
And that is it! Hopefully, after all of these instructions, you feel better about what information you are actually sharing, and feel confident with how you can protect it. As always, leave questions below, and good luck!