In a previous post I outlined a bunch of ideas for keeping your internet usage private. Towards the end of the post, I indicated that I would provide follow-ups for setting up the configurations outlined. Well, this is the first of those posts.
There were three examples that I had saved for working through. Each of them actually involves the same initial setup: creating a machine with two network adapters, and installing an operating system on that machine. The OS placed on top of the machine will be different in each case, but will nevertheless involve the same basic steps. For that reason, this post will walk through the initial machine setup, and then we’ll cover setting up a TOR machine to proxy all network traffic through.
Setting Up The Machine
In order to build our ‘black box of privacy’, the first thing we need to do is set up the ‘hardware.’ At this stage you have two options: build a physical machine, or build a virtual one. The specs for both the physical and virtual machine will be similar. Ideally, we’ll want a machine with 2 cores and at least 1 gig of RAM. The required hard-drive space should be minimal, but I always suggest having at least 10 gigs, simply because operating systems are getting larger, and having more swap space is always a good idea. Additionally, ensure that the machine has 2 network adapters.
I won’t go into all of the details of building a physical machine; I’ll just assume you have these components assembled into something usable. For a virtual machine, I suggest using VirtualBox, simply because it is open source and free. There are plenty of other tools you can use, and for a simple setup VMware would also work just fine. Create your base machine with the specs listed above. To add additional network adapters, instructions can be found here for VirtualBox, and here for VMware. You should ensure that the adapters are configured for NAT, not Bridged or Host-Only.
Once we have the machine set up properly, we’ll want to install our operating system. For our first two options (running the router through TOR, or the network through TOR or a VPN), I would suggest running an open-source (read: free) OS like Ubuntu or CentOS. For these instructions, I will move forward assuming an installation of Ubuntu, but there is no reason that needs to be the case. For our last option (running the network through pfSense), you’ll want pfSense as your OS. First download an image of your chosen OS. I have linked the OSes above to their download pages; I always suggest going with the LTS version when available. Once you have downloaded the ISO (or bootable image if installing on a physical machine), run through the basic installer on the machine.
If you’re interested in going the pfSense route, you’ll need to wait for the next post to continue, but I’ll leave you with these additional instructions for initially setting up your machine.
If you’re looking at configuring Ubuntu (or CentOS, or really, any other machine), we first need to configure the network.
Configuring the Network
We need to ensure that your machine knows what to do with its two network interfaces. What we want is for traffic to come in on one interface and get forwarded out of the second (after going through our security measures first). To do this, we just need to set up a few simple rules on our machine. Typically, the network interfaces are named eth0 and eth1. If yours are named differently, make the appropriate changes in the steps below.
First, we want to enable IP forwarding. We can do this multiple ways, but the simplest is to turn it on through the kernel’s /proc interface by setting /proc/sys/net/ipv4/ip_forward to 1. We can do this with the command below. Note that a plain ‘sudo echo 1 > …’ does not work, because the redirection is performed by your unprivileged shell rather than by sudo, and that this setting is lost on reboot.
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Finally, all we need to do is add our rules indicating that we want to forward traffic from eth0 to eth1, allow the replies back from eth1 to eth0, and masquerade outgoing traffic behind eth1’s address.
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Ensure you note the address of eth0, as this will be where you want to point all of your network traffic. That’s it, we’re now ready to start setting up our machine for the specific task, and pointing our router at the machine.
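As an added example (not code from the original post), here is the whole network-configuration step above as one POSIX shell script. It assumes the interface names eth0 (LAN side) and eth1 (upstream) used in the text; newer Ubuntu releases use predictable names such as enp0s3, so the script checks the names against /sys/class/net before touching anything, since iptables itself happily accepts a rule for an interface that does not exist. It also goes a little beyond the text: it persists ip_forward through a sysctl.d drop-in, sets the FORWARD chain’s policy to DROP (Ubuntu’s default is ACCEPT, in which case the two FORWARD rules restrict nothing), and re-reads iptables -S FORWARD afterwards to verify the result instead of assuming it. The file name forward.sh is my assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Sets up the two-NIC box
# described above: traffic arrives on the LAN-side interface and is forwarded
# (masqueraded) out of the upstream interface. The names eth0/eth1 are the
# post's assumption; override with LAN_IF=... WAN_IF=... if yours differ.
# Usage:  sudo LAN_IF=eth0 WAN_IF=eth1 sh forward.sh apply   (file name assumed)
#         sh forward.sh            -> only prints the rules it would apply

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Print the iptables commands for LAN->WAN forwarding, one per line, without
# running them. The FORWARD policy is set to DROP first: Ubuntu's default is
# ACCEPT, and with ACCEPT the two FORWARD rules below restrict nothing.
forward_rules() {
    lan="$1"; wan="$2"
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i $lan -o $wan -j ACCEPT" \
        "iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

# Return 0 if the named interface exists on this host (checked via sysfs).
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# Read the output of `iptables -S FORWARD` from stdin and return 0 only if the
# policy is DROP and both forwarding rules are present. Verifying the applied
# state catches a misspelled interface name, which iptables accepts silently.
forward_state_ok() {
    lan="$1"; wan="$2"
    state="$(cat)"
    printf '%s\n' "$state" | grep -qx -- "-P FORWARD DROP" &&
    printf '%s\n' "$state" | grep -qx -- "-A FORWARD -i $lan -o $wan -j ACCEPT" &&
    printf '%s\n' "$state" | grep -q  -- "-A FORWARD -i $wan -o $lan .*ESTABLISHED.*-j ACCEPT"
}

# Enable forwarding persistently, apply the rules, then verify them. Needs root.
apply() {
    for i in "$LAN_IF" "$WAN_IF"; do
        iface_exists "$i" || { echo "no such interface: $i" >&2; return 1; }
    done
    # Writing /proc directly is lost at reboot; a sysctl.d drop-in survives it.
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-forward.conf
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    forward_rules "$LAN_IF" "$WAN_IF" | sh -e
    iptables -S FORWARD | forward_state_ok "$LAN_IF" "$WAN_IF" \
        || { echo "FORWARD chain does not match the expected rules" >&2; return 1; }
    echo "forwarding $LAN_IF -> $WAN_IF active; point the router at this host's $LAN_IF address"
}

case "${1:-plan}" in
    apply) apply ;;
    *)     forward_rules "$LAN_IF" "$WAN_IF" ;;
esac
```

Running the script without the apply argument only prints the rules, which is a convenient way to review them (or paste them elsewhere) before changing anything on the box.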
Passing Router Traffic through TOR
Now that we have the machine configured, it’s time to get our router traffic to run through TOR. First, we need to configure our ‘black box of privacy’ to be running TOR; henceforth this machine will be referred to as our ‘TOR machine’. We’ll need to install TOR on our TOR machine, and we can follow the same instructions as before. If you installed the server version of the operating system, it probably doesn’t have a display. If this is the case, then you’ll need to set up a virtual display for the browser. Install Xvfb with the command below so that the browser can run without a physical display.
sudo apt-get -y install xvfb
The last step of our TOR install is to ensure that it is always running, so that we can always pass our traffic through TOR via our proxy. To do this, we want to set up a simple service. First, create the file below in /lib/systemd/system and name it tor.service. Note that systemd does not run Exec lines through a shell, so the display variable is set with Environment= and the Xvfb launch is wrapped in /bin/sh.
[Unit]
Description=Job that runs TOR for proxy traffic
Documentation=man:tor(1)

[Service]
Type=simple
Environment=DISPLAY=:99
# Drop the "Xvfb :99 -ac >/dev/null 2>&1 &" part if the machine has a real display.
ExecStart=/bin/sh -c 'Xvfb :99 -ac >/dev/null 2>&1 & exec /path/to/tor/start-tor-browser'

[Install]
WantedBy=multi-user.target
Replace /path/to/tor with the location that you installed TOR to, and only include the Xvfb part of the ExecStart line if you needed to install Xvfb in the steps above. To complete our TOR install, we want to reload systemd, then enable and start our TOR service with the commands below.
sudo systemctl daemon-reload
sudo systemctl enable tor.service
sudo systemctl restart tor.service
Once that is completed, we’ll want to note the address and port that the TOR proxy is listening on, as we will need them to connect through TOR.
Finally, we just need to configure our router to pass all traffic through TOR. If you have already configured your router to run DD-WRT, this is very simple. Navigate to Administration -> Commands, and paste the below code into the textarea
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 127.0.0.1:3128
You need to replace 127.0.0.1 with the IP of eth0 that you configured earlier in both lines. You also need to replace 3128 with the port that the TOR proxy is listening on. Click the Run Commands button, and finally click the Save Firewall button. That’s it. All traffic on your network connecting to your router is being passed through TOR. You should check this out by using the same verification specified in the previous post.
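To check the result, here is an added verification script (not the post’s own code; the post’s own verification is in the previous post). It asks the Tor Project’s check service, https://check.torproject.org/api/ip, whether the request arrived from a Tor exit; the service answers with JSON of the form {"IsTor":true,"IP":"..."}. Run on a LAN client with no proxy settings, it tests the router’s redirection end to end; run with a host:port argument, it talks to the TOR machine’s SOCKS listener directly, which separates a TOR problem from a router problem. The JSON samples in the comments are constructed, and the file name tor-check.sh is my assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm from a LAN client
# that traffic really leaves via Tor, using the Tor Project's check service.
# Usage:  sh tor-check.sh run                 -> test the default route (router redirect)
#         sh tor-check.sh run 192.0.2.10:9150 -> test a SOCKS listener directly
#         (address and port above are constructed placeholders)

CHECK_URL="https://check.torproject.org/api/ip"

# Pull the IsTor field out of the service's JSON and print "true" or "false".
# Returns 1 if the field is absent, e.g. a captive-portal or error HTML page.
# Constructed sample input: {"IsTor":true,"IP":"203.0.113.7"}
is_tor_field() {
    case "$1" in
        *'"IsTor":true'*|*'"IsTor": true'*)   echo true ;;
        *'"IsTor":false'*|*'"IsTor": false'*) echo false ;;
        *) return 1 ;;
    esac
}

# Print the IP the check service saw (the exit node when IsTor is true,
# otherwise your real public address).
exit_ip_field() {
    printf '%s\n' "$1" | sed -n 's/.*"IP" *: *"\([^"]*\)".*/\1/p'
}

# Fetch the check page. With a host:port argument the request goes through
# that SOCKS proxy explicitly (hostname resolved by Tor, not locally); without
# one it follows the default route, which is what the router should redirect.
fetch_check() {
    if [ -n "$1" ]; then
        curl -sS --max-time 20 --socks5-hostname "$1" "$CHECK_URL"
    else
        curl -sS --max-time 20 "$CHECK_URL"
    fi
}

# Print a one-line verdict. Exit 0 only when IsTor is true, 1 when the
# traffic bypassed Tor, 2 when no usable answer came back at all.
verify_tor_egress() {
    body="$(fetch_check "$1")" || { echo "FAIL: check service unreachable" >&2; return 2; }
    flag="$(is_tor_field "$body")" || { echo "FAIL: unexpected response (not the check JSON)" >&2; return 2; }
    ip="$(exit_ip_field "$body")"
    if [ "$flag" = true ]; then
        echo "OK: egress via Tor exit $ip"; return 0
    else
        echo "FAIL: egress is NOT Tor (public IP $ip)"; return 1
    fi
}

# Only touch the network when asked to, so the functions can be sourced/tested.
if [ "${1:-}" = run ]; then
    verify_tor_egress "${2:-}"
fi
```

Two things this check tends to surface: a SOCKS listener only understands SOCKS handshakes, so raw HTTP/HTTPS connections that the router DNATs to it will not get through (Tor’s transparent-proxy listener is the TransPort option in torrc, with DNSPort for name lookups), and whichever port you use must be bound to the eth0 address, not only to 127.0.0.1, or the router will never reach it.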
The final blog in this series for passing entire network traffic through your ‘black box of privacy’ using either TOR, a VPN, or pfSense will be out later this month. As always, please leave questions below!