Hail Eris
Großmeister RA-Punzel
Nice to find a discussion about TorBOX. I tried to test it today in VirtualBox on Ubuntu 12.04, but I got a critical error; TorBOX tried to enable PAE, but my laptop doesn’t support PAE, so TorBOX crashed.
I hope it is ok I’m writing it here, I didn’t know how to contact the developers directly.
Greetings, Lauscher
]]>Of course you can whitelist which relays you want to use and go for the fast tor servers. This is how I suppose you make tor “faster”. No one should do that!
https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#Youshouldletpeoplechoosetheirpathlength !
https://www.torproject.org/docs/faq#ChooseEntryExit !
Did you even read all of the tor website before you made this thing?
]]>Thanks
]]>>your project is much lighter than the bloated and malfunctioning TorBOX
If something isn’t working as expected please let us know at the wiki (no need to register, log in as cypherpunks, password: writecode)
About the size see: https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/ClientVM#WhyisClientVM.ovasobig
Future Gateway.ova will be smaller.
]]>Again all I can say is WOW, can’t wait to see this stuff in the near future…
But at least maybe TitaniumTor LOL… ;)
Cheers Ra! :)
]]>For the message directly above this one, every time I post the link, the message doesn’t register so I’ve shortened it: http://bit.ly/GACRgo
As for a project name I’ve got a few suggestions and the philosophy behind them.
For the gateway:
OnionGate – Embodies the Tor mascot in its name.
ShadowGate – Because it’s virtual and transparent to the user
AnonymaTor – Implies that it’s a Tor based mechanism for anonymity.
Titanium – Describes it best, because it’s light, fast and powerful
For the workstation simply call it one of these: WorkBench, TinyBench, TinyStation, MicroStation; or simply including one of the prefixes suggested above before the words bench/ station.
]]>ad 1) OpenWRT does not provide any explicit hardening features AFAIK. It would be a nice-to-have feature but there are hardly any Linux distributions that fulfill the requirements – which reminds me that I should write them down explicitly (https://github.com/ra--/Tor-gateway/wiki/Todo)
ad 2) The default root password is empty and IMHO there is no need to define one, because one gets a root-shell on the console in VirtualBox only and there is no network service like ssh or telnet running. I can’t see a way where one of the two daemons (dhcpd and tor) could elevate their privileges. But if anyone comes up with an explanation why defining a root password would be a good thing to do, I will definitely add it to the FAQ (https://github.com/ra--/Tor-gateway/wiki/Faq).
ad 3) Netfilter protects the gateway from other VMs in a way that it doesn’t allow any direct connections but on UDP port 67 (for DHCP).
ad 4) There is a lot of work to do on the Tor workstation. Currently it is in a proof-of-concept state at best. The main problem unresolved yet is to find a distribution (like Tiny Core Linux) or setup (like a Live-CD) that guarantees that there is no data written to disk permanently and at the same time stays maintainable. I speculate on moving that feature to VirtualBox but it is currently not possible to export a VM and have a virtual disk be immutable.
ad 5) When using a NAT the user does not have to configure anything. When using a bridge the user has to define a local network device. Nevertheless the bridge configuration should probably go into a FAQ. I am currently moving the project to github and write up documentation. https://github.com/ra--/Tor-gateway/wiki
PAE/NX will probably make sense to use in the future.
ad 6) I did the leak testing as follows:
-) Prepare the Tor gateway to make it easier to test by adding
ReachableORAddresses *:443
to /etc/tor/torrc
-) Make VirtualBox capture all packets of the Tor gateway:
VBoxManage modifyvm "Tor gateway 0.5.1" --nictrace1 on --nictracefile1 /tmp/torgw.pcap
-) Generate traffic on any Tor workstation or the Tor gateway itself.
-) Analyze the pcap file with Wireshark
wireshark -R '!(tcp.port == 443)' /tmp/torgw.pcap
There should only be some DHCP and ARP packets between the Tor gateway VM and VirtualBox on the VM host visible.
If you do your own leak testing, please let me know about the results.
ad 7) The Tor fast gateway currently also is a proof-of-concept only but it seems to be fairly usable – even at its current state. I added to the TODO-list that the number of hops should be configurable. This should be easy to add but I must say that it’s not on top of my priority list yet.
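The leak test from point 6 above, automated as an added example (not part of the original comment or of the Tor gateway project): it reads a capture such as /tmp/torgw.pcap and reports every frame that is not ARP, DHCP or TCP on port 443. It assumes the trace is a classic libpcap file with Ethernet frames; the sample capture, its 192.0.2.x addresses and all function names are constructed for illustration.

```python
import struct

TOR_PORT, DHCP_PORTS = 443, {67, 68}   # 443 matches "ReachableORAddresses *:443"

def classify(frame):
    """Return None for an expected Ethernet frame, else a reason string."""
    # An ethertype of 0 stands in for a frame too short to carry one.
    ethertype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else 0
    if ethertype == 0x0806:                       # ARP is expected
        return None
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20:
        return "non-IPv4 frame, ethertype 0x%04x" % ethertype
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:  # later fragment: no ports
        return "IPv4 fragment, protocol %d" % proto
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return "IPv4 protocol %d" % proto
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == 6 and TOR_PORT in (sport, dport):
        return None
    if proto == 17 and {sport, dport} <= DHCP_PORTS:
        return None
    return "%s %d -> %d" % ("tcp" if proto == 6 else "udp", sport, dport)

def find_leaks(pcap):
    """Return [(packet_number, reason)] for every unexpected frame."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet frames")
    leaks, off, number = [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        reason = classify(pcap[off + 16:off + 16 + incl_len])
        off, number = off + 16 + incl_len, number + 1
        if reason:
            leaks.append((number, reason))
    return leaks

def sample_pcap():  # constructed capture: ARP, DHCP, TCP/443, one stray DNS query
    def ipv4(proto, sport, dport):   # minimal IPv4 header followed by ports only
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
        return b"\0" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
    frames = [b"\xff" * 12 + b"\x08\x06" + b"\0" * 28, ipv4(17, 68, 67),
              ipv4(6, 49152, 443), ipv4(17, 40000, 53)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On a real trace, call `find_leaks(open("/tmp/torgw.pcap", "rb").read())`; an empty list corresponds to seeing only DHCP and ARP in the filtered Wireshark view.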
]]>There is currently a problem with Tor known as identity correlation through circuit sharing, outlined in the link below. I guess that the gateway could be vulnerable to this but it’s not your fault since Tor has a problem with this now. Can the Gateway vm be used by multiple vms running at the same time? Is that recommended? I was thinking of a case where multiple identities are running at the same time in separate domains, anonymously.
What is the likelihood that one vm could communicate/cross infect another that is behind the same gateway instance?
Thanks again.
]]>1- Tor is currently not taking advantage of compile time hardening like NX, ld, gcc etc. but this is expected to change in the 0.2.3.X branch. Does OpenWRT have such security features? Can you please check if this distro is a security enhanced one? So far OpenWRT seems ideal in the sense that it has a reduced attack surface and lighter footprint. Chrooting would be of little use since if Tor becomes compromised it’s already too late. The suggested measures would make any theoretical vulnerabilities in Tor harder to exploit by a lot.
2- Should users change the default root password for the gtway vm? If so can you please post this as a suggestion in your topic?
3- Is netfilter protecting the tor in the gtway from compromise in the event that the workstation is rooted? If that’s not the case, is there a way to firewall the gtway components from direct communication from the workstation?
4- IMHO you should link to a light weight distro (puppy/DSL etc.) for a workstation since that will mean less effort to maintain the project. If you would still prefer to maintain the workstation then I would suggest you slim it down to one browser -not Opera :)- and enable many security features to thwart any potential attacks. Basically turning it into a super-secure micro workspace.
5- The gateway has NAT selected by default, can you please change that to bridged? This will allow the vms to be isolated from the host in the case of an attack. Also enabling PAE/NX by default would make sense when Tor is able to support hardening.
6- I would really like to help you test your gateway for leaks, regrettably I don’t have much Linux experience. I found a battery of suggested leaktests used in the TorBox project listed here:
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/LeakTests
If you can tell me how I can go about running them I’ll see to it that it’s tested.
7- The Fast Gateway is working great. I’ve read that for safer anonymity purposes, however, a minimum of 3 hops is required. Is there a way to have 3 hops but only select fast nodes above a certain threshold to be included for selection? If this ruins performance then nevermind it’s just an idea.
Thanks for your dedication, your project is much lighter than the bloated and malfunctioning TorBOX that they have. Their gateway alone is a crazy 300mb in size! Too much bloat :S
PS: I’m communicating anonymously using disposable mail to prevent authority eavesdropping so please post your replies here as this is the only way for me to know your opinions on this.
]]>Keep up the GREAT WORK! :)
]]>I uploaded Tor fast gateway 0.1.0 which includes an updated Tor package (0.2.2.35).
What IMHO is needed at least before announcing the project:
-) Move the project to another hoster (Move to github is in progress: https://github.com/ra--/Tor-gateway )
-) update source build scripts to include Tor package building (in progress but not finished yet)
Tor gateway 0.5.1-pre includes the currently recommended version for the 0.2.2.x branch (0.2.2.35).
[0] https://gitweb.torproject.org/tor.git/blob/HEAD:/ChangeLog
]]>Ok sorry, I guess I misread those last replies, I see this is something in the planning you want to make, so that the end-user can update it.
Can’t wait to see that…
So in the Tor gateway 0.5.0, Tor 0.2.1.30 is safe to use?
THANKS
]]>Can you please update the Tor package for the fast gateway as well? Using the fast gateway means no more need for relying on seedy VPN services to get faster speed. Thank you RA keep it up. Please let the Tor project know so they can link to it for activists.
]]>I haven’t installed this yet, is information listed in the term now how to do this?
THANKS
]]>THANKS ra! :)
]]>THANKS
]]>Well, look forward to some new updates!
Keep up the great work!
]]>On the gateway iptables is only used for the traffic redirection and filtering any kind of traffic but TCP/IPv4.
]]>Also why the need for a firewall/iptables rules if someone already has a firewall on their box, isn’t that a bit redundant?
Thank you…
]]>https://www.torproject.org/docs/bridges
I never heard of anything where this is also a preferable method to get online instead of connecting directly and gain anything from it, or higher anonymity…
]]>Also what about a transparent proxy?
ta…
]]>I would like to say that with your Fast Tor Gateway, I can achieve excellent bandwidth speeds, ones exactly equal to those under a normal setup directly from my ISP. Now I could really use the internet while Torrified, a far contrast with the typical dismal speeds of the TBB.
]]>Let’s cooperate.
]]>Glad to see this site is still alive, but I’ve spent 2 weeks trying to get it to work, it seems that this blog is always down.
So you might consider getting another site or host, there are many great sites out there you can use for Free too!
If you don’t have a good running site that has very little down time, which should really be 99.9% up, then it makes the project look bad and it seems like every time I want to come to this blog since you’ve been running it, it’s down.
Keep up the great work, this really needs to be on the Tor Project! :)
]]>At the moment I have no idea on how to configure that one automatically. Any ideas welcome.
AFAIK Tor and I2P are fundamentally different as I2P is a standalone anonymizing network on top of IP whereas Tor anonymizes internet traffic.
]]>Another idea I have is, would it be possible for you to design an I2P gateway vm? This is an alternative anonymizer project that enjoys much faster connection speeds and lower latency than tor due to the way they are designed.
]]>Actually when you have some time, do you think you could PLEASE put up a tutorial that shows how you created the Gateway?
I’d greatly appreciate this! :)
THANKS Ra
]]>Thanks for the FAST reply, ok I understand for your Gateway image you make.
But if someone wants to install Tor on their computer running Linux, or on their own Linux guest, install Tor, how can we set this up so Tor runs over the network the same?
Please don’t misunderstand me, THANK YOU very much for your work, this is really great, it’s just that I’d like to learn how to do this and install Tor on my own computer and have everything going over Tor.
So can you please teach me how I can do this?
I’m a pretty good Linux geek of 10 years, I’m sure if you help me I can do this too.
THANKS
]]>Ok nice to hear and see it’s still being actively developed, sorry I haven’t been paying attention to it in a while, my bad it’s Da, same as Das too making the post… :)
Ra could you PLEASE be so kind as to either point me where I can read, or can you PLEASE tell me how I can setup Tor so that it works on the network level like you did in the Gateway, so that anything going online is routed over Tor?
I want to be able to route, connect to a VPN also going over Tor like this and I would really appreciate help for installing Tor and doing this?
THANKS
]]>How can we use our own VM, after setting the internal network to Tor, then when we start our VM and it’s running on the Tor network, connect to a VPN so that VPN is now going over Tor?
THANKS
]]>From what I can see these versions have not changed in a long time?
THANKS
]]>I did a fsck of the virtual disk and exported the VM – maybe this works for you: http://pluto.fsinf.at/~ra/Tor workstation 0.1.7-test1.ova
]]>Details:
Result Code:
VBOX_E_FILE_ERROR (0x80BB0004)
Component: Appliance
Interface: IAppliance {Hex String}
Tor Gateway 0.3.5 installed with no problems.
Any ideas?
The hidden service must be configured at the Tor gateway, but the service itself like HTTP may run on any machine on a reachable network. The gateway just does the TCP redirection. So it may also run on the Tor workspace.
]]>For my risk model, I need Tor gateway with LUKS-crypto. I see that it’s been ported to OpenWRT. Have you used it?
]]>Still all the same problems as the older version, too little memory, can’t run it in full screen without the screen tearing or the taskbar appearing in the wrong place…
Also can you consider making something so people can stop and start Tor, otherwise I guess for the moment the only thing you can do is close and restart the browser…
THANKS
]]>The DNS connection to 85.214.73.63 (which is just the first server listed in /etc/resolv.conf) you see in first place is needed for resolving the names of one of the NTP servers listed in /etc/config/system. Correct time is needed by the Tor client to work.
All other connections run through the Tor network (as you noticed 128.31.0.39:9101 is a Tor node).
A better solution would be to use the VirtualBox host->guest time synchronization but this would need building the VirtualBox kernel modules for OpenWRT which is still on the TODO-list.
]]>The first connection is ALWAYS:
VirtualBoxVM
wants to connect to 85.214.73.63 on UDP port 53 (domain)
IP Address: 85.214.73.63
Reverse DNS Name: anonymisierungsdienst.foebud.org
Sooner or later always this comes up:
VirtualBoxVM wants to connect to 128.31.0.39 on TCP port 9101 (bacula-dir)
IP Address: 128.31.0.39
Reverse DNS Name: belegost.csail.mit.edu
CAN YOU PLEASE EXPLAIN this. It seems to be kind of a security hole always connecting the foebud first. Do you LOG this???
]]>There are libraries for Java and Python available, jtorctl and pytorctl.
]]>1- Please tell me how many nodes in a circuit in your TOR GATEWAY.
It should not be less than 3 nodes.
Make the 3 nodes default, and put option to change it with command line on the console and tell us what is this command.
2- Another point is: Make the eth0 interface of the Gateway Bridged-network not NAT, so we are sure that it is separate on the LAN [this last point can be achieved by changing the settings of the virtual machine of the virtual box].
3- As for the TOR workstation, you can look at the TAILS LIVE CD which is a good Debian based live cd made specifically for the anonymous surfing.
Thanks for your attention.
Can you explain in more detail, please?
Is it 3 nodes or 2 nodes?
How can I build a new circuit?
Controlling Tor through command line is already possible through the control port. This will be used in the Tor fast gateway to build two hop circuits.
]]>Thanks a lot.
]]>