Discussion in 'Tech Talk' started by 12smile, Jan 23, 2013.
I installed SpyHunter and all this nonsense stopped. Blocks undesirables as soon as they're detected.
I just tried Tor (hadn't used it before) and my browsing experience was pretty slow compared to my regular connection. Almost slow enough I'm not sure I could put up with it unless I really thought I needed to.
I immediately got advertisements in German, so it was fairly clear it was routing my traffic around the world a few times. I think I was showing an IP address out of Sweden actually. If you want true IP anonymity it is the way to go probably.
The incognito, InPrivate browsing, etc. in the regular browsers isn't really going to make you difficult to find, because it is still routing your traffic right to and from your regular IP address.
I'm curious about the VPN option harrygunner mentioned. I'm certainly techie, but I might need more explanation. I have a VPN I use currently to connect to a LAN at a business, but it doesn't route all traffic to there (though I could configure it to). But I also don't want all my traffic going through their internet connection!
Sorry if this seems like a thread hijack, but what would you think of using vpntunnel.com (same as vpntunnel.se) and using my router to establish a VPN using PPTP or OpenVPN (unsure if that is the same OpenVPN they support?). It is a DD-WRT router and supports both as far as I can tell, but I have no experience with either. That would effectively cover all my network traffic.
That's what I use. And also a Firefox add-on called Priv3. I get virtually no ads on any web page.
'jdeere_man' and others, please forgive the wall of text. It is that kind of a question. This is a description of what I did. Others can add to the discussion or ask for more details on particular issues.
* Why I did it. 1) I use my laptop while traveling and use either hotel/motel wireless or coffee shop wireless. 2) I don't trust "smart phones" and didn't get a 4G Internet plan for the few times I'd dare to connect my phone to the Internet. I only connect over Wi-Fi hotspots. I wanted a way to tunnel past all the hotspot threats before hitting the 'net.
* Overview: VM running Linux with an OpenVPN server and 'tinyproxy' proxy. Laptop and Android phone run the OpenVPN client.
The VPN/proxy virtual machine (VM): Runs a 64-bit RHEL6 clone with 512MB RAM and one virtual CPU. Any Linux distribution should work. One virtual NIC is bridged to the host physical NIC that routes traffic to the Internet.
I kept the installation to a minimum, but did a custom installation to make sure I had all the services I needed. Mainly looked for programs to support 'libvirt' since I use KVM on the host as the hypervisor. Also wanted development tools so I could compile source code as needed.
I did not install the X Window System or a GUI. I either SSH in directly or connect through a serial console from the host to configure/maintain the VM. The final VM file is about 3.6GB in size. The disk size is not fixed and will grow as needed. But I don't expect it to grow since I didn't install a caching proxy.
One could use VirtualBox instead of KVM to build the VM host and machine. Probably easier. Runs on Windows as well. I didn't because my use is business/personal and did not want to worry about Oracle's license for the extension pack.
Another option is VMware. We've built VMs on that for clients, but there was no need for me to spend money when KVM is around.
I decided to install 'OpenVPN' and 'tinyproxy' on the VM. I chose OpenVPN because there's an OpenVPN client app available for my Android phone. I trust that app more than the native VPN app that comes with Android. Plus, it's more secure than MS PPTP. L2TP is a bear to set up under an OpenSwan VPN server and I would have wanted to go that way to use RSA instead of shared secrets.
'tinyproxy' is a straightforward non-caching proxy, all I need.
The VPN server is secured in several ways: SELinux, OSSEC, iptables configured to block out entire continents or countries and to drop malformed packets, etc. The firewall also forwards local traffic to/from the virtual 'tun' network that OpenVPN creates. Proxy runs as 'nobody'. Multiple partitions that are either immutable or mounted as 'noexec,nosuid,nodev'. Swap, /tmp and /var/tmp are set up with 'cryptsetup' and a random key. The proxy only allows connections from the non-routable virtual network established by OpenVPN. So no direct outside access to the proxy.
The client programs use the DNS I assigned on the VPN/proxy, OpenDNS. So, a hacker/cracker at a Wi-Fi hotspot attempting to spoof DNS won't succeed. Also, I did not register the IP to associate it with a URL, so clients don't need DNS to find the VPN, just its IP address. As I mentioned before, sites in the business of tracking are mapped to '127.0.0.1' by the /etc/hosts file on the VPN/proxy. So, they don't see my traffic at all.
My main concern is security over autonomy, but I may add the 'polipo' proxy to the VPN. It can easily chain to 'Tor'. i.e. the proxy on the VPN would direct traffic to 'Tor'. 'polipo' would listen on a separate port on the same virtual network OpenVPN creates. So, if I wanted more autonomy, I would simply change the port number in my web browser proxy setting.
'tinyproxy' allows you to enable "anonymous proxying" and to specify which fields to pass in the connection packet header. You can even block the 'User-Agent' to make it harder for sites to characterize you by the OS or browser that you use. But, some sites will brand you a threat and block you. GlockTalk doesn't care. I generally allow it along with 'Host', 'Authorization' and 'Cookie'. Cookies are useful to websites and are less of a concern if they are deleted when the browser closes. All the packet header fields are described here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
* Authentication: I used a separate VM with no Internet access as a certificate authority (CA) to sign the public and private keys for all parties. I did it all using 'openssl'. But, OpenVPN offers something called "easy-rsa" that's supposed to make this task easier.
The private key for the phone should be password protected. You will be asked for it when you configure the client.
The Android OpenVPN client (and apparently the Windows client) needs a PKCS12 formatted cert/privatekey combination file. A Linux client wants the public certificate and private key in separate files. I used 'openssl', but 'easy-rsa' might do that for you.
You will need four or five files on clients and six on the Linux server:
- server.conf on the server
- client.conf on a Linux client or nearly the same file with name changed to client.ovpn on Android or Windows.
- dh2048.pem Diffie-Hellman signing certificate. (on server only, not clients)
- public certificate of the CA (never the CA private key)
- CA signed public certificate for the phone (or laptop), CA signed private key for the phone (or laptop). These two are adjoined as a single file on Android (or Windows).
- OpenVPN's ta.key (OpenVPN's HMAC to strengthen safety of TLS handshaking. Thwarts Wi-Fi spoofing. 'OpenVPN' provides a simple command to create it.)
I placed the five files on a microSD and plugged it into my Android phone. The OpenVPN client setup picked up the files off of 'external_sd'.
* The phone: I installed 'OpenVPN Connect' from https://play.google.com/store/apps/details?id=net.openvpn.openvpn and 'Firefox Beta' from https://play.google.com/store/apps/details?id=org.mozilla.firefox_beta&hl=en
'OpenVPN Connect' is also available for iOS from https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8
The native web browser on Android has no way to change how to connect to Internet. Fortunately, Firefox-beta provides a way. No GUI for that, one must use 'about:config'.
* Laptop: Easier. Used same tar.gz source I compiled on the server to compile/install on my laptop. Used a .conf for clients instead of servers. Web browsers have a GUI dialog for setting up proxies.
In both cases, I went to a site that shows the IP address I'm using to confirm I'm using the proxy. Then from my phone, I entered a nonexistent site name to make sure the 'OpenDNS' page showed up for such sites (proving the phone is using DNS configured on the VPN).
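The certificate work in the post above is summarized as "I did it all using 'openssl'". As an added example that is not the poster's own script, the following shell script builds the same kind of offline CA with plain openssl, signs a server and a phone certificate, packs the phone's cert and key into the PKCS12 file that the Android/Windows OpenVPN clients want, and writes a client.ovpn plus a tinyproxy.conf that only listens on the OpenVPN side with the header allowlist described above. Everything named here is an assumption: the CNs vpn-ca, vpn-server and phone, the tunnel subnet 10.8.0.0/24 with the server at 10.8.0.1, proxy port 8888, the passphrase changeme, and VPN_PUBLIC_IP as a placeholder for the VPN's address. ta.key and the OpenVPN server side are not produced here; ta.key comes from OpenVPN's own genkey command.

```shell
#!/bin/sh
# Added example, not the poster's files: offline CA + client bundle + configs.
# Assumed names: vpn-ca, vpn-server, phone; subnet 10.8.0.0/24; passphrase "changeme".
set -eu

# Build ca.crt, vpn-server.crt, phone.crt (with keys) and phone.p12 under directory $1.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # Root CA: self-signed; ca.key stays on the offline machine and is never copied out.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=vpn-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server and client: key + CSR, then CA-signed with an extendedKeyUsage so the
    # client can enforce 'remote-cert-tls server' (a stolen client cert can't pose as server).
    for role in vpn-server:serverAuth phone:clientAuth; do
        name=${role%%:*}; eku=${role#*:}
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
        openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    done
    # Android/Windows clients: cert + private key + CA in one passphrase-protected PKCS12.
    openssl pkcs12 -export -in "$dir/phone.crt" -inkey "$dir/phone.key" \
        -certfile "$dir/ca.crt" -name phone -passout pass:changeme -out "$dir/phone.p12"
    # Server-only DH parameters. -dsaparam keeps generation quick for the demo;
    # the post's dh2048.pem is the plain 'openssl dhparam -out dh2048.pem 2048' form.
    openssl dhparam -dsaparam -out "$dir/dh.pem" 2048 2>/dev/null
    # ta.key (tls-auth HMAC) is created with OpenVPN's genkey command, not with openssl.
}

# Exit 0 if $2.crt under $1 chains to ca.crt and is valid for purpose $3 (sslserver|sslclient).
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Print the subject of the client cert stored in phone.p12, proving the bundle unpacks.
p12_subject() {
    openssl pkcs12 -in "$1/phone.p12" -passin pass:changeme -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# client.ovpn for the phone: same content a Linux client.conf would carry.
# With 'pkcs12' the CA comes from the bundle, so no separate 'ca' line is used.
write_client_ovpn() {
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote VPN_PUBLIC_IP 1194
nobind
persist-key
persist-tun
pkcs12 phone.p12
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
}

# tinyproxy.conf: bind only to the tunnel address, allow only the tunnel subnet,
# run as nobody, and pass only the listed request headers (anonymous proxying).
write_tinyproxy_conf() {
    cat > "$1/tinyproxy.conf" <<'EOF'
User nobody
Group nobody
Port 8888
Listen 10.8.0.1
Allow 10.8.0.0/24
Anonymous "Host"
Anonymous "Authorization"
Anonymous "Cookie"
Anonymous "User-Agent"
DisableViaHeader Yes
EOF
}

# Usage: sh pki.sh /path/to/new/dir
if [ -n "${1:-}" ]; then
    build_pki "$1"
    write_client_ovpn "$1"
    write_tinyproxy_conf "$1"
    verify_cert "$1" vpn-server sslserver && echo "server cert verifies"
    verify_cert "$1" phone sslclient && echo "client cert verifies: $(p12_subject "$1")"
fi
```

The output directory then holds ca.crt, the two signed certificates, phone.p12 and dh.pem; copy phone.p12, ta.key and client.ovpn to the phone, and keep ca.key where the post keeps it, on the VM with no Internet access.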
harrygunner, thank you very much for the detailed information and taking the time to post it!
I'm trying to get my router to connect to vpntunnel.se using OpenVPN. The connection establishes according to the log, but I cannot pass traffic to the outside world once the connection comes up.
I just went to 'vpntunnel.se' to see what they do. Not a lot of tech support. However, the OpenVPN client you download from their site changes the routing tables on the device that's running the OpenVPN client. The new route directs traffic from your client side to Sweden, or other of their sites in other countries.
Can you elaborate on "get my router to connect to vpntunnel.se using openvpn"?
There are some routers and/or router firmware (like DD-WRT and TomatoUSB) that have OpenVPN built in. It allows the router to be configured as a VPN client so it can connect to another VPN endpoint/server. This way one's entire network can go over the VPN tunnel rather than just one individual computer.
I'm posting this using Tor. All this talk of autonomy had me add 'Tor' to my VPN/proxy. Running a separate SOCKS capable proxy on another port chains traffic to the Tor client. The Tor client connects to Tor relays.
Tor is slow, but an interesting function if I ever feel a need to be more autonomous.
Yes, you're correct. I'm using DD-WRT. My router connects, but I can't pass traffic. I need to mess with it more tonight; I haven't had enough time yet to figure it all out.
I want to use the router so I can pass all traffic from multiple machines and a network server.
It's been a while since I've messed with OpenVPN, but if I remember right both sides of the tunnel had to use the same network IP range, otherwise the traffic doesn't get passed between locations. Also the firewall/iptables on both routers may need to be configured to allow the OpenVPN ports and other networking ports to pass traffic back and forth over the VPN tunnel.
Google shares info so they suck in my opinion ( according to the news)