Make the entire Windows PC connect to the Internet through TOR
Introduction
The Onion Router (Tor) is a well-known anonymity network. On Windows it ships as the Tor Browser Bundle: a Firefox-based browser plus tor.exe, which acts as a SOCKS5 proxy listening on 127.0.0.1:9150 (a stand-alone tor daemon defaults to 9050). Such a configuration lets you torify every application that has SOCKS proxy support. But...
What about applications without built-in SOCKS settings? Tor Browser Bundle will not torify them. However, there are a number of such programs someone might want to tunnel through Tor, for instance the desktop bitcoin wallet Exodus or the Android emulator Memu.
Obviously, there is demand to hide the entire operating system behind Tor. Such a setup is called a Transparent Proxy, because applications don't see the proxy; they "think" they are connected to the Internet directly. Keep in mind what this does and does not cover: Tor carries TCP streams and the DNS lookups handed to it, so anything else the OS emits (other UDP, ICMP) has to be dropped at the gateway rather than tunnelled, and identifiers that applications send inside their own traffic (logins, wallet addresses, update checks) are not hidden by the proxy. This article explains how to create a Linux Virtual Machine acting as a Transparent Proxy for the whole Windows PC. Before continuing, I must mention that there is a program, Tallow, with the same functionality. Unfortunately, I can't get it working on my PC. If you have better luck with it, great. If not, read on...
Prerequisites and Assumptions
1. You have Windows XP through Windows 10
2. You're connected to the Internet directly through the Network Adapter (Ethernet, RNDIS) and NOT through VPN (OpenVPN, PPTP, L2TP).
3. You have VMware Workstation or Oracle VirtualBox installed.
STEP 1: INSTALL UBUNTU VIRTUAL MACHINE
If you use VMware the following services must be enabled on host: VMware DHCP Service, VMware NAT Service.
Download the ISO image of "Ubuntu 17.10 (Artful Aardvark) Server i386" from the official website (17.10 is end-of-life now; its images are kept under old-releases.ubuntu.com).
Inside VMware Workstation open Edit ➛Virtual Network Editor... and make sure VMnet0 is bridged to your Internet Network Adapter.
Click "Create a New Virtual Machine". When asked "What type of configuration do you want?" select "Custom (advanced)"
When prompted to choose location of ISO file, select "I will install the operating system later."
In the next dialog select Linux Ubuntu
When asked about Memory size, set 512 MB. In the next dialogs leave the default values. When creating the disk, 15 GB is enough.
After creating VM, click "Edit virtual machine settings". Remove Printer, Sound Card and USB Controller. HDD can be made "Persistent"
On the "CD/DVD (SATA)" tab select downloaded earlier ISO image
On the "Network Adapter" tab choose VMnet0
Click "Add..." button to add second Network Adapter and leave its type as "NAT".
Go to VM ➛Power➛ Power On to Firmware and change boot order, making CDROM first
Press F10 to save the changes and reboot. During installation, press "Enter" to select ens32 as the Primary Interface.
Afterwards, the interfaces should be configured automatically and be assigned IP addresses by the DHCP server of your LAN. If not, configure them manually, giving them different IPs. The IP of ens33 doesn't matter, since we'll change it later.
In the "Partition disks" dialog select "Guided - Use entire disk"
In the "Configure the package manager" dialog leave HTTP proxy blank.
In the "Software selection" dialog select only "OpenSSH server"
After completing installation, go to VM ➛Power➛ Power On to Firmware again and make "Hard Drive" be first boot device.
STEP 2: CONFIGURE UBUNTU VIRTUAL MACHINE
Now, I'd recommend enabling the root user:
sudo passwd root
sudo passwd -u root
and enabling root login over SSH:
sudo nano /etc/ssh/sshd_config
PermitRootLogin yes
Bear in mind that ens32 is bridged, so sshd on this VM is reachable from the whole LAN: give root a strong password, or leave PermitRootLogin at its default of prohibit-password and log in with an SSH key instead.
Type ifconfig in the terminal and note the inet address of the ens32 interface. In my case it was 192.168.2.153 - this is the IP of the VM. After rebooting, it will be possible to connect to the VM over SSH. Personally, I prefer KiTTY to send commands and WinSCP to modify files.
Disable the swap file, so that nothing Tor keeps in memory can end up on disk:
swapoff /swapfile
Edit /etc/fstab and comment out /swapfile:
#/swapfile none swap sw 0 0
Remove the swap file:
rm -f /swapfile
Edit /etc/apt/sources.list:
###### Ubuntu Main Repos
deb http://nl.archive.ubuntu.com/ubuntu/ artful main restricted universe multiverse
deb-src http://nl.archive.ubuntu.com/ubuntu/ artful main restricted universe multiverse
###### Ubuntu Update Repos
deb http://nl.archive.ubuntu.com/ubuntu/ artful-updates main restricted universe multiverse
deb-src http://nl.archive.ubuntu.com/ubuntu/ artful-updates main restricted universe multiverse
Note that Ubuntu 17.10 reached end of life in July 2018: its packages were moved off the regular mirrors to http://old-releases.ubuntu.com/ubuntu/ and it no longer receives security updates, so a supported release is the better choice for a gateway you keep running.
apt-get update
apt-get dist-upgrade
Edit /etc/sysctl.conf and enable forwarding:
net.ipv4.ip_forward=1
Only ip_forward is needed here. Accepting ICMP redirects and source-routed packets (accept_redirects, send_redirects, accept_source_route) does nothing for this setup and weakens the gateway, so leave those at their defaults.
Apply the change with a reboot (or sysctl -p).
Install packages:
apt-get update
apt-get --no-install-recommends install ifupdown gcc automake cmake zip unzip libssl-dev pkg-config zlib1g-dev libevent-dev
apt-get install pptpd
apt-get clean
Compile Tor (0.3.1.9 was current when this was written; take the latest release from the same dist directory and verify its signature before building):
mkdir /programs
mkdir /programs/tor
wget -P /tmp https://www.torproject.org/dist/tor-0.3.1.9.tar.gz
tar -xvzf /tmp/tor-0.3.1.9.tar.gz -C /tmp
cd /tmp/tor-0.3.1.9
./configure --prefix=/programs/tor --exec-prefix=/programs/tor --disable-asciidoc
make
make install-strip
cd /
rm -f /tmp/tor-0.3.1.9.tar.gz
rm -f -r /tmp/tor-0.3.1.9
mkdir /programs/tor/etc/keys1
Do not chmod 777 these directories: everything here runs as root anyway, and a world-writable tor binary or data directory can be replaced or read by any local user (Tor refuses to use a DataDirectory that other users can access and tightens it to 0700).
Create file /programs/tor/etc/torrc1 with content:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
DNSPort 192.168.7.1:5353
TransPort 192.168.7.1:9040
AvoidDiskWrites 1
UseEntryGuards 1
AllowNonRFC953Hostnames 1
ClientRejectInternalAddresses 0
WarnPlaintextPorts 65000
OptimisticData 1
PathsNeededToBuildCircuits 0.25
ClientOnly 1
SOCKSPort 127.0.0.1:9050
DataDirectory /programs/tor/etc/keys1
RunAsDaemon 1
DNSPort and TransPort are bound to 192.168.7.1, the address the PPTP clients will see, so only tunnelled traffic reaches them. Tor's DNSPort answers only A, AAAA and PTR queries; .onion names are mapped to fake addresses from VirtualAddrNetworkIPv4, which TransPort later turns back into the onion service connection.
Edit file /etc/network/interfaces:
auto ens33
iface ens33 inet static
address 192.168.7.1
netmask 255.255.255.255
mtu 1400
Enable ens33:
ifup ens33
Check if interface is enabled:
ifconfig
Try to start Tor:
/programs/tor/bin/tor -f /programs/tor/etc/torrc1
Because RunAsDaemon is set, tor goes into the background right after reading the config, so check with netstat -tulp that it is listening on 192.168.7.1:9040 (tcp) and 192.168.7.1:5353 (udp). To watch the bootstrap progress instead, run it once in the foreground with the option overridden on the command line (/programs/tor/bin/tor -f /programs/tor/etc/torrc1 --RunAsDaemon 0) and wait for "Bootstrapped 100%".
Configure the PPTP server:
systemctl stop pptpd.service
Edit /etc/pptpd.conf:
option /etc/ppp/pptpd-options
logwtmp
connections 10
localip 192.168.7.1
remoteip 192.168.7.12-21
Edit /etc/ppp/pptpd-options:
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
#require-mppe-128
ms-dns 192.168.7.1
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp
nologfd
Note that #require-mppe-128 is commented out, because encryption is not required on the local network. Keep in mind what that implies: the tunnel carries everything in plaintext across the bridged segment, and pptpd listens on the LAN side (TCP 1723 on ens32), so anyone on the LAN who knows one of the chap-secrets below can use the VM as their Tor gateway. MS-CHAPv2 is not a strong barrier either: the password hash can be recovered from a captured handshake.
Edit /etc/ppp/chap-secrets:
user1 pptpd password1 *
user2 pptpd password2 *
user3 pptpd password3 *
user4 pptpd password4 *
user5 pptpd password5 *
user6 pptpd password6 *
user7 pptpd password7 *
user8 pptpd password8 *
user9 pptpd password9 *
user10 pptpd password10 *
Edit /etc/ppp/ip-up, add to the end:
iptables -t nat -A PREROUTING -i $PPP_IFACE -p udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -i $PPP_IFACE -p udp --dport 5353 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -i $PPP_IFACE -p tcp --syn -j REDIRECT --to-ports 9040
iptables -A FORWARD -i $PPP_IFACE -j DROP
The first three rules hand DNS and every new TCP connection arriving from the tunnel to Tor. The last rule is the safety net: with ip_forward enabled, anything the REDIRECT rules do not catch (UDP other than DNS, ICMP) would otherwise be forwarded out of ens32 in the clear, so it is dropped instead.
Edit /etc/ppp/ip-down, add to the end:
iptables -t nat -D PREROUTING -i $PPP_IFACE -p udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -D PREROUTING -i $PPP_IFACE -p udp --dport 5353 -j REDIRECT --to-ports 5353
iptables -t nat -D PREROUTING -i $PPP_IFACE -p tcp --syn -j REDIRECT --to-ports 9040
iptables -D FORWARD -i $PPP_IFACE -j DROP
Try to start the PPTP server:
systemctl enable pptpd.service
systemctl start pptpd.service
It should work: systemctl status pptpd.service should report it active, and netstat -tulp should show pptpd on TCP port 1723.
Create file /etc/systemd/system/rc-local.service with content:
[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99

[Install]
WantedBy=multi-user.target
systemctl enable rc-local.service
systemctl start rc-local.service
Create file /etc/rc.local with content:
#!/bin/sh -e
/programs/tor/bin/tor --quiet -f /programs/tor/etc/torrc1 >/dev/null 2>/dev/null &
exit 0
chmod 755 /etc/rc.local
The script only needs to be executable. It runs as root at every boot, so it must not be world-writable: chmod 777 would let any local user put their own commands into it.
Reboot VM:
reboot
Make sure tor and pptpd are running:
netstat -tulp
Expect tor on 192.168.7.1:9040 (tcp), 192.168.7.1:5353 (udp) and 127.0.0.1:9050 (tcp), and pptpd on port 1723 (tcp). GRE, which carries the PPTP data, is not a socket and does not appear in this list.
Turn off VM:
poweroff
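Before powering the VM off, it is worth checking the whole chain at once rather than eyeballing netstat. The script below is an added example, not code from the original post: it audits an iptables-save dump for the four rules ip-up installs (the FORWARD drop being the one whose absence leaks non-TCP traffic around Tor) and an ss -tulpn listing for the tor and pptpd listeners from torrc1 and pptpd.conf. It assumes the addresses and ports used above and that the first PPTP client's interface is ppp0; the sample dumps it runs against are constructed, so it works offline, and the same functions can be fed live output on the VM.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the transparent-proxy
# setup on the Ubuntu VM against the rules and listeners configured above.
# On the VM, run as root with live data (ppp0 is the first client's interface):
#   audit_nat_rules "$(iptables-save)" ppp0 && audit_listeners "$(ss -tulpn)"
# Run without arguments, it exercises itself on the constructed samples below.

# Regexes (one per line) that iptables-save output must match for IFACE.
# The TCP rule accepts both the --syn shorthand and the expanded form
# iptables-save prints for it.
required_rules() {
    iface="$1"
    cat <<EOF
^-A PREROUTING -i $iface -p udp .*--dport 53 -j REDIRECT --to-ports 5353\$
^-A PREROUTING -i $iface -p udp .*--dport 5353 -j REDIRECT --to-ports 5353\$
^-A PREROUTING -i $iface -p tcp .*(--syn|--tcp-flags FIN,SYN,RST,ACK SYN) -j REDIRECT --to-ports 9040\$
^-A FORWARD -i $iface -j DROP\$
EOF
}

# audit_nat_rules DUMP IFACE: returns 0 when every required rule is present
# in DUMP (iptables-save text); otherwise prints each missing rule and
# returns 1. A missing FORWARD drop is the leak path: non-DNS UDP and ICMP
# from the tunnel would be forwarded out of ens32 instead of being discarded.
audit_nat_rules() {
    dump="$1"
    iface="$2"
    rc=0
    while IFS= read -r pattern; do
        if ! printf '%s\n' "$dump" | grep -Eq -- "$pattern"; then
            echo "MISSING: $pattern"
            rc=1
        fi
    done <<EOF
$(required_rules "$iface")
EOF
    return $rc
}

# audit_listeners DUMP: returns 0 when DUMP (ss -tulpn or netstat -tulpn
# text) shows tor's TransPort and DNSPort from torrc1 and pptpd on TCP 1723.
audit_listeners() {
    dump="$1"
    rc=0
    for want in 'tcp .*192\.168\.7\.1:9040[[:space:]]' \
                'udp .*192\.168\.7\.1:5353[[:space:]]' \
                'tcp .*:1723[[:space:]]'; do
        if ! printf '%s\n' "$dump" | grep -Eq -- "$want"; then
            echo "NOT LISTENING: $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of iptables-save output from a correctly configured VM.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i ppp0 -p udp -m udp --dport 5353 -j REDIRECT --to-ports 5353
-A PREROUTING -i ppp0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i ppp0 -j DROP
COMMIT'

# The same dump with the FORWARD drop left out: the leak described above.
LEAKY_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v '^-A FORWARD')

# Constructed sample of `ss -tulpn` on the VM with tor and pptpd running.
SS_OK='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      192.168.7.1:5353   0.0.0.0:*         users:(("tor",pid=612,fd=8))
tcp   LISTEN 0      128    127.0.0.1:9050     0.0.0.0:*         users:(("tor",pid=612,fd=6))
tcp   LISTEN 0      128    192.168.7.1:9040   0.0.0.0:*         users:(("tor",pid=612,fd=7))
tcp   LISTEN 0      3      0.0.0.0:1723       0.0.0.0:*         users:(("pptpd",pid=640,fd=6))'

# The same listing with tor not running (only pptpd left).
SS_NO_TOR=$(printf '%s\n' "$SS_OK" | grep -v '"tor"')

demo() {
    echo "== correct rule set:";      audit_nat_rules "$GOOD_RULES" ppp0 && echo "OK"
    echo "== rule set without drop:"; audit_nat_rules "$LEAKY_RULES" ppp0 || echo "LEAK PATH"
    echo "== listeners, tor up:";     audit_listeners "$SS_OK" && echo "OK"
    echo "== listeners, tor down:";   audit_listeners "$SS_NO_TOR" || echo "TOR NOT RUNNING"
}

demo
```

Run it on the VM after every change to ip-up or torrc1, and once more after a reboot, since rc.local starting tor and pptpd installing rules at connect time are the two places where this setup silently fails open.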
STEP 3: CONFIGURE WINDOWS
Create new PPTP connection:
In Windows 10 open Settings ➛Network & Internet➛VPN➛Add a VPN connection
Here, the "Connection name" should be "pptpd"; "Server name" is the IP of the Ubuntu Virtual Machine (the ens32 address noted earlier); "VPN type" is PPTP; the login and password are taken from chap-secrets. Click the "Save" button.
Open Control Panel ➛ Network and Sharing Center ➛Change adapter settings
In the properties of the pptpd adapter, on the "Security" tab select "Allow these protocols" and check "Microsoft CHAP Version 2":
Open "Local Group Policy Editor" (Win+R, gpedit.msc) and navigate to Computer Configuration ➛ Administrative Templates ➛ Network ➛ DNS Client. Enable the following policies, so that Windows stops sending DNS queries out of every adapter in parallel (the classic VPN DNS leak) and stops falling back to LLMNR:
Turn off smart multi-homed name resolution
Turn off smart protocol reordering
Turn off multicast name resolution
Reboot Windows to apply changes.
STEP 4: USAGE
Create two *.BAT files, SET_FAKE.bat and RESTORE_DHCP.bat
SET_FAKE.bat:
netsh interface ipv4 set dnsservers "Ethernet" static 127.0.0.2 primary
netsh interface ipv6 set dnsservers "Ethernet" static 0:0:0:0:0:ffff:7f00:2 primary
netsh interface ipv4 add dnsservers "Ethernet" 127.0.0.3 index=2
netsh interface ipv6 add dnsservers "Ethernet" 0:0:0:0:0:ffff:7f00:3 index=2
RESTORE_DHCP.bat:
netsh interface ipv4 set dnsservers "Ethernet" dhcp
netsh interface ipv6 set dnsservers "Ethernet" dhcp
Here, "Ethernet" is the name of the Internet Network Adapter. 127.0.0.2, 127.0.0.3, 0:0:0:0:0:ffff:7f00:2 and 0:0:0:0:0:ffff:7f00:3 are dummy DNS servers: loopback addresses where no resolver is listening, so queries sent through the physical adapter fail instead of reaching your ISP's resolver, and the only working resolver left is the one the PPTP connection hands out (192.168.7.1, i.e. Tor's DNSPort).
Power On the Ubuntu VM and run SET_FAKE.bat as Administrator.
Now Windows should not be able to do name resolution, but should still connect to IP addresses directly:
Establish PPTP connection to Ubuntu VM:
Open a browser and go to https://www.perfect-privacy.com/dns-leaktest to check for leaks; https://check.torproject.org confirms that the connection itself is leaving through a Tor exit.
Do whatever you intended to do in the TOR network.
Disconnect from PPTP and restore DNS Settings back - run RESTORE_DHCP.bat as Administrator.
Power Off Ubuntu VM.
STEP 5: HIDE THE FACT YOU'RE USING TOR
Some websites block Tor users. To get around this, one might use an ordinary SOCKS proxy on top of the tunnel, so the site sees the proxy rather than a Tor exit. A free SOCKS4/5 proxy list is available at https://www.socks-proxy.net; bear in mind that such a proxy sees your traffic and becomes the party the website talks to. This applies only to browsers/applications with built-in SOCKS functionality. Windows can't apply proxy settings globally while the PPTP connection is active (PPTP is a kind of VPN).
Proxifier for Windows can proxify every application, even those without SOCKS settings. A 30-day trial version can be downloaded from the official website. Proxifier also includes the free tool ProxyChecker for testing proxy servers.