How to force whole-network Tor with LAN -> Tor -> WAN configuration?
-
FYI, I polished up that info a little better and turned it into an article for LBC: 10 steps to make Tor safer with pfSense. Thanks for the help kejianshi. Even though I didn't quite get to where I wanted to go, your help eventually led me to another solution that worked for me, and will probably work for a lot of other people who ought to take a look at using pfSense. I guess that's the only part of this that I got right from the start - pfSense is the key component!
-
Another FYI, my article is now slightly famous thanks to reddit:
http://www.reddit.com/r/onions/comments/1l15hx/10_steps_to_make_tor_safer_with_pfsense/
http://www.reddit.com/r/privacy/comments/1l25mu/adding_more_tor_to_your_day_leading_up_to_a_total/
I hope the attention will lead more people to try using pfSense. It's a fantastic system that more people ought to know about. Being able to so easily do unexpected stuff with it will probably get people's imaginations going. What will they think of next?!
-
Well - as long as you are happy, I am happy. Are you using it?
-
Yes, I am using it. Further research indicated that Tor was not configured to accept external connections, so I will be revisiting this topic later. It may still be possible to force whole-network Tor, without any LAN client configuration. I have succeeded in tunneling UDP over Tor and Torifying everything using a VPN. I tested it with VoIP, and despite such a long route, the increased latency was acceptable! I fully expected VoIP to be miserable to use, but it was not much worse than using it without Tor. That was a huge surprise.
-
I just created a VLAN using pfSense, and am routing all external traffic over Tor using a Raspberry Pi 2…
pfSense is my acting DHCP server, but the Raspberry Pi 2 is the default gateway... The Raspberry Pi 2 is also provided Internet access using a different VLAN whose traffic is routed over my PIA (PrivateInternetAccess) VPN, but that's defaulted at my Cisco Smart Switch... So I'm double covered...
I created an SSID on my Meraki Wireless AP just for the new VLAN so all my wireless clients that use it will be doing so over the VPN/TOR networks...
I'm also not using SQUID at all... Everything just works...
If anyone is interested, I can gladly post a tutorial...
FYI, and any traffic that shouldn't (or can't) transmit over the Tor network is being dropped to prevent leaks.
I haven't thoroughly tested for leaks yet, but am doing so now...
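As an added example (not the poster's configuration or tutorial), here is what the Raspberry Pi side of such a setup looks like on Linux: Tor's transparent proxy and DNS ports bound to the VLAN address, plus firewall rules that redirect the VLAN's TCP and DNS into Tor and drop everything that cannot go through Tor (UDP other than DNS, ICMP, all IPv6), which is the "drop it to prevent leaks" part. pfSense still hands out DHCP and points clients at the Pi. The interface name eth0.20, the address 10.20.0.1 and the port numbers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: transparent Tor gateway on the Pi.
# Run with no argument to print the torrc lines and firewall rules;
# run as root with "apply" to install the firewall rules.

LAN_IF="eth0.20"        # assumed: Tor VLAN interface on the Pi
LAN_IP="10.20.0.1"      # assumed: Pi's address on that VLAN (clients' gateway)
TRANS_PORT=9040         # Tor TransPort (transparent TCP proxy)
DNS_PORT=5353           # Tor DNSPort (DNS resolved through Tor)

# torrc lines the gateway needs (append to /etc/tor/torrc and restart tor).
torrc_fragment() {
    cat <<EOF
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort ${LAN_IP}:${TRANS_PORT}
DNSPort ${LAN_IP}:${DNS_PORT}
EOF
}

# Firewall rules, one command per line. Order matters: redirect DNS and TCP
# into Tor first, accept what was redirected, then drop anything else that
# arrives on the VLAN so no UDP, ICMP or IPv6 can leave outside Tor.
# Nothing is forwarded at all; every allowed flow terminates in Tor.
firewall_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
iptables -A INPUT -i ${LAN_IF} -p udp --dport ${DNS_PORT} -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p tcp --dport ${TRANS_PORT} -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -j DROP
iptables -A FORWARD -i ${LAN_IF} -j DROP
ip6tables -A INPUT -i ${LAN_IF} -j DROP
ip6tables -A FORWARD -i ${LAN_IF} -j DROP
EOF
}

# Install the rules; stops at the first command that fails (e.g. not root).
apply_rules() {
    firewall_rules | while IFS= read -r rule; do
        eval "$rule" || exit 1
    done
}

case "${1:-show}" in
    show)  torrc_fragment; echo; firewall_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The rules are appended, not flushed in, so run it once on a clean ruleset (or persist it with your distribution's iptables-save mechanism). A client-side leak check then consists of confirming that a plain UDP packet or a ping to an Internet address never gets an answer, while TCP and DNS still work; that is the behaviour the DROP rules are there to guarantee.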
-
I would be very curious to see your tutorial if you write one.
-
I posted it to my blog for initial posting…
Here's the link: http://www.lennysh.com/create-a-tor-vlan-using-a-raspberry-pi-and-pfsense/
Please let me know if I missed anything, or could have done anything better.
Once I get it fine tuned, I may copy/paste it here for easy finding...
-
Just remember the spooks run their own honeypots including smaller honeypots on public websites & services in plain view.
You can be found using TOR because in maths it's possible to work out unknowns, and thus you won't ever have perfect privacy or anonymity, which is especially bad news for introverts.
-
+1 on the need for a TOR package. It would make setting up a guest wireless network really easy. No WLAN passwords needed and no worrying about what the guests do on the network.
-
I just found out that Intel has had backdoors in their hardware for years. Of course they claim it's just a bug, and only processors from 1995 to 2011 are affected, but there is conveniently always a "bug upgrade" that removes the old backdoor and creates a new one that will take a while to be found. With that in mind, I have to wonder if we're all wasting our time. AMD said they would review the possibility that they have a backdoor, but I'm not optimistic. Who can we trust these days?
I don't know much about Raspberry Pi - is it running on something that is less likely to be backdoored? The thought crossed my mind that since ARM designs but does not manufacture its chips, anyone they license their design to would be able to see the licensed design specs, and spot a backdoor if one existed. Intel, AMD, etc. don't let anyone look at their designs, so it literally takes decades and a lot of luck for someone to find out about a backdoor.
“We cannot trust” Intel and Via's chip-based crypto, FreeBSD …
Intel left a fascinating security flaw in its chips for 16 years – here's …
I don't know why everyone isn't talking about this, and bringing it up in every conversation that remotely involves cryptography. The Intel backdoor is so phenomenally effective that it can be installed into the CPU microcode. It cannot be detected, and it can never be removed. Wiping an HDD and doing a fresh OS install will not get rid of it. Of course, Intel claims they got rid of it in 2011, but then they introduced something that could potentially be a wireless backdoor:
“Secret” 3G Intel Chip Gives Snoops Backdoor PC Access Alex …
That article seems alarmist, and people criticizing it point out that a lack of an antenna would give it pathetically short range, but I completely disagree. I think the alarmist reaction is the right one. First of all, being able to gain complete access to a CPU even if it requires you to be within 10 inches of it, is more than adequate to make the backdoor useful. Simply walking past a PC might be sufficient to gain access to it. Or, what about sending RF signals down ethernet or power lines? That'd do it too. That kind of weak signal espionage is well-developed in "spook" world, and even lowly amateur radio enthusiasts are able to pull off tricks like that.
This whole-network Tor thing is something I take pretty seriously, and I'm not afraid to turn to specialized hardware like Raspberry Pi or whatever if that's necessary to ensure Tor's cryptography can't be rendered useless by hardware backdoors. It's crazy that this even needs to be discussed, but since it does, it ought to be tattooed on everyone's forehead until solutions are found and made available. Everyone needs to worry about this.
-
IMHO if you need THAT much encryption, you're doing something really bad. Either that or you need a titanium tin-foil hat.
If you're really worried about it, drive 100 miles in any direction, find a home with an unsecured wireless connection, and use a throw-away Netbook each time you access the Internet via Tor. Oh, and either steal the Netbook or pay with cash in a back alley.
-
tim.mcmanus, how much encryption are you referring to as "THAT much"? Because what I've described obliterates ALL encryption. What exactly is a "really bad" use of encryption in your opinion? How much do you think your opinion of badness matters to people who want to use effective encryption? And, most importantly, what gives you the idea that you know anything at all about what other people are encrypting?
If you will kindly give me your login credentials for this forum, I will write your opinion for you, posing as you. I might then proceed to proclaim your love of evil and all things forbidden, once again, posing as you. You don't like the sound of that? Oh, then it looks like you need "THAT much really bad" encryption too.
No, sir, you can take your opinion of what I'm doing with my encryption, and shove it - into your favorite encryption tool, and then delete the key.
-
Famous:
https://www.reddit.com/r/conspiracy/comments/3kinq6/why_isnt_everyone_talking_about_hardware/
…and:
https://www.reddit.com/r/conspiracy/comments/3kesvm/study_shows_conspiracy_theory_insult_losing_power/
-
Time to loosen the tinfoil hat.
-
Because what I've described obliterates ALL encryption.
Um, Tor…
And, most importantly, what gives you the idea that you know anything at all about what other people are encrypting?
Usually you encrypt things you don't want people to see. You're either severely paranoid or doing something really bad.
If you will kindly give me your login credentials for this forum, I will write your opinion for you, posing as you. I might then proceed to proclaim your love of evil and all things forbidden, once again, posing as you. You don't like the sound of that? Oh, then it looks like you need "THAT much really bad" encryption too.
It's actually a violation of the terms of using this board, sharing of login credentials. And I like it here, so, no, I won't share.
No, sir, you can take your opinion of what I'm doing with my encryption, and shove it - into your favorite encryption tool, and then delete the key.
I thought what you were doing obliterated all encryption. Are you sure you know what that word means?
-
Because what I've described obliterates ALL encryption.
Um, Tor…
Yes, Tor. Onion routing is fundamentally onion encryption. The only reason the onion routers don't know the source or destination of packets is because they're encrypted. No encryption, no Tor. Encryption backdoor, Tor backdoor.
And, most importantly, what gives you the idea that you know anything at all about what other people are encrypting?
Usually you encrypt things you don't want people to see. You're either severely paranoid or doing something really bad.
I wear clothes too.
If you will kindly give me your login credentials for this forum, I will write your opinion for you, posing as you. I might then proceed to proclaim your love of evil and all things forbidden, once again, posing as you. You don't like the sound of that? Oh, then it looks like you need "THAT much really bad" encryption too.
It's actually a violation of the terms of using this board, sharing of login credentials. And I like it here, so, no, I won't share.
You missed the point. Without effective encryption, you don't have to share your login credentials, they can simply be taken from you. Are you using an American-made CPU?
No, sir, you can take your opinion of what I'm doing with my encryption, and shove it - into your favorite encryption tool, and then delete the key.
I thought what you were doing obliterated all encryption. Are you sure you know what that word means?
You missed the point again. The point was that the encryption key isn't required. Don't worry, you won't lose your opinion by encrypting it, even if you do delete the key.
-
I think most people want privacy, assume they have it and therefore assume anyone excited about internet privacy must be a criminal or something.
I don't think tor is the way to go though. It's slow and has too many limitations.
A good VPN would be better.
-
Tor hasn't been that slow for me, but tails for example is not secure or hardened in any way; in fact a lot of the so-called privacy products, when I started investigating them, appear to do the opposite, especially when considering how easy it is to stand out by virtue of running something different to everyone. In some respects the misdirection is the claims of affording some level of privacy, just like Snowden is a false flag, as the spooks didn't know how to break it to the world the capabilities they have, some of which go back to last century.
The US or UK is no better or worse than Russia, China or North Korea; they still ignore their own laws when it suits them.
If anything, for privacy you'd probably want to use the most popular computer device and OS out there in order to blend into the crowds, be it a phone, laptop, tablet or desktop, and even then you still have stingrays to deal with, but if they want to target you, you have no privacy at all. Let's face it, even the landlines in your offices and homes are powered up 24/7 for listening in at will, which is also handy in case of a power cut.
In the meantime this still hasn't stopped a few US companies taking out patents on stuff I've been working on, which is why people are financially cleansed in the same sense as ethnic cleansing was outlawed after WW2, as money makes developments, patents, lawyers etc. all possible, which a one-man band like myself simply can't compete with.
Ironic really how history repeats in many ways.
-
I don't think tor is the way to go though. It's slow and has too many limitations.
A good VPN would be better.
Tor IS the way to go. It works very well for me. It works so well I can do VoIP with it, and still have acceptable latency. It's amazing and surprising it works, but it does indeed work. Oh, and I use a VPN via Tor to tunnel UDP traffic through Tor's TCP-only limitation. So, I have 3 Tor hops, 1 VPN hop, and one final destination VoIP hop. That means I'm routing my VoIP calls around the world at least 5 times before they arrive at the other end of the conversation, and it still works amazingly well! Anyone could do this with satisfactory results if they wanted to.
-
I doubt seriously your UDP voip packets are going out via tor. If you have a TCP solution that is routable over tor, it would not be usable.