OpenBSD, Tor transparent local proxy.

in #tor, 7 years ago (edited)

Background


In case you missed our last article, we are talking about OpenBSD, the most secure open source operating system in the world, and Tor, free software for enabling anonymous communication.
In our first post we gave an introduction and a first configuration, creating a tor service with only one local SOCKS port open, for a static per-user configuration.
We also introduced the concept of FVEY, which we will continue to analyze as soon as possible.
What we did not touch on last time is the important fact that these two fabulous pieces of software have had a strangely difficult history of interoperability. OpenBSD has been in our lives since the mid-nineties and Tor, the onion router project, since September 2002.
torbsd project
Only with the birth of the torbsd project did configuring the anonymizing daemon become as simple and easy as it should be. We can study, read and fork the work of the torbsd fellows at github.

Tor daemon in an OpenBSD system


Starting from a clean OpenBSD install we will install Tor from packages:

$ doas pkg_add -U tor
$ doas pkg_add -U arm # ncurses control tool

To see which files the installation of those two packages added to our operating system, simply use (package tor in the example):

$ pkg_info -L tor
Information for inst:tor-0.3.0.10
Files:
/usr/local/bin/tor
/usr/local/bin/tor-gencert
/usr/local/bin/tor-resolve
/usr/local/man/man1/tor-gencert.1
/usr/local/man/man1/tor-resolve.1
/usr/local/man/man1/tor.1
/usr/local/share/doc/tor/tor-gencert.html
/usr/local/share/doc/tor/tor-resolve.html
/usr/local/share/doc/tor/tor.html
/usr/local/share/examples/tor/torrc.sample
/usr/local/share/tor/geoip
/usr/local/share/tor/geoip6
/etc/rc.d/tor

The torrc file


tor network

Now we have to configure the torrc file in /etc/tor/torrc. The file is written through tee under doas, because a plain `>>` redirection would be performed by our unprivileged shell before doas runs and would fail on the root-owned file:

$ doas tee -a /etc/tor/torrc <<EOF
User _tor
RunAsDaemon 1
AvoidDiskWrites 1
GeoIPFile /usr/local/share/tor/geoip
GeoIPv6File /usr/local/share/tor/geoip6
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
DNSPort 127.0.0.1:53
DataDirectory /var/tor
Log notice file /var/log/tor_log
ControlPort 127.0.0.1:9051
CookieAuthentication 1
ExcludeNodes {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
NodeFamily {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
StrictNodes 1
GeoIPExcludeUnknown 1
SocksPort 127.0.0.1:9900
PathsNeededToBuildCircuits 0.95
EOF

Prepare the environment:

$ doas mkdir /var/tor
$ doas chown -R _tor:_tor /var/tor
$ doas chown _tor:_tor /dev/pf # TransPort recovers the original destination of redirected connections through /dev/pf
$ doas touch /var/log/tor_log
$ doas chown _tor:_tor /var/log/tor_log

Let's explain every option in the torrc:

  1. User: after opening the sockets the daemon drops to this user's UID.
  2. RunAsDaemon: whether or not to launch the daemon in the background.
  3. AvoidDiskWrites: try to write to disk less frequently.
  4. GeoIPFile: where the IPv4 GeoIP database is in the filesystem tree.
  5. GeoIPv6File: where the IPv6 GeoIP database is in the filesystem tree.
  6. VirtualAddrNetwork: we will try to explain this later.
  7. AutomapHostsOnResolve: controls VirtualAddrNetwork.
  8. TransPort: transparent proxy port where tor talks with pf.
  9. DNSPort: port where the tor DNS resolver accepts queries.
  10. DataDirectory: where tor keeps its session data.
  11. Log notice file: log file (I don't know why spaces are accepted here).
  12. ControlPort: port where arm or other tools connect to control tor.
  13. CookieAuthentication: boolean selecting the authentication mode of the control port.
  14. ExcludeNodes: where we don't want our tor circuits to go, using ISO 3166 country codes.
  15. NodeFamily: build a single family out of those codes.
  16. StrictNodes: strictly respect our ExcludeNodes list.
  17. GeoIPExcludeUnknown: if tor doesn't know where a relay is, simply don't use it.
  18. SocksPort: static SOCKS 4/5 listener port (we will go deeper into this later).
  19. PathsNeededToBuildCircuits: tor won't build circuits until it has enough descriptors or microdescriptors to construct that fraction of possible paths.

Now we have to make sure that dhclient will not rewrite /etc/resolv.conf. In OpenBSD we add this to /etc/dhclient.conf (again through tee, since the redirection has to happen as root):

$ doas tee -a /etc/dhclient.conf <<EOF
    supersede domain-name-servers 127.0.0.1;
EOF
$ doas sh /etc/netstart

The pf.conf file


the pf firewall

OpenBSD was the first operating system to use one of the most powerful firewalls, pf.
In other posts we will analyze in more depth how to properly use this monster, but for now simply use this pf.conf to create a transparent firewall in an OpenBSD system newer than version 4.7.
We create another loopback interface in our system to play a little with internal routing:

$ doas ifconfig lo1 create up 127.0.0.2
$ doas tee /etc/hostname.lo1 <<EOF
inet 127.0.0.2
EOF

And use these directives as our pf.conf. They replace the stock ruleset rather than being appended to it: the stock file's "set skip on lo" would exempt lo1 from filtering, so the rdr-to rules below would never be evaluated:

$ doas tee /etc/pf.conf <<EOF
# destinations you don't want routed through Tor
# (10.0.0.0/8 minus 10.192.0.0/10: that /10 is Tor's VirtualAddrNetwork and
# must stay on the Tor path, otherwise automapped .onion addresses would be
# sent out unproxied)
non_tor = "{ 10.0.0.0/10 10.64.0.0/10 10.128.0.0/10 172.16.0.0/12 192.168.0.0/16 }"
# Tor's TransPort
trans_port = "9040"

match in all scrub (no-df random-id reassemble tcp)
antispoof for egress inet
block return log on egress all

# traffic routed to lo1 comes back in here and is handed to Tor
pass in quick on lo1 inet proto tcp all flags S/SA modulate state rdr-to 127.0.0.1 port $trans_port
pass in quick on lo1 inet proto udp to port domain rdr-to 127.0.0.1 port domain

pass quick on { lo0 lo1 }

# Tor's own connections go out directly; everything else is pushed to lo1
pass out quick inet proto tcp user _tor flags S/SA modulate state
pass out quick inet proto udp to port domain route-to lo1
pass out quick inet to $non_tor
pass out inet proto tcp all route-to lo1
EOF
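
To see which path the ruleset above gives a destination without loading it into pf, here is an added example (not from the original post) that models the outbound TCP decisions of that pf.conf in plain sh. The helper names ip2int, in_cidr and route_for are chosen here, the destination addresses are constructed test values, and the non_tor list is passed in so the carved-out version can be compared with a plain 10.0.0.0/8 entry.

```shell
#!/bin/sh
# Added example: a plain-sh model of the outbound TCP decisions in the pf.conf
# above. Helper names (ip2int, in_cidr, route_for) are chosen here, not pf's.

# Dotted quad -> 32-bit integer.
ip2int() {
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX: succeeds when IP lies inside the prefix.
in_cidr() {
    _ip=$(ip2int "$1")
    _net=$(ip2int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

VIRTUAL_ADDR_NET="10.192.0.0/10"   # torrc VirtualAddrNetwork
# $non_tor as written in the pf.conf above (10.0.0.0/8 carved around 10.192.0.0/10)
NON_TOR="10.0.0.0/10 10.64.0.0/10 10.128.0.0/10 172.16.0.0/12 192.168.0.0/16"
# the same list with a plain 10.0.0.0/8, for comparison
NON_TOR_OVERLAPPING="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# route_for "NON_TOR_LIST" USER DST_IP: prints the outcome for a new outbound
# TCP connection, following the quick rules in the order pf evaluates them.
route_for() {
    _list=$1; _user=$2; _dst=$3
    # pass out quick inet proto tcp user _tor -> Tor's own relay connections
    [ "$_user" = "_tor" ] && { echo direct-tor-daemon; return 0; }
    # pass out quick inet to $non_tor -> bypasses Tor entirely
    for _n in $_list; do
        in_cidr "$_dst" "$_n" && { echo direct; return 0; }
    done
    # pass out inet proto tcp all route-to lo1 -> rdr-to 127.0.0.1 port 9040
    if in_cidr "$_dst" "$VIRTUAL_ADDR_NET"; then
        echo transport-onion   # automapped .onion address, Tor resolves it
    else
        echo transport
    fi
}
```

Running `route_for "$NON_TOR_OVERLAPPING" alice 10.192.5.7` prints `direct`, which is exactly the leak the carved-out list avoids.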

Here are some examples of how to use the pf firewall:

  • pfctl -e (enable)
  • pfctl -d (disable)
  • pfctl -f /etc/pf.conf (load rules)
  • pfctl -nf /etc/pf.conf (parse the file, don't load it)
  • pfctl -sr (show current ruleset)
  • pfctl -ss (show current state table)
  • pfctl -si (show filter stats and counters)
  • pfctl -sa (show all)
  • pfctl -t table -T flush (flush a table)
  • pfctl -k 192.168.1.80 (kill states for host 192.168.1.80)
  • pfctl -t table -T expire 86400 (expire table entries older than 24 hours)
  • add -vv to any of them for more info

Start tor at boot


The last configuration step is to activate tor at boot.
Will you use this daemon to protect your privacy or to access the #deepinternet?

$ doas rcctl enable tor
$ doas reboot

Stay tuned for more OpenBSD, tor and deepinternet posts, I love you.