
Tor relay in virtualized OpenBSD with KVM

Hi,

For some time now I’ve been really worried about my privacy, especially since IPRED was introduced in Sweden in 2009, the country where I’m living now. I’ve discovered (well, re-discovered, I knew about it before) the Tor Project and I’ve started to play with it with one clear goal: protect my privacy and try to help others who want to do the same.

One of my first games was to run a Tor relay on my personal server. It has been a good experience: learning something about Tor, how it works and so on. Now the service is running fine, but the main problem I had was limiting the bandwidth, because my server (like any hosting service) has no unlimited transfer bandwidth. Tor offers several ways to do that, so no problem after all. On the other hand, my normal Internet connection at home has no transfer limit at all, so the next step is clear: build a Tor relay on my home machine using my normal Internet connection. At present I use Ubuntu 10.04 LTS with KVM as the virtualization technology.

  1. Create the OpenBSD VM

    Well, there is a lot of good info about this topic out there. Let me say only one thing: it works fine with OpenBSD 4.8 i386. I’ve tested OpenBSD with previous versions of KVM and it wasn’t simple. Now it seems easier. It’s not perfect (I have a minor problem with the NIC that I have to debug) but it runs fine in general. I think Ubuntu 10.04 LTS uses kvm-84, but I’m not sure. Check it by yourself.

  2. Tor relay in the OpenBSD VM

    Install tor from the wonderful OpenBSD ports; some programs such as trafshow or ifstat can help you to “see” the network traffic later.

    # export PKG_PATH=ftp://your.ftp.mirror/pub/OpenBSD/4.8/packages/`machine -a`/
    # pkg_add tor trafshow ifstat
    

    Then configure the service as you want; the Tor Project has excellent documentation (maybe I’ll write another post about it).

  3. Redirect the Tor traffic from the host to the guest

    This has been the most “complex” step in the process. I have a public IP on my Ubuntu NIC (which means my home router is configured as a bridge with my ISP) and the KVM network is NATed. So my network looks like this:

    jespasac@jespasac:~$ ifconfig 
    eth0      Link encap:Ethernet  HWaddr 00:24:8c:dc:47:45  
              inet addr:213.113.52.4  Bcast:213.113.55.255  Mask:255.255.248.0
              inet6 addr: fe80::224:8cff:fedc:4745/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:25059 errors:0 dropped:0 overruns:0 frame:0
              TX packets:21604 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:20904405 (20.9 MB)  TX bytes:11804657 (11.8 MB)
              Interrupt:27 Base address:0xe000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:2054 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2054 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:5440373 (5.4 MB)  TX bytes:5440373 (5.4 MB)
    
    virbr0    Link encap:Ethernet  HWaddr e6:90:1e:9d:b3:f4  
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              inet6 addr: fe80::f4f3:d1ff:fe65:5019/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5657 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5631 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:2720408 (2.7 MB)  TX bytes:4073317 (4.0 MB)
    
    vnet0     Link encap:Ethernet  HWaddr e6:90:1e:9d:b3:f4  
              inet6 addr: fe80::e490:1eff:fe9d:b3f4/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5657 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5756 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:2799606 (2.7 MB)  TX bytes:4076144 (4.0 MB)
    

    What I’ve done is simple: redirect the incoming traffic on port 9001 (the default Tor relay port) to the OpenBSD VM (192.168.122.248).

    $ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9001 -j DNAT --to-destination 192.168.122.248:9001
    

    To be honest, I don’t master iptables as I do pf, so take your time reading about how KVM and networking work in Ubuntu. Note that I haven’t matched on the host’s public IP (only -i eth0, without the -d flag) in the iptables command, because my public IP isn’t always the same.

  4. Test that everything is working

    I love tcpdump and related tools for checking the network traffic, so:

    # Host

    jespasac@jespasac:/$ sudo tcpdump -i eth0 -n -t -q dst host 213.113.52.4 and port 9001
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    IP 217.70.189.145.50078 > 213.113.52.4.9001: tcp 1448
    IP 217.70.189.145.50078 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 586
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
    IP 173.193.221.28.53343 > 213.113.52.4.9001: tcp 736
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 1448
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 236
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
    IP 217.70.189.145.50078 > 213.113.52.4.9001: tcp 1348
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
    IP 67.205.89.146.58462 > 213.113.52.4.9001: tcp 586
    IP 62.112.194.60.57613 > 213.113.52.4.9001: tcp 586
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 85.25.184.125.53976 > 213.113.52.4.9001: tcp 586
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
    IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1122
    IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 586
    IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 0
    [...]
    

    # Guest VM:

    # uname -a                           
    OpenBSD minipuffy 4.8 GENERIC.MP#359 i386
    
    # ifconfig                           
    lo0: flags=8049 mtu 33200
            priority: 0
            groups: lo
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    pcn0: flags=8a43 mtu 1500
            lladdr 52:54:00:3e:ee:14
            priority: 0
            groups: egress
            media: Ethernet autoselect (autoselect)
            inet 192.168.122.248 netmask 0xffffff00 broadcast 192.168.122.255
            inet6 fe80::5054:ff:fe3e:ee14%pcn0 prefixlen 64 scopeid 0x1
    enc0: flags=0<>
            priority: 0
            groups: enc
            status: active
    pflog0: flags=141 mtu 33200
            priority: 0
            groups: pflog
    
    # ifstat 2 10
           pcn0       
     KB/s in  KB/s out
       50.49     53.08
       60.42     64.85
       43.18     43.26
       45.35     45.46
       59.08     62.77
       42.93     43.45
       50.42     52.65
       57.60     56.26
       46.99     48.53
       47.45     46.65
    
    # tcpdump -i pcn0 -n -q -t port 9001 
    tcpdump: listening on pcn0, link-type EN10MB
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.36193 > 88.208.121.151.9001: tcp 586 (DF)
    92.241.184.49.54966 > 192.168.122.248.9001: tcp 586 (DF)
    87.73.90.232.52614 > 192.168.122.248.9001: tcp 1172 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 1172 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 630 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 1098 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.45296 > 89.79.36.79.9001: tcp 586 (DF)
    192.168.122.248.9001 > 87.73.90.232.52614: tcp 586 (DF)
    88.208.121.151.9001 > 192.168.122.248.36193: tcp 0 (DF)
    87.73.90.232.52614 > 192.168.122.248.9001: tcp 586 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 212.117.162.222.32768: tcp 1448 (DF)
    192.168.122.248.9001 > 87.73.90.232.52614: tcp 586 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 1460 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 298 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 0 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 0 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 0 (DF)
    174.36.199.200.3268 > 192.168.122.248.9001: tcp 0 (DF)
    173.193.221.28.53343 > 192.168.122.248.9001: tcp 0 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    192.168.122.248.9001 > 174.36.199.200.3268: tcp 1460 (DF)
    [...]
    
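    Reading the two captures by eye gets tedious, so here is a small added helper (my own example, not part of the original post or of Tor) that parses the `tcpdump -n -t -q` lines from both sides, counts the bytes each remote peer sent to port 9001, and cross-checks that every peer seen on the host’s public IP also shows up inbound on the guest. It assumes both captures cover the same time window; the sample lines are constructed in the two formats shown above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats the two captures above print.
# Linux host (tcpdump -n -t -q): "IP src.port > dst.port: tcp len"
HOST_LINES = """\
IP 217.70.189.145.50078 > 213.113.52.4.9001: tcp 1448
IP 92.241.184.49.54966 > 213.113.52.4.9001: tcp 1448
IP 174.36.199.200.3268 > 213.113.52.4.9001: tcp 0
IP 85.31.187.67.60086 > 213.113.52.4.9001: tcp 586
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
""".splitlines()

# OpenBSD guest (tcpdump -n -q -t): "src.port > dst.port: tcp len (DF)"
GUEST_LINES = """\
212.117.162.222.32768 > 192.168.122.248.9001: tcp 0 (DF)
192.168.122.248.36193 > 88.208.121.151.9001: tcp 586 (DF)
92.241.184.49.54966 > 192.168.122.248.9001: tcp 586 (DF)
174.36.199.200.3268 > 192.168.122.248.9001: tcp 1172 (DF)
192.168.122.248.9001 > 174.36.199.200.3268: tcp 630 (DF)
""".splitlines()

# Optional "IP " prefix covers the Linux format; the trailing "(DF)" is ignored.
LINE_RE = re.compile(
    r"^(?:IP )?(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): tcp (\d+)")


def parse(lines):
    """Yield (src, sport, dst, dport, payload_len); non-packet lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, n = m.groups()
            yield src, int(sport), dst, int(dport), int(n)


def inbound_peers(lines, relay_ip, relay_port=9001):
    """Map (remote_ip, remote_port) -> payload bytes sent to relay_ip:relay_port.
    Flows the relay itself opened to other relays (outbound) are left out."""
    peers = defaultdict(int)
    for src, sport, dst, dport, n in parse(lines):
        if dst == relay_ip and dport == relay_port:
            peers[(src, sport)] += n
    return dict(peers)


def dnat_check(host_lines, guest_lines, public_ip, guest_ip, port=9001):
    """Peers seen on the host but never inbound on the guest point at a DNAT
    (or forwarding) problem rather than at the relay itself."""
    host_peers = inbound_peers(host_lines, public_ip, port)
    guest_peers = inbound_peers(guest_lines, guest_ip, port)
    missing = sorted(set(host_peers) - set(guest_peers))
    return {"host": len(host_peers), "guest": len(guest_peers), "missing": missing}
```

Feed it the real captures with `sudo tcpdump ... | python3 - ` style piping or by reading the saved output; an empty `missing` list is what a healthy redirect looks like.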
