Using and implementing techniques for Privacy and Anonymity

Currently still under Construction



Introduction
Setting Up a Site-To-Site VPN with OpenVPN
Setting up OpenVPN Server for mobile clients
Setting up an SSTP VPN with Windows Server 2008 R2
SSH Tunnelling (Linux & Windows)
Connecting to Tor on Windows using Vidalia | Setting up a Tor Relay
Creating a Site-To-Site IPSec VPN with Cisco routers



Introduction

The following information will assist anyone who needs to implement, or wants to enable, secure connection mechanisms for privacy and/or anonymity. For the majority of this guide I will be using the pfSense firewall distribution. The security techniques covered in this guide are: Site-To-Site VPNs using OpenVPN, configuring an OpenVPN server on pfSense for secure remote access to one's network, setting up an SSTP VPN server using Windows Server 2008 R2, using SSH tunnelling methods, connecting to the Tor network, and finally a brief guide on using Tormail and BitCoin for anonymous online transactions.

Setting Up a Site-To-Site VPN with OpenVPN

For the Site-To-Site VPN we will be connecting to the Mullvad VPN provider.


First step: Import Mullvad CA into Pfsense Cert Manager:

Second step: Import client certificate and private key:

Third step: Create connection to Mullvad in OpenVPN Client:

Fourth step: Add a network interface. It should be called OPT1, depending on the number of existing interfaces; then select ovpnc1 as the network port. Note: my configuration does not use the default interface names and network port, hence the VPN interface and ovpnc6 network port shown here.

Fifth step: Enable the new interface:

Sixth step: Create a manual Outbound NAT rule to map any protocol from the LAN source to VPN interface:

Seventh step: Verify that OpenVPN has initialised:

Eighth step: Verify that the VPN is working by accessing a website, then check your IP address and DNS info at dnsleaktest.com.

Setting up OpenVPN Server for mobile clients

The following information will enable you to remotely establish a VPN connection to your home/small-business network.

First step: Go to the OpenVPN wizard, select Local User Access, and click Next.

Second step: Choose a Certificate Authority (note: go to the Certificate Manager to create a CA and certificate if required), click Next, then choose the server certificate.

Third step: For this setup, the protocol TCP and port 55690 will be used (note: the default OpenVPN protocol is UDP on port 1149).

Setting up an SSTP VPN with Windows Server 2008 R2

SSH Tunneling with Terminal (Linux)

First we'll start with Terminal in Linux.

1. Open a Terminal.

2. Make the SSH connection.

Syntax: ssh -CTNv -p [port] [user]@[hostname or ip address] -D [port to forward]

Example: ssh -CTN -p 443 jeff@my-remote-host.org -D 5000

The options are:

  • -C = Compression
  • -T = Disables TTY allocation (makes the SSH connection but won't give you a shell)
  • -N = Do not execute a remote command
  • -v = Verbose (prints what's happening to the screen; shown in the syntax line, optional in the example)
  • and finally, -D sets the local port to use for forwarding data through the SSH tunnel (dynamic SOCKS forwarding)


3. Next, we see that SSH has printed what it's doing to the screen and is now asking for a password. Type the password for your SSH account on the server here.

4. Now we see that the password has been accepted and the SSH tunnel is now set up and running.

5. Now we need to change the Proxy settings in Firefox.

From the menu bar choose Edit > Preferences. Select the Network tab, then click the Settings button.

Select the Manual proxy configuration radio button and in the SOCKS Host box type 127.0.0.1. Then in the Port box type 5000 (the port you chose with the -D option in Step 2).

6. The next step is to make sure that your DNS queries will go through the SSH tunnel rather than bypassing it.

In the browser address bar, type about:config and click the "I'll be careful, I promise!" button to continue.

In the search field type DNS, look for network.proxy.socks_remote_dns and set its value to true.

Finally, go to a website such as whatismyip.com or dnsleaktest.com and check that your IP address is now the IP address of the server you are tunnelling through.

If your IP address has not changed, go through the steps again to make sure you have set the browser proxy settings correctly.

SSH Tunneling with Putty (Windows)

For this we will use the Putty client on Windows.

1. Open Putty

2. Enter the remote server's IP address or hostname in the Host Name (or IP address) field, then enter the port number in the Port field.

3. In the left pane click the Plus sign next to SSH and then click Tunnels.

Enter the local port that you want to use to send traffic through this tunnel (5000 in this example) in the Source port field. Then select the Dynamic radio button.

Now click the Add button. Notice that port 5000 is now listed in the Forwarded ports box with a D for Dynamic.

4. Now click the Open button to start the connection. If this is the first time you're connecting to a specific server, you will see the following dialog box. Click Yes to accept.

You will be prompted for a Username and Password. After you enter them successfully, the session and tunnel will be open.

Now we need to set the proxy settings in the web browser. In this case: Firefox!

Open Firefox and go to the Tools menu. Select Options.

Select the Network tab and then click the Settings button.

Select the Manual proxy configuration radio button. Then in the SOCKS Host field type 127.0.0.1, and in the Port field type the port number that we used earlier for the tunnel: 5000.

Then click OK.

In the address bar go to about:config, then click the "I'll be careful, I promise!" button to continue.

Now in the search field, type DNS. Look under the Preference Name column for network.proxy.socks_remote_dns and change it to true.

Finally, go to a website such as whatismyip.com or dnsleaktest.com and check if your IP address has changed.

If it has... Hooray! It worked! You have successfully tunnelled your internet traffic through an SSH tunnel.

If it hasn't changed, then you may need to go over some of the steps again to make sure they are correct.
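As an added example (not part of this guide), the following Python script shows what the network.proxy.socks_remote_dns setting from the Linux and PuTTY sections changes on the wire: with remote DNS the browser hands the hostname itself to the SOCKS listener that ssh -D (or a PuTTY Dynamic tunnel) opens on 127.0.0.1:5000 and the SSH server resolves it; without it the name is resolved on the local machine first, which is the DNS leak. The tunnel is assumed to already be running on port 5000, and fetch_via_tunnel is a hypothetical helper written for this example.

```python
import socket
import struct

# Added example, not from the guide. Assumes an SSH dynamic forward is already
# listening on 127.0.0.1:5000 (ssh -D 5000 or a PuTTY "Dynamic" tunnel).
SOCKS_PORT = 5000

def socks5_connect_request(host, port, remote_dns=True):
    """Build the SOCKS5 CONNECT request a browser sends to the -D listener.

    remote_dns=True sends the hostname itself (ATYP 0x03) so the SSH server
    resolves it. False resolves the name here and sends the IPv4 address
    (ATYP 0x01): that local lookup is the DNS leak that setting
    network.proxy.socks_remote_dns to true prevents.
    """
    if remote_dns:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = b"\x01" + socket.inet_aton(socket.gethostbyname(host))
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)

def socks5_connect(sock, host, port, remote_dns=True):
    """Run the SOCKS5 handshake on a socket already connected to the listener."""
    sock.sendall(b"\x05\x01\x00")                  # version 5, one method: no auth
    ver, method = sock.recv(2)
    if ver != 5 or method != 0:
        raise OSError("proxy refused the no-auth method")
    sock.sendall(socks5_connect_request(host, port, remote_dns))
    reply = sock.recv(4)                           # VER REP RSV ATYP
    if len(reply) < 4 or reply[1] != 0:
        raise OSError(f"CONNECT failed, SOCKS reply {reply[1:2]!r}")
    atyp = reply[3]
    n = sock.recv(1)[0] if atyp == 3 else (4 if atyp == 1 else 16)
    sock.recv(n + 2)                               # bound address and port, unused
    return sock

def fetch_via_tunnel(host, path="/", remote_dns=True):
    """HTTP GET over the tunnel; returns the raw response text."""
    with socket.create_connection(("127.0.0.1", SOCKS_PORT), timeout=15) as s:
        socks5_connect(s, host, 80, remote_dns)
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        return b"".join(iter(lambda: s.recv(4096), b"")).decode(errors="replace")

if __name__ == "__main__":
    # Same request as the browser check, resolved by the SSH server, not locally.
    print(fetch_via_tunnel("dnsleaktest.com")[:300])
```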

Connecting to Tor using Vidalia

To start, you need to go to https://torproject.org and download the TorBrowserBundle application.

Click on the purple download button

And then click on the orange download button.

Once you see the dialog box below, select Save File.

Now open the .exe file. Select where you want to extract the TorBrowserBundle files and click Extract.

Navigate to the folder you chose in the previous step and double-click the Start Tor Browser executable.

You should now see the Vidalia Control Panel pop up and start making a connection to the Tor Network. (If it's not starting, click the Start Tor button.)

The next screenshot shows the program has successfully connected to the Tor Network. Once it has established a Tor connection, it will automatically open the TorBrowser (a version of Firefox)

The TorBrowser will automatically go to the site https://check.torproject.org to see if you are running Tor.

So if you see the following screen in the TorBrowser, you are using the Tor Network! (Hooray!!!)

If you only want to use Tor to browse web pages anonymously, then you've done all that you need to do. You don't need to read the rest of this section.


Setting up a Tor Relay

To set up a Tor Relay in an already running Vidalia instance, click on the Sharing icon. Then select the Relay traffic inside the Tor network (non-exit relay) radio button.

You may also specify a nickname for your relay, but it's not required. Leave everything under Basic Settings set to the default values.

Click on Bandwidth Limits and set the amount of bandwidth that you want to allocate to other users of the Tor network. Click OK and you're done! You are now a Tor Relay!

To set up an Exit Node for Tor

Click on the Sharing icon, then click the Relay traffic for the Tor network (exit relay) radio button.

Set the values as in the previous non-exit relay config, or leave them at the defaults.

Next click on the Exit Policies tab and select the Internet resources that you want to allow users to access through your exit node (Web, SSL, email, etc.). Then click OK and you're done!!

If you would like to view the Tor network map, you can click on the View the Network icon.

You'll see results like the ones below.

Creating a Site-To-Site IPSec VPN with Cisco routers

To set up a Site to Site VPN with Cisco routers, we will use Cisco's Packet Tracer program.

Here is the topology that we will use:

Using three 1841 routers with serial links between R1 > R2 and R2 > R3, we will configure RIPv2.

The Subnets that we will use here are:

  • R1 (LAN) 192.168.1.0/24
  • R3 (LAN) 192.168.3.0/24
  • R1 > R2 (Serial) 10.1.1.0/30
  • R2 > R3 (Serial) 10.2.2.0/30

First, configure R1 interfaces.

R1(config)#interface fa0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface s0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown

Router 2:

R2(config)#int s0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int s0/0/1
R2(config-if)#ip address 10.2.2.1 255.255.255.252
R2(config-if)#no shutdown

Router 3:

R3(config)#int fa0/0
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#int s0/0/1
R3(config-if)#ip address 10.2.2.2 255.255.255.252
R3(config-if)#no shutdown

Now we need to set up RIP version 2.

On R1:

R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.1.1.0
R1(config-router)#no auto-summary

On R2:

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 10.0.0.0
R2(config-router)#no auto-summary

On R3:

R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#network 192.168.3.0
R3(config-router)#network 10.2.2.0
R3(config-router)#no auto-summary

Make sure you can see all networks in every router's routing table.

Now you should test connectivity with a ping test from PC2 to PC1 or vice versa.

The following table shows the configuration that we need for the VPN.

Encryption Details

  Setting          R1                R3
  Encryption       AES               AES
  Key              FreePenguin       FreePenguin
  Hash             SHA               SHA
  Authentication   pre-shared key    pre-shared key
  DH Group         2                 2
  Lifetime         86400             86400
  Transform Set    VPN-SET           VPN-SET
  ACL              110               110
  Peer             10.2.2.2          10.1.1.1

This table shows the configuration for the VPN map.

Map Details

  Setting          R1                R3
  Description      VPN to R3         VPN to R1
  Peer             10.2.2.2          10.1.1.1
  Transform set    VPN-SET           VPN-SET
  ACL              110               110

Configuring ISAKMP Phase 1. We will configure ISAKMP and IPsec on R1 first, then move to R3.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit

Set the pre-shared key to be used:

R1(config)#crypto isakmp key FreePenguin address 10.2.2.2

Configure IPsec: define the crypto ACL that selects the traffic to be protected.

R1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Create the IPsec transform set:

R1(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac

Create the Crypto Map

R1(config)#crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)#description VPN link to R3
R1(config-crypto-map)#set peer 10.2.2.2
R1(config-crypto-map)#set transform-set VPN-SET
R1(config-crypto-map)#match address 110
R1(config-crypto-map)#exit

Finally, the last part... for R1: apply the crypto map to the interface.

R1(config)#int s0/0/0
R1(config-if)#crypto map VPN-MAP

You should see the following message:

*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

If you see that ISAKMP is ON, then we have completed the IPsec VPN config on R1.

Now for the configuration of ISAKMP Phase 1 on R3!

Since this is the same config as R1 (except for the IP addresses), I'll just list all of the commands, as they are the same as before.

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encr aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key FreePenguin address 10.1.1.1
R3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)#crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set transform-set VPN-SET
R3(config-crypto-map)#match address 110
R3(config-crypto-map)#exit
R3(config)#interface s0/0/1
R3(config-if)#crypto map VPN-MAP
Router output:

*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
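As an added example (not from the guide or from Cisco), the following Python check reads the two routers' crypto configuration and reports anything that would stop the SA from forming: an ISAKMP policy that differs between peers, mismatched pre-shared keys, crypto map peers that do not point at each other, crypto ACLs that are not mirror images, or a transform set that is missing (for instance because the transform-set command was mistyped). The sample configs are constructed from the R1 commands above, with R3 derived as the mirror image.

```python
# Added example, not from the guide: check that two Cisco IOS crypto configs are
# mirror images before expecting the IPsec SA to come up. Sample input is
# constructed from the R1 commands in the guide; R3 is derived from it.
R1 = """crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key FreePenguin address 10.2.2.2
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set VPN-SET
 match address 110"""
# R3 is R1 with the peer address and the ACL source/destination swapped.
R3 = R1.replace("10.2.2.2", "10.1.1.1").replace(
    "192.168.1.0 0.0.0.255 192.168.3.0", "192.168.3.0 0.0.0.255 192.168.1.0")

def parse(cfg):  # extract the fields both peers must agree on (or mirror)
    f = {"policy": {}, "key": None, "acl": None, "tsets": {}, "peer": None, "tset": None}
    for line in cfg.splitlines():
        w = line.split() or [""]
        if w[0] in ("encr", "hash", "authentication", "group", "lifetime"):
            f["policy"][w[0]] = w[1]             # ISAKMP (Phase 1) attributes
        elif w[:3] == ["crypto", "isakmp", "key"]:
            f["key"] = w[3]                      # pre-shared key
        elif w[0] == "access-list":
            f["acl"] = (w[4], w[6])              # (source net, destination net)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            f["tsets"][w[3]] = tuple(w[4:])      # name -> (esp-..., esp-...)
        elif w[:2] == ["set", "peer"]:
            f["peer"] = w[2]
        elif w[:2] == ["set", "transform-set"]:
            f["tset"] = w[2]
    return f

def mirror_problems(cfg_a, cfg_b, ip_a, ip_b):  # reasons the SA would not form
    a, b, problems = parse(cfg_a), parse(cfg_b), []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy attributes differ (Phase 1 fails)")
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    if a["peer"] != ip_b or b["peer"] != ip_a:
        problems.append("crypto map peers do not point at each other")
    if a["acl"] is None or b["acl"] is None or a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images (Phase 2 proxy-ID mismatch)")
    if a["tset"] not in a["tsets"] or a["tsets"][a["tset"]] != b["tsets"].get(b["tset"]):
        problems.append("transform set missing or differs between peers")
    return problems
```

Running mirror_problems(R1, R3, "10.1.1.1", "10.2.2.2") on the configs above returns an empty list; feeding it a copy of R3 in which the transform-set line is mistyped reports the missing transform set.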

Issue a ping from PC1 to PC2. Hopefully it will be successful for you.


Now we verify that the ping we just sent was actually encrypted and sent through the VPN tunnel.


R1#show crypto ipsec sa

The outlined section shows that 3 packets were encrypted and decrypted successfully.


That's it! You've configured and verified an IPsec VPN tunnel!