Openbsd, Tor and the "Streams Isolation"

in #openbsd4 years ago

¿Stream isolation?


isolation

So, we've arrived to configure our Tor daemon in a manner that will transparently "torified" all the tcp connections of our workstation using a where it "speaks" with the firewall of OpenBSD, pf.
¿Do you remember? It was here, in our steemit.
Obviously our work is so far to be considered as terminated, and in a matter or another sincerely i think that we'll work to protect privacy of Internet users all the rest of ours life, but this is another story.
Stream isolation...not a lot of people speak about isolation, human mind consider it one of the worst thing; and sincerely they have some reason, isolation is not amused. But in privacy world isolation of differents streams of data is the key, if one of the fourteen or one bad boys organization (¿are there any differences?...no i really don't think so...man i don't think...i know it).
Our good friend Tor, you're a friend of mine correct my dear, in a somehow less documented feature or better less publicized feature can isolate TCP/IP streams in four different manners; we know that a connection is characterized by:

1. source ip
2. destination ip
3. source port
4. destination port

If some of you, dear friends, don't know how work the TCP/IP protocol i can recommend to you read a little introduction in the famous wikipedia, here.
In practice tor will assign a different route in the tor network for every connection, every ip and every application depending by our configuration in the torrc file.

Hacking over torrc##


So we're going to change the configuration of our torrc to enable the over commented stream isolation.
Here you are the new version like usual located under /etc/tor/ :

User _tor
RunAsDaemon 1
AvoidDiskWrites 1
Log notice syslog
Log notice file /var/log/tor_log

DataDirectory /var/tor

ControlSocket /var/tor/control GroupWritable RelaxDirModeCheck
ControlSocketsGroupWritable 1
SocksPort unix:/var/tor/socks WorldWritable

ControlPort 127.0.0.1:9051 
CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /var/tor/control.authcookie

GeoIPFile /usr/local/share/tor/geoip
GeoIPv6File /usr/local/share/tor/geoip6

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1

ExcludeNodes {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
NodeFamily {AU}, {CA}, {US}, {NZ}, {GB}, {DK}, {FR}, {NL}, {NO}, {BE}, {DE}, {IT}, {ES}, {SE}
StrictNodes 1
GeoIPExcludeUnknown 1
PathsNeededToBuildCircuits 0.95

DNSPort 127.0.0.1:53 IsolateDestPort

#GENERIC
TransPort 127.0.0.1:9040

#FIREFOX
SocksPort 127.0.0.1:9900
#CHROMIUM
SocksPort 127.0.0.1:9901
#TOR BROWSER
SocksPort 127.0.0.1:9902
#XCHAT
SocksPort 127.0.0.1:9903 IsolateDestAddr IsolateDestPort
#THUNDERBIRD + TORBIRDY
SocksPort 127.0.0.1:9904 IsolateDestAddr IsolateDestPort
#IM
SocksPort 127.0.0.1:9905 IsolateDestAddr IsolateDestPort
#PKG_ADD
SocksPort 127.0.0.1:9906
#KEYBASE
SocksPort 127.0.0.1:9907 IsolateDestAddr IsolateDestPort
#SSH
SocksPort 127.0.0.1:9908 IsolateDestAddr IsolateDestPort
#WGET
SocksPort 127.0.0.1:9909 IsolateDestAddr IsolateDestPort
#BITCOIN
SocksPort 127.0.0.1:9910
#PRIVOXY
SocksPort 127.0.0.1:9911
#POLIPO
SocksPort 127.0.0.1:9912
#GNOME wide proxy
SocksPort 127.0.0.1:9913

Ok, starting for our last configuration of torrc you are seeing a lot of addictions.
First of all you've to create /var/tor/control.authcookie :

 $ doas -u _tor touch /var/tor/control.authcookie

Secondly you can appreciate that we statically declare a serie of SocksPort with differents options for every applications we're normally use in our workstation (there are the mine, you can declare others).
But what exactly are we doing?
We are considering the transparent proxy port (TransPort 127.0.0.1:9040) like our last resources, in fact all application that we're not declare in the other ports will be enrouted in the tor network using that port.
The others applications that we're declaring are going to be configured statically one by one if they support proxing with socks technology or will be encapsulated for a third program, in our escario we will use torsocks, provoxy or polipo.
There's another difference, some application will use IsolateDestAddr and/or IsolateDestPort.
These two options, two of the fourth that tor are bind to us, create differentes circuits for the same application. In practice using the same app we will bind to differents ip address.
Using those tricks in only one work session we're using many different indentities to the external world. It's obvious that we're hiding very good our presence in Internet.

##Special thanks##

I want to close this post, say one simple thank you, to the Whonix crew, that have worked a lot and publicate good tutorials about streams isolations and explain it with in a good and simple way.

thank you