It may have gone unnoticed by many, however for British citizens the start of 2017 was a sad day for privacy. With effect from the 30th of December 2016, a new law came into effect which vastly expanded the ability of the police and intelligence services (and the Food Standards Agency, the NHS, and British Transport Police) to scrutinise your internet browsing and other communications. Of course, I understand that in order to find a needle in a haystack, one must first have a haystack. However, implementing this law rests on a rather risky proposition: service providers must retain a record of every website you visit, when you visited, how long you visited for… and hold all of that data for 12 months. This results in quite a significant amount of data on a person being aggregated in one place. Certainly enough to infer a great deal of knowledge about that person and their pattern of life. Who might be interested in such data? Certainly the police and intelligence services if need be. But what about extortionists, blackmailers, and hostile foreign intelligence agencies? History has shown that ISPs aren’t secure. Before too long, there will be another breach, and huge amounts of personal data will be leaked as a direct result of the new law.
However… there is something you can do about it. Use of a VPN service (Paid for, not free. If you aren’t paying for the product, it’s because you are the product.) with strong encryption will help, as will the use of Tor. Below I’ve included a simple explanation of how to create a virtual machine that will act as a transparent proxy, sending all of your browsing data (including DNS queries!) over Tor. The tutorial assumes you’re familiar with Oracle’s VirtualBox and with using the command line in Linux.
First, download the latest Ubuntu Server ISO and install it, choosing only the minimal base system tools and libraries. If you plan to run the VM headless, or on a machine other than the one you actually browse from, include the SSH server as well. Set the VM’s network adapter to bridged mode, so that it gets its own address on your LAN and the other machines there can use it as their gateway.
Once you’ve installed and rebooted, log in as the user you created during setup and then elevate to root, for example with sudo -i. The commands that follow assume a root shell, so they are given without sudo:
Next, update the system and install tor:
apt-get update && apt-get -y upgrade && apt-get install tor
Next you’ll need to edit the configuration file at /etc/tor/torrc and add the following lines. TransPort and DNSPort take an ADDRESS:PORT argument, which tells Tor to listen on the VM’s LAN address rather than only on localhost. (Older guides express this with separate TransListenAddress and DNSListenAddress lines; current Tor releases no longer honour those options, so with them TransPort stays bound to 127.0.0.1 and nothing on the LAN can reach it.)

Log notice file /var/log/tor/notices.log
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 192.168.X.X:9040
DNSPort 192.168.X.X:53

On the TransPort and DNSPort lines, replace 192.168.X.X with the static IP of your server. The Debian and Ubuntu tor service unit grants the daemon the capability to bind port 53 even though it runs unprivileged; if your build refuses to bind it, use a high port such as 5353 here and point the UDP 53 iptables rule below at that port instead. You will also need to edit /etc/network/interfaces to reflect the fact that you want the VM to use a static IP. Within that file you’ll need to find the entry for the network card, which will almost certainly begin with something that looks like:
# The primary network interface
auto enp0s3
iface enp0s3 inet dhcp
In my home network I use the 192.168.0.0/16 private range, and my router is at 192.168.1.254, so my /etc/network/interfaces entry looks like this:

auto enp0s3
iface enp0s3 inet static
address 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.254
network 192.168.1.0
broadcast 192.168.1.255
dns-nameservers <resolver IP>

The dns-nameservers line only governs the VM’s own lookups (for apt and the like), which do not go through Tor; Tor itself bootstraps from hard-coded directory addresses and needs no DNS. Put whatever resolver you want the VM to use there, for example your router’s address.
Next, restart tor so that it reads the new configuration, and make sure it starts every time the VM reboots. Note that the package starts tor as soon as it is installed, with the default torrc, so a plain start at this point would do nothing and the old configuration would stay in effect. On a systemd-based Ubuntu:

systemctl restart tor && systemctl enable tor

(On older releases without systemd the equivalent is /etc/init.d/tor restart && update-rc.d tor enable.) Before going further, check that tor has bootstrapped and is listening on the LAN address rather than on localhost:

grep Bootstrapped /var/log/tor/notices.log
ss -lntup | grep tor

The second command should show TCP port 9040 and UDP port 53 bound to the 192.168.X.X address you configured.
…and then set up the iptables rules (be careful to use the correct interface name for your system after the -i switch; you are already root, so no sudo is needed). The order of the rules matters: the first matches SSH connections to the VM itself and terminates the chain before the catch-all rule can send them into Tor; the second sends client DNS queries to Tor’s DNSPort; the third sends every other new TCP connection arriving on the LAN interface to the TransPort. Nothing else is redirected, and because IP forwarding is left disabled (the Ubuntu Server default) any other traffic a client sends via this gateway, such as plain UDP or ICMP, is dropped rather than routed around Tor. Do not enable net.ipv4.ip_forward on this machine.

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 22 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -i enp0s3 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --syn -j REDIRECT --to-ports 9040
After each of those commands you won’t receive any kind of confirmation, unless you’ve done something wrong, in which case you’ll get an error message. So to check that the rules have been applied correctly, we can confirm the iptables rules in place by running the following command:
iptables -t nat -L
If you are happy that the rules are in place, then go ahead and save the rules to a config file:
iptables-save > /etc/iptables.conf
Now, to ensure that the rules are loaded back in every time we reboot, we need to create a very small script which will get called whenever the interface is brought up (usually during the boot process). To do this, open the file with your favourite text editor (I use nano):

nano /etc/network/if-pre-up.d/iptables

This creates the file and opens it for editing. (This hook is run by ifupdown, which is what Ubuntu 16.04 uses; releases from 17.10 onwards configure networking with netplan, do not run if-pre-up.d scripts, and ignore /etc/network/interfaces. On those, install the iptables-persistent package, save the rules with iptables-save > /etc/iptables/rules.v4, and set the static address under /etc/netplan instead.) Into the file, put the following contents:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.conf
The last thing to do is to make the script executable and reboot in order to apply all of the settings and to get the proxy up and running:
chmod +x /etc/network/if-pre-up.d/iptables
reboot
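As a worked example, here is the server-side procedure above gathered into one script, together with the checks a practitioner would want before trusting the proxy. This is added here and is not code from the original post. The defaults (PROXY_IP, IFACE, the port numbers, /etc/iptables.conf as the saved-rules path, and the check.torproject.org/api/ip endpoint with its IsTor JSON field) are assumptions; adjust them to your network. The generator functions let you inspect exactly what will be written before running apply as root, rules_present verifies against a live iptables-save dump (which expands --syn into its --tcp-flags form), and ip_forward_off confirms the fail-closed property that anything the rules do not redirect is dropped rather than routed.

```bash
#!/bin/bash
# tor-transproxy.sh: added example (not code from the original post) wrapping the
# server-side steps above in functions that can be inspected and tested before
# being applied. Defaults below are assumptions; override via the environment.
set -eu

PROXY_IP="${PROXY_IP:-192.168.1.1}"   # static LAN address of the proxy VM
IFACE="${IFACE:-enp0s3}"              # the VM's bridged interface
TRANS_PORT="${TRANS_PORT:-9040}"      # Tor TransPort
DNS_PORT="${DNS_PORT:-53}"            # Tor DNSPort; use e.g. 5353 if tor cannot bind 53

# torrc lines for a transparent proxy. The ADDRESS:PORT form of TransPort and
# DNSPort binds Tor to the LAN address; the old *ListenAddress options are gone
# from current Tor releases.  Args: listen-ip trans-port dns-port
gen_torrc() {
  cat <<EOF
Log notice file /var/log/tor/notices.log
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort $1:$2
DNSPort $1:$3
EOF
}

# nat table in iptables-restore format. Rule order matters: SSH to the VM is
# matched (and the chain terminated) before the catch-all TCP rule; client DNS
# goes to DNSPort; every other new TCP connection from the LAN goes to TransPort.
# Args: interface trans-port dns-port
gen_nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $1 -p tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i $1 -p udp --dport 53 -j REDIRECT --to-ports $3
-A PREROUTING -i $1 -p tcp --syn -j REDIRECT --to-ports $2
COMMIT
EOF
}

# Succeeds if an iptables-save dump on stdin contains all three redirects for
# interface $1, TransPort $2 and DNSPort $3. iptables-save rewrites --syn as
# --tcp-flags FIN,SYN,RST,ACK SYN and inserts -m tcp/-m udp, so match loosely.
rules_present() {
  dump="$(cat)"
  printf '%s\n' "$dump" | grep -q -- "-A PREROUTING -i $1 -p tcp .*--dport 22 -j REDIRECT --to-ports 22\$" || return 1
  printf '%s\n' "$dump" | grep -q -- "-A PREROUTING -i $1 -p udp .*--dport 53 -j REDIRECT --to-ports $3\$" || return 1
  printf '%s\n' "$dump" | grep -qE -- "-A PREROUTING -i $1 -p tcp .*(--syn|--tcp-flags FIN,SYN,RST,ACK SYN) -j REDIRECT --to-ports $2\$" || return 1
  return 0
}

# Fail-closed check: with IPv4 forwarding off, whatever the nat rules do not
# redirect (plain UDP, ICMP, ...) is dropped instead of being routed around Tor.
# Optional arg: path of the sysctl file to read (for testing).
ip_forward_off() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "0" ]
}

# Apply on the VM as root: keep forwarding off, append the torrc fragment once,
# load and persist the rules, restart tor so it reads the new config, verify.
apply() {
  [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=0 >/dev/null
  grep -q '^TransPort ' /etc/tor/torrc || gen_torrc "$PROXY_IP" "$TRANS_PORT" "$DNS_PORT" >> /etc/tor/torrc
  gen_nat_rules "$IFACE" "$TRANS_PORT" "$DNS_PORT" | iptables-restore
  iptables-save > /etc/iptables.conf          # restored by the if-pre-up.d hook above
  systemctl restart tor
  iptables-save | rules_present "$IFACE" "$TRANS_PORT" "$DNS_PORT" || { echo "nat rules missing" >&2; return 1; }
  ip_forward_off || { echo "ip_forward is on: traffic can bypass Tor" >&2; return 1; }
  echo "transparent proxy active on $PROXY_IP (TransPort $TRANS_PORT, DNSPort $DNS_PORT)"
}

# Run from a client whose gateway and DNS point at the VM. Queries the Tor
# Project's checker (endpoint and JSON field assumed) and succeeds only if the
# connection is seen arriving from a Tor exit.
client_check() {
  curl -fsS https://check.torproject.org/api/ip | grep -q '"IsTor":true'
}

case "${1:-}" in
  apply) apply ;;
  check) client_check && echo "client traffic is leaving via Tor" ;;
  *) ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

Run it on the VM as root with the argument apply once tor is installed, and with the argument check from a client that has already been pointed at the proxy. Keeping the generators separate from apply means the torrc fragment and nat rules can be reviewed (or diffed against what is already installed) before anything on the box changes.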
Assuming you’ve done everything right, the machine will reboot and bring up a tor proxy on the IP address you specified. You’ll need to know that IP address in order to connect your clients to it. In Windows 10 this is reasonably straightforward:
- Click on the Windows Icon to bring up the Start Menu
- Type in “Network and Sharing” – this should highlight the Network and Sharing Centre
- On the left hand side of the window, click on “Change adapter settings”
- Identify which network connection you use to access the internet and then right-click and select properties:
- Select IPV4 and click on properties to allow you to alter the settings:
Set the default gateway to the IP address you gave the Tor proxy VM (192.168.1.1 in my case; yours may be different). Set the preferred DNS server to that same address. This matters: the VM only sees, and so only redirects into Tor, the DNS queries that clients send to it, so if the DNS field is left pointing at your router every lookup will go to your ISP in the clear even though the browsing itself travels over Tor. If the adapter has IPv6 enabled, untick it as well: nothing in this setup handles IPv6, so a client that picks up an IPv6 address and an IPv6 DNS server from the router can bypass the proxy entirely.
Finally… we need to check that it works. From the client, visit https://check.torproject.org, which reports whether your connection is arriving from a Tor exit, and make sure the IP address it shows is not your own. To confirm that DNS is going over Tor rather than round it, stop tor on the VM for a moment (systemctl stop tor): both browsing and name resolution on the client should now fail outright. If lookups still succeed, the client’s DNS setting is not pointing at the proxy and your queries are leaking to the router.
Final word: Whilst browsing with Tor can help your overall privacy, it is by no means a guarantee of anonymity. Consider other ways in which you can be tracked: cookies, browser fingerprinting, leakage of your internal IP by WebRTC… consider this as just one part of an overall strategy, and never assume that you are completely safe just because you used Tor.