
#1 2017-11-08 23:53:32

cloverskull
Member
Registered: 2015-10-01
Posts: 348

[DEPRECATED]Secure browsing and torrenting

WARNING: This guide should be considered a starting point for a conversation and a lens into the world of secure computing, but I'd hesitate to follow it at this point. Some aspects of this guide result in a suboptimal secure computing platform and I intend to rewrite it entirely with more reasonable suggestions!

Hey guys,

I'm not advocating for piracy here, but I am advocating for file sharing, legally. Let's just say I don't want my ISP tracking me sharing bunsenlabs ISOs. :)

Now, I have one big caveat to this howto - currently in Debian Jessie, nm-applet is broken insofar as you are unable to use a GUI to set up openvpn sessions. I'll go over the manual, bash terminal method as well as the graphical method, but don't be surprised when the graphical method segfaults for you!

Ok, I set this up using firejail, blocking ipv6, some custom firefox rules, custom firejail rules, and a VPN configured through NordVPN. I like NordVPN because you can pick what country you'd like to be, which means I can watch Netflix (USA) while I work overseas at times, and I can also make my traffic originate in a country like Switzerland that favors privacy more than we do here in the USA.

Basic setup steps.

Install firejail

sudo apt-get install firejail

Firejail is a neat little program. It silos processes into defined namespaces/UID/whatever, basically blocking access to certain resources. I'll not go into how firejail works at length, but encourage you to check out the Arch wiki page on firejail for further reading.

First, let's make a simple script in ~/bin that we can call to block any arbitrary program's access to the internet. I call mine ~/bin/safe. In this file, I have the following

#!/bin/bash
# Run the given program inside firejail with all networking removed.
# "$@" must be quoted so arguments containing spaces reach the program intact.
firejail --net=none "$@"

Save that in the file, chmod +x ~/bin/safe, and let's test it. I used vlc, by way of "safe vlc", and tried loading a network URL to a youtube video. Lo and behold, it was blocked from reaching network resources. Sweet!

Moving on, let's talk about how VPNs work. Allegedly they encapsulate all of your traffic to obfuscate your activity and/or make it appear you are in a different location. This is great, in theory, but in reality there are many ways your computer leaks the truth about who you are and what you're doing, which makes associating your activity very easy. Yes, this is a bit tin-foil-hat-y, but if we're gonna go secure, let's go all the way, shall we?

Open up a web browser and head to https://ipleak.net/ to see everything the internet knows about you. We'll work on these items systematically.

First off, find a good VPN service that uses OpenVPN. I recommend NordVPN. Sign up, pay the man, and get your account credentials. Create a folder in your home directory, I used ~/vpn, and get the *.ovpn files from the VPN provider saved inside.

A couple of preliminary installation steps:

sudo apt-get install openvpn
cd ~/vpn
wget https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip
unzip ovpn.zip
rm ovpn.zip

Find the server you'd like to configure, which will be associated with one of the .ovpn files. In the case of NordVPN, there is a page here which lists all the servers. Pick from "Standard VPN Servers" and select the country you'd like to pretend to be. Note the corresponding .ovpn file (pick either TCP or UDP, I'm unsure if it makes all that much of a difference, but TCP gave me better error control watching videos).

Ok, this is for Jessie users, we need to do this through bash. That means when you connect to your VPN, you leave it connected and leave the window open! Stretch users can skip ahead.

Jessie users, to fire up your VPN session:

sudo openvpn [file name]

So for example

sudo openvpn ~/vpn/ovpn_tcp/us842.nordvpn.com.udp.ovpn

This will prompt you for your credentials. Don't worry, nothing is saved or echoed or anything. Now I'm going to cover how to set this up in nm-applet, which Jessie users can skip (for now).

For stretch users, we can do this through nm-applet.

First, we need to install network-manager-openvpn-gnome and bounce the network-manager service

sudo apt-get install network-manager-openvpn-gnome
sudo service network-manager restart

After a minute or so your network connection should come back up. At this point, let's configure the VPN. Click on the network icon in your panel, VPN Connections, Configure VPN. (pro-tip: sudo nm-connection-editor from the command line, then click "Add").

From here we want to "Import a Saved VPN Configuration". Locate your corresponding .ovpn file you'd like to use (commensurate with the server you'd like to use) and configure the login name. You can save your password here as well, but it's something I prefer not to do.

To activate, just click your network manager applet, VPN connection, and select the VPN.

Back to all users again:

Now if we sanity check against https://ipleak.net/ you'll see the "Your IP address" section reflects the VPN. However, we're still leaking DNS, still leaking WebRTC, geolocation, torrenting...there are a few more steps.

If you don't need IPV6, let's shut it off. Most VPNs don't tunnel this stuff yet so it's just a vulnerability.

In /etc/default/grub, append "IPV6_DISABLE" to "GRUB_CMDLINE_LINUX".

sudo nano /etc/default/grub

Make this line

GRUB_CMDLINE_LINUX=""

Look like this

GRUB_CMDLINE_LINUX="ipv6.disable=1"

Save it and run

sudo update-grub

Then edit /etc/sysctl.conf

sudo nano /etc/sysctl.conf

And paste the following at the bottom

# ipv6 switcheroo
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# per-interface entries: use the interface names that "ip link" shows on your machine
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eno1.disable_ipv6 = 1
net.ipv6.conf.wlan0.disable_ipv6 = 1

Save it, close it, and

sudo sysctl -p

If you see errors about missing devices, just comment out those lines and try again. It's no big deal to leave them in there, in the long run.

Ok, now let's default-jail all of our applications and apply some smart jailing logic right off the bat.

sudo firecfg

And then let's edit transmission-gtk's default jail settings to disable IPV6.

sudo nano /etc/firejail/transmission-gtk.profile

Find the line that says

protocol unix,inet,inet6

and make it say

protocol unix,inet

And then add custom dns servers (up to 3) just below it. I'll paste the NordVPN custom DNS servers here. This is useful to avoid DNS leaking.

dns 162.242.211.137
dns 78.46.223.24

Ok, now let's set up a secure browser. We'll use firefox for this.

First, I made a script called ~/bin/safeffx. Copy the following into that file, chmod +x the file, and then it should run jailed.

firejail --private --netfilter=/etc/firejail/nolocal.net --protocol=unix,inet --dns=162.242.211.137 --dns=78.46.223.24 firefox -no-remote --private

Note, all of that is on one line. A quick description is that we are running firejail in private mode (lock down access to the filesystem), we aren't allowing firefox to sniff any local network stuff, we're locking down to inetv4, we're using our two custom DNS servers, and we're launching Firefox privately. Adjust your settings as needed.

Now, if you go to https://ipleak.net/ you'll probably still see that we're leaking some things. We need to configure our browser. Go to your url search bar and type about:config. Search for 'media.peerconnection.enabled' and double click on it to switch it from true to false. Now if you go to https://ipleak.net/ you'll see that we're no longer leaking WebRTC requests. Go back into about:config and switch "geo.enabled" to be false as well. Reload https://ipleak.net/ and find the Geolocation portion. Click the Activate button and it should pop up with a warning that it can't find you, or that the user disabled geolocation services. Good!

As a final test, click the button in https://ipleak.net/ to download a magnet link torrent. Open it up in Transmission. Sorry, I haven't configured or tested this in another bittorrent client, so I only have instructions for transmission. Go ahead and let that torrent churn for a while. The only reports you should see in https://ipleak.net/ should be the ones for the IP address of the VPN tunnel itself. Nothing should be revealed about you in that page. No location data whatsoever.

Ok, that pretty much wraps things up. Again, I don't advocate stealing software/music/movies or whatever, and this isn't a 100% solution for security and privacy. But it's a step in the right direction.

Please let me know if you have any issues or if there's some way to improve this howto. Thanks!

Last edited by cloverskull (2017-11-09 19:32:56)
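As an added example (not part of cloverskull's post), here is a small POSIX shell script that checks, once the VPN is up, for the leaks the howto walks through: the default route leaving via the tunnel, resolvers limited to the two NordVPN DNS servers named above, IPv6 disabled in sysctl, and a firejail profile whose protocol line no longer lists inet6. Each check takes the text it inspects as an argument, so it can be exercised offline against the constructed samples embedded in the script; `--live` runs the same checks against the current machine. One caveat the howto does not state: the kernel's own boot parameter for switching IPv6 off is `ipv6.disable=1`; the sysctl check below verifies the effective state whichever way it was set.

```shell
#!/bin/sh
# Added example, not from the original post. Offline-testable leak checks for
# the setup described in the howto. The allowed resolver list is taken from the
# post; the sample inputs below are constructed for demonstration.

# Resolvers the jail is supposed to use (the two NordVPN servers from the howto).
ALLOWED_DNS="162.242.211.137 78.46.223.24"

# Constructed samples, standing in for `ip route show default`, /etc/resolv.conf,
# `sysctl` output and a firejail profile.
SAMPLE_ROUTE='default via 10.8.0.1 dev tun0 proto static metric 50'
SAMPLE_RESOLV='# constructed sample resolv.conf
nameserver 162.242.211.137
nameserver 78.46.223.24'
SAMPLE_LEAKY_RESOLV='nameserver 192.168.1.1'
SAMPLE_SYSCTL='net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1'
SAMPLE_PROFILE='include transmission-gtk.local
protocol unix,inet'

# 0 if the default route text ($1) leaves via a tun/tap device, 1 otherwise.
default_route_via_tunnel() {
    printf '%s\n' "$1" | grep -Eq '^default .*dev (tun|tap)[0-9]+'
}

# 0 if every "nameserver" line in the resolv.conf text ($1) is in the
# space-separated allow-list ($2) and at least one nameserver is present.
resolvers_allowed() {
    printf '%s\n' "$1" | awk -v allowed=" $2 " '
        $1 == "nameserver" {
            n++
            if (index(allowed, " " $2 " ") == 0) {
                print "unexpected resolver: " $2 > "/dev/stderr"; bad = 1
            }
        }
        END { exit (bad || n == 0) }'
}

# 0 if every disable_ipv6 key in the sysctl text ($1, "key = value" lines) is 1.
ipv6_disabled() {
    printf '%s\n' "$1" | awk -F ' = ' '
        $1 ~ /disable_ipv6$/ { n++; if ($2 != 1) bad = 1 }
        END { exit (bad || n == 0) }'
}

# 0 if the firejail profile text ($1) has a protocol line and none of them
# allows inet6 (the edit the howto makes to transmission-gtk.profile).
profile_blocks_inet6() {
    printf '%s\n' "$1" | awk '
        $1 == "protocol" { n++; if ($2 ~ /inet6/) bad = 1 }
        END { exit (bad || n == 0) }'
}

# Runs the checks against this machine; returns 1 if any leak is found.
run_live_checks() {
    status=0
    default_route_via_tunnel "$(ip route show default 2>/dev/null)" \
        && echo "ok: default route goes through the tunnel" \
        || { echo "LEAK: default route is not via a tun/tap interface"; status=1; }
    resolvers_allowed "$(cat /etc/resolv.conf)" "$ALLOWED_DNS" \
        && echo "ok: resolvers are the expected ones" \
        || { echo "LEAK: resolv.conf lists an unexpected resolver"; status=1; }
    ipv6_disabled "$(sysctl net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6 2>/dev/null)" \
        && echo "ok: IPv6 is disabled" \
        || { echo "LEAK: IPv6 is still enabled"; status=1; }
    return $status
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    # Stand-alone demo on the constructed samples.
    default_route_via_tunnel "$SAMPLE_ROUTE" && echo "sample route: via tunnel"
    resolvers_allowed "$SAMPLE_RESOLV" "$ALLOWED_DNS" && echo "sample resolv.conf: only VPN resolvers"
    resolvers_allowed "$SAMPLE_LEAKY_RESOLV" "$ALLOWED_DNS" 2>/dev/null || echo "leaky resolv.conf: LAN router detected"
    ipv6_disabled "$SAMPLE_SYSCTL" && echo "sample sysctl: IPv6 off"
    profile_blocks_inet6 "$SAMPLE_PROFILE" && echo "sample profile: inet6 removed"
fi
```

Run it as `sh leakcheck.sh --live` from inside the session where the VPN is connected; run it without arguments to see the checks applied to the embedded samples. The per-interface sysctl keys are deliberately not checked, since `all` and `default` are the ones that cover interfaces that appear later.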

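A second added example, not the poster's own ~/bin/safeffx: firejail's bare `--private` gives Firefox a fresh, empty home on every launch, so the two about:config changes above (media.peerconnection.enabled and geo.enabled) would have to be redone each time. The script below uses firejail's `--private=<directory>` form instead, which keeps a persistent private home, pre-writes those preferences into a user.js in a profile directory inside it, and launches Firefox against that profile with the same network flags as the howto. The jail home location (~/.firejail-ffx), the profile directory name and the two extra prefetch-related prefs are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Persistent, pre-hardened firejail
# home for Firefox. Paths below are this example's assumptions.
set -u

# Persistent private home used with --private=<dir> (assumed location).
JAIL_HOME="${JAIL_HOME:-${HOME:-/tmp}/.firejail-ffx}"
# Firefox profile directory inside that home (assumed name).
PROFILE_DIR_NAME="ffprofile"

# Writes a user.js into profile directory $1 with the two prefs the howto sets
# by hand in about:config, plus two prefs that cut DNS/connection chatter.
# Prints the path of the file it wrote.
write_hardened_userjs() {
    mkdir -p "$1"
    cat > "$1/user.js" <<'EOF'
// WebRTC off: stops the browser from exposing local/non-tunnel addresses
user_pref("media.peerconnection.enabled", false);
// Geolocation API off
user_pref("geo.enabled", false);
// No DNS prefetching of links on a page
user_pref("network.dns.disablePrefetch", true);
// No speculative fetching of "next" pages
user_pref("network.prefetch-next", false);
EOF
    printf '%s\n' "$1/user.js"
}

# 0 if user.js in profile directory $1 sets pref $2 to the literal value $3.
userjs_has_pref() {
    grep -Fqx "user_pref(\"$2\", $3);" "$1/user.js"
}

# Ensures the user.js exists, then replaces this shell with the jailed Firefox.
# Inside the jail, $HOME is the private directory, so $HOME/ffprofile resolves
# to the profile written above.
launch() {
    write_hardened_userjs "$JAIL_HOME/$PROFILE_DIR_NAME" >/dev/null
    exec firejail --private="$JAIL_HOME" --netfilter=/etc/firejail/nolocal.net \
        --protocol=unix,inet --dns=162.242.211.137 --dns=78.46.223.24 \
        firefox -no-remote -profile "$HOME/$PROFILE_DIR_NAME"
}

if [ "${1:-}" = "--launch" ]; then
    launch
fi
```

Save it as ~/bin/safeffx, make it executable and start the browser with `safeffx --launch`; re-check https://ipleak.net/ afterwards, since the user.js is applied when the profile loads and later manual changes in about:config to the same prefs are reverted on the next start.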

#2 2017-11-09 05:25:32

dhalgren
Member
Registered: 2015-10-01
Posts: 152

Re: [DEPRECATED]Secure browsing and torrenting

Thanks. Helped me fix a problem I was having with my vpn.


#3 2017-11-09 07:26:40

Snap
Member
Registered: 2015-10-02
Posts: 465

Re: [DEPRECATED]Secure browsing and torrenting

Nice howto.

I think I have to point out something regarding editing profiles whatsoever. When firejail upgrades arrive, the profiles are often updated and thus overwritten, so any changes made to them will be lost. Customizations should be made in *.local files instead of the default *.profile files provided. Locals override default profiles. So instead of this:

sudo nano /etc/firejail/transmission-gtk.profile

better go like this:

sudo cp /etc/firejail/transmission-gtk.profile /etc/firejail/transmission-gtk.local
sudo nano /etc/firejail/transmission-gtk.local

and make any customization to the local file instead.

Aside from this, keep an eye on profile changes every firejail upgrade. You might be using an outdated and insecure local setup. Keep track of changes and manually keep your locals up to date. Yes, for this and other reasons firejail can be a cumbersome annoyance.

Last edited by Snap (2017-11-09 07:27:24)


#4 2017-11-09 07:33:12

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,068

Re: [DEPRECATED]Secure browsing and torrenting

Thanks for the guide cloverskull!

I would note though that the user namespaces kernel feature that is employed by firejail is not really secure at all and new vulnerabilities in that system are posted fairly frequently so it may not be wise to rely on it too much.

See this post on the Arch mailing list for more:

https://lists.archlinux.org/pipermail/a … 43066.html

EDIT: Daniel Micay is the maintainer of Arch's linux-hardened kernel package and a member of the KSPP and works as the lead developer of CopperheadOS as his day job so he knows his stuff.

Last edited by Head_on_a_Stick (2017-11-09 07:38:56)


#5 2017-11-09 12:57:48

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: [DEPRECATED]Secure browsing and torrenting

Great tuto, thanks!

@HoaS From the link: "Firejail - A junk, insecure application is not a reason to greatly reduce kernel security for everyone." Ouch!!! That's a short and clear statement, I did not know about it. So there is no Firejail or similar apps on Arch. Interesting. If I'm not mistaken the basic idea is about sandboxing, which should increase system security, but those user namespace vulnerabilities just have a sort of counter-effect. At least this is how it looks...

It makes no sense then to use Transmission, Midori, Firefox, vlc, etc. in Firejail? Hmmm, good question...


#6 2017-11-09 17:31:53

SBruleMD
Member
Registered: 2017-02-12
Posts: 9

Re: [DEPRECATED]Secure browsing and torrenting

cloverskull wrote:

Now, I have one big caveat to this howto - currently in Debian Jessie, nm-applet is broken insofar as you are unable to use a GUI to set up openvpn sessions. I'll go over the manual, bash terminal method as well as the graphical method, but don't be surprised when the graphical method segfaults for you!

fwiw, I have three openvpn connections that I have been using with nm-applet since I installed Hydrogen earlier this year; no issues. Wasn't aware there was a known problem with openvpn and nm-applet on Jessie.


#7 2017-11-09 19:19:03

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,068

Re: [DEPRECATED]Secure browsing and torrenting

martix wrote:

It makes no sense then to use Transmission, Midori, Firefox, vlc, etc. in Firejail?

No, firejail does provide some protection and it is probably worth using but what I am saying is that it should not be regarded as some sort of "silver bullet" that will solve all security problems.

NSA wrote:

Security is a state of mind.


#8 2017-11-09 19:30:54

cloverskull
Member
Registered: 2015-10-01
Posts: 348

Re: [DEPRECATED]Secure browsing and torrenting

After doing a bit more research and local testing, I don't think this guide should be followed. I'm going to deprecate it in the title and add a big warning but will leave it around for posterity (and the ensuing conversation which followed). I think I may have a much easier method for being able to securely browse/torrent, which I'll write up shortly as an alternative.

Thanks everyone!


#9 2018-01-30 13:29:41

Muntic0re
Member
From: USA
Registered: 2016-12-08
Posts: 27

Re: [DEPRECATED]Secure browsing and torrenting

thanks for this guide


#10 2018-01-30 17:26:42

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: [DEPRECATED]Secure browsing and torrenting

@Muntic0re There is another - newer - one from cloverskull here.


#11 2018-02-02 12:07:22

Muntic0re
Member
From: USA
Registered: 2016-12-08
Posts: 27

Re: [DEPRECATED]Secure browsing and torrenting

Good guide @martix too. I usually use Tor browser and a proxy server for a secure connection. Moreover it gives me high speed and with proxy, https://buy.fineproxy.org/eng/index.html I can switch to whatever country I want. Always good support.

Last edited by Muntic0re (2018-02-22 11:26:08)

