TOR Breakout Prevention (Poor Man's Solution)
The idea here is to make a virtual machine that can only connect to
another VM (the router) which is running TOR. With this, if
someone hacks you (through your web browser, or through your hidden
service if you're running one) and gets root access to your
system (the VM), they won't be able to connect directly to the outside world.
I never finished this exercise
because it wasn't working 100% and I didn't want to keep polishing it. It
still might be useful someday. It could be combined with my OpenVPN VM
Network to do stuff as well.
Here's what held me back:
- the libvirt "isolated" network gives access to the hypervisor
system, so you'd need to set up a virtual network manually
- I was hoping to test out a hidden service, but realized I can't
poke a hole in my firewall for TOR, so I have no way for traffic to get
back to me...despite some notes found saying that TOR's reverse proxy
might be able to do this
Key point: keep the router VM very locked down. Only the TOR service (or
possibly privoxy/polipo) should be accessible from the client VM. No httpd, sshd, etc.
2 Ethernet interfaces on the router VM:
- Hypervisor segregated network (the isolated side), configured as a static
  interface in /etc/network/interfaces:
    iface eth1 inet static
  then restart networking:
    sudo service networking restart
- torrc entry to expose the client VM's web server as a hidden service:
    HiddenServicePort 80 10.34.100.3:80
- privoxy config entry to forward everything to TOR's SOCKS port:
    forward-socks5 / 127.0.0.1:9050 .
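An added example (not from the original notes) of what "very locked down" can look like on the router VM, tying together the lockdown requirement and the config fragments above: a POSIX shell script that emits an iptables-restore ruleset in which the only inbound services reachable from the isolated network are the TOR SOCKS port and privoxy, and the FORWARD chain is dropped so the client VM cannot route around TOR, plus a checker that rejects any ruleset opening another port. It assumes eth1 faces the isolated network, the isolated subnet is 10.34.100.0/24 (the notes use 10.34.100.3 for the client VM), TOR SOCKS on 9050 (from the forward-socks5 line) and privoxy on its default 8118; the interface name, subnet and privoxy port are assumptions.

```shell
#!/bin/sh
# Constructed example: lockdown ruleset generator for the TOR router VM.
# Assumptions: eth1 = isolated side facing the client VM, isolated subnet
# 10.34.100.0/24, TOR SOCKS on 9050, privoxy on 8118. Adjust to taste.
ISOLATED_IF="${ISOLATED_IF:-eth1}"
ISOLATED_NET="${ISOLATED_NET:-10.34.100.0/24}"
TOR_SOCKS_PORT="${TOR_SOCKS_PORT:-9050}"
PRIVOXY_PORT="${PRIVOXY_PORT:-8118}"

# Print an iptables-restore ruleset. INPUT and FORWARD default to DROP:
# nothing is routed for the client VM, and only TOR/privoxy accept new
# connections from the isolated side. OUTPUT stays open so TOR can reach
# its guards and connect back to 10.34.100.3:80 for the hidden service.
gen_router_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $ISOLATED_IF -s $ISOLATED_NET -p tcp --dport $TOR_SOCKS_PORT -j ACCEPT
-A INPUT -i $ISOLATED_IF -s $ISOLATED_NET -p tcp --dport $PRIVOXY_PORT -j ACCEPT
COMMIT
EOF
}

# Return 0 only if the ruleset drops forwarding and unsolicited input by
# default and accepts new TCP connections solely on the TOR and privoxy ports
# (so an accidentally added sshd/httpd rule is caught before loading).
check_ruleset() {
  rules="$1"
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -- '--dport' \
    | grep -v -e "--dport $TOR_SOCKS_PORT " -e "--dport $PRIVOXY_PORT " \
    | grep -q . && return 1
  return 0
}

# Usage: sh router-rules.sh --print | sudo iptables-restore
if [ "${1:-}" = "--print" ]; then
  rules="$(gen_router_rules)"
  check_ruleset "$rules" && printf '%s\n' "$rules"
fi
```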