Deniability - Isolating on-premise hidden services (VM-based restrictive networking) #66

Open
opened 2024-10-01 18:25:00 +02:00 by nihilist · 1 comment
Owner
  1. VM hidden service (in a deniable encryption volume)
    1.5) VM decoy tor traffic (outside of the deniable encryption volume)
  2. VM tor bridge w/ VPN connection
  3. router VM to restrict firewall (the tor bridge VM can connect anywhere, and everything else in that isolated LAN can only connect to the tor bridge VM)
  4. router VM has NAT connectivity on the WAN side
  5. homeserver has a VPN connection w/ lockdown enabled to route the traffic elsewhere.
nihilist added the
Complex
label 2024-10-01 18:25:00 +02:00
nihilist added this to the OPSEC Tutorials (paid contributions) project 2024-10-01 18:25:00 +02:00
nihilist added the
/!\ On Priority - High Quality Tutorial
label 2024-10-05 11:24:42 +02:00
Author
Owner

Requires:
- (at minimum 2 wan) dual wan config as showcased in https://blog.nowhere.moe/opsec/failover-wan/index.html
- power failover setup as showcased in https://blog.nowhere.moe/opsec/failovers/index.html
- linux homeserver https://blog.nowhere.moe/opsec/linux/index.html
- qemu hypervisor https://blog.nowhere.moe/opsec/hypervisorsetup/index.html
- pfsense qemu VM as showcased in https://blog.nowhere.moe/opsec/pf_virt/index.html
- isolated LAN network for the VMs also as showcased in https://blog.nowhere.moe/opsec/pf_virt/index.html

Starting from a setup where you have:
- a pfsense VM
- an isolated LAN network
- and a debian VM in that LAN network
- a HDD with a VC hidden volume of 100GB (pfsense 20gb, debian 60gb)

To be showcased:
- how to move that debian VM into a veracrypt hidden container (shut it down and then move it in there)
- clone that debian VM to another debian VM B
- rename debian VM A to "Tor bridge VM (with VPN)"
- rename debian VM B to "hidden service VM 1"
- set up mullvadVPN on that VM for a "serverside -> VPN -> tor -> clients" setup

- Then mention the automating deniability protection w/ emergency shutdown script as showcased in https://blog.nowhere.moe/opsec/physicalsecurity/index.html

- How to set up the firewall on the pfsense VM to only allow the "Tor Bridge VM (with VPN)" to access the WAN, and how to restrict any other host in the LAN network (such as the "Hidden service VM 1") to only access the "tor bridge VM"
- then on the "tor bridge (with vpn) VM" set up the tor bridge, with a mullvad connection ("serverside -> VPN -> tor -> clients" setup)

- Then set up tor on the hidden service VM, and configure it to use the "tor bridge VM" as the bridge to connect to tor.
- Then set up the actual hidden service (on some basic local nginx service on port 80) saying "welcome to blahblah.onion"
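
The firewall restriction requested in the comment above, written as a checkable policy model; this is an added example, not part of the original issue or the blog's own code. It applies first-match rule evaluation with a default deny, as pfSense does for interface rules, and flags any flow whose verdict differs from the intended one. The addresses, `Rule`, `evaluate` and `audit` are constructed for illustration, and the model covers only traffic that is routed through the router VM.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for illustration; the issue does not specify any.
LAN = ipaddress.ip_network("10.66.0.0/24")
BRIDGE_VM = ipaddress.ip_address("10.66.0.10")   # "Tor bridge VM (with VPN)"
HIDDEN_VM = ipaddress.ip_address("10.66.0.20")   # "hidden service VM 1"
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def host(ip):
    """Single-address network, so hosts and subnets match the same way."""
    return ipaddress.ip_network(f"{ip}/32")

# Ordered like the rules on the router VM's LAN interface.
LAN_RULES = [
    Rule("pass", host(BRIDGE_VM), ANY),    # bridge VM may connect anywhere
    Rule("pass", LAN, host(BRIDGE_VM)),    # other LAN hosts: bridge VM only
    Rule("block", ANY, ANY),               # explicit default deny
]

def evaluate(rules, src, dst):
    """First matching rule decides; no match means block (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"

def audit(rules, flows):
    """Return the flows whose verdict differs from the expected one."""
    return [(s, d, want, evaluate(rules, s, d))
            for s, d, want in flows if evaluate(rules, s, d) != want]

EXPECTED = [
    (str(BRIDGE_VM), "198.51.100.7", "pass"),    # bridge -> WAN
    (str(HIDDEN_VM), str(BRIDGE_VM), "pass"),    # hidden service -> bridge
    (str(HIDDEN_VM), "198.51.100.7", "block"),   # hidden service -> WAN (leak)
    (str(HIDDEN_VM), "10.66.0.1", "block"),      # hidden service -> router VM
]

if __name__ == "__main__":
    for row in audit(LAN_RULES, EXPECTED):
        print("MISMATCH", row)
```

Placing a broad "pass LAN to any" rule above these three makes `audit` report the hidden service VM reaching the WAN, which is the leak this layout is meant to prevent.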

Reference: nihilist/blog-contributions#66