Anonymization of all traffic through VPN + TOR / I2P. Building the middlebox from scratch

    This article explains how to forward all of an operating system's traffic through TOR in such a way that the operating system does not even suspect that TOR is there.

    This saves you from endless proxy and .onion settings, from worrying about "does my torrent client leak my real IP address, since it does not fully support the proxy?" and, finally, insures you against a legislative ban of TOR in Russia.

    When I say "TOR", I mean "TOR and I2P". Using the same technique, you can connect any darknet this way.

    The article is purely practical. The theory is already well described in Pandos' article and . This text gives detailed instructions on "how to make it work".

    Problem statement

    1. My computer should switch into "all traffic is non-Russian" mode at the click of a button.

    2. By pressing a second button, it should switch into "all traffic goes through TOR" mode.

    3. The third button is for I2P.

    4. The entry TOR node must be located abroad.

    5. All this should work on Linux, Windows and Android. Up front: OS X and iPhone are fine too, I just do not have them, so I will not be able to test.


    Using TOR over a VPN does not necessarily increase anonymity. More details: . This article describes a tool which, however, must be used wisely.


    First of all, we need a relatively cheap VPS whose owners do not mind TOR running on it (and not a Russian one, of course). Personally, I use DigitalOcean. Their ToS do not specify any forbidden traffic (although if you download pirated torrents directly from their IP, they will block you straight away. Well, that is actually what we need TOR for...). It costs $5 per month.

    You can register here: (referral link: you get $10, I get $25. If you do not want to play this game, remove the refcode).

    If you know better (or at least worse) hosting options for such purposes, write a comment and I will update the article.

    I will not describe the specific procedure for creating a VPS, since it depends on the hosting provider and is simple. Let's assume that you can finally execute the command

    ssh root@

    and get a shell on the VPS. I will assume that debian 7 is running on the VPS; at least, this article was tested on debian 7. It will probably work on ubuntu too.

    Package Installation

    First, a few applications that make our lives easier. Do not forget to install your favourite editor, mc if needed, etc.
    apt-get update
    apt-get upgrade # If the upgrade brings a new kernel, reboot!
    apt-get install fail2ban unattended-upgrades etckeeper # I always install these on a new server

    I2P is not in the debian repository, so a new source has to be added.

    echo "deb wheezy main" >> /etc/apt/sources.list.d/i2p.list
    echo "deb-src wheezy main" >> /etc/apt/sources.list.d/i2p.list
    apt-get update
    apt-get install i2p-keyring
    apt-get update

    Now install the main packages: TOR, VPN and I2P. We also need a DNS server; I use unbound.

    apt-get install tor i2p unbound openvpn privoxy

    VPN setup

    I will keep all VPN settings in /opt/vpn. First, certificates for the server and the client need to be generated.

    NB: We will run several servers (one for tor, one for regular traffic) and use the same certificate for all of them. This is not mandatory. It is quite possible (and advisable) to generate an independent certificate, or even a separate CA, for each of the openvpn servers.

    mkdir /opt/vpn
    mkdir /opt/vpn/log
    cp -rf /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /opt/vpn/rsa # This is a set of scripts for creating keys. You can do without them, but it is hard.

    Now we generate a new CA and the necessary certificates.
    cd /opt/vpn/rsa
    . ./vars
    ./build-ca # Asks a pile of questions. Answer whatever you like.
    ./build-key-server server # Another pile of questions. Do not enter a password. Do not forget to sign the certificate at the end.
    ./build-key --batch client # Phew. At least this one asks nothing.
    ./build-dh # Generates the Diffie-Hellman parameters (keys/dh1024.pem with the default KEY_SIZE from vars) that the server config references

    Examine the /opt/vpn/rsa/keys folder. It now contains several key + certificate pairs:

    ca.{crt,key} - certificate authority
    server.{crt,key} - server key
    client.{crt,key} - client key

    The client must be given only ca.crt, client.crt and client.key; the rest of the files remain on the server only.

    It's time to write the server configuration file. Put it in /etc/openvpn/00-standard.conf:

    port 1201
    proto udp
    dev tun
    ca /opt/vpn/rsa/keys/ca.crt
    cert /opt/vpn/rsa/keys/server.crt
    key /opt/vpn/rsa/keys/server.key
    dh /opt/vpn/rsa/keys/dh1024.pem
    # Server Routing
    # server-bridge
    #Client configuration
    push "redirect-gateway def1"
    push "dhcp-option DNS"
    keepalive 10 120
    log /opt/vpn/log/server-standard.log
    status /opt/vpn/log/status-standard.log
    verb 3

    Try starting openVPN:
    /etc/init.d/openvpn restart

    If it does not start, there is an error: check /opt/vpn/log/server-standard.log, fix the configuration according to the messages there and get the server to start successfully.

    OK, the VPN is working. Time to connect to it. For this we write the config file on the client:

    client # act as a client: pull the routes and DNS option the server pushes
    dev tun
    proto udp
    # The real external IP address of the server goes here
    remote 1201
    resolv-retry infinite
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    <ca>
    [paste the contents of ca.crt here]
    </ca>
    <cert>
    [paste the contents of client.crt here]
    </cert>
    <key>
    [paste the contents of client.key here]
    </key>

    Now try connecting:
    sudo openvpn --config client.conf --script-security 2

    After the line "Initialization Sequence Completed" appears, you are connected and should be able to ping the server's address inside the tunnel. The Internet will be gone; that's fine.
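    The client config above can be produced by a script, so that ca.crt, client.crt and client.key are embedded in one file and never travel separately. This is an added example, not a script from the article. The server address is passed in as an argument (the article's real address is not shown), the key directory defaults to the article's /opt/vpn/rsa/keys, and the `client`, `nobind` and `remote-cert-tls server` directives are my additions. The last one is the usual fix for the point raised at the end of the article that the client does not verify the server's certificate: build-key-server marks the server certificate with the extension this check requires, so a leaked client certificate cannot be used to impersonate the server.

```shell
#!/bin/sh
# make-client-conf.sh: assemble a single-file OpenVPN client config with
# ca.crt, client.crt and client.key embedded inline.  Added example, not the
# article's own script; the server address is a placeholder supplied by the
# caller and the key directory defaults to the article's /opt/vpn/rsa/keys.

# $1 = server IP or hostname, $2 = port, $3 = directory holding the three
# files.  Prints the config on stdout; returns 1 if any file is missing.
build_client_conf() {
    _host=$1; _port=$2; _dir=${3:-/opt/vpn/rsa/keys}
    for _f in ca.crt client.crt client.key; do
        [ -r "$_dir/$_f" ] || { echo "missing $_dir/$_f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $_host $_port
resolv-retry infinite
nobind
verb 3
# refuse to talk to a peer whose certificate was not issued as a server
# certificate (build-key-server sets that extension), so a stolen client
# certificate cannot impersonate the server
remote-cert-tls server
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
$(cat "$_dir/ca.crt")
</ca>
<cert>
$(cat "$_dir/client.crt")
</cert>
<key>
$(cat "$_dir/client.key")
</key>
EOF
}

# Demo on constructed placeholder files (not real PEM data), so the script
# can be exercised without a server: prints the generated config.
demo() {
    _d=$(mktemp -d)
    printf '%s\n' '-----CONSTRUCTED CA PLACEHOLDER-----' > "$_d/ca.crt"
    printf '%s\n' '-----CONSTRUCTED CLIENT CERT PLACEHOLDER-----' > "$_d/client.crt"
    printf '%s\n' '-----CONSTRUCTED CLIENT KEY PLACEHOLDER-----' > "$_d/client.key"
    build_client_conf 203.0.113.10 1201 "$_d"
    _rc=$?
    rm -rf "$_d"
    return $_rc
}

# Stand-alone use:  ./make-client-conf.sh SERVER_IP 1201 [KEYDIR] > client.conf
# or:               ./make-client-conf.sh --demo
case ${1:-} in
    --demo) demo ;;
    "")     ;;
    *)      build_client_conf "$@" ;;
esac
```

    Run it on the server, copy the single output file to the client over a trusted channel (scp), and keep the file mode at 600 there, since it contains the private key.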

    Internet setup

    Suppose we do not want to use TOR, but simply do not want a Russian external IP for ourselves. In this case, this script:

    echo 1 >  /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s $SUBNET -o eth0 -j MASQUERADE # $SUBNET is the subnet handed out by the VPN server, in CIDR form

    gives you what you want. Put it in /etc/rc.local as well, so it survives a reboot.

    TOR setup

    If you read and completed the previous part, do not forget to flush iptables:
    iptables -F
    iptables -t nat -F

    Now suppose you want the VPN through TOR after all (and you did not do the previous step). Then:

    append the following to the end of /etc/tor/torrc:

    AutomapHostsOnResolve 1
    TransPort 9040
    DNSPort 53
    AccountingStart day 0:00
    AccountingMax 10 GBytes
    RelayBandwidthRate 100 KBytes
    RelayBandwidthBurst 500 KBytes

    Also change our server config file /etc/openvpn/00-standard.conf: change the DNS from Google's to the local one. Do not forget to restart openvpn.
    push "dhcp-option DNS"

    Finally, the following bash construct redirects all incoming VPN traffic through tor:

    # $_int_if is the VPN interface the clients arrive on (tun0); $_trans_port is the TransPort from torrc (9040)
    iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
    iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
    /etc/init.d/tor restart

    By the way, remember this construct. It is a universal way to redirect all traffic from a given network interface through a transparent proxy. We will add I2P the same way.

    Done. Connect to the VPN. Make sure you have a TOR IP address. Open some .onion site to check that DNS works too.

    Setting up I2P

    I2P is trickier: it has no DNS server of its own, so you have to make your own.

    Open /etc/unbound/unbound.conf and add at the end:
        logfile: "/etc/unbound/unbound.log"
        local-zone: "i2p" redirect
        local-data: "i2p A"
        access-control: allow
        access-control: allow
        local-zone: "." redirect
        local-data: ". A"
        local-zone: "*" redirect
        local-data: "* A"

    After that, any (!) domain will resolve to a deliberately non-existent IP address. It remains to "catch" such traffic and redirect it to localhost:8118, which is where I2P listens.

    By the way, it is not listening yet. Run
    dpkg-reconfigure i2p

    and set the flag to start at boot.

    Stop tor. Start unbound.
    /etc/init.d/tor stop
    /etc/init.d/unbound restart

    Now configure privoxy to work together with I2P. Add to the end of /etc/privoxy/config:
    accept-intercepted-requests 1
    forward /

    and restart privoxy.

    Just as with TOR, change the DNS in the VPN server configuration to the local one:

    push "dhcp-option DNS"

    If you have already tried the TOR redirect, do not forget to flush iptables:
    iptables -F
    iptables -t nat -F

    It remains to redirect:
    # $_int_if is the VPN interface; this time $_trans_port is privoxy's port (8118)
    iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
    iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port

    Looks familiar, right? The only difference is the proxy port number.

    Connect to the VPN. You are in I2P. Open epsilon.i2p and make sure the network works.

    What's next?

    Next you have to make sure they do not conflict. Instead of one server /etc/openvpn/00-standard, make three: 00-standard for normal traffic, 01-tor for tor, and 02-i2p for i2p. Assign them different subnets (for example, 10.8.2.* for tor and 10.8.3.* for i2p). After that, tor and unbound will stop conflicting and you will be able to connect to any of the three simultaneously running networks.

    Besides, the client currently does not verify the server certificate. This can be fixed.

    You can also set up a virtual machine whose only network interface is tun0 with traffic going through TOR, so the virtual machine does not even know about the VPN. And on the host of that virtual machine, set up routing so that without the VPN it cannot connect at all.

    Also, a speed limit must be set in I2P. And the VPN logs do not rotate. And there is no web interface.

    And also... I will certainly describe all this in other articles. Until then, thanks for your attention!
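    The masquerade rules of the "Internet setup" section, the TOR and I2P redirect constructs, and the three-server layout just described can be collected into one script that generates the iptables rules for each mode from the interface and port involved. This is an added example, not the article's own script. The interface names, subnets and ports are assumptions: tun0 = 00-standard on 10.8.1.0/24, tun1 = 01-tor on 10.8.2.0/24 with Tor's TransPort 9040, tun2 = 02-i2p on 10.8.3.0/24 with privoxy on 8118; adjust them to your own server configs.

```shell
#!/bin/sh
# vpn-route.sh: build and apply the iptables rules for the three tunnel modes.
# Added example, not the article's own script.  Interface names, subnets and
# ports below are assumptions (placeholders): tun0 = 00-standard on
# 10.8.1.0/24, tun1 = 01-tor on 10.8.2.0/24 with Tor TransPort 9040,
# tun2 = 02-i2p on 10.8.3.0/24 with privoxy on 8118.

# Rules that send every DNS query and every new TCP connection arriving on an
# interface to a transparent proxy on this host (the article's "universal"
# construct).  $1 = interface, $2 = transparent proxy port, $3 = DNS port
redirect_rules() {
    _if=$1; _trans=$2; _dns=${3:-53}
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $_if -p udp --dport 53 -j REDIRECT --to-ports $_dns" \
      "iptables -t nat -A PREROUTING -i $_if -p tcp --syn -j REDIRECT --to-ports $_trans"
}

# Rules for the plain "foreign IP" mode: enable forwarding and NAT the tunnel
# subnet out of the public interface.  $1 = subnet (CIDR), $2 = outbound interface
masquerade_rules() {
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# The article's cleanup step: wipe whatever the previous mode installed.
flush_rules() {
    printf '%s\n' "iptables -F" "iptables -t nat -F"
}

# Rules for one named mode.  Fails on an unknown mode name.
mode_rules() {
    case $1 in
        standard) masquerade_rules 10.8.1.0/24 eth0 ;;
        tor)      redirect_rules tun1 9040 ;;
        i2p)      redirect_rules tun2 8118 ;;
        *)        echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Rules for running all three servers side by side: flush once, then install
# each mode's rules.  Every rule matches on its own interface or subnet
# (-i / -s), so the three sets do not interfere with each other.
all_rules() {
    flush_rules
    for _m in standard tor i2p; do
        mode_rules "$_m"
    done
}

# Execute a rule set (one mode, or "all"), or only print it when DRY_RUN=1.
# Returns 1 without touching the firewall if the mode name is unknown.
apply_mode() {
    if [ "$1" = all ]; then
        _rules=$(all_rules) || return 1
    else
        _rules=$(flush_rules; mode_rules "$1") || return 1
    fi
    printf '%s\n' "$_rules" | while IFS= read -r _cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$_cmd"
        else
            $_cmd
        fi
    done
}

# Stand-alone use: ./vpn-route.sh tor   (or standard, i2p, all)
if [ $# -gt 0 ]; then
    apply_mode "$1"
fi
```

    Two things to check before relying on this. REDIRECT rewrites the destination of a forwarded packet to the primary address of the interface it arrived on, not to 127.0.0.1, so each proxy must actually listen on the server's tunnel address: for Tor that means `TransPort 10.8.2.1:9040` and `DNSPort 10.8.2.1:53` instead of the loopback-only defaults, and for privoxy a matching `listen-address`. And `iptables -F` also empties the chains fail2ban maintains, so restart fail2ban after applying a mode (or flush only the nat table) if you keep it, as the package list at the top of the article does.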
