Transparent Proxy - secure, isolated box (JonDoBOX)

Ideas to everything that could be useful. Proposals and tips for JonDonym programming.
proper
Posts: 39
Joined: Sun Apr 01, 2012 21:19

Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Sun Apr 01, 2012 21:24

We are developing a secure anonymizing box, where the key point is that the workstation is unaware of its own non-anonymous external IP and can therefore not leak it (either by misconfigured/buggy applications or through malware).

Our concept consists of two (virtual) machines. One machine acts as a gateway; the anonymizing software is running on that box. The other machine, the workstation, has no way to access the internet unless it is using the gateway. This is a very brief description of the concept. If you are interested in a more comprehensive description, please have a look at our homepage. [1]

Initially we used Tor as anonymizing software. It might also be possible to replace Tor with JonDo.

Are you interested in our approach?

Is JonDo suited for our threat model? (The workstation may not be made aware of the gateway's non-anonymous external IP.)

Do you think it could work with the free version of JonDo? As only HTTP proxying to ports 80 and 443 is supported, I guess, for example, IRC port 6667 will not be accessible from the workstation? Would that only be possible using the premium version of JonDo?

We have started to describe how to use JonDo. [2]

Do you have any comments, suggestions, questions or whatsoever regarding our project or plans?

[1] https://trac.torproject.org/projects/to ... doc/TorBOX
[2] https://trac.torproject.org/projects/to ... ngNetworks

Georg Koppen

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by Georg Koppen » Mon Apr 02, 2012 7:38

proper wrote:
> We are developing a secure anonymizing box, where the key point is that the workstation is unaware of its own non-anonymous external IP and can therefore not leak it (either by misconfigured/buggy applications or through malware).
>
> Our concept consists of two (virtual) machines. One machine acts as a gateway; the anonymizing software is running on that box. The other machine, the workstation, has no way to access the internet unless it is using the gateway. This is a very brief description of the concept. If you are interested in a more comprehensive description, please have a look at our homepage. [1]
>
> Initially we used Tor as anonymizing software. It might also be possible to replace Tor with JonDo.
>
> Are you interested in our approach?

Definitely.

> Is JonDo suited for our threat model? (The workstation may not be made aware of the gateway's non-anonymous external IP.)

Yes, I think so.

> Do you think it could work with the free version of JonDo? As only HTTP proxying to ports 80 and 443 is supported, I guess, for example, IRC port 6667 will not be accessible from the workstation? Would that only be possible using the premium version of JonDo?

Basically, the client software is only available in a free version, meaning all users have the same one. Depending on the mix cascades the user connects to, services are restricted. If a user has chosen a free cascade she might indeed only use ports 80 and 443 and, yes, IRC using port 6667 is not available to her. The premium mix cascades are not port restricted, with the sole exception of port 25, which is blocked for spam avoidance.

> We have started to describe how to use JonDo. [2]
>
> Do you have any comments, suggestions, questions or whatsoever regarding our project or plans?

Use "JonDonym" if you want to talk about the mix server network. "JonDo"/"JonDoConsole" is just the client software. Thanks for looking into it. And if you have questions about JonDo/JonDonym, do not hesitate to ask, be it here in the forum or via support[@]jondos[.]de (without the brackets).

cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Mon Apr 02, 2012 7:57

> We have started to describe how to use JonDo.

JonDo does not have a TransPort and DNSPort like Tor. But with 2 small tools you can use JonDo with a transparent proxy like Tor.

- with transocks_em you can redirect all traffic of the box "1" to JonDo running on box "2".

- for handling DNS requests you can redirect all port 53 traffic to an HTTPSDNS server via JonDo running on box "2".

Because more people are interested in this solution, we will add a tutorial on how to use JonDo as a transparent proxy to our online help (I hope tomorrow).

For JonDo running in box "2" we have two solutions: the GUI JonDo proxy client and the GUI-less JonDoDaemon proxy client, which can be operated at the command line or remotely via a telnet interface. For more information about JonDoDaemon have a look at: https://anonymous-proxy-servers.net/wik ... for_Debian

Maybe you have to change the firewall in box "1" to switch between Tor and JonDo.

Using free cascades you can only surf the web. For IRC, Jabber, mail and so on a premium account is required.

For developers we can provide free premium accounts, but users have to pay.

For technical details you can contact me using Jabber (XMPP) too: cane@draugr.de (OTR see below)

proper

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Wed Apr 04, 2012 15:30

Thanks for your reply.
cane wrote:
> Because more people are interested in this solution, we will add a tutorial on how to use JonDo as a transparent proxy to our online help (I hope tomorrow).

Can you share the link please?

cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Thu Apr 05, 2012 12:34

Have a look at: https://anonymous-proxy-servers.net/en/ ... socks.html

Maybe you can post some appropriate firewall rules to use the transparent proxy here? Thanks.

proper

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Fri Apr 06, 2012 16:09

cane wrote:
> - for handling DNS requests you can redirect all port 53 traffic to an HTTPSDNS server via JonDo running on box "2".

Do JonDonym (exit servers) support remote DNS resolution?
Thanks!

cane wrote:
> Maybe you can post some appropriate firewall rules to use the transparent proxy here? Thanks.

Our existing firewall for transparently routing through Tor is here: https://trac.torproject.org/projects/to ... v/TGScript (under "The Firewall", /etc/torboxfirewall.sh). Perhaps not many changes are necessary.

We don't have any adjusted rules for JonDonym yet.
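
The firewall rules cane asked for, and the two-box setup proper describes (workstation "1" behind gateway "2", with transocks_em or Tor's TransPort handling TCP and a local forwarder handling DNS), as an added example. This is not TorBOX's /etc/torboxfirewall.sh and not JonDonym's own documentation; it is a gateway-side iptables script written for this thread. The interface name, addresses and ports are assumptions, as is that a transparent TCP redirector already listens on TRANS_PORT and a DNS forwarder on DNS_PORT of the gateway. The point it makes beyond the posts above: with nat PREROUTING REDIRECT plus a DROP policy on INPUT and FORWARD, the workstation's packets can only ever end up at the two local listeners, so the gateway's external IP is never reachable from the inside, and IPv6 (which the redirector does not carry) is dropped outright rather than leaking around it.

```shell
#!/bin/sh
# Added example (not TorBOX's firewall script, not JonDonym's own code):
# gateway ("box 2") rules that force everything from the workstation ("box 1")
# through a transparent TCP redirector and a local DNS forwarder.
# All names, addresses and ports below are assumptions for this example.
set -eu

INT_IF="${INT_IF:-eth1}"                 # gateway interface facing the workstation (assumed)
GW_INT_IP="${GW_INT_IP:-192.168.0.10}"   # gateway's address on INT_IF (assumed)
WS_NET="${WS_NET:-192.168.0.0/24}"       # workstation network (assumed)
TRANS_PORT="${TRANS_PORT:-9040}"         # transocks_em / Tor TransPort listener (assumed)
DNS_PORT="${DNS_PORT:-5300}"             # local DNS forwarder (HTTPS-DNS client or Tor DNSPort, assumed)

# Emit the rule set as iptables commands, one per line. Generating is kept
# separate from applying so the rules can be reviewed without root.
gen_rules() {
    cat <<EOF
iptables -t nat -F
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# DNS from the workstation is redirected to the local forwarder, never sent out directly
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
# every other new TCP connection from the workstation is handed to the transparent redirector
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# after REDIRECT the destination is the gateway's own INT_IF address: allow only those two services
iptables -A INPUT -i $INT_IF -s $WS_NET -d $GW_INT_IP -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $INT_IF -s $WS_NET -d $GW_INT_IP -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $INT_IF -s $WS_NET -d $GW_INT_IP -p tcp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything else from the inside is dropped; FORWARD is DROP, so no path to the external interface exists
iptables -A INPUT -i $INT_IF -j DROP
# the redirector only carries IPv4, so IPv6 from the workstation is dropped instead of leaking around it
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i $INT_IF -j DROP
EOF
}

# Usage:  sh gateway-fw.sh          print the rules for review
#         sh gateway-fw.sh apply    run them (needs root and iptables/ip6tables)
case "${1:-print}" in
    apply) gen_rules | sh -e ;;
    *)     gen_rules ;;
esac
```

The script deliberately has no ACCEPT on FORWARD and no rule that mentions the gateway's external interface: the workstation never needs to know it exists. When switching the redirector between Tor's TransPort and transocks_em, only TRANS_PORT (and, for the resolver, DNS_PORT) change; the isolation rules stay the same.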

Georg Koppen

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by Georg Koppen » Fri Apr 06, 2012 16:14

proper wrote:
> cane wrote:
> > - for handling DNS requests you can redirect all port 53 traffic to an HTTPSDNS server via JonDo running on box "2".
> Do JonDonym (exit servers) support remote DNS resolution?

The ones in premium cascades, yes.

proper

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Fri Apr 06, 2012 17:00

Georg Koppen wrote:
> proper wrote:
> > cane wrote:
> > > - for handling DNS requests you can redirect all port 53 traffic to an HTTPSDNS server via JonDo running on box "2".
> > Do JonDonym (exit servers) support remote DNS resolution?
> The ones in premium cascades, yes.

How does DNS resolution work with free cascades and JonDoFox?

DNS resolution in the clear?

cane

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by cane » Fri Apr 06, 2012 18:09

> How does DNS resolution work with free cascades and JonDoFox?

JonDo is an HTTP proxy for JonDoFox, not a SOCKS proxy like Tor. DNS resolution is done on the exit mix.

If an HTTP proxy is set in Firefox, no DNS queries are done by Firefox. DNS resolution is the job of the HTTP proxy, not the job of the application. In the case of JonDonym, it is done by the exit mix.

proper

Re: Transparent Proxy - secure, isolated box (JonDoBOX)

Post by proper » Fri Apr 06, 2012 21:11

I finally got it. Transocks redirects the network layer to socks, and JonDo (premium) is a socks proxy. That's why it won't work out of the box with free cascades.

To use the free cascades, a SOCKS-to-HTTP redirector would be needed. (A short search revealed that socks2http exists.) However, that setup seems very complicated, perhaps too complicated. (network layer -> transocks -> socks2http -> JonDo)

I don't know if there is an application to tunnel the network layer through http. (transparent http proxy) Perhaps Squid can do that.
