VPNs and Tor

Dr. Greg Bernstein

August 4th, 2021

VPNs

References: VPNs

VPN History Overview

  1. Private networks built with “leased lines”
  2. Tunneling across the internet, as a “cheaper leased line”
  3. Securing everything with IPSec anyway you want to if you can figure it out
  4. Satellite offices, road warriors, remote workers via OpenVPN protocol uses SSL/TLS
  5. Anonymity for consumers and others…
  6. Single user devices, zero trust, move towards simplicity Wireguard

Building Networks

  • Networks are built out of communication links and switches (also referred to as nodes)
  • Links operate at a particular layer, e.g., IP, Ethernet, MPLS, SDH, G.709, WDM, etc…
  • Switches operate at at least one layer. Switches may also be called routers, ADM, etc depending on layer

Example Abstract Network

Wavelength Service Example 1

From Lumen Wavelength Service

Wavelength Service Example 2

From Lumen Wavelength Service

Dark Fiber Example 1

From Stealth Communications

Dark Fiber Example 2

From Stealth Communications

Alternative to Leased Lines: The Internet

From Tunnels and VPNs

Tunneling Protocols

  • IP-in-IP: Simple and early approach directly supported by IPv4 and in the Linux kernel
  • GRE (Generic Routing Encapsulation): Allows about any type of packet to be transported over IP, Linux support
  • L2TPv3 (Layer 2 Tunneling Protocol): Provides optimized Ethernet over IP and tunnel control.

Securing Things

  • Wikipedia: IPSec: “Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network.” Works at the IP layer
  • Wikipedia: OpenVPN: “OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections…”, “It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.”

Example VPN: WireGuard

WireGuard Basic Description

From WireGuard

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.

WireGuard Cryptography

From WireGuard

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.

WireGuard Tunneling

From WireGuard

WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers’ public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN. In contrast, it more mimics the model of SSH and Mosh; both parties have each other’s public keys, and then they’re simply able to begin exchanging packets through the interface.

WireGuard Messages

From WireGuard WP

WireGuard Interfaces

From WireGuard

WireGuard works by adding a network interface (or multiple), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc). This network interface can then be configured normally using ifconfig(8) or ip-address(8), with routes for it added and removed using route(8) or ip-route(8), and so on with all the ordinary networking utilities. The specific WireGuard aspects of the interface are configured using the wg(8) tool. This interface acts as a tunnel interface.

Virtual Network Interfaces 1

From Wikipedia: TUN/TAP

In computer networking, TUN and TAP are kernel virtual network devices. Being network devices supported entirely in software, they differ from ordinary network devices which are backed by physical network adapters. TUN, namely network TUNnel, simulates a network layer device and operates in layer 3 carrying IP packets. TAP, namely network TAP, simulates a link layer device and operates in layer 2 carrying Ethernet frames. TUN is used with routing. TAP can be used to create a user space network bridge.

Virtual Network Interfaces 2

Uses and Platforms from Wikipedia: TUN/TAP

  • VPN Examples: OpenVPN, OpenSSH, OpenConnect, WireGuard
  • Virtual Machines Networking examples:Open vSwitch, QEMU/KVM, VirtualBox
  • Platforms: FreeBSD, Linux, Windows, iOS/OS X, Android

Example: Virtual Interfaces on Windows

WireGuard and VirtualBox interfaces on my laptop

Example: Real Network Interface on Windows

Only my Wifi is currently connected here

WireGuard Demonstration Network

WireGuard Addresses

  • Endpoint addresses: The real IP addresses for machines on local networks or the internet used by routers (switches)
  • WireGuard Interface and AllowedIPs addresses: Addresses for the virtual WireGuard interfaces and MUST NOT correspond to networking addresses/prefixes already used by routers.
  • My local network uses private 192.168.1.x addresses, so for this WireGuard demo I’m using private addresses in the range 192.168.2.x

Demonstration Addresses and Keys

  • Laptop: endpoint address 192.168.1.228, WireGuard interface: 192.168.2.2, Public Key: RP80KtB6vOJh18qUt0plAOJQLqAdqMipu/FTNjDb0zs=
  • Linux Server: endpoint address 192.168.1.220, WireGuard interface: 192.168.2.1, Public Key: Oq34hHw1jtr/88Q3iCeGOgbwdozZm9O8e+NW0uZrRmQ=
  • Android Phone: endpoint address 192.168.1.208, WireGuard interface: 192.168.2.55, Public Key: VpJZ+OA9O+InevZTTFZrXkihZQqPtHg6uo1/JP24f2w=

Confidential Web Page on Linux Server

  • Set up a simple server http-server
  • Bind the server to the WireGuard interface address 192.168.2.1
  • Used TCP port 8080 for the server, http-server -a 192.168.2.1 -p 8080

Client and Server Screens

Not really confidential info, but it could be

WireShark Traces 1

Can we tell WireGuard is being used by sniffing traffic

WireShark Traces 2

Can we tell that a client is talking to an HTTP server?

Anonymity

Beyond a Secure Connection

Who is “they” in each case below?

  1. “They” know your IP address and hence your location
  2. “They” know what site/service you are communicating with and where it is located
  3. “They” may be tracking you and identifying you via your browser
  4. “They” are constantly attacking (DDoS) your web site to prevent others from getting to it

VPNs for Anonymity

Idea: Use an “intermediary” (proxy) to forward your requests to the destination website so the web site will see the proxy’s address and not yours. See How to Choose a Good VPN. Let’s look at an open source example.

References: Tor

Tor Overview 1

From Tor Overview

The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor’s users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy.

Tor Overview 2

From Tor Overview

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor’s onion services let users publish web sites and other services without needing to reveal the location of the site.

Traffic Analysis

From Tor Overview

Using Tor protects you against a common form of Internet surveillance known as “traffic analysis.” Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are.

Tor and Traffic Analysis

See Tor Slides 5-28.

Example: Home to Website

The Dark Web 1

From Wikipedia: Dark Web

The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access. Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user’s location

Dark Web Overlays

Onion Services 1

From Tor: Onion Services

Tor makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor “rendezvous points,” other Tor users can connect to these onion services, formerly known as hidden services, each without knowing the other’s network identity.

Onion Services 2

From Tor Design Paper

Rendezvous points are a building block for location-hidden services in the Tor network. Location-hidden services allow Bob to offer a TCP service, such as a webserver, without revealing his IP address. This type of anonymity protects against distributed DoS attacks: attackers are forced to attack the onion routing network because they do not know Bob’s IP address.

Onion Service Overview 1

Onion Service Overview 2

Onion Service Overview 3

Onion Service Overview 4

Onion Service Overview 5

Onion Service Overview 6

Onion Service Example

Useful Systems Using Tor

  • OnionShare Easy secure sharing via Tor
  • SecureDrop “SecureDrop is an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources”
  • Tails “Tails is a portable operating system that protects against surveillance and censorship.”
// reveal.js plugins