Patrick Schleizer committed May 7, 2014
1 parent e345e43, commit 6147f0e
Showing 1 changed file with 5 additions and 0 deletions.
Hi adrelanos, how are you doing? This script looks interesting. Do you think it would be easy to translate this into a patch for Network Manager? I want to implement something like this, but it has to have a clean way to install/uninstall, and it has to cause as few changes as possible to system-wide settings. I want Network Manager as it is the only non-CLI way of managing VPN connections that I know of. If it's not too hard to do this patch, I would be willing to help write it. At the same time, we can maybe add a patch that makes Network Manager respect MAC address settings (another problem I noticed).
OK, I will look into it. I like C, but I don't know much about iptables, so maybe you can help with that :)
Hey. I tried your VPN Firewall against Network Manager and it works pretty well. The openvpn plugin has a program, /usr/libexec/nm-openvpn-service-openvpn-helper, that gets called after the tun interface is created. So I replaced that with a bash script that calls the firewall and then calls the original nm-openvpn-service-openvpn-helper. I tested it by killing the openvpn program, and indeed, the lock for the Network Manager openvpn goes down, but nothing can be accessed. The unload script works fine also. The only thing that didn't work is the VPN_SERVERS variable. Even when I had the default server IP you put there, I was still able to use my VPN, which has a different IP. The VPN_INTERFACE variable works well. I still feel like there should be a more "elegant" way to do this (without all those rules), but so far this is the best I've seen.
As for respecting the MAC address, I think the best approach is to modify the Linux kernel. There's some functionality in it called ethtool that allows programs (like Network Manager) to get the real hardware addresses of the network devices. One way could be to modify the function that returns the MAC address so that it returns the spoofed address instead (in ethtool_get_perm_addr in http://lxr.free-electrons.com/source/net/core/ethtool.c). Another way the MAC address can be shown is if the driver is reloaded. Perhaps a way to protect against this is to build the drivers into the kernel, rather than have them as modules. Another way is to look at cached dmesg output, so that can be cleared. I don't think there is any other way to get it other than loading a kernel module, searching in memory/filesystem for it if the user manually put it there, or messing around with the kernel in general. Oh yeah, and the MAC should be spoofed before Network Manager starts.
I am planning to make an Anonymity mode for Pirate Linux that will do something similar to what Whonix does. But instead of virtualizing the gateway, I will keep it unvirtualized but running in the minimal environment needed to run Network Manager. I can't virtualize it because I want it to work with laptops that mostly use wifi and mobile broadband connections. And Network Manager is the only tool that can handle those kinds of connections.
Edit: You can also get the MAC address from the EEPROM (try ethtool -e). I don't know how to disable this, or if it's necessary.
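A fail-closed version of the helper wrapper described in the comment above, as an added example that is not part of the commit or of the thread. The firewall and helper paths are hypothetical and passed in as arguments; the self-check uses constructed stand-ins for both programs rather than real iptables or NetworkManager.

```shell
#!/bin/sh
# Added example, not code from the commit or from the commenters. In a real
# install the caller would point $1 at the VPN-Firewall load script and $2 at
# the renamed original nm-openvpn-service-openvpn-helper (hypothetical paths),
# and NetworkManager would invoke this wrapper in the original helper's place.

# Load the firewall first, then hand NetworkManager's arguments to the real
# helper. If the firewall does not load cleanly the helper is never run, so the
# VPN is not brought up without the leak protection in place (fail closed).
# An installed wrapper would `exec` the helper; it is a plain call here so the
# self-check below can run it in-process.
vpn_hook() {
    firewall="$1"
    helper="$2"
    shift 2
    if ! "$firewall"; then
        echo "vpn_hook: firewall failed to load, refusing to run helper" >&2
        return 1
    fi
    "$helper" "$@"
}

# Self-check with constructed stand-ins (no real iptables). $1 is the exit
# status the fake firewall returns; prints the constructed arguments the fake
# helper received, or nothing if the helper was (correctly) never run.
vpn_hook_selftest() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nexit %s\n' "$1" > "$dir/firewall"
    printf '#!/bin/sh\necho "helper got: $*" > %s/log\n' "$dir" > "$dir/helper"
    chmod +x "$dir/firewall" "$dir/helper"
    vpn_hook "$dir/firewall" "$dir/helper" tun0 1500 1 10.8.0.2 >/dev/null 2>&1 || true
    [ -f "$dir/log" ] && cat "$dir/log"
    rm -rf "$dir"
}
```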
Andrew K:
Dear Andrew,
there has been a big update. A pre-release of freshly split, untested packages, welcoming early comments before perfecting them:
https://github.com/Whonix/Whonix/issues/40#issuecomment-44753513
This discussion here is difficult to find. Please let's move it to https://github.com/Whonix/Whonix/issues/40#issuecomment-44753513 or elsewhere.
Cheers,
Patrick