The other day I was updating my Malware Analysis VMs, and for some reason, I just couldn't get Whonix gateway to connect.

Whonix also required you to switch to its subnet/etc manually, since there was no DHCP :(. So I got onto the trusty Google and came up with a few alternatives.

One of them was setting up a pfSense virtual machine, installing TOR, and routing all traffic through the TOR install. This appealed because it would be a simple case of switching network adapters to switch between networks without messing with IP configs...

pfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. Wikipedia

pfSense is (currently) based on FreeBSD 11.1, and given that I haven't touched FreeBSD in many years this was quite a learning curve for me.

Things you will need

  1. The ability to read (congratz on getting this far if you can't)
  2. A decent computer
  3. An internet connection (once again... congratz on getting this far if you don't have one)
  4. VirtualBox
  5. pfSense disk image
  6. SSH Client (I use MobaXTerm)
  7. Most importantly: A good sense of humour, so I don't come off as a condescending a$$h0l3.

You can grab VirtualBox from Oracle's site: https://www.virtualbox.org/wiki/Downloads
You can grab the pfSense disk image from their website: https://www.pfsense.org/download/

Before you start

I am creating a more comprehensive guide using something other than pfSense. I've been running into some really big issues which I'm not encountering on the other fork. That guide will probably be up in the next few days, and will cover things like preventing DNS leaking/UDP/etc.

VM Creation

Obviously, the first thing to do is to define the Virtual Machine's settings and actually install pfSense in said VM. Thankfully, setting up pfSense itself isn't much of a challenge.

Remember pfSense is based on FreeBSD 11.1, so select BSD as the Type and FreeBSD (64-bit) as the Version (pfSense 2.4 only ships 64-bit images, and the package URLs used later are amd64 builds), along with an appropriate name. I've also opted to use 2GB of RAM for the VM, but I have the resources. The smallest I would try with is 512MB (if I recall correctly, that is the system minimum).


I've also gone with a 32GB disk, but since it is Dynamically allocated it doesn't really matter much.

Once the machine has been created, go to its settings.


I've opted for a Bridged adapter so the VM will get its own IP address from my Ubiquiti switch.

The important thing here is that you need to enable Adapter 2. pfSense assigns the first adapter it finds as WAN and the second as LAN, so Adapter 1 (bridged) becomes the WAN side and Adapter 2 becomes the LAN that the torrified VMs will sit on.

Attach adapter 2 to an Internal Network and name it pfSenseTOR (or whatever...)


Start the VM and attach the pfSense disk image you downloaded.

Hit start. You will briefly see the following screen:

I say briefly because pfSense will automatically boot itself. Wait a few seconds (or minutes, depending on your host computer's specs). This is the screen you will be greeted with when the startup process is completed.

Hit accept

Select install


Set your keyboard, or just... you know... continue with default.

Select Auto

Let pfSense do its magic and install itself

Select no

Reboot.

Congratulations, you just rebooted back into the installer. Installception?

Remove the mounted image, force it if you need to.

Reset the machine, and wait for pfSense to boot.

If you see this: CONGRATZ! You can follow instructions. You have installed pfSense, now for the REALLY fun part (</sarcasm>)

Setting up pfSense

By default, pfSense blocks access from the WAN. If you think about where a firewall is usually positioned in a network, that makes sense. You don't want someone having remote access to it after all.
However, since I like to live dangerously (and the fact this VM is behind my actual network firewall so it is not visible remotely... so much for living dangerously) I'm going to be opening up the firewall fully on the WAN. Remember, BAD IDEA if pfSense is directly facing the internet.

It's also worth noting at this point, that the default admin login is admin:pfsense

See, I wasn't lying.

There are two ways to enable access to the WebUI from the WAN.

I'm going to take the quick and dirty method, but the first thing to do is enable SSH on pfSense. As per the menu, select option 14. The wizard will ask you to confirm the current status of SSHD and offer to enable it if it is disabled.

Now in the menu select option 8 to open a shell. Why? WAN access is still blocked.

Type the following and hit enter: pfSsh.php playback enableallowallwan
That playback script adds a pass-any rule (IPv4 and IPv6) to the WAN interface and also turns off the WAN's Block private networks and Block bogon networks options, so anything and everyone on the WAN side can reach the firewall, which is what I want here.

Now type exit to return to the menu.


Since the firewall is now nice and open for the WAN, if you navigate to https://<wan-ip-address-here> you should be presented with this wonderful screen.

Log in using the default credentials, and you will be greeted with the setup wizard.

As with most setup wizards, we don't read much and just click next.

These are the changes in the steps you need to make:

Step 1:
- Nothing... Neeext

Step 2:
- Nothing... For now... Neext

Step 3:
- Set your timezone

Step 4:
- Nothing

Step 5:
- Nothing

Step 6:
- Change the password but make sure you note what it is. For the purposes of this guide, I'm leaving it as the default.

Step 7:
- Not really a step... Just hit reload.

Step 8:
- Once again, not really a step either. Just wait.

Step 9:
- Whoever decided to make Steps 7, 8 and 9 steps needs to re-evaluate how he makes choices.
- Also, pfSense is now setup.
- Click here in the "Click here to continue on to pfSense webConfigurator." one.

You will now be greeted with the actual dashboard.

Once again, congratulations. pfSense has been setup.

Installing TOR

This can actually get a little tricky, since Tor is not in pfSense's own package repository, so it has to be pulled from the upstream FreeBSD 11 package mirror (pfSense 2.4 shares FreeBSD 11's base libraries, which is why those packages run). Be aware that the "latest" directory on pkg.freebsd.org only keeps the current build of each package, so the version numbers in the URLs below will go stale and need updating.

Using your favourite SSH client, connect to pfSense

Select option 8 to load a shell.

Now that you have a shell it is time to install a few packages, and Tor.

  1. pkg install nano
  2. pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/zstd-1.3.3_1.txz
  3. pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tor-0.3.2.10.txz

Tor has now been installed, time to configure it.

Configuring TOR

First things first, scrap the default torrc config file (it is a single file, so no recursion is needed): rm -f /usr/local/etc/tor/torrc

Now create a new one with the following settings: nano /usr/local/etc/tor/torrc

# Tor answers DNS queries here (UDP only); use your pfSense LAN address.
# pfSense's own DNS Resolver must be disabled or this port is already taken.
DNSPort 192.168.1.1:53
# .onion/.exit names resolved via DNSPort get a fake address from this range;
# a later TCP connection to that address through TransPort is mapped back.
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
RunAsDaemon 1
# Transparent proxy listener; binds 127.0.0.1 by default, so the NAT rules
# below redirect to 127.0.0.1:9040.
TransPort 9040
# Never build circuits through these countries, and never exit from them.
ExcludeNodes {RU}, {BY}, {KG}, {KZ}, {UZ}, {TJ}, {TM}, {TR}, {AZ}, {AM}
ExcludeExitNodes {RU}, {BY}, {KG}, {KZ}, {UZ}, {TJ}, {TM}, {TR}, {AZ}, {AM}
HeartbeatPeriod 1 hours
# Client only; never relay exit traffic for others.
ExitRelay 0

Now you need to get Tor to load on startup. There are many ways this can be done, but there isn't a need for a complex rc script: pfSense runs every *.sh file in /usr/local/etc/rc.d/ at boot, so a one-line script is enough. One caveat: this starts Tor as root. The FreeBSD port's own rc script drops to the unprivileged _tor user that the package creates; if you want that here, add User _tor to the torrc and make sure Tor's data directory is owned by that user.

# pfSense runs every *.sh in this directory at boot
cat > /usr/local/etc/rc.d/tor.sh <<'EOF'
#!/bin/sh
# Start Tor with the torrc above; RunAsDaemon 1 makes it detach
/usr/local/bin/tor -f /usr/local/etc/tor/torrc
EOF
chmod +x /usr/local/etc/rc.d/tor.sh

Reboot pfSense. You should see an extra log line during the boot process, the Starting /usr/local/etc/rc.d/tor.sh...done. line.

Configuring pfSense for TOR

So now Tor is running on pfSense and listening for transparent proxy connections on 127.0.0.1:9040. Next, pfSense needs NAT rules that send the LAN traffic we want anonymised to that port.

Log back into the pfSense WebUI and navigate to Firewall -> NAT. The Port Forward page will load.

Now, unfortunately, you can't redirect every port in one rule: a port range in a pfSense port forward is redirected to a range of the same size starting at the target port, not collapsed onto a single port, so you will have to add individual ports (or small ranges) one rule at a time.

For the sake of simplicity let's just add a single rule for HTTP to understand the process of how it is done.

Click the first Add button and pfSense will open the Edit Redirect Entry page

First things first, the rule we want to make applies to LAN not WAN, so change the interface to LAN.
As far as I know, Tor does not route UDP traffic, so leave the protocol as TCP.
Make sure the Source is Any, which you can do by clicking the Display Advanced button.
The destination should NOT be the LAN Net, so check Invert match and change Type to LAN Net.
Now we need to define the port to map, and as we (should?) know, HTTP runs through port 80. So either leave From port and To port as Other and enter 80 in the Custom fields for both, or select HTTP from the combobox.
We are going to be redirecting that traffic to localhost:9040, which is the transparent proxy port we set in torrc. Redirect target IP should be 127.0.0.1 and Redirect target port should be Other and enter 9040 into Custom.
Set a description and hit Save.

You will see the rule you added as well as a notification from pfSense about the changes.

Hit Apply Changes to... well... apply the changes. It will take several seconds for that process to complete.

Since we have a "base" rule we can now just duplicate and edit it by using the copy button under Actions.

Hit that button and add a new rule for HTTPS


Something else that is needed is to disable pfSense's own DNS Resolver (Unbound). It listens on port 53 of every interface, including the LAN address that Tor's DNSPort needs, and we want Tor to be the resolver. Tor exits at startup if it cannot bind that listener, so restart Tor (or simply reboot pfSense) once the resolver is off.

Navigate to Services -> DNS Resolver and untick the option for Enable DNS resolver. Click the Apply Changes button when it pops up.

Now a firewall rule needs to be created to pass DNS requests to Tor.

Navigate to Firewall -> Rules. Select the LAN tab and add a new rule to the top of the list.

The Edit Firewall Rule page will open. Change Address Family to be IPv4, if it isn't already. Change the Protocol to TCP/UDP. Set Source to LAN Net. Change Destination to Single host or alias and enter the LAN IP, then change the Destination Port Range to be DNS (53). Strictly speaking only UDP matters here, since Tor's DNSPort answers UDP queries only; TCP/53 is passed by the rule but nothing answers it.

Apply changes in the firewall and that is that.

Connecting a VM to pfSenseTOR

In VirtualBox, go to the settings of the virtual machine that you want to torrify. Under Adapter 1 settings in Network change Attached to: to Internal Network and select what you named your Adapter 2 for pfSense earlier.

Hit Ok and that is it. The VM will now connect to pfSense, whose DHCP server (enabled on LAN by default) will allocate the VM an IP and hand it the pfSense LAN address as its resolver. All HTTP and HTTPS traffic will be passed through the Tor network. To connect to the normal network edit Adapter 1 and change it back to Bridged or NAT, etc.

Just keep in mind that only traffic matching a NAT rule goes through Tor. Anything else from the LAN (other TCP ports, all UDP, ICMP) is still passed by pfSense's default allow-all LAN rule and leaves via the WAN without Tor, so add NAT rules for whatever traffic you need torrified and, ideally, a LAN block rule for the rest.
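As an added example (not part of the original post), here is a small check you can run inside a torrified VM to confirm the two things this setup promises: that TCP on 443 reaches the internet through a Tor exit, and that DNS is answered by Tor's DNSPort rather than leaking to a normal resolver. The DNS check relies on the AutomapHostsOnResolve behaviour configured above: asking the gateway to resolve a .onion name should come back with a fake address from VirtualAddrNetworkIPv4 (10.192.0.0/10), which no ordinary resolver would ever return. It assumes the VM received the pfSense LAN address as its resolver from DHCP; https://check.torproject.org/api/ip is a real Tor Project endpoint, while the .onion name and the sample responses are constructed.

```python
"""Post-setup check for a VM behind the pfSense + Tor gateway.

Added example; assumes the torrc above (VirtualAddrNetworkIPv4
10.192.0.0/10, AutomapHostsOnResolve 1, DNSPort on the pfSense LAN
address) and that this VM's resolver is that LAN address via DHCP.
"""
import ipaddress
import json
import socket
import urllib.request
from typing import Tuple

# Must match VirtualAddrNetworkIPv4 in the torrc.
VIRTUAL_ADDR_NET = ipaddress.ip_network("10.192.0.0/10")

# Real Tor Project service: answers {"IsTor": bool, "IP": "<address seen>"}.
CHECK_URL = "https://check.torproject.org/api/ip"

# Constructed name in v2 onion format; with AutomapHostsOnResolve the
# gateway never looks it up, it just hands back a virtual address.
PROBE_ONION = "abcdefghijklmnop.onion"


def is_automapped(addr: str) -> bool:
    """True if addr is a fake address out of VirtualAddrNetworkIPv4.

    Only Tor's DNSPort produces these, so an answer in this range proves
    the query reached Tor and not some other resolver.
    """
    try:
        return ipaddress.ip_address(addr) in VIRTUAL_ADDR_NET
    except ValueError:
        return False


def parse_check_response(body: str) -> Tuple[bool, str]:
    """Parse check.torproject.org's JSON; malformed input counts as not-Tor."""
    try:
        data = json.loads(body)
        return bool(data["IsTor"]), str(data.get("IP", ""))
    except (ValueError, KeyError, TypeError):
        return False, ""


def tcp_via_tor(timeout: float = 30.0) -> Tuple[bool, str]:
    """HTTPS on 443 is NAT'd to TransPort, so the IP seen should be a Tor exit."""
    with urllib.request.urlopen(CHECK_URL, timeout=timeout) as resp:
        return parse_check_response(resp.read().decode("utf-8"))


def dns_via_tor(name: str = PROBE_ONION) -> Tuple[bool, str]:
    """Resolve a .onion through the VM's resolver and classify the answer."""
    try:
        addr = socket.gethostbyname(name)
    except socket.gaierror:
        # A normal resolver (i.e. a DNS leak past Tor) fails on .onion names.
        return False, ""
    return is_automapped(addr), addr


def report() -> bool:
    """Run both live checks; True only if TCP and DNS both go through Tor."""
    ok_tcp, seen_ip = tcp_via_tor()
    ok_dns, onion_addr = dns_via_tor()
    print(f"TCP 443 via Tor : {ok_tcp} (address seen by check.torproject.org: {seen_ip})")
    print(f"DNS via Tor     : {ok_dns} ({PROBE_ONION} -> {onion_addr or 'no answer'})")
    # Not checked here: other TCP ports, UDP and ICMP. They have no NAT rule
    # in this setup and leave via the WAN untouched.
    return ok_tcp and ok_dns


if __name__ == "__main__":
    raise SystemExit(0 if report() else 1)
```

Run it with python3 inside the guest; the exit code is 0 only when both checks pass. If the guest runs a local stub resolver that refuses .onion names outright, point a manual query (nslookup or dig) at the pfSense LAN address instead and look for a 10.192.0.0/10 answer.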

Footnote

Remember this is just a pretty rough tor setup that isn't very secure. Wait for my more comprehensive guide for a much more secure setup.

Changelog

2018/04/04
- Initial Publication

2018/04/04
- Fixed an incomplete thought in "Configuring TOR"