Sunday, July 3, 2016

tun2socks over tor

We all know the situation: you receive a link from “PayPal” saying someone hacked your account and drew money out of it. Of course it’s a fraud (you knew that, right?). But you still want to take a look at the website. How harmful can it be?

Well, a lot! Visiting a malicious website can be very dangerous for your machine. Even if you visit the website from a VM (with a safe restore point to get back to), the attacker can still learn some details about you: for example, your IP address, the OS fingerprint (of the VM), and sometimes even more (browser dependent). Recently it has been discovered that even browsing through a VPN isn’t enough, and you’re still at risk of revealing your real IP address to a potential attacker!

So why not browse the website from a VM to keep the machine safe, and from the Tor browser inside the VM to avoid revealing your real IP address? Well, you could do that, and that’s what most people do. But what if you want to perform anonymous non-HTTP requests? Or what if the website offers you a malicious document to download? Obviously you want to research it, but would you download it? I hope not!

"Tor only protects your applications that are properly configured to send their Internet traffic through Tor."
Tor project

Opening such a binary file could run unknown code on your VM, and that code could send internet traffic without going through your proxy settings, meaning it won’t use Tor’s three nodes and will reveal your real IP address. In simple words, it could access the internet right through your regular network link and expose your router’s IP to the bad guys.

We don’t want that, right? Of course not. So what you can do is follow this guide to build a secured and anonymous virtual machine (guest) that runs on your real machine (host), where all the network traffic that comes out of the guest machine goes through 3 proxy servers (Tor nodes) around the world. So when you check the link from “PayPal” and download this malicious file, you’ll be secured, anonymous and safe.

To sum up, if you want a secured VM with no leaking network traffic, and you are afraid that normal Tor browsing isn’t enough by itself, you should read further.
We will set up a new virtual TAP device using OpenVPN, send all the traffic wrapped in SOCKS using tun2socks, and route it through Tor as the proxy channel.

# If you are using Windows as your host machine, read the lines marked ‘#’ carefully, you might need them. Search for the Windows Users tag.

How to read this post
1. If you are a beginner, start from #2 (What is Tor ?).
2. If you know some stuff but still want to understand every single step, start from #4 (What is it openVPN ?).
3. If you are a pro, go down to the TL;DR part at the end (No questions please).

Final result should be

1. Some stuff to download
First, we will need VirtualBox running with a Windows machine as the guest, and the Tor browser on the host machine of course.

- Tor
- Windows XP (VirtualBox image ready to use. Read here about it, or download other OS here)

2. Installing Tor (on host machine)
"Tor is free software for enabling anonymous communication. The name is an acronym derived from the original software project name The Onion Router."
In other words, with Tor you can browse anonymously online. No one will know your real IP address.

2.1 How Tor works
Quicky #1
Quicky #2

2.2 Installing Tor
It should be pretty easy to install Tor. Just double click on the installation and go with the default options.

3. Installing Windows (to act as guest machine)
Someone on WikiHow did a pretty good job and published this guide.
It's a quick do-it-yourself guide for installing a Windows .iso file through VirtualBox.

Next, go to VirtualBox's settings and make sure that your guest machine's network adapter is set to "Host-Only". This creates a local interface on your host machine and allows the guest machine to "talk" to and "see" only your host machine. It won't be able to access the internet, only communicate with your real computer. We are doing so because we want to redirect all the traffic through our host machine, without any network leaks to other places.

On the host, if you run ifconfig/ipconfig, you should see a new virtual interface named vnic (with VirtualBox it will be named vboxnet). I have two virtual machines, so one of them is vnic0, and the other is vnic1:

We will use this IP in our torrc configurations as our listening IP for SOCKS server. Using Virtual-box the IP on host is most likely to be by default.

You can read more about that in here.

4. Configuring Tor to be used as a SOCKS proxy
"Socket Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS5 additionally provides authentication so only authorized users may access a server."

This means that we will route all the network traffic from the guest machine through Tor that will be used as a SOCKS proxy on the host machine. In other words, all the traffic from the guest windows will be sent through Tor over the world. That's the best way to ensure no packet leaks at all.

Now we only need to configure Tor to act as a SOCKS proxy for us. All we need is to edit the "torrc" file, which holds all of Tor's configuration: for instance, which port Tor should listen on for SOCKS requests, which addresses it should ignore, special host-to-IP mappings, etc. You can review all the different options here.

Let's do this
- Search for the torrc file (<INSTALLATION_BASE_PATH>/TorBrowser/Data/Tor/torrc)
    - Mac: /Applications/
    - Windows: C:\Program files\TorBrowser\Data\Tor\torrc
    - Can sometimes be on the Desktop.
    - If you still didn't find it, this should be helpful.
- Duplicate torrc to torrc-socks
    - Backup is important
    - Otherwise the regular Tor browser won’t work
- Add 2 new lines to “torrc-socks" (Replace with the IP from #3):
    - SocksPort
    - DNSPort
    - Save and close file.

4.1 Notes
DNSPort - high port instead of 53
You could use DNS port 53 instead of 53530. We are using a high port instead of 53 (the well-known DNS port) because:
    - Some people will run this tutorial on Linux/Mac machines without administrator privileges. They won’t be able to listen on a low port such as 53.
    - Sometimes you’ll already have a DNS server running on your host, listening on port 53.
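
An added example, not part of the original post: a small Python 3 check for the two listener lines in torrc-socks. It flags a bare port (Tor then binds to localhost only, so the guest cannot reach it) and a wildcard bind (the proxy is exposed on every host interface). The name check_torrc, the sample addresses and the 192.168.56.0/24 network are assumptions; substitute your own host-only network.

```python
import ipaddress

# Constructed samples; 192.168.56.1 stands in for your host virtual NIC IP.
SAMPLE_GOOD = "SocksPort 192.168.56.1:9050\nDNSPort 192.168.56.1:53530\n"
SAMPLE_BAD = "SocksPort 9050  # bare port\nDNSPort 0.0.0.0:53530\n"

LISTENERS = ("socksport", "dnsport")


def check_torrc(text, host_only_net):
    """Return (option, value, problem) tuples for risky or unusable listeners."""
    net = ipaddress.ip_network(host_only_net)
    findings, seen = [], set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) < 2 or parts[0].lower() not in LISTENERS:
            continue
        option, value = parts[0], parts[1]
        seen.add(option.lower())
        addr, sep, _port = value.rpartition(":")
        if not sep:
            # "SocksPort 9050" binds to localhost on the host only.
            findings.append((option, value, "no address: guest cannot reach it"))
            continue
        try:
            ip = ipaddress.ip_address(addr.strip("[]"))
        except ValueError:
            findings.append((option, value, "address is not an IP literal"))
            continue
        if ip.is_unspecified:
            findings.append((option, value, "wildcard bind: exposed on all interfaces"))
        elif ip not in net:
            findings.append((option, value, "outside the host-only network"))
    for name in LISTENERS:
        if name not in seen:
            findings.append((name, "", "line is missing"))
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_torrc(sample, "192.168.56.0/24"))
```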

4.2 Let’s test everything so far
Run Tor with torrc-socks configuration file. You can do this with -f option and torrc-socks file path as a parameter.
Command-line examples:
  • Mac: /Applications/ -f /Applications/
  • Windows: "C:\Program files\TorBrowser\Tor\tor.exe" -f "C:\Program files\TorBrowser\Data\Tor\torrc-socks"

You should be seeing something like this output:
#Windows Users: If you don’t get any output when running “tor.exe” - don’t worry, it’s a known bug or here.

And if you check your network connections using netstat, you should see Tor listening on tcp-9050 and udp-53530:
Tip: use pipe with grep/findstr for easier lookup
    - Mac: netstat -natn | grep
    - Windows: netstat -ano | findstr
    - Linux: netstat -nlp | grep

5. Configure guest machine with tun2socks
"tun2socks is used to "socksify" TCP (IPv4 and IPv6) connections at the network layer. It implements a TUN virtual network interface which accepts all incoming TCP connections (regardless of destination IP), and forwards them through a SOCKS server."

In short, tun2socks wraps all TCP connections in the SOCKS protocol and sends the traffic through a proxy server. With that running, all of our network traffic from the VM will go right through the Tor SOCKS server, from there to 3 Tor nodes around the world, and finally to our destination.

5.1 Static IP
So first, let’s configure the guest LAN interface with a static IP. Set the IPv4 address to be one above your host virtual nic IP. In our case, it will be and subnet of The default gateway will be our host virtual nic IP, which is

Winkey + R -> ncpa.cpl -> Right click on LAN nic -> Properties -> Double click on Internet Protocol (TCP/IP):

You should be able to ping each other ( <- - - > If that doesn’t work you probably need to turn off your firewall on one of the sides (or both), or at least create new allowing rule for ping between those two machines (optional).

5.2 Installing OpenVPN
We will use OpenVPN to create a new TAP device (a new virtual interface inside our guest OS). Installing OpenVPN is pretty easy: just download the installation package and install with all the defaults. Next, run OpenVPN in the background and go to Network Adapters (Connections on some OSs). You’ll see a new interface named Tap-Win32 something; this is our new TAP nic.

- Now change its name from “Tap-Win32…” to "VPNTOR"
- Configure its details:
- IP:
- Netmask:
- Gateway:

Now we have a new TAP device that will be used to capture all of our SOCKS-wrapped traffic and send it via Tor as a proxy. So, where are we wrapping the traffic with SOCKS? Great question. We will use tun2socks for that.

5.3 Wrapping traffic with socks
Create new directory in drive C (in your guest machine) named “SOCKSTools” (c:\SOCKSTools), and inside extract tun2socks directory. Inside you’ll have “bin” directory, and inside a nice tool named “badvpn-tun2socks.exe”. This is the tool which wraps all the traffic with SOCKS.
The full command line for running this is:

"badvpn-tun2socks.exe --tundev tap0901:VPNTOR: --netif-ipaddr --netif-netmask --socks-server-addr"

- tundev is your Tap device
- netif-ipaddr/netmask  is your virtual router IP address and netmask
- socks-server-addr is your socks server address and port

#Windows Users: You may get a missing msvcrXXX.dll error. Here is what you should do.
#Windows Users: You may get “DeviceIoControl(TAP_IOCTL_GET_MTU) failed” when running the command above, If so, you’ll need to downgrade your windows Tap interface, download and install tap-windows-9.9.2_3.exe

After running this command line, you should be able to ping your virtual router at

If you are having any problems, try using
route print
command (and other route commands) to get it going. This is how it should look when it’s alright:

5.4 DNS forwarding (Optional: Only if your Tor’s DNS port is different than udp 53)
Since we changed the normal DNS UDP port on our host machine, we need to send all the DNS traffic to that port. The way we do it is:
1. Configure on the LAN device the DNS servers as I showed before (local IP address)
2. Download UDP proxy. I’m using “Simple UDP Proxy/pipe 0.4.1” or “sudppipe” from here
    2.1 Put it here C:\SOCKSTools\Proxies\udp_proxy.exe
3. Run it so it’ll listen locally on port 53 and send all that traffic (DNS) to the host virtual nic ( on the high port we chose (53530)
Command line:
-> C:\SOCKSTools\Proxies\udp_proxy.exe -x 53530 53
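
What this forwarding step does, as an added Python 3 illustration (not part of the original post and not sudppipe's code): a relay that accepts a DNS datagram on the guest's local port 53, sends it to the Tor DNSPort on the host, and hands the reply back. The names relay_once and serve and the address 192.168.56.1 are assumptions, and it assumes the guest resolver points at 127.0.0.1.

```python
import socket

# Constructed sample values: 192.168.56.1 stands in for the host virtual NIC IP.
LISTEN_ADDR = ("127.0.0.1", 53)      # guest-local DNS port
UPSTREAM = ("192.168.56.1", 53530)   # Tor DNSPort on the host


def relay_once(listen_sock, upstream, timeout=5.0):
    """Forward one datagram to upstream and return the reply to the sender.

    Returns (query_len, reply_len); reply_len is 0 if nothing valid came back.
    """
    query, client = listen_sock.recvfrom(4096)
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    out.settimeout(timeout)
    try:
        out.sendto(query, upstream)
        reply, source = out.recvfrom(4096)
        if source != upstream:
            return len(query), 0     # ignore datagrams from anyone else
        listen_sock.sendto(reply, client)
        return len(query), len(reply)
    except OSError:
        # Timeout or ICMP error: upstream is silent, the client will retry.
        return len(query), 0
    finally:
        out.close()


def serve(listen_addr=LISTEN_ADDR, upstream=UPSTREAM):
    """Relay forever; binding to 127.0.0.1 keeps the relay private to the guest."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen_addr)
    while True:
        relay_once(sock, upstream)


if __name__ == "__main__":
    serve()
```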

That’s it. You’re done! Run everything together, check your IP using a “what is my ip” service, and verify that you get some random IP.

5.5 Optional: What is my IP?
If you’re serious about it, you can install Python and run a little script that checks your external IP every few minutes.
I called the python script “” and placed it here: C:\SOCKSTools\Scripts\

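import urllib
import re
import time

# Placeholder: the IP-check service URL is missing from this page.
url = "http://IP_CHECK_SERVICE_URL/"

print " --- IP Check ----"
while 1:
    try:
        print "--> ",
        # Fetch the page and pull out anything that looks like an IPv4 address
        request = urllib.urlopen(url).read()
        theIP = re.findall(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", request)
        print "My External IP is: ", theIP
        print "-------------"
    except Exception, e:
        print "IP check failed:", e
    # Wait before the next check (interval is an assumption: "every few minutes")
    time.sleep(180)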

To run this I installed Python 2.7 and wrote this command line:
Python27.exe C:\SOCKSTools\Scripts\

6. Summary and Automation
So far, I assume all of your tools are placed like this:
    -> badvpn-1.999.128-win32
         -> bin
              -> badvpn-tun2socks.exe
    -> Proxies
         -> udp_proxy.exe
    -> Scripts

Obviously, we love automation. That’s why I wrote three little .bat files.
1. Secure_VM.bat: Run everything inside the VM

@echo off
echo  --- Secured VM ----
start cmd /k ("C:\SOCKSTools\Proxies\udp_proxy.exe" -x 53530 53)
start cmd /k ("C:\SOCKSTools\badvpn-1.999.128-win32\bin\badvpn-tun2socks.exe" --tundev tap0901:VPNTOR: --netif-ipaddr --netif-netmask --socks-server-addr
start cmd /k (c:\python27\python.exe "C:\SOCKSTools\Scripts\")
echo DONE


2. Kill_VM.bat: Kills and cleans everything (NOTE: it will terminate all cmd.exe processes)
@echo off
echo  --- kill all ----

taskkill /f /im python.exe
taskkill /f /im udp_proxy.exe
taskkill /f /im badvpn-tun2socks.exe
taskkill /f /im cmd.exe


3. Run_Tor.bat: Run it on your Host machine to run tor with our special torrc.
@echo off
echo  --- Running Tor ----
start cmd /k ("C:\SOCKSTools\TorBrowser\tor.exe" -f "C:\SOCKSTools\TorBrowser\torrc-socks")
echo DONE


You can place them where ever you want.
That’s it, you're done! Now you can start the whole process just by running Tor’s command line and double-clicking on "Start_VM.bat".

Torception: Try to install Tor inside the VM and browse with it. All its traffic is going through… another Tor!

TL;DR
We will set up a new TAP device using OpenVPN, send all the traffic wrapped in SOCKS using tun2socks, and route it through Tor as the proxy channel.

1) Download and install on host machine Tor and VirtualBox (+windows).
2) Duplicate “torrc" to "torrc-socks” and configure torrc-socks file with 2 new rows:
    - SocksPort LOCAL_VMNIC_HOST_IP:9050
3) Configure guest machine:
    - Make the guest machine network adapter host-only mode.
    - Configure LAN interface with static IP that is one above your host virtual nic IP Address. Set DNS servers to be this static IP and localhost.
    - Install inside the guest machine OpenVPN, tun2socks, python 2.7 (optional)
    - Name the new interface "TORNIC"
     - Configure “TORNIC” IPv4 with these properties:
     - IP:
         - GW IP:
    - Make sure to create this tree (you can collect the scripts and binaries from sections 1, 5.5, 6):
    -> badvpn-1.999.128-win32
         -> bin
              -> badvpn-tun2socks.exe
    -> Proxies
         -> udp_proxy.exe
    -> Scripts
    -> Batch
         -> Secure_VM.bat
         -> Kill_VM.bat
4) And you’re done!
On host run Tor’s proxy command line with torrc-socks as config file.
On Guest run secure_vm.bat for starting secured vm. kill_vm.bat will shut down everything when you’re done.

- Highly secured VM
- Free
- Has ProxyVM which is actually TorVM
- VPN service
- $$
- Can be used with your host/guest machine
- An operating system focused on anonymity, privacy and security.
- Free
- Awesome if you don’t have to use windows as a guest machine.

That’s it? Am I perfectly safe?
Not at all. Check for example this, this, this, this or even this.
This is just the tip of the iceberg, you can just imagine how much is still under the surface. I repeat again, it should be very clear, you can never be 100% protected, but you should always do the maximum towards that.

