A VPN tunneled through a VPN?
If you are suspicious of Tor, tired of the laggy connection, or simply want a more stable means to ensure your connection is encrypted and secure, you can easily create a VPN connection through a VPN connection which ensures anonymity and hard-core encryption of your network stream (with kill switches to protect your identity if the VPN connection is dropped).
Our desired result in this case is a secure and anonymous Kali Linux installation (Kali is a free Debian-based security penetration testing suite). In the end, we’ll use a paid VPN service (PIA, Private Internet Access) and a Kali Linux virtual machine running on Windows 8.1 along with kill switches and firewall configurations to ensure our connection cannot leak and our public IP address remains hidden.
Step 1 – install VPN software on Windows client
First, install the PIA (Private Internet Access) VPN software on your Windows machine. PIA is a very cheap, secure (they claim they keep no log files) VPN service which provides easy-to-install clients for various operating systems including Windows and Linux. After it was revealed that Hide My Ass turned over a hacker’s identity to the authorities, PIA became the go-to service for hackers everywhere.
In the PIA settings, make sure you have options to prohibit DNS and IPv6 leaks selected. Also, make sure the VPN Kill Switch is checked too.
The importance of VPN kill switches
As any hacker that’s gone after Russian or Chinese targets knows, their favorite form of defense is a strong DoS attack against the hacker. This is particularly true with Russian targets. Whether it’s a flaw in PIA’s service or, more likely, a purposeful design, these DoS attacks can easily knock down your VPN connection. If you do not configure your VPN to halt all Internet traffic when the VPN drops, your real IP address will be revealed once the VPN connection is broken. It’s imperative that your VPN client software is configured to stop Internet traffic if the VPN line goes down. This is easy to do with PIA’s Windows client (select VPN Kill Switch) and, as of the time of this writing, support for a kill switch on the Linux version will be arriving soon (it’s in beta).
Step 2 – check VPN connection on Windows client
Once the VPN is configured on your Windows client, fire up your web browser and hit https://www.privateinternetaccess.com/pages/hide-my-ip/ to make sure your connection is running through the VPN.
Step 3 – start Linux virtual machine and check connection
Next, start a virtual machine running your Kali Linux instance. Open a browser in the VM and hit https://www.privateinternetaccess.com/pages/hide-my-ip/ again. It should also show your network traffic going through the same VPN connection.
Step 4 – install VPN client on Linux virtual machine
Now install the PIA VPN software on your Linux client per PIA’s instructions (openvpn will be used for the VPN client). Configure the VPN to use a different node than the one you are using on your Windows client. If your client supports it, make sure the kill switch option is checked. If no kill switch option is available, don’t worry, we’ll add another fail-safe protection measure in the steps below.
Check VPN connection
Start up the VPN connection (openvpn “VPN_NODE.ovpn”) and check your IP address in the browser again. Your public IP address should show you are going through the VPN node you configured in your Linux client or chose in your “openvpn” command.
Change config to allow easy start of VPN
Note: It’s easy to get rid of the openvpn login prompt. PIA will supply an assortment of .ovpn files pointing to the many VPN nodes they have located around the world. First, create a login.conf file in the directory you saved the .ovpn files in. In the login.conf file, add your username on the first line followed by the password on the second line. Finally, modify the .ovpn files to pass the login.conf file in the auth-user-pass line.
Now you can start your VPN connection from a terminal window using the following command without being prompted for the PIA username and password.
openvpn "CA North York.ovpn"
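The login.conf step above as a script, added here as an example and not taken from PIA's instructions. Because the file holds the account password in plain text, it is created owner-only, and the password is read from standard input so it does not end up in the process list. The function name and the choice of a relative login.conf path (which works when openvpn is started from the same directory, as in the command above) are assumptions.

```shell
#!/bin/sh
# Added example: write login.conf with owner-only permissions and point every
# .ovpn profile in DIR at it.
# Usage: setup_pia_login DIR USERNAME   (password is read from stdin)
setup_pia_login() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    IFS= read -r pass || { echo "no password on stdin" >&2; return 1; }
    cred="$dir/login.conf"
    # Remove any older copy, then create the file under a restrictive umask so
    # it is never readable by group/other, not even briefly.
    rm -f "$cred"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$cred" ) || return 1
    chmod 600 "$cred"
    for f in "$dir"/*.ovpn; do
        [ -f "$f" ] || continue
        if grep -q '^auth-user-pass' "$f"; then
            # Replace the bare directive (which prompts) with the file form.
            sed 's|^auth-user-pass.*|auth-user-pass login.conf|' "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
        else
            printf 'auth-user-pass login.conf\n' >> "$f"
        fi
    done
}

# Returns 0 only if login.conf grants nothing to group or other.
login_conf_is_private() {
    [ "$(ls -l "$1/login.conf" | cut -c5-10)" = "------" ]
}
```

Run `login_conf_is_private` on the profile directory after copying it between machines or restoring from a backup, since either can reset the file mode.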
At this point, our network connection is moving through the Kali Linux VPN node and tunneled through the VPN node on our Windows host machine. If the VPN connection on Kali drops, the traffic will continue routing through the secure Windows VPN connection. If the Windows VPN connection then drops, the kill switch will halt all network traffic to and from your machine.
Note: many people like to start their VPN connection from the terminal window in the background. As much as I hate frivolous open terminal windows, I like to run the VPN connection in the foreground so I can monitor messages and easily kill, or change, the connection when needed. This is especially important in VM environments where connections in suspended virtual machines can be problematic when the virtual machine environment is resumed. Save yourself some headaches and just run the VPN connection in a terminal window in the foreground.
Step 5 – configure firewall on Linux virtual machine
On the Kali Linux VM, we’re going to take an extra step to ensure our connection is secure and stable by configuring the firewall to *only* allow connections through the VPN. This way, if the VPN connection is dropped, and for some reason the kill switch does not work, the firewall will halt all Internet traffic. Note that this inherently means that the firewall must be running for your VPN connection to be protected.
Install Firestarter, a firewall tool that uses Linux’s iptables/ipchains on the backend and makes it easy to manage and monitor the firewall interface.
apt-get install firestarter
Add VPN tunnel to iptables
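Change the permissions on the user-pre file so we can edit it. Owner-only write access is enough; Firestarter loads this file into the firewall script it runs as root, so it should never be writable by other users.
chmod 600 /etc/firestarter/user-pre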
Edit /etc/firestarter/user-pre and add these lines
# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT
Change the permissions on user-pre back to “read only”.
chmod 440 /etc/firestarter/user-pre
Start the firewall with this command:
Step 6 – restart your Linux VPN connection, start the firewall, and test
Finally, start the Firestarter interface (you might want to add a shortcut to one of your panels) and click the Stop button. In the terminal window that is running your Linux openvpn VPN connection, press Ctrl-C to kill the VPN. Restart the VPN connection (“openvpn YOUR_NODE.ovpn”) and then via Firestarter, click the “Start the Firewall” button to turn the firewall back on. Hit a page through your browser to make sure your Internet connection is working. Now kill the VPN connection in your terminal window and try to hit the page again to make sure your network connection has been blocked after the VPN connection was dropped.
With this configuration change, regardless of whether or not the VPN kill switch works in the Linux VM (or works fast enough to prohibit leaking of our public IP address), all Internet traffic must pass through the VPN while the firewall is running. If you want to run traffic outside of the VPN connection, simply kill the VPN connection and stop the firewall.
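The same fail-closed policy written out in plain iptables, as an added example that is not part of the original article and goes beyond the two Firestarter lines: ACCEPT rules for tun+ only protect you when everything else leaving the physical interface is dropped, and the only exception is the encrypted OpenVPN session itself. The function name and its four arguments (physical interface, VPN server IPv4 address, protocol, port) are assumptions you fill in from your own .ovpn file.

```shell
#!/bin/sh
# Added example: print a fail-closed ruleset in iptables-restore format.
# Load as root with, for instance (constructed values):
#   killswitch_rules eth0 203.0.113.10 udp 1198 | iptables-restore
# Use the server's IP address, not its hostname: DNS on the physical
# interface is blocked by this policy until the tunnel is up.
killswitch_rules() {
    ifc=$1
    srv=$2
    proto=$3
    port=$4
    # Validate every argument before it is placed into a firewall rule.
    printf '%s\n' "$ifc" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$' || return 1
    printf '%s\n' "$srv" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case $proto in udp|tcp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    cat <<EOF
*filter
# Default: drop everything, so a dropped tunnel means no traffic at all.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Same two rules as in /etc/firestarter/user-pre: traffic inside the tunnel.
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
# Only the OpenVPN session itself may use the physical interface.
-A OUTPUT -o $ifc -d $srv/32 -p $proto --dport $port -j ACCEPT
-A INPUT -i $ifc -s $srv/32 -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

iptables covers IPv4 only; IPv6 needs its own DROP policy through ip6tables, otherwise it remains a leak path.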
Optional – configure the Network Manager applet
Kali includes the Network Manager applet, the icon that appears in the top-right hand side of the toolbar. By default, this applet does not manage Kali’s network connections. This is easy to change, however, by editing the /etc/NetworkManager/NetworkManager.conf file and changing the “managed” option to “true”. Restart the VM and you will now be able to view and monitor active network connections by right-clicking the icon.