An exploration of ways to force all virtual machine traffic through Onion routing. Although these methods are FreeBSD and bhyve specific, they should translate easily to other VMs and OSes.
Method One: Only allow VM to see host SOCKS port
Advantages:
- no NAT required
- only needs a simple bind rule in place of complex firewall rules
- VM only aware of SOCKS port on host
- traffic can only leak if something breaks out of the VM
Disadvantages:
- must manually launch apps with torsocks or configure them for SOCKS
/etc/rc.conf:
kld_list="nmdm vmm"
# tap0 must exist before the bridge can add it as a member
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="inet 172.168.0.1 netmask 255.255.255.0 addm wlan0 addm tap0 up"
Run pkg install rinetd.
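/usr/local/etc/rinetd.conf:
# bindaddress bindport connectaddress connectport
# bind on the bridge address from rc.conf, forward to Tor's local SOCKS port
172.168.0.1 9050 127.0.0.1 9050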
Run:
pkg install grub2-bhyve
kldload vmm nmdm
service netif restart
service rinetd restart
bhyve -c 2 -m 4G -w -u -H \
-s 0,amd_hostbridge \
-s 3,virtio-blk,/dev/zvol/zroot/vm/openbsd.img \
-s 5,virtio-net,tap0 \
-s 29,fbuf,tcp=0.0.0.0:5900,w=800,h=600,vga=off,wait \
-s 30,xhci,tablet \
-s 31,lpc -l com1,stdio \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
openbsd-uefi
In the VM:
ifconfig vio0 172.168.0.2 netmask 255.255.255.0 up
curl --socks5-hostname 172.168.0.1:9050 https://check.torproject.org
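A leak check to run inside the VM after the curl test, as an added example that is not part of the original page: it confirms that the SOCKS port is the only thing the guest can reach directly. It assumes nc is available in the guest, that BRIDGE_ADDR is the bridge address from /etc/rc.conf, and that you pass your own external targets; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: leak check to run inside the guest (not from the original page).
# Assumptions: BRIDGE_ADDR is the bridge address from /etc/rc.conf, nc exists in
# the guest, and the external targets passed as arguments are chosen by you.
BRIDGE_ADDR=${BRIDGE_ADDR:-172.168.0.1}
SOCKS_PORT=${SOCKS_PORT:-9050}
# Host ports that must NOT answer: sshd, DNS, the bhyve VNC listener (bound to
# 0.0.0.0 in the bhyve command on this page), Tor's conventional control port.
CLOSED_PORTS=${CLOSED_PORTS:-"22 53 5900 9051"}

# probe ADDR PORT: succeeds if a direct TCP connection completes within 3 s.
probe() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# leak_check [ADDR:PORT ...]: prints one line per check and returns the
# number of failed checks (0 means the guest only sees the SOCKS port).
leak_check() {
    fails=0
    if probe "$BRIDGE_ADDR" "$SOCKS_PORT"; then
        echo "ok    SOCKS port $BRIDGE_ADDR:$SOCKS_PORT reachable"
    else
        echo "FAIL  SOCKS port $BRIDGE_ADDR:$SOCKS_PORT unreachable"
        fails=$((fails + 1))
    fi
    for port in $CLOSED_PORTS; do
        if probe "$BRIDGE_ADDR" "$port"; then
            echo "FAIL  host port $port reachable from guest"
            fails=$((fails + 1))
        else
            echo "ok    host port $port not reachable"
        fi
    done
    # Direct connections that bypass SOCKS must fail: the guest has no
    # default route and the host does no NAT for it.
    for target in "$@"; do
        if probe "${target%:*}" "${target##*:}"; then
            echo "FAIL  direct connection to $target succeeded (leak)"
            fails=$((fails + 1))
        else
            echo "ok    direct connection to $target blocked"
        fi
    done
    return "$fails"
}
# Usage inside the VM: leak_check 1.1.1.1:443 9.9.9.9:53
```

Any FAIL line for a host port means a service is listening on the bridge address as well as on localhost; binding it to 127.0.0.1 on the host removes it from the guest's view.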