Hackernoon logoSecurely Tor All The Things On Linux by@amiroffme

Securely Tor All The Things On Linux

Amir Off Hacker Noon profile picture

Amir Off

Front-End Developer with Back-End and DevOps tendencies.

Transparently route all packets through Tor on a GNU/Linux machine.

There is a great tool called Tortilla released by the cybersecurity company CrowdStrike. What Tortilla does is it enables creating a secure tunnel between a virtual machine (VM) and the Internet by routing all the packets through the Tor network. The way it works essentially is by bridging the VM’s virtual network card to Tortilla’s network adapter that acts on DHCP, ARP, DNS and TCP packets, and drops everything else. This way no packets from the VM ever touch the host system’s actual network driver. Unfortunately Tortilla was built only for Windows. Luckily, there’s a way to use Tortilla on a GNU/Linux machine.

On Windows, Tortilla requires creating a VM as a guest operating system and bridging it’s network with the Tortilla network adapter:

On Linux, the procedure is very similar with two major differences:
1. It requires nesting another VM inside the sub-host VM.
2. The sub-host VM should be connected to the host system via NAT mode.

The sub-host VM is connected to the host system via NAT networking mode and the network adapter of the guest VM is bridged with the Tortilla adapter on the host system which routes all it’s traffic through the Tor network out to the Internet.

Be aware that all the work should only be done in the guest VM so that malicious code can’t circumvent the Tor tunnel to the Internet and can’t discover identifying information on the host system. The operating system for the guest VM can be cherry-picked, anything will work as long as the sub-host VM is running Windows because of Tortilla.

Networking Modes:

Network address translation (NAT) networking mode is the best choice because the host system (Linux) will act as a gateway to the network for the guest VM, nobody on the network (apart from the host system) will be able to see it since it’s sitting in a separate network.
Bridged networking mode on the other hand will share the host system’s network connection with the guest VM, it will be sitting as if it were another computer on the network, everyone on the network will see it and be able to interact with it. That’s a big security failure and better be avoided.

It should now be obvious to think that using Tortilla on Linux along with NAT and creating another nested VM adds another reasonable layers of security to the whole thing. That’s a big advantage for Linux users.

The Tutorial


In the following tutorial will be using Ubuntu 14.04 (64 bit), VirtualBox and Windows XP (32bit). Other hypervisor such as VMware or QEMU, and any other Linux distributions should be compatible with this method as longs as they follow the same configurations that are set in this tutorial.
This tutorial also assumes you used Tortilla before and know how to install it, if that’s not the case follow this SlideShare presentation to get started.

Creating the Sub-host virtual machine:

Step 1: creating a virtual machine that will act as the “sub-host”. This is where the Tortilla network adapter is installed.

OPSEC 1: storing the virtual machine in an encrypted drive partition is a very good idea. And always use different pass phrases for encryption!
OPSEC 2: disabling the Snapshots, Shared clipboard and Drag’n’Drop options helps to prevent unwanted data leaks.
Settings > General > Advanced

Step 2: Assigning at least 1GB of RAM to the virtual machine (~43% of the amount given, in this case 448MB will be made available to the guest VM later):

Settings > System > Motherboard

Step 3: Making 2 CPU cores available to the virtual machine (You should not, however, configure virtual machines to use more CPU cores than you have available physically). Toggle the option “Enable PAE/NX (Only if the VM has to access more than 4GB of RAM).

Settings > System > Processor

Step 4: Enabling hardware virtualization. If your host system’s CPU supports the nested paging (AMD-V) or EPT (Intel VT-x), then you can expect a significant performance increase by also enabling nested paging.

Settings > System > Acceleration

Step 5: Making sure the virtual machine is connected to network using NAT mode. (this option will give you Internet access if your host system has Internet access).

Settings > Network > Adapter

Creating the guest virtual machine:

Step 1: Installing the guest virtual machine inside the sub-host VM (and violating the laws of physics in the process).

OPSEC 3: make sure to disable the Snapshots, Shared clipboard and Drag’n’Drop options on the guest virtual machine as well.

Step 2: Setting up the guest virtual machine and assigning 448MB RAM to it’s base memory. (It’s not possible to set half the amount of RAM that we assigned to the sub-host VM since more of it will be used by the sub-host VM).
The best boundary value in this case is: 448MB.

Settings > System > Motherbord

1 CPU core for the sub-host VM, another one left for the guest VM:

Step 3: Enabling the network adapter and using bridged networking mode to attach it with the Tortilla Adapter that’s installed in the sub-host VM.

Settings > Network > Adapter
OPSEC 4: The NAT networking mode will be enabled by default on the Adapter 1. Make sure to disable it before starting the guest virtual machine to avoid getting it connected to the host and sub-host network and sharing it’s real IP address!

The End

Take a look at how even DNS queries from the operating system’s clock in the virtual machine are routed through the Tor network:

OPSEC 5: Another good security method is to connect to Tor over a VPN on the guest virtual machine. If you choose to use TOR over a VPN, the benefits are that you would be again, hiding from your ISP the fact that you are using TOR. Also, your VPN would only be able to see that you are connecting to TOR nodes and that you are sending encrypted data. The VPN would not be able to see what data you are sending over TOR unless they decrypted it, because remember, all information relayed over TOR is encrypted. — Deep Dot Web / Privacy PC


You may have heard this before and you will hear this again: “Nothing is ever fully secure — nothing is immune to hacking and penetration”. Maintaining good OPSEC is practiced by minimizing the possibilities of being traceable and hackable. Always try to find security flaws in your system and fix them.

I hope you enjoyed reading,
Please follow and share for me tech stuff 🤖💖


Join Hacker Noon

Create your free account to unlock your custom reading experience.