setup-tor-vm.py
#!/usr/bin/env python
##
## this will set up a VDE switch which has a tap interface (tap_tor)
## which is also set up by this script. iptables REDIRECT rules push the
## tap's TCP connections and port-53 UDP into a private tor instance;
## anything else the guest emits (other UDP, ICMP) has to be dropped, not
## routed, so make sure the host does not forward it out directly. you
## need to run this as root (tap creation, ifconfig, iptables). when the
## VM shuts down, the processes started here are killed as well.
##
## WARNING: all nat iptables rules are deleted by this script!
## (see near the bottom)
##
## your vm image is going to need something like this in
## /etc/network/interfaces (presuming it's debian and has an eth0
## network device):
##
## iface eth0 inet static
## address 10.0.0.5
## netmask 255.255.255.0
## gateway 10.0.0.210
##
import subprocess
import os
import time
import sys
## "config" such as it is
uplink_ip = "10.0.0.210"
tap_name = 'tap_tor'
tor_rc = '/tmp/torrc'
switch_name = '/tmp/vde_switch_tor'
vm_image = '/home/mike/src/vmbuilder/lemuria-debian-lenny-kvm/disk0.qcow2'
##
## VDE switch
##
vdeswitch = subprocess.Popen(['vde_switch', '-s', switch_name, '-tap', tap_name])
print "Started vde_switch at PID",vdeswitch.pid,"with control socket",switch_name
time.sleep(1)
##
## TAP interface
##
print "Bringing up",tap_name,"on",uplink_ip
if os.system("ifconfig %s %s up" % (tap_name,uplink_ip)):
vdeswitch.kill()
print "error, killed vde_switch"
sys.exit(-1)
##
## separate TOR instance for our traffic
##
open(tor_rc,'w').write("""
## tor seems to always want to start a SOCKS listener; 9050 is the default port
SocksPort 9055
SocksListenAddress 10.0.0.210
## don't need this, but good for getting info while it's running
## (default is 9051)
ControlPort 9056
HashedControlPassword 16:F224C256D983050B606E28C6C416BF879A3DE3E51CEC687C9DFDE6C94C
# possibly not needed for this example but this allows
# .onion and .exit routes to "just work"
AutomapHostsOnResolve 1
# this is where we'll send TCP traffic for proxying
TransPort 9040
TransListenAddress 10.0.0.210
# just DNS requests will be sent here
DNSPort 9053
DNSListenAddress 10.0.0.210
## flesh out a few more options for a full config
Log notice stderr
RunAsDaemon 0
DataDirectory /home/mike/src/virtual-machines/tor
""")
## may need to change the owner if you're not on debian
os.system('mkdir /home/mike/src/virtual-machines/tor')
os.system('chown debian-tor /home/mike/src/virtual-machines/tor')
tor = subprocess.Popen(['tor', '-f', tor_rc, '--quiet'])
print "Started tor at PID",tor.pid,"with",tor_rc,"for config"
##
## use iptables to forward all TAP traffic to Tor
##
for x in ['iptables -t nat -F',
'iptables -t nat -A PREROUTING -i %s -p udp --dport 53 -j REDIRECT --to-ports 9053' % tap_name,
'iptables -t nat -A PREROUTING -i %s -p tcp --syn -j REDIRECT --to-ports 9040' % tap_name]:
print x
os.system(x)
##
## now just start the VM
##
vm = subprocess.Popen(['kvm',
'-vga',
'std',
'-net', 'nic,macaddr=12:34:56:aa:bb:cc',
'-net', 'vde,sock=%s'%switch_name,
'-m', '128',
'-smp', '1',
'-drive', 'file=%s'%vm_image])
vm.wait()
print "VM exited..."
print "killing tor"
tor.kill()
print "killing vde switch"
vdeswitch.kill()
harkleycod commented Jun 26, 2017

Does it work with ipv6 (using ip6tables)?
