How to make local_unbound resolve DNS through the Tor network, which is heavily encrypted.

By following these instructions it is possible to obtain an encrypted DNS connection for an internal local network or for a local computer running FreeBSD. The local_unbound package caches DNS answers on the local machine, so repeated lookups for the same names do not have to be sent out to the network again, which is another security feature.

What is needed:
A computer with the local_unbound package. It is installed by default, so it is not necessary to install it.
TOR package

First, we install the tor package
Code:
 pkg install tor

Because Tor's transparent proxy requires the packet filter to operate and, most importantly, checks its permissions on it, after installing the tor package it is necessary to allow the _tor group to use the packet filter (pf). Without this it will not work.
For this purpose, in the file /etc/devfs.conf

Paste at the end of the file
Code:
# Allow members of group _tor to use the packet filter
own /dev/pf root:_tor
perm /dev/pf 0660

Now that we have Tor installed, we can prepare it to be enabled. For this purpose, in the file
/etc/rc.conf
add the following entry, but don't start the service yet.

Code:
...
tor_enable="YES"
...

With the permissions granted and the entry added to rc.conf, we can configure the Tor client to work as a transparent proxy. Since we are advanced users, we delete the file called torrc.
Code:
rm /usr/local/etc/tor/torrc

Paste the following configuration in its place.
I use ee so
Code:
ee /usr/local/etc/tor/torrc

and paste:
Code:
SOCKSPort 0
TransPort 9050
DNSPort 9053
UseEntryGuards 1
GuardLifetime 1

Save the changes with the esc key > leave editor > save changes.
The permissions should be the default, it is not necessary to impose them.

A short explanation of what each option does:
SOCKSPort 0 - disables the SOCKS port. The SOCKS port is used when we want to pair Tor with a browser. No packet filter permissions are required for it.

TransPort 9050 - transparent proxy; programs don't know they are using a proxy. To run this, permissions on the packet filter are needed.

DNSPort 9053 - DNS port.

UseEntryGuards 1 - If this option is set to 1, we pick a few long-term entry servers, and try to stick with them. This is desirable because constantly changing servers increases the odds that an adversary who owns some servers will observe a fraction of your paths.

GuardLifetime 1 - should change the first server that TOR connects to every day. I don't know if it works, I got it from somewhere, it's not in the manual.

GuardLifetime N days|weeks|months
If nonzero, and UseEntryGuards is set, minimum time to keep a guard before
picking a new one. If zero, we use the GuardLifetime parameter from the
consensus directory. No value here may be less than 2 months or greater

I'm gonna stop here for a second.
Tor allows two instances to be enabled by default, but it is possible to set up to ten. If someone needs it very badly, and I always need it very badly, it can be changed.
The scheme for running more than one instance is as follows:
In the file /etc/rc.conf add as many instance entries as needed, in the range from none to nine.
Code:
...
tor_enable="YES"
tor_instances="2"
...
tor_instances="9"
...

The first instance is the default and is numbered one. Therefore, subsequent instances are numbered from two.
Their configuration files are in the same directory as the main configuration file, with @2 @3 @4 ... @9 appended. Just remember to change the port numbers in each next instance. For example, /usr/local/etc/tor/torrc@2 on my system has the following entries.
Code:
SOCKSPort 0
TransPort 9150
DNSPort 9153
UseEntryGuards 1
GuardLifetime 1

For subsequent instances @3 @4 ... @9 the daemon's rc script must be edited. For this purpose, in the file
/usr/local/etc/rc.d/tor
we find the following
Code:
...
if [ -z "${instance}" -a -n "${tor_instances}" ]; then
  inst_only="$2"
  inst_done=0
...
and we change the
Code:
inst_only="$2"
to
Code:
inst_only="$9"

Now that Tor is configured to work as a transparent proxy, we proceed to configure local_unbound and pair it with Tor. In the file:

/var/unbound/unbound.conf

Paste the following entries and customize them.

Code:
server:
        interface: igb0
        access-control: 127.0.0.1 allow
        access-control: 10.1.1.0/24 allow

forward-zone:
        name: "Router"
        forward-addr: 127.0.0.1@9053
        forward-first: yes

remote-control:
        control-enable: yes
        control-use-cert: no
        control-interface: 127.0.0.1

server: - server configuration
interface: igb0 - access to the server from this interface. Another interface goes in a separate entry (I think).
access-control: 127.0.0.1 allow - permit access from the selected group of IP addresses.
access-control: 10.1.1.0/24 allow - permit access from the selected group of IP addresses.

forward-zone:
name: "Router" - name of the zone
forward-addr: 127.0.0.1@9053 - DNS server address and port (here Tor's DNSPort). Another address goes in a separate entry.
forward-first: yes - I don't know.
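
As an added consistency check (example code written for this post, not part of it or of unbound/Tor), the script below parses the torrc and unbound.conf shown above and reports anything that would let queries bypass Tor: a forward-addr that is not Tor's DNSPort, or forward-first: yes, which tells unbound to resolve directly on its own if the forwarder fails. The embedded configs are constructed copies of the ones in this post.

```python
import re

# Constructed copies of the torrc and unbound.conf from the post (not live files).
TORRC = "SOCKSPort 0\nTransPort 9050\nDNSPort 9053\nUseEntryGuards 1\nGuardLifetime 1\n"
UNBOUND_CONF = """\
server:
        interface: igb0
forward-zone:
        name: "Router"
        forward-addr: 127.0.0.1@9053
        forward-first: yes
"""

def tor_dns_port(torrc):
    """DNSPort from torrc as a string; '0' (disabled) if the line is absent."""
    m = re.search(r"^\s*DNSPort\s+(\S+)", torrc, re.M)
    return m.group(1) if m else "0"

def unbound_sections(text):
    """Split unbound.conf into (section, {key: [values]}) in file order.
    An unindented 'name:' line opens a section; indented 'key: value' lines fill it."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            sections.append((line[:-1], {}))
            continue
        key, _, val = line.strip().partition(":")
        sections[-1][1].setdefault(key.strip(), []).append(val.strip())
    return sections

def check_pairing(torrc, unbound_conf):
    """Return findings that would let queries bypass Tor; [] means the pairing is tight."""
    findings = []
    port = tor_dns_port(torrc)
    if port == "0":
        findings.append("torrc: DNSPort is disabled, unbound has nothing to forward to")
    for name, opts in unbound_sections(unbound_conf):
        if name != "forward-zone":
            continue
        for addr in opts.get("forward-addr", []):
            host, _, aport = addr.partition("@")
            if host != "127.0.0.1" or aport != port:
                findings.append(f"forward-addr {addr} is not Tor's DNSPort 127.0.0.1@{port}")
        # forward-first: yes makes unbound recurse directly (outside Tor) if the forwarder fails
        if "yes" in opts.get("forward-first", []):
            findings.append("forward-first: yes allows fallback to direct resolution outside Tor")
    return findings
```

Run check_pairing on the real files' contents to see whether the only remaining finding is the forward-first one; changing that line to forward-first: no keeps every query behind Tor's DNSPort.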
To start the unbound server on startup in /etc/rc.conf add an entry:
Code:
local_unbound_enable="YES"

But that's not all. Because a library the program needs at system startup is loaded later than unbound itself, unbound does not start.
Even though the entry is in /etc/rc.conf, it is therefore possible, and generally necessary, to start it from /etc/crontab. For this purpose a shell script file is needed. It can be made anywhere; I made it in the root directory.
So we make a new file
Code:
ee /root/local_unbound.sh

In this file, paste the following

Code:
#!/bin/sh
# /bin/sh is in the FreeBSD base system; bash is not installed by default
service local_unbound start

Privileges must be granted:
Code:
chmod +x /root/local_unbound.sh

Then add an entry at the end of the /etc/crontab file
Code:
@reboot root /bin/sh /root/local_unbound.sh

There are two ways to take advantage of what we have created. If someone wants to use it locally, on the computer they are working on, they add an entry to /etc/resolv.conf

Code:
nameserver 127.0.0.1
options edns0

But if someone wants to use it on the server, as I do, this should not be done, due to the Samba problems that it causes.
The second way is to redirect traffic from the LAN to local_unbound; to do this, leave some other DNS address in the file /etc/resolv.conf.
The best choice of DHCP server is the one named below. Install it and add the interfaces:

Code:
pkg install isc-dhcp44-server-4.4.2P1_1

/etc/rc.conf

Code:
dhcpd_enable="YES"
dhcpd_ifaces="igb0 wlan0"

Configure it and modify it according to our needs:
/usr/local/etc/dhcpd.conf

Code:
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 10.1.1.0 netmask 255.255.255.0 {
        option domain-name "router";
        option domain-name-servers 10.1.1.1;
        range 10.1.1.2 10.1.1.200;
        option routers 10.1.1.1;
}

subnet 10.1.2.0 netmask 255.255.255.0 {
        option domain-name "router";
        option domain-name-servers 10.1.2.1;
        range 10.1.2.2 10.1.2.200;
        option routers 10.1.2.1;
}

In which option domain-name-servers is the address at which the network gateway is located.

Set up NAT
/etc/pf.conf

Code:
ext_if="re0"
int_if="igb0"
wifi="wlan0"

set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

Important Tor ports: 9001 and 9030 tcp on the external interface.
The loopback is completely unlocked at my place, so I don't want to check it now, but there was something important there.

If anyone has any useful commands for checking what sites are stored in local_unbound please feel free to comment. If anyone knows how to set the storage time for saved pages, also please comment.

If everything is ok, this page should show us one DNS server address as the IP address we are using.



External links:
https://www.youtube.com/watch?v=1OkpvQsdm24
https://unixcop.com/how-to-install-dhcp-server-on-freebsd
https://wiki.archlinux.org/title/Unbound
Personal work.