Tails is a Debian-based live distribution with a very specific custom configuration. It does not ship the VPN packages, so a VPN connection cannot be configured out of the box, but it is still doable in more than one way. The first method uses the standard Tails bootable USB stick with persistent storage configured.
The second way is modifying the read-only distribution image (the squashfs) on the USB storage device itself.
Here is the general idea of how to configure a VPN (cryptostorm specifically) on Tails. This is not a step-by-step howto and requires some knowledge of Linux, especially for the firewall configuration.
If needed, I could write a step-by-step how-to later on.
1) Configure persistent storage as described in the Tails documentation
2) Install the required packages as described in the Tails doc -> advanced topics -> additional software (http://tails.boum.org/doc/advanced_topi ... ex.en.html). The packages are network-manager-pptp, network-manager-pptp-gnome, network-manager-openvpn and openvpn; the two pptp packages only matter for a PPTP connection, the cryptostorm configuration is OpenVPN, and the Network Manager GUI plugin for editing an OpenVPN connection is network-manager-openvpn-gnome. (Hint: apt-get update; apt-get install network-manager-pptp network-manager-pptp-gnome network-manager-openvpn openvpn.)
Note down the dependencies apt pulls in as well, because they have to be listed too.
3) Add the package list (including the dependencies) to the /live/persistence/TailsData_unlocked/live-additional-software.conf file (one package per line)
4) In the Network Manager configuration dialog, the VPN tab should allow you to create a new VPN connection: import the appropriate cryptostorm config file, fill in the user name hash and save the configuration.
5) In a terminal window watch the iptables log messages for dropped packets (tail -f /var/log/syslog | grep -i drop) and from Network Manager start your new VPN connection, which will fail because of the Tails firewall rules.
As far as I remember, the first packets I had to allow were DNS and openvpn related on the loopback interface, followed by UDP traffic (inbound and outbound) to port 443 of the cryptostorm nodes.
6) Based on the dropped packets, configure iptables to allow packets to and from the servers used by your VPN configuration. An example of iptables rules can be found here: https://github.com/cryptostorm/cryptoha ... ctives.txt
and here: https://github.com/cryptostorm/cryptoha ... tostorm.sh
Based on the existing Tails rules and the ones on github, you should be able to script something that allows the VPN connection to start.
Once the firewall is configured, the VPN connection should start without any problems.
7) Add iptables rules to block all traffic to/from the outside world except the traffic to/from the cryptostorm nodes.
8) Restart tor (vidalia) and check the network setup with tcpdump on the clearnet interface or another packet inspection tool.
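Steps 5 to 7 above, as an added example that is not from the original post or from the cryptostorm github scripts it links to: a small POSIX shell script that prints the iptables rules rather than applying them, so they can be reviewed before being piped into a root shell. The interface name, the VPN_WAN chain name and the node addresses (TEST-NET-3 placeholders) are assumptions; the real node IPs come from the "remote" lines of the cryptostorm configuration.

```shell
#!/bin/sh
# Added example, not code from the original post or from cryptostorm's github:
# print the iptables rules that let OpenVPN on Tails reach the VPN nodes over
# UDP 443 on the clearnet interface and drop everything else that tries to
# leave that interface. Review the output, then pipe it into a root shell.
# The node addresses are placeholders from TEST-NET-3 (RFC 5737), not real
# cryptostorm nodes; take the real ones from the "remote" lines of the
# cryptostorm .ovpn file and use IPs, not hostnames, so no DNS lookup is
# needed before the tunnel is up.
#
#   sh vpn-rules.sh            # review
#   sh vpn-rules.sh | sh       # apply as root, before starting the VPN

set -u

# vpn_rules WAN_IF NODE_IP [NODE_IP ...]
# Prints one iptables command per line. The hooks are inserted ahead of the
# Tails rules, so the clearnet interface is governed only by the VPN_WAN chain;
# packets leaving through the tunnel interface fall through to the existing
# Tails rules, which filter by user (debian-tor) rather than by interface.
vpn_rules() {
    wan="$1"; shift

    # Dedicated chain for the clearnet interface; reuse it if it already exists.
    echo "iptables -N VPN_WAN 2>/dev/null || iptables -F VPN_WAN"

    # OpenVPN to each node on UDP 443, plus DHCP renewals for the clearnet lease.
    for node in "$@"; do
        echo "iptables -A VPN_WAN -d $node -p udp --dport 443 -j ACCEPT"
    done
    echo "iptables -A VPN_WAN -p udp --sport 68 --dport 67 -j ACCEPT"

    # Anything else leaving the clearnet interface is logged (this is what
    # 'grep -i drop' on syslog shows while debugging) and then dropped.
    echo "iptables -A VPN_WAN -j LOG --log-prefix 'VPN_WAN DROP: ' --log-level 4"
    echo "iptables -A VPN_WAN -j DROP"

    # Hook the chain in front of the Tails rules; lo goes in above it so
    # openvpn can reach the local resolver and NetworkManager over loopback.
    echo "iptables -I OUTPUT 1 -o $wan -j VPN_WAN"
    echo "iptables -I OUTPUT 1 -o lo -j ACCEPT"
    echo "iptables -I INPUT 1 -i lo -j ACCEPT"
    # Replies from the nodes (and the DHCP server) come back on the clearnet
    # interface as part of an established flow.
    echo "iptables -I INPUT 1 -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Placeholder node addresses (TEST-NET-3); replace with the real node IPs.
NODES="203.0.113.10 203.0.113.11"
# $NODES is unquoted on purpose: one argument per node.
vpn_rules "${VPN_WAN_IF:-eth0}" $NODES
```

Run it without arguments first and read the rules; only the ACCEPT lines name the nodes, everything else on the clearnet interface ends in the LOG and DROP pair, so a missing or mistyped node address shows up as a logged drop exactly like in step 5.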
The second method is a lot sexier and can automate the entire VPN connection process but it involves modifying the squashfs image:
1) Copy the squashfs file from the USB device to a temporary location with enough free space.
2) Install squashfs-tools and extract the image with unsquashfs.
3) mount --bind /proc, /sys and /dev onto <extraction_dir>/proc, <extraction_dir>/sys and <extraction_dir>/dev.
4) chroot into the directory containing the extracted squashfs.
5) Install the same VPN packages as in the first method (network-manager-pptp, network-manager-pptp-gnome, network-manager-openvpn, openvpn).
6) Modify the Network Manager dispatcher scripts in /etc/NetworkManager/dispatcher.d/.
Network Manager runs these scripts in filename order after it brings up a network connection. As far as I remember, the first one is the firewall, followed by tor, and the last is the persistent software package updater. You will have to modify the firewall script and ensure that your VPN connection starts before tor. I would refer to the sample scripts on the cryptostorm github.
To start a pre-configured VPN connection from the command line, use nmcli in the dispatcher script, but before that you need to modify the connection's keyfile (saved by Network Manager under /etc/NetworkManager/system-connections/) as follows:
- in the [vpn] section, set password-flags=0 (0 means the secret is stored in the keyfile itself instead of being requested from a secret agent)
- add a new [vpn-secrets] section containing the entry password=<whatever>
Without these modifications, the root user won't be able to start the VPN connection non-interactively, because there is no secret agent running to supply the password.
7) Once happy with the modifications, leave the chroot, unmount proc, sys and dev, and recreate the squashfs image file with mksquashfs.
8) Make a backup of the original squashfs file on the USB device and replace the original with the newly created one.
9) Reboot. If done correctly, once you pass the startup dialog, Network Manager will get an IP for your machine and run the scripts you created/modified. Ideally you'll see the clearnet connection coming up, followed by the VPN and then tor.
10) Use tcpdump on the clearnet interface to confirm that nothing leaves except the connections to the VPN servers.
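The keyfile edits from step 6 of this method (password-flags=0 plus a [vpn-secrets] section) and the nmcli call from a dispatcher script, as an added example that is not from the original post or from the cryptostorm github: one POSIX shell script that rewrites a keyfile and prints the dispatcher script. The keyfile it operates on is constructed for the demo; the connection id "cryptostorm", the interface name, the password and the placeholder username hash are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from cryptostorm's github:
# make a saved NetworkManager VPN connection startable by root without a
# secret agent (password-flags=0 plus a [vpn-secrets] section), and print the
# dispatcher script that starts it with nmcli once the clearnet interface is
# up. The keyfile below is constructed for the demo; the connection id
# "cryptostorm", the interface name and the password are placeholders.

set -u

# Write a constructed keyfile in the shape NetworkManager saves for an
# OpenVPN connection (normally under /etc/NetworkManager/system-connections/).
# password-flags=1 is what the GUI leaves behind: "ask the user's secret
# agent", which does not exist for root inside a dispatcher script.
sample_keyfile() {
    cat > "$1" <<'EOF'
[connection]
id=cryptostorm
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password
remote=203.0.113.10
port=443
proto-udp=yes
username=0123456789abcdef-placeholder-token-hash
password-flags=1

[ipv4]
method=auto
EOF
}

# store_vpn_secret KEYFILE PASSWORD
# Set password-flags=0 inside [vpn] (secret stored in the file itself) and
# append [vpn-secrets] with the password. Refuses to touch a file that already
# has a [vpn-secrets] section so the secret is never duplicated.
store_vpn_secret() {
    file="$1"; pass="$2"
    if grep -q '^\[vpn-secrets\]' "$file"; then
        echo "$file already has a [vpn-secrets] section" >&2
        return 1
    fi
    awk -v pass="$pass" '
        /^\[/ {                       # section header
            if (invpn && !flagged) { print "password-flags=0"; flagged = 1 }
            invpn = ($0 == "[vpn]")
        }
        invpn && /^password-flags=/ { print "password-flags=0"; flagged = 1; next }
        { print }
        END {
            if (invpn && !flagged) print "password-flags=0"
            print ""; print "[vpn-secrets]"; print "password=" pass
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    # The file now holds a secret: keep it root-only, which is also what
    # NetworkManager expects for its keyfiles.
    chmod 600 "$file"
}

# dispatcher_script WAN_IF CONNECTION_ID
# Print a dispatcher script for /etc/NetworkManager/dispatcher.d/. NM runs each
# script as <script> <interface> <action>; this one reacts only to "up" on the
# clearnet interface and brings the VPN up. Give it a name that sorts after the
# firewall script and before the tor one, since the scripts run in name order.
dispatcher_script() {
    wan="$1"; conn="$2"
    cat <<EOF
#!/bin/sh
# \$1 = interface, \$2 = action (up, down, vpn-up, vpn-down, ...)
[ "\$1" = "$wan" ] && [ "\$2" = "up" ] || exit 0
exec nmcli con up id "$conn"
EOF
}

# Demo on the constructed keyfile (nothing under /etc is touched).
demo=$(mktemp -d)
sample_keyfile "$demo/cryptostorm"
store_vpn_secret "$demo/cryptostorm" 'placeholder-password'
cat "$demo/cryptostorm"
dispatcher_script eth0 cryptostorm
rm -rf "$demo"
```

Inside the chroot the real keyfile is the one Network Manager saved in step 4 of the first method, so run store_vpn_secret against that path and write the printed dispatcher script to a file in dispatcher.d with the execute bit set; the nmcli line only succeeds once the firewall script that runs before it has opened UDP 443 to the nodes.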