
HOWTO: OS X VPN Leak Block


Topic Author
someonesomewhere

HOWTO: OS X VPN Leak Block

Postby someonesomewhere » Tue Dec 02, 2014 9:01 am

About

This is a simple guide to securing potential leaks on OS X. This is accomplished by using DNSCrypt and BSD PF (packet filtering). This is useful if you are not on your own network behind an OpenWRT or DD-WRT router. This guide requires OS X 10.7 or later. I have only tested it on OS X 10.10. Please read all of the source code for comments as some things are placeholders.

DNSCrypt

http://dnscrypt.org

DNSCrypt allows one to resolve hostnames by connecting to a DNS server using encryption. As long as the DNS server supports DNSCrypt, then your DNS queries should pass through your ISP as an encrypted message. DNSCrypt is an open source program hosted on GitHub, and it is developed by OpenDNS. Thankfully, one has the option to choose a DNS server (like one from OpenNIC) rather than using OpenDNS's servers (logging by default).

The following is a nice and simple guide to setting up DNSCrypt on OS X. Just substitute the DNS server of the author's choice with your own. If you don't want to use Homebrew, then by all means follow the instructions provided by DNSCrypt whilst consulting that guide too.

Guide
https://cosu.ro/blog/2014/03/24/dnscryp ... -resolver/

OpenNIC servers
http://wiki.opennicproject.org/Tier2

Tunnelblick

Make sure Tunnelblick is set up correctly and routing all traffic over the virtual interface. Tunnelblick > VPN Details… > Settings > Advanced… > While Connected > Route All Traffic Through the VPN

BSD PF

http://www.openbsd.org/faq/pf/index.html

PF is BSD's packet filtering solution. It supersedes ipfw, which was an equivalent to iptables.

The following file should be placed in /etc/pf.anchors/<name-your-anchor-file>
This file is the main workhorse, and it does all of the blocking.

Code:

# These variables may not be correct on your system.
# Physical interfaces found at "Apple > About This Mac > System Report… > Network"
vpn      = "utun0"
loopback = "lo0"

# These are private network addresses. Choose the one that is suitable to network(s)
# you wish to be compatible with.
table <private> const { 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 10.0.0.0/8 }

# Return on block instead of dropping packets.
set block-policy return

# Ignore loopback interface.
set skip on $loopback

# Scrub all packets.
scrub in all

# Block everything by default.
block all

# Block all IPV6 packets. No support yet for IPV6.
block quick inet6

# Block all ICMP packets. Can't hurt, right?
block quick proto icmp

# Allow DHCP packets. Not needed if manually configuring network.
pass out quick proto udp from any             port 68 to 255.255.255.255 port 67
pass in  quick proto udp from 255.255.255.255 port 67 to any             port 68

# Allow local network traffic.
pass from <private> to <private>

# Allow Airdrop and Airprint. Remove if not desired.
pass on p2p0
pass on p2p1
pass on p2p2
pass quick proto tcp to any port 631

# Allow DNS servers. Replace Xs with OpenNIC DNSCrypt server IP address.
pass out quick proto udp to   XXX.XXX.XXX.XXX
pass in  quick proto udp from XXX.XXX.XXX.XXX

# Allow traffic on VPN interface.
pass on $vpn


The following file should be placed in /etc/pf.anchors/org.cryptostorm.balancer
This file will allow us to connect to their servers to make a connection.

Code:

# Place all of the cryptostorm hostnames you wish to potentially connect to.
# I have placed all of the balancers from the config file in here. Sometimes,
# these cannot be resolved so troublesome ones can be removed.
cryptostorm = "{ raw-balancer-dynamic.cryptostorm.net raw-balancer-dynamic.cryptostorm.org raw-balancer-dynamic.cstorm.pw raw-balancer-dynamic.cryptostorm.nu }"

# The following rule will allow us to connect to the VPN service.
pass out proto udp to   $cryptostorm port 443
pass in  proto udp from $cryptostorm port 443


The following file should be placed in /etc/pf.anchors/firewall.conf
This file will load all of the anchors into it that we want. Make sure you replace the placeholders in the code.

Code:

anchor "<your-anchor-name>"
load anchor "<your-anchor-name>" from "/etc/pf.anchors/<your-anchor-filename>"

anchor "org.cryptostorm"


You can test run it. This will activate (-e) the firewall and show any errors.

Code:

sudo pfctl -e -v -f /etc/pf.anchors/firewall.conf

Code:

sudo pfctl -a org.cryptostorm -v -f /etc/pf.anchors/org.cryptostorm.balancer


Hopefully you should get no errors. If you see the following, you can ignore it:

Code:

No ALTQ support in kernel
ALTQ related functions disabled


You can turn it off with:

Code:

sudo pfctl -d


Launch Daemons

A Launch Daemon is an OS X daemon that will run on launch. This will enable the firewall, but it will not enable the rules to connect to cryptostorm (that will come later). Replace placeholders!

Place the file in /Library/LaunchDaemons/name-your-daemon-file.plist

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>your-daemon-filename.plist</string>
    <key>ProgramArguments</key>
    <array>
      <string>/bin/bash</string>
      <string>-c</string>
      <string>ipconfig waitall &amp;&amp; /sbin/pfctl -e -f /etc/pf.anchors/firewall.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/var/log/pf.log</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
  </dict>
</plist>


The following file will add the cryptostorm rules for connection. Whenever you log in for the first time you will need to run this script. Place it somewhere convenient for you. I had trouble setting this up as a launch daemon or launch agent so manual invocation it is.

Code:

#!/usr/bin/env bash
# Loads the cryptostorm balancer rules into the "org.cryptostorm" anchor
# declared in /etc/pf.anchors/firewall.conf. pfctl needs root, so run this
# script with sudo.
pfctl -a org.cryptostorm -f /etc/pf.anchors/org.cryptostorm.balancer


Disable IPv6

Although we are blocking IPv6 packets, we can also disable it in OS X. Jump in the terminal and enter the following:

Code:

networksetup -listallnetworkservices


And then enter the service name within the quotes below:

Code:

networksetup -setv6off "Service Name"


Repeat this step until they are all off. If you go into "Apple > System Preferences > Network > <Some Interface> > Advanced…", you should see that IPv6 is off. This option wasn't available in the GUI before, unfortunately.

Usage

That should be it. Whenever the VPN interface isn't available, no packets will escape other than to the encrypted DNS server and some local communications.

To use: whenever you log in for the first time on boot, run the last script to allow a connection to be established and connect.

Monitoring

Use tcpdump to monitor your traffic if you wish. Report back if you find anything suspicious.

You can also check error logs at "/var/log/pf.log"

Or you can confirm the active rules with…

List anchors

Code:

sudo pfctl -vs rules


List anchor rules

Code:

sudo pfctl -a <enter-anchor-name> -vs rules


Other Useful Programs

For those who want a GUI PF interface: IceFloor http://www.hanynet.com/icefloor

For a GUI packet analyser: Cocoa Packet Analyzer http://www.tastycocoabytes.com/cpa/

Potential Issues

I get an error which claims that the hostnames could not be resolved!
The solution is to remove any of cryptostorm's hostnames which do not work (for some reason this can happen to me for the .nu and .pw balancers). Open OS X's Network Utility and do a DNS Lookup to check which ones get resolved or not, and then make the appropriate amendments. One issue could also be that DNSCrypt isn't set up correctly, or the DNS server is down.

My torrents are slow!
I am not sure if it is the firewall or cryptostorm. I did some testing, and torrents appeared to be really slow to get up to speed when the firewall is on. So, I wasn't sure if the torrent client was bypassing the tunnel beforehand to get the swarm connections it needed.

Why isn't the tap interface in the firewall?
For some reason Tunnelblick doesn't have a tap interface for me. I wish I knew why (or what a tap interface is for that matter). Just add it in.

Not working!
Post here.

Feedback

Networking nerds, please give feedback so this can be improved. I never used any of these technologies before.

Sources

These were helpful for optimising code and fixing some errors.

http://superuser.com/questions/468919/p ... conf-on-ma

https://gist.github.com/SonicHedgehog/8170325
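As an added illustration (this is not code from the post above or from cryptostorm), here is a small Python model of how PF evaluates the first anchor file in the HOWTO: rules are walked top to bottom, the last matching rule decides, and a matching "quick" rule ends evaluation at once. Running it shows why web traffic is blocked while the tunnel is down but DNSCrypt and LAN traffic still pass, why IPv6 and ICMP are blocked even inside the tunnel, and that the AirPrint rule `pass quick proto tcp to any port 631` is bound to no interface or destination, which is what the author's later amendment removes. The resolver address `DNSCRYPT`, the sample packets and the `Pkt` class are assumptions of this example; `set skip on lo0` and scrub are not modelled.

```python
# Added example, not from the thread: PF rule evaluation (last match wins,
# "quick" stops evaluation) applied to the HOWTO's first anchor file.
# DNSCRYPT is an assumed stand-in for the XXX.XXX.XXX.XXX resolver address.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DNSCRYPT = "203.0.113.53"
PRIVATE = [ip_network(n) for n in
           ("192.168.0.0/16", "172.16.0.0/12", "169.254.0.0/16", "10.0.0.0/8")]

@dataclass
class Pkt:
    iface: str          # "en0" (WiFi), "utun0" (Tunnelblick), "p2p0", ...
    direction: str      # "in" or "out"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    inet6: bool = False

def private(ip):
    return any(ip_address(ip) in net for net in PRIVATE)

# (action, quick, matcher), in the order the anchor file lists the rules
RULES = [
    ("block", False, lambda p: True),                                # block all
    ("block", True,  lambda p: p.inet6),                             # block quick inet6
    ("block", True,  lambda p: p.proto == "icmp"),                   # block quick proto icmp
    ("pass",  True,  lambda p: p.direction == "out" and p.proto == "udp" and p.sport == 68
                     and p.dst == "255.255.255.255" and p.dport == 67),   # DHCP out
    ("pass",  True,  lambda p: p.direction == "in" and p.proto == "udp" and p.sport == 67
                     and p.src == "255.255.255.255" and p.dport == 68),   # DHCP in
    ("pass",  False, lambda p: private(p.src) and private(p.dst)),    # <private> to <private>
    ("pass",  False, lambda p: p.iface in ("p2p0", "p2p1", "p2p2")),  # AirDrop
    ("pass",  True,  lambda p: p.proto == "tcp" and p.dport == 631),  # AirPrint: any iface/host
    ("pass",  True,  lambda p: p.direction == "out" and p.proto == "udp" and p.dst == DNSCRYPT),
    ("pass",  True,  lambda p: p.direction == "in" and p.proto == "udp" and p.src == DNSCRYPT),
    ("pass",  False, lambda p: p.iface == "utun0"),                   # pass on $vpn
]
# The author's Dec 23 amendment drops the AirDrop and AirPrint rules.
RULES_AMENDED = RULES[:6] + RULES[8:]

def evaluate(pkt, rules=RULES):
    """Return 'pass' or 'block' for pkt under PF's last-match / quick semantics."""
    verdict = "pass"                 # PF's default when no rule matches
    for action, quick, match in rules:
        if match(pkt):
            verdict = action
            if quick:
                break
    return verdict

if __name__ == "__main__":           # constructed sample traffic with the tunnel down
    web = Pkt("en0", "out", "tcp", "192.168.1.10", "198.51.100.7", 50000, 443)
    ipp = Pkt("en0", "out", "tcp", "192.168.1.10", "198.51.100.7", 50002, 631)
    for name, p in (("web/443", web), ("tcp/631", ipp)):
        print(name, "original:", evaluate(p), "amended:", evaluate(p, RULES_AMENDED))
```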


vinchat
Posts: 15
Joined: Mon Nov 03, 2014 2:46 pm

Re: HOWTO: OS X VPN Leak Block

Postby vinchat » Fri Dec 05, 2014 2:53 pm

Hi,

I'm following your procedure. Have all the files set up like this:
/etc/pf.anchors/firewall.conf
/etc/pf.anchors/or.cryptostorm.balancer
/etc/pf.anchors/pf_cs.conf

In which firewall.conf contains:

Code:

anchor "pf_cs.conf"
load anchor "pf_cs.conf" from "/etc/pf.anchors/pf_cs.conf"

anchor "org.cryptostorm"


The other files are the same as yours.
When I execute the

Code:

sudo pfctl -e -v -f /etc/pf.anchors/firewall.conf

I get the following error:

Code:

pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.anchors/firewall.conf:4: syntax error
pfctl: Syntax error in config file: pf rules not loaded


So it says something is wrong with 'anchor "org.cryptostorm" ' in the firewall config. Any clue what's going on?

Thanks in advance!


vinchat
Posts: 15
Joined: Mon Nov 03, 2014 2:46 pm

Re: HOWTO: OS X VPN Leak Block

Postby vinchat » Sat Dec 06, 2014 8:59 pm

Alright, so the problem was that the last line should be ended with <CR> char (\n). That is now fixed and the following rules are now loaded without errors:

Code:

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"



# These variables may not be correct on your system.
# Physical interfaces found at "Apple > About This Mac > System Report… > Network"
vpn      = "tun0"
loopback = "lo0"
cryptostorm = "46.165.222.248"
wifi = "en0"

# These are private network addresses. Choose the one that is suitable to network(s)
# you wish to be compatible with.
#table <private> const { 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 10.0.0.0/8 }

# Return on block instead of dropping packets.
#set block-policy return

# Ignore loopback interface.
#set skip on $loopback

# Scrub all packets.
#scrub in all

# Block everything by default.
block all

# Block all IPV6 packets. No support yet for IPV6.
#block quick inet6

# Block all ICMP packets. Can't hurt, right?
#block quick proto icmp



# Allow local network traffic.
#pass from <private> to <private>

# Allow Airdrop and Airprint. Remove if not desired.
pass on p2p0
pass on p2p1
pass on p2p2
pass quick proto tcp to any port 631

# Allow traffic on VPN interface.
pass on $vpn


# Allow DHCP packets. Not needed if manually configuring network.
pass out quick proto udp from any             port 68 to 255.255.255.255 port 67
pass in  quick proto udp from 255.255.255.255 port 67 to any             port 68

# Allow DNS servers. Replace Xs with OpenNIC DNSCrypt server IP address.
pass out proto udp to   213.73.91.35
pass in  proto udp from 213.73.91.35
pass out proto udp to   80.237.196.2
pass in  proto udp from 80.237.196.2

pass out proto udp to   $cryptostorm port 443
pass in  proto udp from $cryptostorm port 443


Changed position of a few rules and disabled a few because of the "Rules must be in order: options, normalization, queueing, translation, filtering" error. I'm connecting to the "raw-balancer-dynamic.cryptostorm.net" (46.165.222.248) server.

But now, Viscosity is stuck here:

Code:

06 16:56:54: Viscosity OpenVPN Engine Started
Dec 06 16:56:54: Running on Mac OS X 10.10.1
Dec 06 16:56:54: ---------
Dec 06 16:56:54: Checking reachability status of connection...
Dec 06 16:56:55: Connection is reachable. Starting connection attempt.
Dec 06 16:56:55: OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec  3 2014
Dec 06 16:56:55: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08


Anyone...? :(
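The two things that broke the load in the posts above were a last line without a terminating newline (pfctl reports a "syntax error" on that line) and placeholders or unresolvable names left in the copied files. As an added example, not code from the thread, here is a pre-flight check to run over the anchor files before `pfctl -f`; the file paths, the placeholder patterns and the `check_anchor_file` name are this example's own assumptions, and the test files are constructed.

```python
# Added example, not from the thread: lint PF anchor/config files for the
# problems reported in this thread before handing them to "pfctl -f".
import re
from pathlib import Path

# Placeholders the HOWTO asks the reader to replace, e.g. XXX.XXX.XXX.XXX,
# <your-anchor-name>, <name-your-anchor-file>. PF tables such as <private>
# do not match because they lack the word "anchor".
PLACEHOLDER = re.compile(r"XXX\.XXX\.XXX\.XXX|<[a-z-]*anchor[a-z-]*>")
LOAD_ANCHOR = re.compile(r'^\s*load\s+anchor\s+"[^"]*"\s+from\s+"([^"]*)"')

def check_anchor_file(path):
    """Return a list of problems found in one file (an empty list means OK)."""
    p = Path(path)
    if not p.is_file():
        return [f"{path}: file not found"]
    data = p.read_bytes()
    problems = []
    # pfctl wants every line, including the last, terminated by "\n"
    if data and not data.endswith(b"\n"):
        problems.append(f"{path}: last line is not newline-terminated")
    for n, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        if PLACEHOLDER.search(line):
            problems.append(f"{path}:{n}: placeholder still present: {line.strip()}")
        m = LOAD_ANCHOR.match(line)
        # a "load anchor ... from" line must point at a file that exists
        if m and not Path(m.group(1)).is_file():
            problems.append(f"{path}:{n}: load anchor target {m.group(1)} does not exist")
    return problems

if __name__ == "__main__":
    import sys
    found = [msg for f in sys.argv[1:] for msg in check_anchor_file(f)]
    print("\n".join(found) or "no problems found")
    sys.exit(1 if found else 0)
```

Run it as `python3 check_anchors.py /etc/pf.anchors/firewall.conf /etc/pf.anchors/org.cryptostorm.balancer` (script name assumed) and fix anything it prints before enabling the firewall.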


Topic Author
someonesomewhere

Re: HOWTO: OS X VPN Leak Block

Postby someonesomewhere » Sun Dec 07, 2014 6:01 am

I didn't create this with Viscosity in mind. I think Viscosity has a tunnel and tap interface, and you might need to add it in the rules. I see you have commented out the skip on the loopback interface. That could be part of the issue.

I also do not recommend having any of your rules in the files provided by Apple as they are notorious for changing practically anything between OS updates. Nor do I recommend throwing everything in together. They were separate for a good reason.

If you had errors initially in the org.cryptostorm anchor, it was probably because the hostnames couldn't be resolved. Have you confirmed that DNSCrypt is working? Try checking the dnscrypt.log file, or try doing a lookup in the Network Utility app.


Topic Author
someonesomewhere

Re: HOWTO: OS X VPN Leak Block

Postby someonesomewhere » Tue Dec 23, 2014 6:38 am

I just tested this for the first time over WiFi, and it pretty much allowed any traffic through. I have amended the "/etc/pf.anchors/<name-your-anchor-file>" file by removing the AirDrop and AirPrint rules which has fixed the issue.

Code:

# These variables may not be correct on your system.
# Physical interfaces found at "Apple > About This Mac > System Report… > Network"
vpn      = "utun0"
loopback = "lo0"

# These are private network addresses. Choose the one that is suitable to network(s)
# you wish to be compatible with.
table <private> const { 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 10.0.0.0/8 }

# Return on block instead of dropping packets.
set block-policy return

# Ignore loopback interface.
set skip on $loopback

# Scrub all packets.
scrub in all

# Block everything by default.
block all

# Block all IPV6 packets. No support yet for IPV6.
block quick inet6

# Block all ICMP packets. Can't hurt, right?
block quick proto icmp

# Allow DHCP packets. Not needed if manually configuring network.
pass out quick proto udp from any             port 68 to 255.255.255.255 port 67
pass in  quick proto udp from 255.255.255.255 port 67 to any             port 68

# Allow local network traffic.
pass from <private> to <private>

# Allow DNS servers. Replace Xs with OpenNIC DNSCrypt server IP address.
pass out quick proto udp to   XXX.XXX.XXX.XXX
pass in  quick proto udp from XXX.XXX.XXX.XXX

# Allow traffic on VPN interface.
pass on $vpn


vinchat
Posts: 15
Joined: Mon Nov 03, 2014 2:46 pm

Re: HOWTO: OS X VPN Leak Block

Postby vinchat » Wed Jan 07, 2015 12:59 pm

Yes, disabling the skip on loopback was part of the problem. Some time ago I figured it out; it's inferior to your solution, but works well enough. For the rest out of there...

Code:

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

vpn=tun0
en = "{en0 en4}"

table <local> const { 192.168.1.0/24, 192.168.178.0/24, 145.94.0.0/16, 192.168.178.0/24 }
table <dns> const { 212.54.40.25, 212.54.44.54, 10.4.0.1 }

table <cs_vpn> const { 46.165.222.248, 198.27.89.56, 79.134.235.133, 167.88.9.27, 23.19.35.14, 212.83.167.81, 89.26.243.109 }

block all

set skip on lo

# Allow Airdrop and Airprint. Remove if not desired.
pass on p2p0
pass on p2p1
pass on p2p2
pass quick proto tcp to any port 631

pass on $vpn

#pass DHCP requests
pass on $en proto udp to <local> port 5353
pass quick on $en proto udp from <local> port 67:68

# Bonjour
pass on $en proto tcp to <local> port 5354
pass on $en proto tcp from <local> port 5354
pass on $en proto udp to <local> port 5353
pass on $en proto udp from <local> port 5353
pass on $en proto udp from <local> port 53
pass on $en proto udp to <local> port 53

# ssh
pass on $en proto tcp from <local> port 22
pass on $en proto tcp to <local> port 22

# DNS servers
pass on $en proto { udp tcp } to <dns> port 53

# CS VPN servers
pass on $en proto udp to <cs_vpn> port 443
pass on $en proto udp from <cs_vpn> port 443


Topic Author
someonesomewhere

Re: HOWTO: OS X VPN Leak Block

Postby someonesomewhere » Thu Jan 08, 2015 3:54 pm

someonesomewhere wrote:I just tested this for the first time over WiFi, and it pretty much allowed any traffic through. I have amended the "/etc/pf.anchors/<name-your-anchor-file>" file by removing the AirDrop and AirPrint rules which has fixed the issue.

Code:

# These variables may not be correct on your system.
# Physical interfaces found at "Apple > About This Mac > System Report… > Network"
vpn      = "utun0"
loopback = "lo0"

# These are private network addresses. Choose the one that is suitable to network(s)
# you wish to be compatible with.
table <private> const { 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 10.0.0.0/8 }

# Return on block instead of dropping packets.
set block-policy return

# Ignore loopback interface.
set skip on $loopback

# Scrub all packets.
scrub in all

# Block everything by default.
block all

# Block all IPV6 packets. No support yet for IPV6.
block quick inet6

# Block all ICMP packets. Can't hurt, right?
block quick proto icmp

# Allow DHCP packets. Not needed if manually configuring network.
pass out quick proto udp from any             port 68 to 255.255.255.255 port 67
pass in  quick proto udp from 255.255.255.255 port 67 to any             port 68

# Allow local network traffic.
pass from <private> to <private>

# Allow DNS servers. Replace Xs with OpenNIC DNSCrypt server IP address.
pass out quick proto udp to   XXX.XXX.XXX.XXX
pass in  quick proto udp from XXX.XXX.XXX.XXX

# Allow traffic on VPN interface.
pass on $vpn


Turns out this may have been a different issue. It seems the issue was due to the interface being busy when the rules were being loaded. I wasn't expecting this as it should wait for the interfaces to be ready before loading the rules. One potential solution is to always turn the WiFi (in OS X) off before shutting down.


vinchat
Posts: 15
Joined: Mon Nov 03, 2014 2:46 pm

Re: HOWTO: OS X VPN Leak Block

Postby vinchat » Sat Mar 21, 2015 9:31 pm

Has anyone experienced delayed iMessages when using pf? iMessage uses TCP over 5223, 443, 80. I've added this rule, but it doesn't help:

Code:

pass quick on $en proto tcp from any port 5223 to any port 5223


Topic Author
someonesomewhere

Re: HOWTO: OS X VPN Leak Block

Postby someonesomewhere » Wed Jun 10, 2015 11:15 am

vinchat wrote:Has anyone experienced delayed iMessages when using pf? iMessage uses TCP over 5223, 443, 80. I've added this rule, but it doesn't help:

Code:

pass quick on $en proto tcp from any port 5223 to any port 5223


If you have Tunnelblick set to route all traffic through the VPN, then that rule won't have any effect when you are connected to the VPN. I get a very long delay as well. Unfortunately, I am not sure how to resolve the issue.

The only solution I can think of is to have Tunnelblick make exceptions for certain applications. Then that rule should apply. Furthermore, measures probably should be taken to ensure only iMessage has access.

