Craig P Hicks copyright 2020 see LICENSE.md for license
JavaScript module to create (from a virgin generic Ubuntu LXC) an unprivileged Linux container running Firefox, a VPN client, and the X server Xephyr. This setup allows
- VPN-anonymous browsing
- (perhaps some degree of) fingerprint-anonymous browsing
- (perhaps some degree of) protection against snooping of X server memory
Audio and clipboard(*) are enabled. (Functions are provided to transfer between host and container clipboards; it does not happen automatically, as that would be a security risk.) Those can be mapped to keyboard shortcuts.
The Openbox window manager is used on the container.
The resulting unprivileged Linux container has no access to the host filesystem.
Available on npm - https://www.npmjs.com/package/browser-on-lxc-vpn-xephyr
This was conducted as an experiment to test the efficacy of fingerprint tracking, and to see if running a browser with a different GL signature through a different IP would prevent fingerprint identification.
The conclusion is that it does not prevent it. As the browser was being run without ad blockers, ads soon appeared. The first was an advert for UV LED lights, a very obscure item that I had been searching for on my normal browser a couple of weeks before.
Among other possibilities, my identity would be known to Linode (the VPS provider) as they have my payment information. That could be part of the fingerprint.
Another possibility is that the container browser fingerprint was recorded when I used it for a very brief moment without VPN to check the local IP address (googling "my ip").
In conclusion, the efficacy of tracking is probably near perfect, with every possible data source utilized to automatically update advertising databases in real time.
This software was tested on a host running Ubuntu 18.04. It should certainly work on Ubuntu 18.x, 19.x.
- node version v10.16.3 or higher
- npm version 6.14.4 or higher
- An openvpn VPN should already be set up, and the openvpn client certificate should already be placed on the host as a file named /home/<username>/ffvpn-client.ovpn. See section Setting up VPN on a VPS for more information.
- LXD version 4.0.0 or greater
- There should be an LXD network configuration lxdbr0 with the following information:

      % lxc network show lxdbr0
      config:
        ipv4.address: <a.b.c.d>/<n>
        ...
      ...

  where <a.b.c.d>/<n> is an IPv4 network range in CIDR format, e.g. 10.64.64.1/24
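To check the lxdbr0 prerequisite before running init, here is an added example (not code from the package) that parses the YAML printed by `lxc network show lxdbr0` and validates the ipv4.address as an IPv4 CIDR range; the sample dump and the function names are my own.

```javascript
// Added example (not code from the browser-on-lxc-vpn-xephyr package): confirm that the
// lxdbr0 network carries an IPv4 address in CIDR form before running init.
// Function names and the sample dump are constructed for illustration.

// Constructed sample of what `lxc network show lxdbr0` prints (YAML).
const SAMPLE_LXD_NETWORK = `config:
  ipv4.address: 10.64.64.1/24
  ipv4.nat: "true"
  ipv6.address: none
description: ""
name: lxdbr0
type: bridge
managed: true
`;

// Read the config block's ipv4.address scalar without a YAML library; LXD prints it
// either bare or double-quoted.
function readIpv4Address(yamlText) {
  const m = /^\s+ipv4\.address:\s*("?)([^"\n]+)\1\s*$/m.exec(yamlText);
  return m ? m[2].trim() : null;
}

// Parse "a.b.c.d/n" into the bridge (gateway) address, prefix length and network
// address. Returns null when the value is not a valid IPv4 CIDR range (e.g. "none").
function parseCidr(value) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(value);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) return null;
  // >>> 0 keeps the intermediate values as unsigned 32-bit integers.
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const toDotted = (n) => [24, 16, 8, 0].map((s) => (n >>> s) & 255).join('.');
  return { gateway: toDotted(addr), prefix, network: `${toDotted((addr & mask) >>> 0)}/${prefix}` };
}

// Combined preflight check: ok only when lxdbr0 has a usable IPv4 range.
function checkLxdBridge(yamlText) {
  const value = readIpv4Address(yamlText);
  if (value === null) return { ok: false, reason: 'no ipv4.address in config' };
  const cidr = parseCidr(value);
  if (cidr === null) return { ok: false, reason: `ipv4.address is not a CIDR range: ${value}` };
  return { ok: true, ...cidr };
}

console.log(checkLxdBridge(SAMPLE_LXD_NETWORK));
```

To run it against the real host, feed the function the stdout of `lxc network show lxdbr0` (for example via child_process.execSync) instead of the constructed sample.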
- node index.js init [-nufw] [-ntz]
  Initialize container
  - -nufw: Don't automatically add the ufw rule. Use when ufw is not the host firewall, or when sudo requires a password.
  - -ntz: Don't use the host /etc/timezone in the container; the default is UTC.
- node index.js browse [-nxephyr] [-screen <W>x<H>] [-xephyrargs <string of pass thru args>]
  Launch Firefox browser
  - -nxephyr: Don't use Xephyr on the container; use the host X server directly.
  - -screen <W>x<H>: Initial size of the Xephyr screen. Default is taken from the host screen size.
  - -xephyrargs <string of pass thru args>: Pass additional args directly to the invocation of Xephyr.
- node index.js ufwRule
  Print out what the ufw rule would be to allow the container to 'phone home' on init completion.
- node index.js clip-to-cont
  Copy the content of the host clipboard to the container clipboard. It is expected this call would be mapped to a shortcut key.
- node index.js clip-from-cont
  Copy the content of the container clipboard to the host clipboard. It is expected this call would be mapped to a shortcut key.
- Re: init
  - The container only needs to be initialized once. It will automatically reboot.
  - Two reasons for not adding the ufw rule:
    a) ufw is not installed on the system
    b) sudo requires a password
    If the rule is not added, the user must ensure that the phone-home action signaling the container's end of initialization is not blocked by a firewall.
- Re: browse
  - browse requires
    a) That the container be in the running state.
    b) That another Xephyr instance is not already running on the container.
  - Xephyr acts as a thin X server, but Xephyr sends some X requests in the reverse direction over ssh to the host X server.
  - Running without Xephyr causes all X requests to be sent in the reverse direction over ssh directly to the host X server.
  - When using the -xephyrargs <xephyr args string> option, the following values for <xephyr args string> may be of interest:
    - -reset -terminate as a pair will cause Xephyr to terminate when Firefox is shut down. However, that means a Firefox restart will cause Xephyr to shut down.
    - -fullscreen will cause Xephyr to use the whole screen. However, that means the Xephyr close 'x' icon will not be visible.
  - The program will not exit until Xephyr and the browser are closed (or, in no-Xephyr mode, until the browser is closed). You may run it in the background with "node index.js browse &" to free up the terminal.
  - Only when using Xephyr: you may find that when clicking on the Firefox menu icon the menu doesn't drop down correctly. To fix that, try typing 'about:profiles' into the address bar and then clicking on "Restart without addons". When Firefox reopens, the menu might work. Otherwise, <ctrl>+<shift>+w will close Firefox, and the settings page can be accessed with about:preferences.
  - VPN function can be confirmed by searching for myip with the browser; the VPN address should appear.
Other parameters and some default values are hard coded at the top of index.js. Most likely there is no need to change these.
This is a quick and dirty way to set up a VPN server on a VPS.
- Linode currently offers a nanode vanilla VPS for $5 a month at an hourly rate. The hourly rate means saving money by deleting and then recreating it if it is not going to be used for some time.
- Linode allows specifying the root password and an ssh public key to go in authorized_keys before creating the node.
- Once the node is created, set up firewall rules on the VPS:

      ufw allow 22
      ufw allow 1194

  If using port 443 instead of 1194 as the VPN port, then write 443 instead of 1194.
- Enable the firewall:

      ufw enable

- Browser search for "github road warrior" for instructions on the one-liner for an interactive install. It is

      wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

- You might want to change the VPN port from the default 1194 to 443.
- Set the client name to ffvpn-client
- From your local host, as your normal user, use

      scp root@<vps address>:/home/root/ffvpn-client.ovpn ~/

  to copy the certificate to the necessary local host location.
- https://superuser.com/a/311830
- https://askubuntu.com/a/857458
- https://lists.linuxcontainers.org/pipermail/lxc-users/2016-January/010802.html
- https://www.systutorials.com/docs/linux/man/5-pulse-daemon.conf/
- https://askubuntu.com/questions/70556/how-do-i-forward-sound-from-one-computer-to-another-over-the-lan
In the end most of it wasn't necessary.