Hacker VPN
A DEF CON 33 Workshop by Eijah & Cave Twink
Abstract
The Internet is a dangerous place. Fortunately, hackers have created tools to make it safer. VPNs anonymize traffic but still expose IP addresses. Companies claim not to log, but how quickly will they hand over our data when they receive a warrant? Tor networks reroute traffic, but performance suffers as a result. Can we trust these distributed networks? Who owns the exit nodes? Finally, apps like Signal offer E2EE secure comms but in a proprietary and siloed way. Open source means very little if an app operates in a Walled Garden. Are there back doors? Is our data really safe?
In this workshop we'll create a Hacker VPN that combines the best of VPNs, Tor, and E2EE secure comms apps. We'll use modern-day PQC encryption to implement a secure protocol. We'll support packet sharding, random noise injection, multi-hop routing, and 100% anonymity between network endpoints. We'll do all this on Linux with standard C++, CMake & OpenSSL. At the end of this workshop you'll have all the tools you need to take the Hacker VPN to the next level. Why trust outdated software from shady companies when you can build your own modern day, kick-ass implementation?
Yes, the Internet is a dangerous place. But it's much safer when we take control.
Prerequisites
Please come prepared to maximize your workshop time. Your machine must meet the following requirements:
Host System Hardware
- A laptop with a multi-core 64-bit processor (4+ cores recommended).
- 8 GB of RAM (minimum).
- At least 20 GB of free disk space.
- A functional wireless network adapter that supports bridged mode.
Host System Software
- VirtualBox (latest version) installed and running. Administrator rights are required to install and run VirtualBox.
- Note for Linux Hosts: Secure Boot is known to cause issues with bridged mode adapters in VirtualBox.
Default Setup Instructions
Step 1: Download Required Files
All workshop downloads are now available. To save time, you must download the Virtual Machine (VM) before arriving. Verify the integrity of your download using the provided SHA256 checksums below. If you are unable to use the default VM method, it is your responsibility to read through the alternative options and set up your environment ahead of time. The workshop files and presentation slides are optional downloads for your reference, as the necessary files are already inside the VM.
SHA256: D0BF51FE825B8C2D726D9053D99D9EFC4E11B7D444AFF698AD4049E32AB0934D
SHA256: 2898B6ED061E3D93EB826A22A2AB8F71BE571360F1E679657185ED8F797D025A
SHA256: 5A81ACB391741BBB234470B18A9EC52480E835C0073FC1D7FED40D4AD025DDB6
SHA256: 0588AF3945C86E44162B77EEAABEC2B14F37513A60E8CB8C9B2770C9DA9D3A24
Step 2: Prepare the Virtual Machine
- Extract the
Hacker_VPN_ova.ziparchive. This will produce a file namedHacker_VPN.ova. - The OVA is a pre-configured Debian VM with an XFCE desktop environment and all necessary development tools (
build-essential,gdb,cmake,ninja-build,VS Code, etc.).
Step 3: Import the VM into VirtualBox
- Open VirtualBox.
- Go to
File > Import Appliance...in the menu. - Select the
Hacker_VPN.ovafile you extracted. - Follow the on-screen instructions to import the appliance. You can leave the default settings.
- Verify that your wireless adapter is selected and you are using bridged.
- Start the VM to ensure it boots correctly.
Step 4: Final Prep
- The most important step is to have the Virtual Machine downloaded and imported into VirtualBox before arriving at the workshop.
- All necessary workshop files are pre-loaded into the VM for your convenience. The other downloads are optional.
- The VM username/password and the workshop wireless network details will be provided at the beginning of our session.
Alternative Setup Instructions
Hopefully the default instructions work for you. If you have issues following the default instructions, here are some alternatives. They are not the only options, but are to help point people in the right direction that have different system configurations. In the worst case, you can follow along without compiling.
Linux VM
- You can attempt to get VirtualBox running on Linux, but there are issues with the bridged mode drivers when using Secure Boot. You can troubleshoot this yourself or you can use the alternative method below.
- Download the .qcow2 from the link above.
- Use KVM to create a virtual machine with the required CPU, RAM, bridged network adapter, and downloaded qcow2 disk.
- Start the virtual machine and ensure it boots correctly.
Linux Native x86-64
- Note: The code and included libs have only been tested on Debian 12 x86-64.
- Install the dependencies:
build-essential gdb cmake ninja-build - You can use a text editor for coding but the workshop is structured around using VS Code. You can download and install VS Code for your distribution here https://code.visualstudio.com/.
- Download the Workshop Files from above which includes the code and docs.
- The defcon folder in the downloaded Workshop Files archive needs to be located in /defcon to follow along with the presentation.
- You can verify your setup by running the build script in /defcon/code/
Mac
- You can use UTM to create a virtual machine emulating x86-64.
- Download the .qcow2 from the link above.
- Create a new emulated x86-64 virtual machine in UTM.
- Ensure correct CPU, RAM, qcow2 disk, and bridged network adapter settings.
- Verify that your wireless adapter is selected and you are using bridged.
- Start the VM to ensure it boots correctly.
Other
- Note: The code and included libs have only been tested on Debian 12 x86-64.
- We recommend using a VM and emulation for non-native x86-64 CPUs.
- In the worst case, you can follow along without compiling.