This is the general scheme:

*img*

Here are the data flows of our anonymous surfer, Jon Do...

Requirements:

  1. A box with a dual-core processor, two network interfaces and two hard drives.

  2. Ubuntu Server 12.04, 64-bit.

  3. RAID 1 (if paranoia/comfort > 1, whole-disk encryption) and/or: swap, a /tmp logical volume and the cache volume each encrypted with a random key generated at boot.

  4. ISC DHCP, Bind9, DnsCrypt, NTPD, Squid3, N Privoxy instances, N Tor instances (where N = 8 * deep web surfers), I2P, Tahoe-LAFS-I2P, Freenet, Apache2, OpenVPN

  5. Patience and passion ;-)


How it works:

  1. Jon Do adds the MAC address of his new laptop (or tablet, smartphone or anything else that can browse the web and has a known physical address...) to the AnonGW.

  2. The laptop broadcasts its presence on the LAN asking for network settings ==> the DHCP server (isc-dhcp) tells it which IP address, default gateway, NTP server, DNS server and DNS search domains to use. The search domains are the local LAN domain and the VPN domains (office, datacentre, etc.).

  3. The laptop starts synchronising its clock with the AnonGW's clock. Jon Do enters "http://www.debian.org" in his browser and its DNS client queries the AnonGW DNS server to resolve it. If the answer is not cached, the DNS server (bind9) forwards the query over the Tor network or, as a last resort, via DnsCrypt to OpenDNS.

  4. The HTTP request is intercepted by the cache proxy (Squid3) and round-robin balanced over the N (e.g. 8) Privoxy parent peers. The browser's User-Agent is dynamically modified by a script (uagent.py) and each Privoxy forwards the request through its own Tor instance, N (e.g. 8) in total.

  5. Jon Do opens https://www.eff.org and an ssh session to a public server: the two connections are carried by two different Tor instances.

  6. Jon Do opens a new tab in his web browser and goes to his Tor Mail at "http://jhiwjjlqpyawmpjx.onion": the DNS server forwards the query directly to the Tor DNS service, which resolves the ".onion" domain to a private address (e.g. 10.192.0.1). The HTTP request is intercepted by Squid and forwarded to Privoxy, which recognises the ".onion" domain and forwards it into the Tor network to reach the hidden service.

  7. Jon Do opens yet another tab and goes to "http://killyourtv.i2p/debian/": the DNS server forwards the query directly to the Tor DNS service, which resolves the ".i2p" domain to a private address (e.g. 10.192.0.2). The HTTP request is again intercepted by Squid and forwarded to Privoxy, which recognises the ".i2p" domain and forwards it into the I2P network to reach the eepsite.

  8. Entering just "i2p" in his address bar gives him the I2P router console, or the invisible torrent client at "https://i2p/i2psnark/": the DNS server finds the name in its local zones and resolves it to the AnonGW's IP; the HTTP/HTTPS request is authenticated by the Apache2 virtual host I2P.JonDolocaldomain and forwarded by its reverse proxy to the I2P router.

  9. Entering just "tahoe" in his address bar gives him the Tahoe-LAFS welcome page: Jon Do can find KYTV's Tahoe-LAFS Debian repository at:

https://tahoe/uri/URI:DIR2-RO:mvp3so6kemo6fn6abddzjthnuu:jjg475us6hbmya3ccyydqigp2vc3mxzztoh6r5364pqevw2ka7nra/debian/index.html

  10. Entering just "freenet" in his address bar gives him the Freenet console, where he can read Toad's Flog at:

https://freenet/freenet:USK@yGvITGZzrY1vUZK-4AaYLgcjZ7ysRqNTMfdcO8gS-LY,-ab5bJVD3Lp-LXEQqBAhJpMKrKJ19RnNaZMIkusU79s,AQACAAE/toad/45/

  11. Jon Do can reach his office LAN via VPN: he has configured the DNS zone and the VPN service on his Anonymous Gateway. Anonet is the same concept: he has configured a VPN, but the DNS server forwards ".ano" queries to the Anonet DNS.

  12. Jon Do needs to do a different kind of research and removes his MAC address from the "Deep Web Proxy rules" on the AnonGW, then goes to "http://grep.geek": the DNS server forwards the query to the OpenNIC DNS servers. He can browse the OpenNIC free TLDs and the normal clearnet without anonymisation.
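The chain in steps 2 to 12, as an added example that is not part of the original page or its author's configuration: a POSIX shell script that generates the torrc, Privoxy, Squid and Bind9 fragments for N Tor/Privoxy pairs, plus the MAC-gated iptables rules that decide which LAN hosts are pushed through the chain. All port numbers, file paths, the LAN prefix, the sample MAC address and the 10.192.0.0/10 virtual range are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not the AnonGW author's own scripts: generate the per-instance
# Tor/Privoxy/Squid/Bind9 fragments and the MAC-gated iptables rules for the
# chain described above. Port numbers, file paths, the LAN prefix, the sample
# MAC and the 10.192.0.0/10 virtual range are assumptions, not the page's values.
set -eu

N=${N:-8}                                  # Tor/Privoxy pairs (8 * deep web surfer)
OUT=${OUT:-${TMPDIR:-/tmp}/anongw-out}     # staging dir; review, then copy under /etc
LAN_IF=${LAN_IF:-eth1}; WAN_IF=${WAN_IF:-eth0}; LAN_NET=${LAN_NET:-192.168.1.0/24}
MACS=${MACS:-00:11:22:33:44:55}            # "Deep Web Proxy rules": constructed sample MAC
TOR_SOCKS_BASE=9060; TOR_DNS_BASE=5300; TOR_TRANS=9040   # Tor i: SOCKS 9060+i, DNS 5300+i
PRIVOXY_BASE=8120                          # Privoxy i listens on 8120+i
I2P_HTTP_PROXY=127.0.0.1:4444              # I2P router's HTTP proxy (its default port)
DNSCRYPT=127.0.0.1:40                      # local dnscrypt-proxy to OpenDNS (assumed port)

# torrc for Tor instance $1: own DataDirectory and ports; .onion/.i2p names are mapped
# into a private range so bind9 can answer the laptop. Instance 1 also gets a TransPort.
gen_tor() {
    if [ "$1" -eq 1 ]; then echo "TransPort 127.0.0.1:$TOR_TRANS"; fi
    cat <<EOF
DataDirectory /var/lib/tor-$1
SocksPort 127.0.0.1:$((TOR_SOCKS_BASE + $1))
DNSPort 127.0.0.1:$((TOR_DNS_BASE + $1))
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion,.i2p
VirtualAddrNetwork 10.192.0.0/10
EOF
}

# Privoxy instance $1: clearnet and .onion go to its own Tor instance via socks4a (remote
# name resolution), .i2p to the I2P HTTP proxy. The last matching forward rule wins.
gen_privoxy() {
    cat <<EOF
listen-address 127.0.0.1:$((PRIVOXY_BASE + $1))
forward-socks4a / 127.0.0.1:$((TOR_SOCKS_BASE + $1)) .
forward .i2p $I2P_HTTP_PROXY
EOF
}

# Squid: intercept port 80 from the LAN and never go direct, so every request is
# round-robin balanced over the N Privoxy parents, i.e. over N Tor circuits.
gen_squid() {
    cat <<EOF
http_port 3128 intercept
acl localnet src $LAN_NET
http_access allow localnet
http_access deny all
never_direct allow all
EOF
    p=1
    while [ "$p" -le "$N" ]; do
        echo "cache_peer 127.0.0.1 parent $((PRIVOXY_BASE + p)) 0 no-query round-robin name=privoxy$p"
        p=$((p + 1))
    done
}

# Bind9: local names are authoritative here; .onion/.i2p go to a Tor DNSPort; the rest
# tries Tor then DnsCrypt (bind9 ranks forwarders by round-trip time, so order is a hint).
gen_bind() {
    tordns="127.0.0.1 port $((TOR_DNS_BASE + 1))"
    cat <<EOF
options { directory "/var/cache/bind"; forward only;
          forwarders { $tordns; ${DNSCRYPT%:*} port ${DNSCRYPT#*:}; }; };
zone "JonDolocaldomain" { type master; file "/etc/bind/db.JonDolocaldomain"; };
zone "onion" { type forward; forward only; forwarders { $tordns; }; };
zone "i2p"   { type forward; forward only; forwarders { $tordns; }; };
EOF
}

# Interception: only MACs in the "Deep Web Proxy rules" are redirected, port 80 to Squid
# and other non-LAN TCP to the Tor TransPort; everyone else is plain NAT (step 12).
gen_iptables() {
    for mac in $MACS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -p tcp --dport 80 -j REDIRECT --to-ports 3128"
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -p tcp ! -d $LAN_NET -j REDIRECT --to-ports $TOR_TRANS"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

main() {
    mkdir -p "$OUT"
    i=1
    while [ "$i" -le "$N" ]; do
        gen_tor "$i" > "$OUT/torrc.$i"
        gen_privoxy "$i" > "$OUT/privoxy-$i.conf"
        i=$((i + 1))
    done
    gen_squid > "$OUT/squid.conf"
    gen_bind > "$OUT/named.conf.local"
    gen_iptables > "$OUT/iptables.sh"
}
main
```

Run it, read the fragments under the staging directory, then install them and start N Tor and N Privoxy daemons, each on its own config file. Removing a MAC from MACS and regenerating the iptables rules is exactly what step 12 does: that host keeps the AnonGW as its DNS server but its traffic is only NATed. Squid cannot usefully intercept HTTPS without TLS interception, which is why port 443 (and ssh) rides the Tor TransPort rather than the round-robin Privoxy chain.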