Hacker VPN

A DEF CON 33 Workshop by Eijah & Cave Twink

Abstract

The Internet is a dangerous place. Fortunately, hackers have created tools to make it safer. VPNs anonymize traffic but still expose IP addresses. Companies claim not to log, but how quickly will they hand over our data when they receive a warrant? Tor networks reroute traffic, but performance suffers as a result. Can we trust these distributed networks? Who owns the exit nodes? Finally, apps like Signal offer E2EE secure comms but in a proprietary and siloed way. Open source means very little if an app operates in a Walled Garden. Are there back doors? Is our data really safe?

In this workshop we'll create a Hacker VPN that combines the best of VPNs, Tor, and E2EE secure comms apps. We'll use modern-day PQC encryption to implement a secure protocol. We'll support packet sharding, random noise injection, multi-hop routing, and 100% anonymity between network endpoints. We'll do all this on Linux with standard C++, CMake & OpenSSL. At the end of this workshop you'll have all the tools you need to take the Hacker VPN to the next level. Why trust outdated software from shady companies when you can build your own modern day, kick-ass implementation?

Yes, the Internet is a dangerous place. But it's much safer when we take control.

Prerequisites

Please come prepared to maximize your workshop time. Your machine must meet the following requirements:

Host System Hardware

A laptop with a multi-core 64-bit processor (4+ cores recommended).
8 GB of RAM (minimum).
At least 20 GB of free disk space.
A functional wireless network adapter that supports bridged mode.

Host System Software

VirtualBox (latest version) installed and running. Administrator rights are required to install and run VirtualBox.
Note for Linux Hosts: Secure Boot is known to cause issues with bridged mode adapters in VirtualBox.

Default Setup Instructions

Step 1: Download Required Files

All workshop downloads will be available starting **Monday, August 4th**. To save time, you must download the Virtual Machine (VM) before arriving. If you are unable to use the default VM method, it is your responsibility to read through the alternative options and set up your environment ahead of time. The workshop files and presentation slides are optional downloads for your reference, as the necessary files are already inside the VM.

Download VM (Default) - Live Aug 4th Download Workshop Files (Optional) - Live Aug 4th Download Presentation PDF (Optional) - Live Aug 4th Download qcow2 (Optional) - Live Aug 4th

Step 2: Prepare the Virtual Machine

Extract the vm.zip archive. This will produce a file named hacker_vpn.ova.
The OVA is a pre-configured Debian VM with an XFCE desktop environment and all necessary development tools (build-essential, gdb, cmake, ninja-build, VS Code, etc.).

Step 3: Import the VM into VirtualBox

Open VirtualBox.
Go to File > Import Appliance... in the menu.
Select the hacker_vpn.ova file you extracted.
Follow the on-screen instructions to import the appliance. You can leave the default settings.
Verify that your wireless adapter is selected and you are using bridged.
Start the VM to ensure it boots correctly.

Step 4: Final Prep

The most important step is to have the Virtual Machine downloaded and imported into VirtualBox before arriving at the workshop.
All necessary workshop files are pre-loaded into the VM for your convenience. The other downloads are optional.
The VM username/password and the workshop wireless network details will be provided at the beginning of our session.

Alternative Setup Instructions

Hopefully the default instructions work for you. If you have issues following the default instructions, here are some alternatives. They are not the only options, but are to help point people in the right direction that have different system configurations. In the worst case, you can follow along without compiling.

Linux VM

You can attempt to get VirtualBox running on Linux, but there are issues with the bridged mode drivers when using Secure Boot. You can troubleshoot this yourself or you can use the alternative method below.
Download the .qcow2 from the link above
Use KVM to create a virtual machine with the required CPU, RAM, bridged network adapter, and downloaded qcow2 disk.
Start the virtual machine and ensure it boots correctly.

Linux Native x86-64

Note: The code and included libs have only been tested on Debian 12 x86-64.
Install the dependencies: build-essential gcc gdb cmake ninja-build
Download the Workshop Files from above which includes the code and docs.
The defcon folder in the downloaded Workshop Files archive needs to be located in /defcon to follow along with the presentation.
You can verify your setup by running the build script in /defcon/code/

Mac

You can use UTM to create a virtual machine emulating x86-64.
Download the .qcow2 from the link above.
Create a new emulated x86-64 virtual machine in UTM.
Ensure correct CPU, RAM, qcow2 disk, and bridged network adapter settings.
Verify that your wireless adapter is selected and you are using bridged.
Start the VM to ensure it boots correctly.

Other

Note: The code and included libs have only been tested on Debian 12 x86-64.
We recommend using a VM and emulation for non-native x86-64 CPUs.
Cave Twink and Eijah wish you luck on any non-covered endeavors ❤️
In the worst case, you can follow along without compiling.