Home » Articles » Next Level OPSEC with PORTAL
Click Here To Hide Tor

Next Level OPSEC with PORTAL

PORTAL is the “Personal Onion Router To Assure Liberty”. Despite it being highly beneficial to OPSEC and it requiring just an old Raspberry Pi, it’s not that talked about.

With just one script, you can turn any old Raspberry Pi into a router specifically for the Tor network, meaning that when you’re connected to it, it will always send all of your traffic through Tor. The Raspberry Pi is a great option but it’s not the only one; You can do the same to any router with enough memory and space to install and run Tor, though that can be an issue which requires after-market hardware mods to achieve. PORTAL was created in 2012 by TheGrugq and its goal is to have you fail closed, which is the ability to fail safely behind the PORTAL, giving up no trace of your real IP. To achieve this, the PORTAL project creates a hardware separation between your computer and your WAN connection, and as a result your workstation simply doesn’t know what’s beyond your PORTAL. Your workstation cannot give up your real IP because it simply doesn’t know it.

Protection from Exploits

PORTAL sets out to ensure that all of your traffic is transparently sent over Tor with the goal of removing your ability fall victim to exploits like those seen used on Flash, Firefox and JavaScript, which exposed the targets’ real IPs by having their workstation make a request to a remote server, outside of their Tor connection, which would log the IP which made the request and any other identifying information the request may have contained. For example, in the FBI’s attack on Freedom Hosting, a JavaScript exploit was used to cause users of various dark net websites, who had not disabled JavaScript, send specific information about the computer being used via a request to an FBI-owned server.

Briefly, this payload connects to and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash.” – Vlad Tsyrklevich

While PORTAL leaves the task of obfuscating your hostname and MAC address to you, it would have meant a Tor exit node querying that FBI server rather than your home IP address. Your MAC address and username might be enough to get you busted, but it’s much less likely when they’re not paired with your home IP.

Protection from Yourself

Aside from exploits, there have been notable cases such as the one of LulzSec, specifically Sabu, where his real identity was revealed by merely forgetting to use Tor just one time when he was connecting to a public IRC channel in which there were agents watching. As a result, he was arrested and made to decide that his best option was to turn into a rat for the FBI, which ultimately helped bring down the rest of his team, LulzSec. Logging into any nefarious accounts even once without Tor is enough to get you busted.

Why not a VPN too?

To further improve the usefulness and anonymity of your new PORTAL setup, you can easily pair it with a VPN. There’s an added freedom of being able to chain VPNs together with Tor, so that even if Tor itself is exploited, it would only reveal your VPN’s IP, which you would be connecting to via another instance of Tor. For example, if you were to run a VPN on your workstation computer, your connection would look like this:

WAN → [PORTAL] → Tor → [Workstation] → VPN → [Tor Browser] → Tor → deepdot35wvmeyd5.onion

However, this addition is not foolproof and may cause more harm than good if you allow the VPN to be connected to your person in any way. Paying with a method which isn’t associated with your person and using Tor when you purchase, as well as always using Tor to connect to the VPN should be enough to keep you separated.

Pairing with 3g

TheGrugq, in the talk that’s embedded here, mentions that it’s possible to connect your PORTAL to a 3g connection using a 3g dongle. Even if its IP is somehow given up, they can be purchased anonymously and aren’t effectively tracked. Your connection would look like this:

[3g Dongle] → WAN → [PORTAL] → Tor → [Workstation] → VPN → [Tor Browser] → Tor → deepdot35wvmeyd5.onion

Why not Tails?

The Tails project essentially has a PORTAL built into the operating system. It’s a workstation OS with IPTABLES rules which attempts to have you route all of your traffic through Tor, but you have to trust the OS and all the applications on it to not give up your real IP. It’s great, but without the separation from your WAN connection that an external gateway gives, your OS knows that IP – It has to, else it wouldn’t be able to connect you to the internet.

Can I pair TailsOS and PORTAL?

Yes, but you shouldn’t. Your setup would look like this:

WAN → [PORTAL] → Tor → [TAILS OS] → Tor → deepdot35wvmeyd5.onion

Connecting to Tor over Tor is probably a bad idea. According to the Tor Project team, it’s not received significant testing yet.

When using a transparent proxy, it is possible to start a Tor session from the client as well as from the transparent proxy, creating a “Tor over Tor” scenario. Doing so produces undefined and potentially unsafe behavior. In theory, however, you can get six hops instead of three, but it is not guaranteed that you’ll get three different hops – you could end up with the same hops, maybe in reverse or mixed order. It is not clear if this is safe. It has never been discussed.” – Source.

Why not Whonix?

With Whonix, you can use applications and run servers anonymously over the internet. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP. Like PORTAL, there’s a gateway that creates an isolated network for a workstation, only with Whonix it’s achieved with virtual machines rather than hardware. If your home OS is compromised, so are your virtual machines. Whonix is a lot better than just Tor browser on Linux, and probably better than Tails because of the improved isolation of the workstation from the knowledge of your WAN IP.


Why not both? Well, why not? With Whonix on your workstation you could easily have a setup that looks like this:

WAN → [PORTAL] → Tor → [Workstation] → VPN → [Whonix Gateway] → Tor → [Whonix Workstation] → VPN → [Tor Browser] -> Tor → deepdot35wvmeyd5.onion

What NOT to do with PORTAL

Using PORTAL isn’t necessarily good for OPSEC because every tool can be used improperly. For example, if you connect your normal workstation to it, you’ll likely be telling several services your Tor IP. Every account you sign in to or are already signed into will now know which Tor exit node you’re using and at specifically what time, making correlation attacks likely. For further reading, Whonix’s wiki is a great resource for learning what’s not good to do with your new isolated workstation. There’s also.

One comment

  1. Qubes OS has a similar method to this. You can set a vm to route all traffic through a tor vm. Of course it is possible an attacker could escape the vm, take control of the underlying os and bypass tor but that hasn’t been proven to have happened.

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *