Links can be spooky. You receive some URL from someone you know, but you're not entirely sure you trust it. You could open it on your machine, but there may be an exploit that can escape and infect your computer. While the scenario is unlikely, it is why browser isolation technology is popular for security applications.

In this blog post/guide, I go over installing Kasm Workspaces on a cloud server to give you the boosted security of browser isolation, and the best part is Kasm is totally free for personal use. But we're not stopping there. We're cranking our browser isolation game up a notch with the help of Control D, a DNS service on steroids that allows you to proxy traffic, masking your instance's IP address from websites, trackers, and all sorts of bad stuff.

Limitations

Before we begin, I'd like to go over some limitations to using Kasm and Control D.

• Control D is not a VPN service. While we can tunnel most of our traffic via their proxy servers, direct IP traffic will always go direct. If you want all of your traffic to be protected, setting up an on-premises server with a VPN may be better. If you are more advanced, you can also configure a firewall to only allow traffic to Control D's DNS and proxy ingress servers.
• If deploying in the cloud, you need to be aware of any data egress costs or quotas you have.
• Since these are containers streaming to your browser, performance may take a hit. To mitigate this, allocate more resources to your server and Kasm containers.
• You also need to trust your service provider to not be keeping logs of traffic. While this guide will include configuring DNS over HTTPS, it is still possible for providers to know which sites you are visiting by capturing the SNI header, which is unencrypted. This is planning to be resolved with Encrypted Client Hello (ECH).

What Is Kasm Workspaces?

Kasm Workspaces is a container-streaming platform that you can self-host on any machine. Kasm will spin up prebuilt Docker containers with an application of choice (Chrome, Firefox, Brave, Ubuntu Desktop, and yes, Doom) for you to do whatever you want. The best part of it all is it's completely ephemeral. All you have to do is delete the session when done, and it vanishes. Gone. Deleted. Never to be seen again.

Kasm Workspaces uses the power of Docker. Docker is a lightweight, wicked-fast container engine that can start isolated containers faster than you can say the word banana. The good news is that you need zero Docker knowledge. I will tell you everything you need to know, and Kasm will handle a lot of our work.

Installing Kasm

Kasm is extremely easy to install and very versatile. As for where to install it, it's up to you. You can install it in the cloud (Hetzner, AWS, Linode, etc.) or on-premises with an old PC or virtual machine. I will be using the cloud.

You will need the following minimum requirements:

• 2 CPU cores
• 4 GB RAM
• 50 GB storage (I recommend 75)
• x64 or ARM64*
• Any of the following Linux distributions. It must also support Docker.

For a 1-person install, these specifications should work fine. However, if you intend to use Kasm for higher-cost applications or multi-user environments, I recommend going higher spec.

This guide will assume you are somewhat familiar with Linux and do not have issues running basic commands and install scripts and that you have your distro of choice set up. This guide will also not cover setting up SSL or a reverse proxy; please consult the documentation if you want to do this (recommend for production deployments).

Step 1: Creating a Swap Partition

The first step to installing Kasm is to create a swap partition. Kasm highly recommends you create a swap partition for better stability in your containers even when you have enough memory.

Execute the following series of commands:

sudo dd if=/dev/zero bs=1M count=1024 of=/mnt/1GiB.swap
sudo chmod 600 /mnt/1GiB.swap
sudo mkswap /mnt/1GiB.swap
sudo swapon /mnt/1GiB.swap
echo '/mnt/1GiB.swap swap swap defaults 0 0' | sudo tee -a /etc/fstab

Step 2: Downloading the Installer

In a browser, right-click and copy the URL on the download button located on Kasm's download page, and wget this into your home or /tmp directory.

For example:

wget https://kasm-static-content.s3.amazonaws.com/kasm_release_1.10.0.238225.tar.gz

Next, extract this and run the installer as root/sudo!

tar -xf kasm_release*.tar.gz
sudo bash kasm_release/install.sh

Accept the EULA, and get a cup of coffee. Depending on the speed of your connection and server, it can take a few minutes to get everything installed.

When the installation finishes, you will see a list of credentials for admin, database, etc. Save these somewhere; it's important.

Step 3: Log Into Kasm

Navigate to https://YOUR_SERVER_IP. You will receive a browser warning about self-signed certificates; this is normal and can be ignored.

Protip: It may not let you proceed due to "scrambled credentials" on some browsers. Simply type "thisisunsafe" in the window (it doesn't matter where) and refresh. It shouldn't go without saying you should never do this on actual websites.

If everything goes well, you should be dropped onto the login screen as shown:

Enter your admin UI credentials ([email protected]), and you're in!

*ARM-based installations have a limited number of images. Please reference the Kasm Documentation for what will be provided.

Configuring Kasm

Once you've logged in, you will be dropped onto the admin dashboard. You can immediately click on Workspaces and start having fun inside them, but I'd like to go over some configurations to help optimize your instances. On the admin dashboard, click the "Images" link on the sidebar to be brought to your images. For this demonstration, I will be modifying the Chromium instance. Click the 3 dots and then "Edit" to be brought to the configuration page.

Allocating More CPU/RAM

Browsers can be resource-intensive and require more than 1 CPU or 1 GB of RAM. To change this, there are "Cores" and "Memory" on the edit page. Allocate more or fewer resources as you wish. Keep in mind the number of Kasm's you can run in parallel is relative to your CPU core count. For example, 4 Kasm's can be run if you have 4 cores and each Kasm has 1 core.

Switch to Rolling Release

The default images Kasm comes with are not the latest versions, so you may find that you are running outdated versions of software/browsers. To change this, switch to the rolling release by adding -rolling to the end of the "Docker Image". The rolling images update every night and will be pulled automatically, ensuring you are always on the latest versions and bleeding edge.

Cranking It To 11 With Control D

Now we're getting to the fun stuff and taking our browser isolation game to the next level. Control D is a DNS service created by the team behind Windscribe VPN. Control D will allow us to have maximum control over the containers we spin up, allowing us to block categories of websites, allow certain ones, or send traffic over a network of proxies allowing us to mask our IP address and pretend as if we're in another location. All without the need for a VPN.

Control D is not free. It costs $40/year for the full plan; however there is a 30-day trial with no credit card required to try it out. I will be setting it up via the DNS over HTTPS method, which allows us to take advantage of the entire feature set Control D offers.

Step 1: Setting up Control D

Click the Get Started link in the top right corner of the home page, and select the Free Trial for "Full Control". Put in your Email, Password, and Starting Configuration if you like (we will be making our own profile). I recommend starting fresh.

Feel free to play around or walk through the guides as you wish. On the top center of the page, there is an indicator of which profile you are on; since you are starting out, it is likely your Default Profile. Click it, and a dropdown list will appear. Click "Manage Profiles & Devices."

You will be placed on the screen where you manage all of your profiles and devices. In the lower right-hand corner, click the "+" button. Firstly, we will be creating a new profile. Feel free to call it whatever you want, but I will be calling mine Kasm for easy remembering. Now repeat this process but instead, add a Device and link it to the profile you just created. While the OS type doesn't matter, I chose Linux.

You should see your newly created profile and device on the devices screen. Click "Configure Device". In the setup wizard that appears, click "Skip to Resolvers". You will see legacy IPv6 DNS addresses followed by your DNS-over-HTTPS URL. This is what you want. Copy it. Once you have copied this URL, close out Manage Profiles & Devices. Go back to the center top and select your Kasm profile.

At this point, begin configuring what you want! For this demonstration and simplicity, I will be configuring the Default Rule to redirect all traffic through a Control D location. Click the globe on "Default Rule" and select either Auto or Manual if you'd like to follow. Since you have not configured your Control D profile on your device, you can ignore the warning it gives.

1/2/2023 Edit - Kasm 1.12.0

A recent update to KasmVNC released in Kasm Workspaces 1.12.0 utilizes STUN servers for UDP transit support. Control D does not support UDP traffic, so connections made to it will fail. This will cause your container to not load.

To fix this, create a "Bypass" rule for Google's STUN server, stun.l.google.com.

Step 2: Installing cloudflared

Next up, we're going to be installing cloudflared. cloudflared is a tunnel client for the Cloudflare network but contains a DNS-over-HTTPS stub. That's what we will be using.

Find the url to your architecture:

AMD64:
Debian: https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
Fedora: https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm 

ARM64:
https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64

Run these commands for your specific install:

wget https://github.com/cloudflare/cloudflared/releases/latest/download/{ARCHITECTURE}
sudo apt-get install ./cloudflared-linux-amd64.deb 
OR 
sudo yum install ./cloudflared-linux-x86_64.rpm

Once cloudflared is installed, we need to grant it permission to bind to privileged ports, and we will create a user for cloudflared. This way we do not need to give root to cloudflared and follow principles of least privilege.

sudo setcap 'cap_net_bind_service=+ep' /bin/cloudflared
sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Now we are going to proceed in configuring it. Create a cloudflared directory in /etc and execute nano on config.yml in this directory.

sudo mkdir /etc/cloudflared
sudo nano /etc/cloudflared/config.yml

Inside nano, we will make our values for our DoH proxy. I will explain what we're doing here.

• We are enabling the proxy-dns function.
• We are binding to port 53 for DNS.
• We are binding to the Docker Gateway (default is 172.17.0.1), allowing us to easily configure our Kasm containers to point to our DNS server without any other complicated setup.
• We are setting our upstream to Control D with the URL we specified.

proxy-dns: true
proxy-dns-port: 53
proxy-dns-address: 172.17.0.1
proxy-dns-upstream:
  - https://dns.controld.com/YOUR_RESOLVER_URL

Once that is done, save and close the file (Ctrl+X). Now, all we have to do is install the service. Please note this is for systemd.

sudo nano /etc/systemd/system/cloudflared.service

Copy and paste this configuration. No need to make any changes, and save.

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
ExecStart=/usr/local/bin/cloudflared --config /etc/cloudflared/config.yml
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl start cloudflared
sudo systemctl status cloudflared

If everything looks good, you've done it!

Step 3: Configuring Kasm Images

This is the easiest part, now we've got to tell our Kasm images to use Control D. Edit an image of your choosing (I will use Chromium), and we will modify the "Docker Run Config Override" to tell the container when to run, use the cloudflared stub as the DNS server.

{"hostname":"kasm","dns":["172.17.0.1"]}

That's it! Save the image. Now let's see if it's working. Launch the image you configured and access an IP checker such as myip.wtf.

Great success! We have configured everything properly, and your traffic is now going through a Control D proxy server. Also, if your server does not support IPv6, you can access IPv6 websites as well. Cool huh? Now you can stick it to large internet companies who still want to argue on IPv6 peering all these years later.

Conclusion

Kasm Workspaces is a great software that brings the perks of browser and app isolation to the masses. There are many use cases for it beyond browser isolation, such as having an always-available remote workspace, live-streaming apps, application testing, and so much more. If you catch something bad, you can always trash the session, and the container will just disappear like David Copperfield, never to be seen again.

We also took it up a bit and configured Control D, an extremely flexible DNS service that gives you total control over your networks, and for this post, our Kasm containers. Feel free to go nuts over it and have so many combinations of rules and functionality as there is so much more to Kasm and Control D. Want to make some streaming machine? You got it. Browse in peace of mind? Sure. Access your stuff from anywhere? Yes, yes, and yes. Never get internet AIDS again and just browse the way you want to browse.