Hi Agreeting to all, are a new user. Is it possible to usea vpn and tor together? Have you ever tried? What protection do I have? Do you have a vpn recommend? I have to first use the vpn and then tor or the opposite? Thanks
Yes, Tor and a VPN is a good combination. Much has been written about it in other threads on Wilders but the general rule is Tor after a VPN. Here is a good place to start reading: https://www.wilderssecurity.com/threads/i-have-two-new-privacy-guides-online.367864/
Generally you want the VPN first, and then tunnel Tor through the VPN. That prevents your ISP (and its friends) from seeing that you use Tor. It's rarely good to tunnel a VPN through Tor, because it reduces the anonymity that Tor can provide. However, by using a VPN through Tor, you can access websites that discriminate against Tor exits, or don't even allow connections via Tor.
Did you read about that vile, hideous, crazy nut that that was evidently some type of chief of cyber security for a government agency who got busted?. I won't mention what he was about because I can't stand to even see the words typed. He made Charlie Manson sound like a guy you'd want to sit down and have a cup of coffee with. But he told some FBI under cover guy about times that he was on the net using Tor. So they checked who was using tor at those times from ISP's and found him. Had he been using a VPN they wouldn't have been able to catch him. Unless the VPN was started at the exact same times. And them 'maybe' the VPN might confirmed that he was using tor. Or unless he was running a VM with a VPM (tor running through that, the VM VPN), and another vpm on the real machine playing a youtube video or something. Then what they were looking for couldn't compare. Same with the stupid kid that called in a bomb threat from campus using Tor (on the campus ISP). Had he been conected to a reliable VPN, they would not have found him. Or better yet, connected through a public wifi, from a distance out of site....VPM first , of course. Paid with cash or maybe a trial. PS I am not trying to give people ideas to hurt others, but I definitely think more people are being hurt by not being about to speak freely by far!!!!!
Tunneling a VPN through Tor prevents circuit changes. That gives an adversary more time to attack that circuit. If Tor were a gung fu fighter, that would be like nailing one of its feet to the floor
Like Mirimir; I also prefer to use a VPN bridge and then TOR (hint: you are not limited to one VPN by the way). I strongly suggest using TOR from within a VM too because it adds a strong layer of machine identification isolation that is NOT available if you are surfing from the "host" operating system (even on TOR from within the host). There are many threads around here about the security isolation adds. Some quick reading over on the Whonix forum and you don't have to be using Whonix to get the idea of why isolation. TOR supports/hosts hidden services which can be "powerfully" bad and dangerous. A vpn provides privacy/security but not hidden services in the way TOR does. Its just a fact that 3 letter agencies monitor TOR users with more "intention" than a vpn only user. TOR is a great circuit software that has wonderful uses and can be equally as powerful for GOOD. It unfortunately mostly gets a reputation for the bad uses because the "bad guys" have learned LE finds it near impossible to break without operator error. I spend the vast majority of my net time on TOR (now for instance). I hate the thought of someone looking over my shoulder. At least 5 hops or so would make someone work their tail off to do it. And remember the circuit changes every ten minutes so good luck.
Right. Browsing random Tor hidden service sites is risky. There's no oversight of any kind, and anything goes. At a minimum, it's wise to work from a VM, and that's easy using Whonix. Never use Windows. Running Tails (a LiveCD) on a machine with no hard drive is probably the safest option. But to route Tor through a VPN, you'd need a router running a VPN client.
Right. A router running a VPN client makes everything easier. Here is how I get Tails to run through a VPN with zero coding or configuration. I use a TinyHardwareFirewall (THF) from the website of the same name. It has an OpenVPN client built in, a battery, and two Interfaces. It is smaller than my iPhone and the battery lasts about 8 hours. I just throw it in my bag. One Interface points to the Internet and the other points to my laptop. There is a DHCP server on the internal interface facing my laptop. The Laptop runs Mint and also boots into Tails via a USB stick. The firewall rules stop any unsolicited packets from getting through to the Laptop. It also sends ALL traffic through the VPN. Here are the steps. 1. Turn on the THF. 2. Boot the Laptop (not into Tails yet) 3. Log onto the THF and tell it to connect to an access point. 4. Tell the THF to turn on the VPN (on port 443 using UDP), there are several choices. 5. Reboot Laptop into tails. 6. When Tails starts it gets an IP4 private ip address from the DHCP server on the THF and after a few more seconds it reports that it is connected to the TOR network. If I go to http://icanhazip.com after steps 3,4, and 6 I get three different ip addresses. There are some benefits to this. First, on the local network everything is encrypted so active sniffers will not see anything useful, not even DNS calls. The local ISP can’t see any TOR traffic, so that is good. Yes you now have a “static” exit point from the vpn server, but if there are many of those to choose from and hundreds of people concurrently using your vpn server then, assuming the vpn company is not actively tracking you specifically, it seems like a pretty safe place to have your traffic come out and go right to TOR. It is harder to correlate your traffic with traffic coming out of the VPN exit node. If someone is sniffing the unencrypted traffic at the exit of the VPN they will just see encrypted TOR traffic. If you set up your own personal VPN server in the cloud and your traffic is the only traffic going through it that is easier to correlate and track back to you. Unless someone compromises the commercial VPN server that won't happen. Also, TOR still gets to change your route through TOR this way. I think having the hardware separation makes this easier and more defensible. Even if tails is flawed it never knows what your real ip address is, just what the THF gave it. Anyway, just my two tech cents. If it helps anyone save time, then good.
I am also intrigued! I am visualizing the "circuit" setup with its attributes. Few questions coming up here. Hope you don't mind. Devil's advocate: if your THF fell into an adversary's hands what particular information (such as log in credentials, etc...) would be compromised? Do you have any concerns about carrying your THF and losing stealth if someone demanded to see your "bag" with the equipment? It may be that all your login credentials are in Mint on the machine (encrypted OS?), which instructs THF how to connect. Between steps 4 and 5 you halt Mint to bring up TAILS, but at the same time THF remains UP and connected ----- is that correct? If that is correct then THF functions like a home pfsense/VPN router, only its portable. The portability is sweet as long as the contents of the physical hardware don't reveal too much upon examination. I especially like the way you can use TAILS without configurations and are STILL bridged via the VPN. With TAILS running, and especially if your hard drive is encrypted, there would be NO marks on your system while using TAILS. I still have the TAILS vs pure TOR controversy running in my mind, but that is the subject for another thread. LOL!!
