VPNs and Tor

Discussion in 'privacy technology' started by mirimir, Feb 1, 2015.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Two days ago (although it seems like weeks) someone asked on tor-talk about advantages and disadvantages of using VPNs together with Tor in various ways. This is an old question on tor-talk, and on Wilders as well. In particular, they asked about tunneling a VPN through Tor (Tor -> VPN) versus tunneling Tor through a VPN (VPN -> Tor).

    As y'all might expect, I've had a lot to say on the matter. Several others have offered insightful perspectives. I was especially pleased to see comments from Paul Syverson, one of the original Tor developers, and a senior scientist at the U.S. Naval Research Laboratory. See https://lists.torproject.org/pipermail/tor-talk/2015-January/036644.html

    Conversely, I have been bedeviled (maybe even reduced to a raving lunatick) by a slide from Grugq's 2012 Hack In The Box presentation "OPSEC: Because Jail is for wuftpd" at 46:25. See http://www.youtube.com/watch?v=9XaYdCdwiWU
    I've had a lot to say about this on tor-talk, more or less coherently. Here's my best shot:
    Code:
    VPN -> Tor
       VPN connection to Tor == Tor connection through VPN
       getting your anonymity (Tor) more privately (VPN)
       easy setup; VMs not needed; firewall prudent; use PayPal for VPN
       safe with Tor browser; easy to fail with other apps
    
    Tor -> VPN
       Tor connection to VPN == VPN connection through Tor
       getting your privacy (VPN) more anonymously (Tor)
       hard setup; use VMs and firewalls; buy and use VPN anonymously
       classic fails: buying VPN with PayPal, using VPN sans Tor
     
  2. Kiebler

    Kiebler Registered Member

    Joined:
    Feb 3, 2015
    Posts:
    17
    After going thru this article https://thetinhat.com/tutorials/darknets/tor-vpn-using-both.html I am still confused on how a malicious exit-node can still see unencrypted traffic using a VPN>Tor setup. Also, are the dangers of exit-nodes the same when going on the 'clearnet' vs the hidden services? Or are exit-nodes referring only to connecting to the clearnet?
     
  3. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    So from what I've seen from the links it's being based on the idea that if the VPNs are compromised, or watched, or even log then it makes no sense to run Tor through a VPN (or is that only a percentage of the whole story?) But most ISPs ALREADY log and watch traffic, or even the old example of the guy who used Tor at his university and he was one of only two people at the place at the time to be running Tor so they tracked him down easy enough, and he confessed.

    That video is also 3 years old now, so I wonder if he still stands by what he said then, now (cause stuff changes and advances, opinions change, etc). I still have to watch the whole thing. But his case example can be argued and like Paul is saying, it's based on your needs with benefits and issues with both methods. The whole privacy/anonymity can be separate things, can be coexisting. But his whole slide in the video of GOTOJAIL is a bit worst case, and I think simplifying that VPNs are for Privacy and Tor is for Anonymity is misleading.

    Tor -> VPN
    Wherever your connection starts from, could know you're connecting to Tor. If compromised on the leaving end, they'd go to the VPN who'd then just say "dur, twas someone using Tor". But that's under the assumption that the VPNs you'd be using are untrusted or compromised. But I get we can't really go on assumptions with security. And like you said, hardest to setup, many things could go wrong setting it up if you aren't savvy. That is the setup if you have "LEO" wanting to make an example out of a high level target. But again, vid was from 2012- the NSA leaks have caused a lot of VPNs and security services to up their game and can now even bank on media siding with any stories of being forced into being compromised. Look at Yahoo.

    VPN -> Tor
    You might have the same risks from just using Tor from your ISP as from a VPN, but obviously most if not all ISPs are CERTAIN to log and none are known to go out of their way to even try to protect privacy. But if you've already tipped off your ISP that you've used Tor (or Linux, or whatever they flag now out of their insanity and paranoia) you might already be on a higher watch list, maybe not so much after the NSA leaks and the masses that have used it since. I'm not sure.

    Even then, there are so many things between the person's finger tips and the end destination that can go wrong, software bugs being one, browser finger printing... It just does not end.

    For whatever reason, I still seem to think VPN -> Tor would have better overall perks, for me anyway.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Using VPN>Tor, the VPN just gets you to Tor entry guards. Everything else is just Tor. Tor exits see all of your traffic to clearnet. So you need end-to-end encryption. However, with hidden services, there are no exit nodes. Both clients and hidden services create Tor circuits, and they meet at rendezvous points. Everything between clients and hidden services is encrypted.
     
  5. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    After reading through some guides that were making the argument "remember, no one is going to go to jail for you" I kinda retract my previous post. Hook, line and sinker, no, it's more the adversaries take the route of commercial net fishing entire oceans for Moby Dick, and any other fish that just happens to be in the same ocean gets caught up too. So we get this type of stuff: https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden

    The more I learn the more I wish I didn't know and that I was instead some cave hermit.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The whole point of distributing trust is to avoid putting anyone at risk of "going to go to jail for you". As long as collusion is limited and/or takes enough time to arrange, anyone pressured can cooperate fully. It's best if they've set stuff up so cooperating will do minimal damage, of course :)

    It's also prudent to think before acting, and to avoid putting resources that you depend on (and their providers) unnecessarily at risk :)
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Ditto from start to finish!!
     
  8. Kiebler

    Kiebler Registered Member

    Joined:
    Feb 3, 2015
    Posts:
    17
    I've recently secured another vpn (with 3 hops *wink*) and would like to use it in the Whonix workstation. Should I use pfsense (no idea how to set it up) in VBox, or is there already something to handle this in the Whonix workstation?

    My host (win7) is running another vpn and the default gateway ip is removed after OpenVpn connects ( https://forums.comodo.com/firewall-help-cis/configuring-to-block-all-nonvpn-traffic-t91413.15.html) instead of adding rules to the firewall.

    edit:
    Just noticed Mirimir's guides on ivpn. Guess I need to get reading :).
     
    Last edited: Feb 16, 2015
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I haven't watched the video yet but I would think that starting the VPN first and then connecting to Tor would be the safest bet as far as being anonymous. But of course not giving away any personal identifiable information through the tor exit node. The ISP sees a VPN. And the VPN sees the entry node, right? The exit node knows nothing of the VPN. So I would think this would be the safest bet. Certainly just for surfing or going to a hidden service or something.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes.

    For using a VPN through Tor, the key issue is "not giving away any personal identifiable information" to the VPN provider. You get two benefits: 1) bypassing anti-Tor blocks, and reducing CAPTCHAs; and 2) ability to use apps that require UDP traffic.

    But as I've noted, better would be VPN services that operate as Tor hidden services. Perhaps they would only accept payment via anonymous tokens. And perhaps the tokens might be sold by third parties, who would accept payment only via Bitcoin mixing services.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Well somebody somewhere is going to "see" your first connection. Your ISP connection has to go somewhere first. Because of that unavoidable fact I prefer the first connect to be a VPN. How long my connection tunnel is and what happens after the first connect shall remain a mystery to my ISP. There are lots of folks that would say they prefer the first connect to be a TOR entry node. I can't debate that call; it's a preference. What happens after the first connect is very important, and especially ANY activity that is post exit node from the connection tunnel end. Doesn't matter if the final node is vpn, tor, ? because when you leave and go to clearnet you need to THINK so you don't throw away all your hard planning and configurations. I spend significant time on hidden servers and enjoy the fact that there is in effect no exit node on that setup.
     
  12. Such a service does not exist to my knowledge. I hope one will be built very soon.

    I have searched the entire dark web, every privacy & anonymity forum out there, even most of the exclusive .ru forums that you need 2 vouches for to become a member, I've looked at bulletproof hosting services from around the world, and finally researched nearly every VPN service located offshore in the world and nothing comes close to even 95% anonymity.

    The best you can hope for is chaining anonymity services or proxy services together.

    I've seen VPN-TOR-VPN-DEDICATED_BULLETPROOF_SERVER-SSH-SSH mentioned as one of the safest chaining methods.

    I wouldn't know honestly as I have no use for such levels of anonymity.
     
  13. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Would it be possible to use a laptop connected via Ethernet and running a Tails live DVD to create an ad hoc wireless network? This works with VPN and whatever other linux distro quite easily. I think a setup of Tor Wifi secured with WPA --> anonymously purchased VPN 1 --> anonymously purchased VPN 2 in a VM would be both the most anonymous and secure setup that I could imagine.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I've done it. It's easy. You set it up just like any hidden service. The problem is finding hosting services that would allow such exits. They're effectively Tor exit nodes. One can use VPN services as exits, but that's just a stopgap, because your users would burn them down pretty quickly.
    I agree.
    Same here, of course :) It's a hobby.
     

  15. Yeah it is a hobby of mine too. Just trying to see what is possible drives me. I'm an explorer kind of person.

    My next project is QUBES>WHONIX VM>VPN/SSH chain setup on a fully Veracrypt 256AES/Blowfish encrypted fast i7 CPU SSD PC.
     
  16. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    https://www.youtube.com/watch?v=9XaYdCdwiWU
    this guy clearly states TOR->VPN "safe" from all but agencies and governments (like NSA) - apex predators
    VPN->TOR == go to jail
    I have also heard that for a hacker (NSA one 2 as well) is better to attack 1 communication node or server with all the juicy data in it
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I hate that "TOR->VPN" vs "VPN->TOR" terminology. I mean, what do they mean?

    Anyway. Connecting first to a VPN, and then to Tor through the VPN, is safe enough. In the worst possible case, if the VPN drops, you'd just be connecting directly to Tor. Which is what the Tor Project recommends. For better security, you should use firewall rules to 1) allow connections to the VPN server; 2) allow the Tor process to connect via the VPN tunnel; and 3) drop all other traffic. Or you can just use Whonix, with the VPN client running in the host machine, and firewall rules that drop non-VPN traffic. Because the Whonix gateway VM can't reach the internet except through the VPN. But I wouldn't count on any of that being safe from the NSA.

    Connecting first to Tor, and then to a VPN through Tor, is risky. In doing that, you reduce the anonymity that Tor provides. The VPN connection pins the Tor stream/circuit that it's using, so Tor can't do its thing of changing circuits every 10 minutes or whatever. Also, all of your traffic goes through the same VPN server, and it could be logging.

    And then there's the risk that apps which aren't configured properly to use Tor may connect directly through the VPN. But really, that's no worse than the risk that apps won't connect through Tor, without a VPN involved. That's one reason to use firewall rules. You 1) allow the Tor process to connect; and 2) drop all other traffic. Then you configure SOCKS5 in the VPN client to use a Tor SocksPort. That way, the VPN can't connect except through Tor. Not even if you forgot to configure SOCKS5, because the firewall rules would block it. That's also handled if you use Whonix. Just run the VPN client in the Whonix workstation.
     
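    The fail-closed firewall rules mirimir describes for both arrangements, written out as an added example that is not from the thread or any of its posters. It assumes Linux iptables, an OpenVPN-over-UDP client, the physical interface eth0, the tunnel interface tun0, the VPN server address 198.51.100.7 and Tor running as the debian-tor user; the functions only print the rules so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Emits iptables OUTPUT rules to stdout (dry run). To apply, e.g.:
#   vpn_then_tor_rules 198.51.100.7 1194 debian-tor | sudo sh
# Assumed (not from the thread): eth0 = physical NIC, tun0 = VPN tunnel,
# OpenVPN over UDP, Tor process owned by the 'debian-tor' user.

# Shared prelude: default-deny, keep loopback, let replies on connections
# that an allowed rule already opened flow, and refuse IPv6 entirely so
# nothing slips out beside the tunnel.
common_prelude() {
  cat <<'EOF'
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -P OUTPUT DROP
EOF
}

# VPN -> Tor (mirimir's items 1-3): the VPN client may reach only its
# server on the real NIC; only the Tor process may use the tunnel;
# everything else is dropped. Use the server's IP, not a hostname, so no
# DNS lookup has to leave the host before the tunnel is up.
vpn_then_tor_rules() {
  vpn_ip=$1; vpn_port=$2; tor_user=$3
  common_prelude
  echo "iptables -A OUTPUT -o eth0 -p udp -d $vpn_ip --dport $vpn_port -j ACCEPT"
  echo "iptables -A OUTPUT -o tun0 -m owner --uid-owner $tor_user -j ACCEPT"
  echo "iptables -A OUTPUT -j DROP"
}

# Tor -> VPN: only the Tor process may leave the host. The VPN client is
# then configured with SOCKS5 at Tor's SocksPort on localhost; if that is
# forgotten, its direct connection attempt hits the DROP rule instead.
tor_then_vpn_rules() {
  tor_user=$1
  common_prelude
  echo "iptables -A OUTPUT -o eth0 -m owner --uid-owner $tor_user -j ACCEPT"
  echo "iptables -A OUTPUT -j DROP"
}
```

    Check the result with something like `sudo iptables -S OUTPUT` and confirm that a non-Tor process (e.g. curl run as your own user) can no longer reach the internet directly.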
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  19. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Plus there is the unwritten "truth" that where I live you are guilty by association. What I mean is that IF you are seen using TOR your ISP just puts you automatically on a watch list. Not tin foil hat, just how it is. Not true everywhere. The thought is that honest law abiding citizens don't need or use TOR. Corporations use VPNs to secure traffic all the time so VPNs don't draw attention, at least nothing like TOR does.

    In my case some days I spend a great deal of time on TOR, but my ISP has no idea that I do. It's important for me that they see a secure VPN connection and nothing else. MY .02

    ps - I actually posted this same thought several posts higher in this thread, but after a year or so it's important to remind users that in many parts of the world TOR = guilt by association!
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    wouldn't you feel bad for spying on someone innocent 24/7? we live in a shitty world if that is true. I am sure very happy when they catch a criminal but being on a list for testing a tech or reading about it is too much. I've heard they do it with matching search queries and at tor installation. That is unacceptable from a moral/ethical standpoint. Not too far from this time we live in, there will be cameras in our toilet with bots and sensors deciding and doing telemetry, smart toilets, if you remove sensors it means you have something to "hide" in your own toilet

    I think chrome is "better" (I prefer security over privacy) because TOR is subject to exploits, see the frequency of updates and the bounty program, if someone finds an exploit in TOR how likely it is he will give it to the TOR community rather than sell it to bad actors and organizations?

    you could add an online service to increase bandwidth, ie connect with 1 mb (max 2mb due to your setup) to a cloud with exit 1000gb, only useful in some scenarios though and doesn't solve most problems of slow connection

    thanks that conference guy is an idiot then, good to know, I saw few more of that Opsec conferences and got bored, defcon/blackhat is better
     
    Last edited: Jun 19, 2019