TOR under a VPN

I've been following along here for several months and understand that Tor under a VM, or Tails live CD under VM with public wifi is ideal for anonymity....but what about using one of the VPN services who do not log (I read the article), and then Tor?

Wouldn't that be better than TOR under your regular ISP? Or is there anything that happens, technically, when using a VPN first and then Tor, that would make this a bad combo?

I tried searching out an answer but never found the same topic or question; sorry if it's a repeat.

Thanks

 

I'm not sure if there are any unwanted side-effects of using both a VPN & Proxy simultaneously. I hope not, because I do it occasionally. I do know that it enhances your privacy when using both as opposed to using just a VPN by using tests on various sites. Here is an example from another post in here:

https://www.wilderssecurity.com/showthread.php?t=309936

As you can see, the 2'nd time I took the test (with both a VPN & proxy), far less information was gathered. And it airballed on my OS. I was using the proxy built into Ixquick, not TOR.

 

If you're using Vidalia which makes this easier, in the settings to use a Proxy, you can use a proxy from a VPN if they have one to give you, so when you connect to Tor you're connecting first through the VPN, at least this is my understanding, I've done this before.

I would hope to think by doing this, you're protecting your actual IP and just giving up the one from the vpn proxy...

The thing is, you have to first figure out, can you handle the speeds of Tor, while it has improved it can still be a bit slow at times...

 

@luciddream - thanks for that link and test, wow, glad I asked. Note to self - find a new VPN!

@dasfox - Yes, I'm familiar with the old days of Tor...the days when half the Tor packages downloaded were corrupt, and Tor moved, err...it didn't move, lol. I was surprised to see the new site and a bit freaked out not to see checksums on their downloads.

Thanks for the heads up, and for your other Tor response on the exit node...that's very handy for social network surveillance where you don't want an IP address from France.



Thanks again guys!

 

There are pgp signatures

 

Thanks for pointing them out...I simply overlooked them.

 

Also if you simply connect to a VPN then run Tor, it's routed over the VPN, just like any other internet application...

 

I have an off topic but related question. I've tried VPN connections over Tor a few times, but it's never worked very well. If you have managed to make it work, please share how.

 

Look at it like this, you use a VPN and run your browser surfing the internet, through the VPN connection correct?

Well Tor is just a browser that has to first go through your network connection to get online to get on the Tor network, so all you do is just start your VPN, then start Tor, Tor is going through the VPN to the Tor network.

Also if your VPN provides a Socks VPN Proxy, you can connect to that, then in the Vidalia's 'Settings - 'Network' for using a proxy to access the internet, you can add the Socks proxy there and connect through the VPN, either way works...

 

I get that. I mean the oposite way: connecting to the VPN server through Tor. It just doesn't seem to connect, or at least not for long enough to use. But a TCP based VPN is just TCP, so Tor should handle it OK, right? Maybe there's too much latency with Tor.

 

This is where people get confused about stuff like this...

Tor has it's own network, but we get to it by means of their software, which does nothing at the network level on the computer.

OpenVPN however works the other way around, you do use software to connect to a VPN server, but you are then going over the network at the network layer, meaning, a TUN/TAP layer...

Tor works on the software layer, has no effect on your own computer network.

VPN works on the network layer and has an effect and changes the computing network.

The network layer is what provides the greatest level of security, so even if you could do what you want, you are opening yourself up to greater risks.

So hopefully I haven't confused you, but look at it this way, the VPN is your internet connection, if you're not connected to it, then you don't get online, so how is Tor going to get online if you're not connected? This is really how it is with a VPN... Make sense?

TOR= Software layer
VPN= Network layer

If you're running Windows you can see the VPN network layer for the adapter in the 'Network Connections'; (Tap-Win32 Adapter)

http://www.surfbouncer.com/images/tap_adapter.jpg

The big question is, why would you want to do what you're trying to do? Even if it could be done, Tor is less secure...

Here's how you want to look at this;

Tor = Greater anonymity, less secure, less private

VPN = Greater security and privacy, less anonymity, but a great vpn could provide good anonymity, the question is, do they have the technology to do it? Most VPN providers just provide you anonymity by having you share a static or dynamic ip with everyone else, but that's more like what is called, pseudo anonymity.

 

I agree that it's confusing on one machine, because you want to route all application traffic traffic over the virtual VPN interface, leaving only encrypted VPN packets using the physical interfaces. But you can run your VPN client on one VM, and route the OpenVPN tunnel to a virtual LAN. Then you can feed that to another VM, effectively as WAN, and route Tor traffic through it, just as if it were a real interface connected to a real ethernet cable. You can even bridge that virtual VPN LAN to a spare physical interface, and set up a physical network with the VPN tunnel as WAN (aka OpenVPN router). So why shouldn't Tor work through that?

 

First, so we are both clear here, you said;

---> Connecting to the VPN server through Tor.

Now you're last reply you said;

---> Route Tor traffic through it

So which is, you want to route Tor through the VPN or the VPN through Tor?

 

I was wasted when I wrote that I want to run the VPN through Tor (for exit-node security).

Actually, I want to run the VPN through Tor, with Tor connecting through another VPN, but baby steps first!

Here's another go at it.

I appreciate that it wouldn't work on one machine, in light of your explanation. I've never tried it. I've used Ra's Tor gateway VM, which establishes Tor circuits, and routes traffic from a virtual LAN (which I'll call "tor-gateway") through them.

I run another VM attached to tor-gateway. You could use Ra's Tor workstation VM, but I prefer Ubuntu. I run my OpenVPN client on the Tor workstation VM, and connect to my VPN provider's server using the TCP option. It's just TCP traffic, so why shouldn't the VPN connection work through Tor? I've not managed it, so far.

 

Well, when you said;

feed that to another VM, effectively as WAN, and route Tor traffic through...

Was this just a theory or someone is doing it?

The thing is, why are you trying to do this, what is the objective here? I think for any of us, the objective is security, privacy and anonymity and in that order too!

If all you're trying to do is add layers making things more complicated, then from what I've tested, that seems the simplest, just use two different VPNs, and Tor, now Tor is routed through two VPNs and you've got 3 layers.

I'm not sure why anyone would want to route a VPN through Tor, when you look at the weakness of Tor.

Ra's Tor gateway is doing what you're asking?

I played with Ra's but I thought this was just using Tor in a VM was all...

 

As I said, I was wasted when I wrote that. Being semiconscious, I was describing routing Tor through VPNs, which is what I routinely do. What I've not managed to do is route a VPN through Tor.

If I access VPN services via Tor, they won't know my IP address. If I also pay anonymously, they won't know who I am. And with a VPN routed through Tor, I'll be protected from evil Tor exit nodes. Also, the VPN can handle all traffic, not just TCP.

That's a great setup. I use it. But you're vulnerable to collusion between your VPN providers, and also vulnerable to evil Tor exit nodes.

The more I consider it, the clearer it seems that VPN-Tor-VPN is more secure than VPN-VPN-Tor.

Yes, Ra's Tor gateway VM routes a virtual network through Tor. I just attach a pfSense VM with OpenVPN configured for a VPN provider. But it doesn't connect. If I attach that same pfSense VM to another virtual network, which is routed through a different VPN, it connects.

 

Well the way I figure it, no matter where you start, someone is going to know your IP unless you get on a WiFi somewhere else that is not yours.

VPN through Tor = Tor knows the IP
Tor through VPN = VPN knows the IP

So it's really who do you want to have and know the IP starting point?

No matter what you do, someone is going to know the IP unless you sit physically at another computer that is not yours or you jump on a WiFi that's not yours...

When I've used Tor, I just used the browser bundle, but if you run Tor just like Ra's you are still making the connection to Tor in the same way, I don't believe Ra's is doing anything special in regards to making a Tor network like you think.

Also Tor uses TCP and most VPNs use UDP so you'll have to be using a VPN that has TCP connectivity, this most likely why you can't get your VM connected through it, wrong protocol...

 

If Tor does what its developers claim, only your entry guards know your IP address. But generally, what you say is true.

Yes. I want that to be a VPN service that's popular among casual users. That way, I don't attract too much attention.

Yes. In any case, they'll know an IP. It may not be associated with you (except via surveillance).

I didn't mean that Ra's Tor gateway VM is different. I was explaining the virtual network setup that I used.

I used TCP for the VPN.

I don't want to debate this. I was just curious whether someone had done it. I've found some prior discussion on Wilders, but nothing definite.

 

For starters I'm not here debating anything, I'm just having a forum chat with you, trying to figure out what you want to do is all.

Yes you can certainly make Tor into a network, getting everything going over it and with the VPN, it's my understand this simply has to be TCP and I don't mean you just change it your client config to 'proto tcp' to get this to work, it has to be supported on the server side to begin with.

You're also confusing me here, I said this;

So it's really who do you want to have and know the IP starting point?

You replied in your last post;

Yes. I want that to be a VPN service that's popular among casual users. That way, I don't attract too much attention.

That means the VPN is the first layer of connectivity, but you keep talking about making it Tor.

So do you want Tor to be the network layer or the VPN?


Cheers

 

I didn't mean "debate" as in "argue", but rather as in "discuss abstractly". I had hoped that someone would just say "I did that, and here's how."

I used a VPN service that offers TCP connections.

Honestly, I started out trying to keep it simple. But you're right, I did say that I wanted to tunnel a VPN through Tor. In fact, I want to tunnel a VPN through Tor, which is itself tunneled through another VPN. That's what I meant by "VPN-Tor-VPN".

Cheers

 

OK all clear now...

So you're trying to do all this with Ra's Tor gateway?

Ra's has some routing stuff going on and that might be the problem, where you need to create an IPtables route to allow the VPN through, this is all I can think of at the moment...

Without understanding exactly what Ra's is doing it makes it hard, but I had a dig around it, it's Linux and I noticed the different IP table routes that were created.

 

Thank you

Yes, plus pfSense VMs for VPN connections, all in VirtualBox.

I don't even want to think about how one might do it in Ra's gateway VM itself (which is OpenWRT). I find it easier to just connect VMs through virtual networks (VNs?).

Maybe I'm being too simple minded about this, but it seems to me that TCP is just TCP. If Ra's Tor gateway can route web pages, it ought to route TCP-based OpenVPN tunnels.

I'll play with it more when I have a chance, and let you know how it went.

 

Well you can certainly just run Tor in one of your VMs and play with it to do the same, but at this point in time I'm not sure how, since I've never done this.

Typically what I see about using Tor, without doing things how Ra's is, Tor is just operating on the Software level, meaning, to use it, then you plug in the 'localhost' 'port' into your apps and use them...

Ra's put Tor into the network layer and maybe if you just play with it, you'll figure it out.

Ra said as long as you use TCP it will work to connect to the VPN.

Be sure you read this;

https://www.wilderssecurity.com/showthread.php?p=1995908#post1995908

 

Thanks, DasFox. I just tried it again, and it works! I'm getting ~500Mbps down, which is low for Tor, but still usable. The routing is VPN3->[Tor->(VPN2->VPN1)].

Edit: I've been asked how I did this.

This employs four VMs and three virtual networks (VNs) in VirtualBox 4.1.6 x64 on an Ubuntu 10.10 x64 host with quad-core AMD Opteron 2376, dual 200GB 10Krpm SATA in RAID1 and 8GB memory. There's a pfSense 2.0 VM (pfS1) which is running an OpenVPN client that connects to a VPN service (VPN1) via UDP. pfS1's WAN interface is NATed to the host, and it runs DHCP server for its (virtual) LAN (VN1). There's an outbound NAT rule that routes the VPN1 tunnel through VN1.

There's a second pfSense 2.0 VM (pfS2) which is running an OpenVPN client that connects to a different VPN service (VPN2) via UDP. pfS2's WAN interface is connected to VN1, and it runs DHCP server for its (virtual) LAN (VN2). There's an outbound NAT rule that routes the VPN2 tunnel through VN2. All traffic to VPN2's entry node passes through the VPN1 tunnel.

There's a Tor fast gateway VM from Ra (TFG) which runs OpenWRT. TFG's WAN interface is connected to VN2, and it routes Tor to its LAN (TGW). All Tor traffic passes through the VPN2 tunnel, which in turn passes through the VPN1 tunnel. Ra's Tor VMs are at -http://ra.fnord.at/2011/05/easy-and-secure-anonymous-internet-usage/

Finally, there's an Ubuntu 10.10 client VM (UC), which is running an OpenVPN client that connects to a third VPN service (VPN3) via TCP. UC's WAN interface is connected to TGW, and it uses VPN3's DNS server. All VPN3 traffic passes through Tor, which in turn passes through the VPN1 and VPN2 tunnels.

I can post specifics for the pfSense OpenVPN clients, if there's interest. I got most of it from the pfSense forum. Using pfSense with VPN anonymity services is a fairly popular topic there.

 

I have a JanusPa sitting at the house that I have never hooked up. I may give it a try. I have wondered before if you could run a VPN through the JanusPa. And then I wondered if you could then fire up the pre-configured Tor browser and run it through the other two. Steve said that running Tor through a VPN is like running a straw through a pipe. So I guess running all 3 would be like 2 straws through a pipe. It may be too slow to work though.