How can I connect computer to TOR and VPN both?

Discussion in 'privacy technology' started by Melita, Dec 10, 2017.

  1. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    65
    Location:
    Canada
    Can I configure Windows XP and 7 to connect to the TOR Browser first and then to a VPN?

    Thank you
     
  2. TravisSturm

    TravisSturm Registered Member

    Joined:
    Oct 9, 2016
    Posts:
    2
    Location:
    United States
    Yes, but there are only a few vpn providers that work this way. The more common way would be to connect to your vpn first.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,235
    @Melita -- You can, but it's not so easy. First, I wouldn't use Tor browser, because the browser controls the Tor client. It's better to use the "Expert Bundle" from https://www.torproject.org/download/download.html.en

    Second, you must configure OpenVPN to use a Tor SocksPort, just as with any app. To do that, you add something like "socks-proxy 127.0.0.1 9050 foo" and "socks-proxy-retry" to the OpenVPN config file. You may not need "foo". Last I used this, there was a bug in OpenVPN that required a value for the SOCKS authorization passphrase. Even if (as for Tor) there isn't one. And it could be anything.

    Anyway, with that in place, the VPN should connect via Tor. But you can't just use Tor browser, because it will only connect via Tor SocksPort. You can fix that, but then you stand out as someone using Tor browser without Tor. Better to just use locked-down Firefox. Also, you'll want firewall rules that prevent all apps except Tor from using the machine's LAN adapter. And that prevent Tor from using the VPN tunnel.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,235
    Alternatively, you could use a VPN service that handles all that in its client.
     
  5. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,055
    Tor Expert Bundle

    This installer must be run as Administrator.

    I take it you cannot use it in a LUA (Limited user account)
    in XP, or can you set it up in Admin account and then run
    Tor in LUA?

    TBB can be set up and run in a LUA which is more secure
    than running XP in Admin account.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,235
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,951
    There are pros and cons to both approaches. Taking the "devil's advocate" position on this thread. If you elect to connect to TOR and then your VPN you sacrifice what I perceive as one key attribute of TOR. Namely, auto rotate of the circuit every 10 minutes or so. By connecting to your VPN and then using TOR in the bundled package (or using Whonix), your exit node IP will rotate every 10 minutes. As Mirimir noted above, AirVpn has a great client which makes going the TOR first route pretty easy. I have played with that client and it's coded open source so you can change it any way you want. Where I live I feel it's detrimental to have my ISP know I use TOR as opposed to a VPN. By locking into a VPN tunnel and then connecting to TOR my ISP has no idea I ever use TOR.
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    4,421
    TOR Over VPN & VPN Over TOR: Which is Better?
     
  9. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    65
    Location:
    Canada
    This is an enormous amount of help here :) A big Thank you to all of you. Is it possible to configure the computer to dump the internet connection if the VPN is disconnected unexpectedly?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,235
    Many custom VPN clients prevent VPN-bypass leaks. In Windows, I wasn't able to get those from AirVPN, IVPN, Mullvad, Perfect Privacy or SlickVPN to leak. You can also use Windows Firewall. Basically, you set LAN as a private network, and the VPN tunnel as a public network. Then you allow only connections to desired VPN servers on LAN aka private network.
     
  11. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    65
    Location:
    Canada
    When this is done will the internet connection drop if the vpn disconnects inadvertently? Is there a tutorial somewhere showing how to do this? I don't have much knowledge about networks.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,235
    It's not so much that a connection will drop. It's just that only the VPN client can connect through the LAN interface. Everything else can only connect through the VPN. If the VPN connection goes down, then nothing connects.

    I already told you as much as I remember about configuring Windows firewall. You'll find all sorts of guides about that. But most of them have it backwards. That is, they focus on blocking LAN use by particular apps, rather than blocking everything and allowing the VPN client.

    If you don't want to take time to figure it out, I recommend just using a custom VPN client that doesn't leak. Such as AirVPN, IVPN, Mullvad, Perfect Privacy or SlickVPN.
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,951
    I agree with Mirimir for those that just want a basic lock to work. That said we both write and use our own firewalls. I like to set mine so that IF a connection breaks ONLY I can manually re-establish it. With dependable vpn servers a "drop" only happens once a month or less for me and I live online. Most of the clients do a great job and will automatically reconfigure and re-establish a vpn tunnel without leaking anything. I also don't allow LAN devices to see or get a "ping" from my hobby computers. They are on separate LAN hardware from the rest of the house.
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    344
    Location:
    Member state of European Union
    There is also another aspect when it comes to setting VPN as final output to the Internet. It is probably important to know, because using two different anonymisation technologies is for paranoid threat-models. If VPN provider would know who you are, they can deanonymise you regardless of using Tor. How they can know who you are:
    1. You probably need to pay them for VPN. They can connect payment to your person probably easier than track your Tor connection.
    2. All your data goes through VPN. This means VPN provider tunnels unencrypted metadata and even some unencrypted data (depends whether you use end-to-end crypto). One needs to carefully consider that in order to evade deanonymisation.
     
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,568
    Has anyone tried running a tracert on a windows computer while connected to a VPN? Does it reveal the ISP assigned IP address of the local router?
    At the cmd prompt,
    tracert google.com
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,235
    If it does, something's wrong. Generally, the first address should be the device on the VPN tunnel network. The second should be the VPN exit.
     
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,568
    Yes but what happens to the original direct connection to the ISP?
    I kinda assumed the VPN was a second interface created after the connection to the ISP was established so they would both be active at the same time...
    That's why I wondered if a trace route would show one or both of them.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,235
    Yes, both interfaces are there. But OpenVPN clients modify the routing table, so that traffic preferentially uses the VPN interface.
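
How the routing-table change described in the last post decides which interface a packet leaves on, as an added example that is not from the thread. It assumes the common OpenVPN `redirect-gateway def1` behaviour (two /1 routes plus a host route to the VPN server); all addresses, metrics and interface names are constructed.

```python
import ipaddress

def pick_route(table, dest):
    """Route selection as the OS does it: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in table if addr in ipaddress.ip_network(r["net"])]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r["net"]).prefixlen,
                                    -r["metric"]))

VPN_SERVER = "203.0.113.10"  # constructed (documentation address range)

# Constructed table for a host on a home LAN before the VPN starts.
LAN_ROUTES = [
    {"net": "0.0.0.0/0",      "gw": "192.168.1.1", "iface": "LAN", "metric": 25},
    {"net": "192.168.1.0/24", "gw": "on-link",     "iface": "LAN", "metric": 281},
]

# Routes added on connect (assumed def1 style). The LAN default route is
# never deleted; it is only shadowed by the two more specific /1 routes.
VPN_ROUTES = [
    {"net": "0.0.0.0/1",        "gw": "10.8.0.1",    "iface": "VPN", "metric": 3},
    {"net": "128.0.0.0/1",      "gw": "10.8.0.1",    "iface": "VPN", "metric": 3},
    {"net": "10.8.0.0/24",      "gw": "on-link",     "iface": "VPN", "metric": 259},
    # The encrypted tunnel packets themselves must still leave via the LAN.
    {"net": VPN_SERVER + "/32", "gw": "192.168.1.1", "iface": "LAN", "metric": 25},
]

def egress(vpn_up, dest):
    """Return (interface, first hop) for dest with the VPN up or down."""
    table = LAN_ROUTES + (VPN_ROUTES if vpn_up else [])
    route = pick_route(table, dest)
    return (route["iface"], route["gw"]) if route else None

def leak_report(vpn_up, dests):
    """Map each destination to the interface it would leave on."""
    return {d: egress(vpn_up, d)[0] for d in dests}

if __name__ == "__main__":
    dests = ["8.8.8.8", "198.51.100.7", VPN_SERVER, "192.168.1.50"]
    for state in (True, False):
        print("VPN up" if state else "VPN down", leak_report(state, dests))
```

With the VPN routes gone, every destination falls back to the LAN default route, which is the case the firewall rules discussed earlier in the thread are meant to block.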
     