How to hide VPN end nodes?

Discussion in 'privacy technology' started by Sumedik, Mar 6, 2010.

Thread Status:
Not open for further replies.
  1. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Hello all at Wilders,

    Well I finally signed up to this extremely informative forum, after browsing and reading through it for months, especially the "privacy" section. Thanks for keeping such a wonderful forum alive!!

    I have a few questions:

    Let us consider the scenario that I am using a VPN "A" to access a site www.any-site.com through an encrypted tunnel.

    1. I do not want my ISP to know that I am connecting to a VPN server.

    2. I do not want www.any-site.com to know that I am accessing the site through the exit node of VPN "A".

    How is this possible?

    Of course questions 1 and 2 do not need to work in conjunction with each other.

    So it's either about preventing www.any-site.com from knowing that I am coming from the exit node of VPN "A", while my ISP knows I am connected to VPN "A"

    or

    www.any-site.com knows that I am coming from the exit node of VPN "A", while my ISP does NOT know I am connected to VPN "A".

    Some threads out here provide sketchy information on this as this exact thing was not the real concern of the topic, but I did not see a specific elaborate answer :(

    I guess it would be using a VPN through another (how to make that happen??) or some similar setup, but it is surely outside the scope of ANY single anonymity service. More than one service has to be used in conjunction with one another.

    Please share your knowledge.

    Regards to all.
     
  2. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Well, your ISP obviously knows what site(s) it's connecting you to. If you connect primarily to one site, regardless of whatever it purports to be, or whatever your ISP does or doesn't know about it, it's reasonable to assume that it's a proxy or VPN service. Although you could attempt to disguise the traffic, P2P is pretty obvious. More about that later ...

    It is possible to route one VPN connection through another. The simplest approach is to use a guest VM. For example, you could connect your physical machine to XeroBank, CryptoCloud, Metropipe, Cryptohippie or whatever. A guest VM (running in VMware Player or whatever) would connect through the VPN channel established by the physical machine. You could then establish an OpenVPN connection on that guest VM to another OpenVPN-based service.

    Even better would be to run multiple guest VMs, each doing something different (e.g., Freenet node, torrent client, video streaming, browsing, ...). Each guest VM could connect through a different service. Mixing all of that traffic on the same VPN might confuse an attacker.

    On a larger scale, you could run a cryptorouter on your network, connecting to VPN Service A, and each machine could connect to its own secondary VPN service. And of course, each machine could run guest VMs, as discussed above. I haven't gotten to that yet, FWIW.

    In attempting any of that, you need to minimize latency. I've obtained best results using an entry node for the "inner VPN" in the same region as the exit node of the "outer VPN".

    For that, you could just configure your browser to use a proxy.
     
  3. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Thanks for your reply!!
    It is possible to route one VPN connection through another. The simplest approach is to use a guest VM.

    Is it possible to do the same WITHOUT using a VM?

    On a larger scale, you could run a cryptorouter on your network, connecting to VPN Service A, and each machine could connect to its own secondary VPN service.

    That's really hi fi and far fetched.....

    In attempting any of that, you need to minimize latency. I've obtained best results using an entry node for the "inner VPN" in the same region as the exit node of the "outer VPN".

    One of those little yet practical tips that no manual can teach you, and comes only from experience. Thanks for the share!!

    Which proxy service (preferably SOCKS 5) is recommended? Something that provides encryption, does not log and is run from some strategic location to bypass compulsory logging laws?
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    My pleasure :)

    I don't believe so. Someone may correct me. VMs are easy, really. All you need is a non-OEM Win XP installation disk, QEMU and VMware Player. If there's interest, I can post instructions.

    Yeah, I'm not there yet. Inexpensive cryptorouters are available, however. You'd just set up to connect to your favorite VPN service.

    Latency problems are V E R Y obvious (little effective bandwidth). Just play around, and check with speedtest.net or whatever.

    I've never needed to use a proxy, and have no clue.
     
  5. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Thanks for your reply!!

    So for this setup we need to connect to VPN A from the real machine, using their client software or something, but NOT the ones whose client software works by creating a VM in the PC, as these VMs are not customizable.

    Then we need to set up a VM in the PC and install the client software of some anonymity service and access the internet through it. In essence, this anonymity service connects through the tunnel created by VPN 1 running in the real machine.

    Thus the end website has the IP of the exit node of the anonymity service running in the VM, while the ISP has the IP of the entry node of VPN 1 running in the real PC.

    Is the approach correct?

    Which service is recommended to run in the VM? Could be another anonymous VPN or some non-VPN-based secure anonymity service? Maybe secure SSH? Please recommend.
     
  6. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Yes, that's what I meant. I believe that it'd be best to use OpenVPN-based services for both VM host and guest. XeroBank is still my top choice, followed by CryptoCloud.
     
  7. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Well, can you suggest an OpenVPN-based anonymous VPN which is FREE for using in the VM?

    The one running in real PC would be a top notch one, but a FREE anonymous VPN to run on the VM would be great, as long as it provides decent anonymity.

    After all, even if it fails, it just reveals the EXIT node of the VPN running in real PC and not my real IP.
     
  8. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I haven't used many free VPNs, and can't recommend one. I do recommend avoiding UltraVPN.fr, because it hides the OpenVPN TAP adapter, apparently affecting all OpenVPN-based services installed, and nontrivial to reverse.

    Generally, I recommend testing unknown software on a copy of a clean-install VM.
     