Is this VPN chaining or VPN nesting? Is it better than TOR?

Discussion in 'privacy technology' started by Ulysses_, Jun 27, 2010.

Thread Status:
Not open for further replies.
  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Hi. I have seen this post by SteveTX in a discussion of VPNs:

    1. Is it really possible to chain VPNs just like other proxies can be chained? Because the free VPN I know comes with an executable that creates a special connection through a device called "TAP-Win32 Adapter V9" and thereafter all access to the internet is through that special connection. Would a second VPN provider create a second special connection to the same device? Would the result be encryption occurring in a nested manner, encryption within encryption? Would both VPN providers see the plaintext, or just the second?

    2. I have an idea. The special connection created by the first VPN could be set up to have Windows ICS enabled (Internet Connection Sharing) so other computers in my private LAN can all access the internet through the VPN. Now if one of these other computers has the executable of another VPN provider installed, so it accesses the internet through its VPN which would be forced to go through the first VPN. Is this VPN chaining or VPN nesting? Would both VPN providers see the plaintext, or just the second?

    3. If only one VPN provider can see the plaintext, then is this any worse than TOR where only the exit node can see the plaintext?

    4. If I set up my own VPN provider at a free unix account somewhere, and use that as the last VPN provider in the nest, so only this server can see the plaintext, am I better off than TOR? Or are free unix accounts honeypots just as bad as hostile TOR exit nodes?
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Don't worry about hostile Tor exit nodes. As long as you don't voluntarily provide any identifying information over the connection, then you're fine. Remember, the exit node can see the plaintext but he cannot see the source IP. And if possible, try to use HTTPS sites (then the exit node cannot see the plaintext).

    What you're proposing with chaining VPN's seems overly complicated for no extra security.
     
  3. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Sure but I am hoping for both privacy and anonymity, not just anonymity. We are comparing a tor exit node with a vpn exit server in terms of privacy. Both can see the plaintext but who is more likely to abuse access to plaintext:

    1. A tor exit node or
    2. A free vpn (how do they make their money if it's not a honeypot of some kind)?

    How do you know there is no extra security compared to a single vpn? No second encryption of the encrypted data? Both vpn providers can see the plaintext?
     
  4. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Here's an example of a free vpn that is accused of abuse:

    http://myvpnreviews.com/proxpn/

    It says there: "Scammers! ProXPN records your information and steals sensitive data off your computer!"
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Dead :eek:
     
  6. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    @Ulysses_

    You can nest VPNs using VMs. Example -- connect to VPN-a in Win XP, and connect to VPN-b in a Linux VM running in VMware Player. The entry node of VPN-b sees the exit node of VPN-a as the user IP address.
     
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    But you're still left with an exit node seeing plaintext.
     
  8. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Yes, that's true. The final exit node sees plaintext, unless (as you've noted re Tor) there's HTTPS (or other full-path encryption). OTOH, VPN nesting does reduce the risk of anonymity compromise (as long as the VPNs that you've chosen aren't colluding).
     
  9. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    The LAN I was talking about in the first post is a virtual LAN; I have been a vmware user since their beginning. What you are proposing, hierophant, requires a NAT virtual adaptor, which makes it equivalent to Microsoft's ICS from VM to VM that I am proposing. But your suggestion with NAT virtual adaptors has a disadvantage: the host must be internet-facing, which is a security risk. Only VMs are internet-facing in a secure vmware setup, so if any VM gets infected it is disposed of.

    I would like to test the VPN nesting claim that only the exit server sees the plaintext. Is it difficult to make a VPN?

    Are there any easy instructions for installing one's own VPN? What's the best software for doing this?
     
    Last edited: Jun 28, 2010
  10. katio

    katio Guest

    The quote of SteveTX is about proxies, they are plaintext unless you use https. VPN is always encrypted.
    Accordingly to answer your initial questions:
    1) only the last can see the plaintext
    2) as above
    3) it's worse than tor because:
    a) it's only 2 hop instead of 3
    b) you are still traceable, all it takes is that the VPNs contact each other or if they keep logs one can reconstruct your traffic months later
    4) no it's worse again, the problem is: how do you connect to the account to set it up initially? With your home IP? Apart from that both tor nodes and shell accounts can be honeypots but tor nodes might be monitored, free accounts definitely are. Tor nodes are constantly changing, an attacker might see parts of your traffic but never all, VPNs are more static, if your "end node" is compromised it's always game over.
    In any case, few if any will allow running these kinds of services.

    Best software for a DIY VPN is probably openssh or openvpn running on Linux.
     
  11. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Thanks for the useful info.

    What if 10 VPNs are nested? Is it possible that one or more of these VPN providers are in jurisdictions that allow them to not cooperate with others if a trace is attempted?

    I have been advised that the following VPN provider will not give your identity to anyone as long as what you do is legal under the Swedish law.

    http://www.prq.se/?p=tunnel&intl=1

    The account can be set up from an internet cafe. Hopefully that is needed just once.

    What if I drastically change the source code of the VPN and rebuild it with plenty of obfuscation and a minor modification to the encryption scheme so it is impossible to identify it as openvpn? All the honeypot shell account would see is a plaintext connection to a site where I do not post anything, and an unidentifiable encrypted stream to the last VPN server. That VPN server would encrypt the stream again in standard openvpn manner, to finally reach my PC where it is decrypted in standard openvpn manner and then my non-standard encryption is removed.
     
    Last edited: Jun 28, 2010
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    And if the internet cafe has a video camera? There would be a recording of you setting up the account. But then again, you could always wear a disguise.

    nose-moustache-glasses.jpg

    Or maybe even go in drag as Ethel Merman. :eek:

    ethel_merman_exp.jpg

    That way no one would ever know.
     
  13. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I tried the Tor Vidalia bundle while connected to Xerobank and it worked just fine. But very slow, of course. So I guess you could use JanusVM while connected to Xerobank. Wouldn't that be the same as chaining a VPN?
     
  14. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    What is Xerobank? A regular VPN? Is it a tor network where all the servers belong to one company?

    I don't know about JanusVM. Here it's VPNs inside VPNs; putting Xerobank inside JanusVM is putting a VPN inside a VPN?
     
    Last edited: Jun 29, 2010
  15. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    83
    I don't agree with 3b), for jurisdictional and legal reasons. The "internal" VPN (the one to which you connect first, and the one that knows your real IP) can be in an area where data retention time is short. So, when the external vpn, requested by its land law (which takes some time), asks the internal one about logs concerning you, these logs could have been legally destroyed a few days ago by the internal vpn.

    In such a configuration, the internal vpn knows you, but doesn't know what you are doing. And the external one knows what you are doing, but without knowing you.


    So this double vpn config is better imo than simple vpn (or double vpn run by the same entity).

    This reasoning holds as long as:
    1) The two vpns don't collude
    2) None of them injects malware code on your machine


    I think it's better than Tor from a traffic and bandwidth point of view (more bw, plus vpn being able to handle UDP traffic). But from an anonymity point of view, I think Tor remains better.


    The best way to chain vpns in order to get "layered encryption" between the internal and the external one is to use a VM.

    A simpler way (but does it really do what it is supposed to do?) is to use e.g. a pptp as internal vpn, and an openvpn as external vpn. In short, you first connect to the pptp, and then run the openvpn. I think (without solid proof) that the openvpn only sees your pptp ip, and that the traffic, being first encrypted by the openvpn, is unreadable by the pptp. But it's only a conjecture. I would be very interested in knowing what exactly happens in such a config. What is sure is that running an openvpn over a pptp one works. You can also use a L2TP/IPsec vpn instead of a pptp (and perhaps, an openvpn over a L2TP/IPsec one over a pptp).
     
    Last edited: Jul 1, 2010
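
    The nesting described in posts 6, 10 and 15, modelled as an added example (not code from anyone in this thread): a guest VM tunnels to VPN-b inside the host's tunnel to VPN-a, and each provider's view is recorded. The addresses, keys and the toy cipher standing in for the VPNs' real encryption are all assumptions made for illustration.

```python
import hashlib

# All addresses and keys below are constructed for illustration.
HOME_IP, VPN_A, VPN_A_EXIT = "203.0.113.5", "198.51.100.1", "198.51.100.9"
VPN_B, VPN_B_EXIT, SITE = "192.0.2.1", "192.0.2.9", "site.example"

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream: a stand-in for the VPN's real
    cipher (unauthenticated, illustration only). Encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(d ^ p for d, p in zip(data[off:off + 32], pad))
    return bytes(out)

def packet(src: str, dst: str, payload: bytes) -> bytes:
    return f"{src}>{dst}\n".encode() + payload

def parse(raw: bytes):
    header, payload = raw.split(b"\n", 1)
    src, dst = header.decode().split(">")
    return src, dst, payload

def enter_tunnel(inner: bytes, key: bytes, src: str, server: str) -> bytes:
    """Client side: encrypt the whole inner packet and address it to the server."""
    return packet(src, server, toy_cipher(key, inner))

def leave_tunnel(outer: bytes, key: bytes, exit_ip: str, request: bytes) -> tuple:
    """Server side: strip one layer, NAT the source to the exit IP, and record
    what this provider could observe while doing so."""
    client_ip, _, ciphertext = parse(outer)
    _, next_hop, payload = parse(toy_cipher(key, ciphertext))
    seen = {"client_ip": client_ip, "next_hop": next_hop,
            "reads_request": request in payload}
    return seen, packet(exit_ip, next_hop, payload)

def nested_demo(request: bytes = b"GET /inbox HTTP/1.1") -> dict:
    key_a, key_b = b"session key with VPN-a", b"session key with VPN-b"
    # Guest VM runs the VPN-b client; the host runs the VPN-a client around it.
    layer_b = enter_tunnel(packet("10.8.0.2", SITE, request), key_b, "192.168.80.2", VPN_B)
    layer_a = enter_tunnel(layer_b, key_a, HOME_IP, VPN_A)
    seen_a, forwarded = leave_tunnel(layer_a, key_a, VPN_A_EXIT, request)
    seen_b, delivered = leave_tunnel(forwarded, key_b, VPN_B_EXIT, request)
    return {"vpn_a": seen_a, "vpn_b": seen_b, "site_sees_ip": parse(delivered)[0]}

if __name__ == "__main__":
    for who, view in nested_demo().items():
        print(who, view)
```

    In this model VPN-a learns the home IP and that the next hop is VPN-b but cannot read the request, while VPN-b reads the request and sees only VPN-a's exit address.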
  16. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Done this, it has a major disadvantage, VMs need too much memory, they have complete operating systems running in them. Maybe damnsmalllinux can accommodate VPN clients?

    Maybe a network monitoring tool like tcpdump can tell such information?
     
  17. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Is there any reliable way to prevent 2? All I know is Firefox's NoScript plugin to safely disable scripts, and a firewall. Are there other holes too that can be closed?
     
  18. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    If XeroBank were injecting malware, I believe that someone would have reported that by now. Yes? That's probably so for other VPNs that have been around for a while. There are reputations at stake.
     
  19. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    83
    I have tested it with wireshark. I'm not a wireshark specialist, but what I saw (and understood) leads me to think that openvpn over pptp does what it is supposed to do. But a confirmation would be welcome.

    Maybe another way would be to use JanusPA (although I don't know what JanusPA exactly does, never having tested it): You connect to openvpn A with JanusPA, and then, on your pc, you run pptp or openvpn B. Could some JanusPA user explain whether or not this method works?



    I agree, for well-established vpn providers, e.g. Xerobank or Perfect Privacy.

    But what about new/free ones?
     
    Last edited: Jul 2, 2010
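
    A capture check of the kind raised in posts 16 and 19, as an added example that is not part of the original thread: it classifies outbound IPv4 packets seen on the physical interface and lists anything that is not PPTP traffic to the inner provider. The packets and addresses are constructed samples; the port numbers are the PPTP and OpenVPN defaults, which a given provider may change.

```python
import struct

GRE, TCP, UDP = 47, 6, 17                    # IP protocol numbers
PPTP_CONTROL, OPENVPN_DEFAULT = 1723, 1194   # default ports

def ipv4(proto, src, dst, dport=0):
    """Build a minimal outbound IPv4 packet (constructed sample, zero checksum)."""
    l4 = struct.pack("!HH", 40000, dport) if proto in (TCP, UDP) else b"\0" * 4
    addr = lambda ip: bytes(int(octet) for octet in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + l4

def describe(pkt):
    """Return (destination IP, protocol label) for one outbound IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst = pkt[9], ".".join(str(b) for b in pkt[16:20])
    if proto == GRE:
        return dst, "gre"
    if proto in (TCP, UDP):
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        return dst, f"{'tcp' if proto == TCP else 'udp'}/{dport}"
    return dst, f"ip-proto-{proto}"

def outside_tunnel(capture, pptp_server):
    """Packets on the physical interface that are NOT PPTP traffic to the
    inner provider; with nesting working, this list should be empty."""
    allowed = {(pptp_server, "gre"), (pptp_server, f"tcp/{PPTP_CONTROL}")}
    return [d for d in map(describe, capture) if d not in allowed]

# Constructed samples: 192.168.1.10 = PC, 198.51.100.1 = PPTP server,
# 192.0.2.1 = OpenVPN server, 192.168.1.1 = LAN DNS resolver.
ME, PPTP, OVPN = "192.168.1.10", "198.51.100.1", "192.0.2.1"
NESTED = [ipv4(TCP, ME, PPTP, PPTP_CONTROL), ipv4(GRE, ME, PPTP), ipv4(GRE, ME, PPTP)]
BYPASS = NESTED + [ipv4(UDP, ME, OVPN, OPENVPN_DEFAULT), ipv4(UDP, ME, "192.168.1.1", 53)]

if __name__ == "__main__":
    print("nested:", outside_tunnel(NESTED, PPTP))
    print("bypass:", outside_tunnel(BYPASS, PPTP))
```

    OpenVPN packets addressed directly to the outer provider on the physical interface mean that provider sees the real IP, and a stray DNS query means lookups are leaving outside both tunnels.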
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I still have an Iphantom which is a mechanical device that my connection travels through when it is connected. It is encrypted from the box to their servers. I quit using it for a while and then started using it again many months ago when xerobank failed a few times. It said I was connected when it wasn't. But that was a long time ago and it hasn't happened since. And I do not have it connected right now. To tell you the truth it was kind of giving me the creeps because it is in the U.S.

    Now I don't know near as much as you guys. But from what I understand, no matter what I do on my computer, my traffic first goes through that box to Iphantom and then out from there, regardless, because it is physically manipulated to do so. I actually spoke to an Iphantom rep and told him that I connected a VPN and ran it through the Iphantom servers and he said that it was okay and that it would be encrypted twice.

    So from what I gather, my connection was encrypted first with Xerobank. Then it went through that box and was encrypted again and was then routed through Iphantom and then on to Xerobank. So Iphantom was only seeing an encrypted connection that I had with Xerobank. And Xerobank was only seeing that I was coming from Iphantom, and not my real ISP. I am not so sure that they would like that but of course I have no doubt in my mind that if Steve or Xerobank wanted to know who I was that they most certainly could have found out. I was never confused about that. Nor was I concerned.

    My reason for doing this is that A. Xerobank did fail a couple of times (about 1.5 years ago??), and B. occasionally I disconnect and just forget to reconnect. And I just hate to go through all of the trouble creating a new email with the VPN and signing up for a discussion group or message board with the VPN....and never logging in without it, only to ruin it all by connecting once without it. I hate that. I do go certain places and disconnect it because they are accounts that I opened up years ago, and sometimes I just want to download a bunch of rapidshare links real quick without having to wait. But for the most part I am always connected to Xerobank, and occasionally cryptohippie....which I keep as a back-up.

    But I actually downloaded the newest Tor bundle and tried it recently and I was really surprised at how fast it was compared to way back when. It just seems so much faster for some reason.
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Something funny I thought I might add. Even though I opened up a Myspace account a long time ago with my real IP, and my real location listed in my profile, Myspace will not allow me to login unless I am connected to Xerobank...LOL!:argh:
     