Mirimir, can you please clear this up?

Discussion in 'privacy technology' started by Georgiegie, Mar 27, 2015.

  1. Georgiegie

    Georgiegie Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    8
For the past 24 hrs I've been reading your posts, especially about Tor over VPN or VPN over Tor. I believe I understand that Tor over VPN gives more advantages by encrypting exit node data through their encryption protocols, which is something that VPN over Tor cannot provide. What do you think about VPN - Tor - VPN? My point is that the first VPN covers your initial data traffic, VPN1 will be blocked by Tor entry guards, connect to Tor, and then connect to another VPN to encrypt data on the exit node.

Do you have any guides available regarding firewall rules for both incoming and outgoing protocols? I'm very interested in giving that a read. I also read about Tor today and how it can be configured to strictly connect to specific Tor relays. Do you know any specific countries to avoid, or any specific countries I should put in my torrc to strictly connect through the Tor relays available in those countries? I'm choosing offshore locations to avoid US jurisdiction as much as possible.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
Without end-to-end encryption, intermediaries (your ISP, Internet routers, etc.) can easily observe and MitM your traffic. With end-to-end encryption, doing that takes more skill and effort. So an evil Tor exit is no more dangerous than any intermediary that you'd encounter without using Tor. But unless you specify particular exits in torrc, you will cycle through numerous exits, and it's possible that you'll encounter an evil one. Still, if you use end-to-end encryption, you'll most likely be OK.

    Discussions of using Tor with VPNs can get confusing, and that's especially so when using symbols. So I'll avoid that here :) There are two advantages of using Tor over VPN, aka Tor tunneled through VPN. First, your ISP doesn't know that you're using Tor. Your VPN provider does know, but you can choose one that's less likely (than your ISP is) to cooperate with your adversaries.

    Second, the Tor network only sees your VPN exit, rather than your ISP-assigned IP address. So if an adversary compromises a Tor circuit, there's an additional step (compromising the VPN) to identify you. And if you access Tor through a nested chain of VPN services, there are more steps.

Using a VPN service over Tor (aka VPN tunneled through Tor) is more complicated. First, it's nontrivial to set up a VPN account anonymously, especially if it's not free, because there's a money trail. Even with Bitcoins, there's a money trail, unless you anonymize them adequately through mixing services.

    Second, you don't get that much benefit except for hiding Tor from websites. If you want to open an anonymous account on a site that blocks Tor, that's important. But you're less anonymous, even with perfect OPSEC, simply because you're not just another random Tor user.

    There's also the serious problem that the VPN tunnel pins your Tor client to the same circuit for as long as it's established, and that helps adversaries to deanonymize you. Overall, using VPNs through Tor is probably less anonymous than using Tor alone.

    If you don't know iptables, I recommend using pfSense VMs as VPN routers. My guides on iVPN cover that. But they're out of date for using VPN via Tor, because ra's Tor gateway isn't maintained. You can easily use pfSense as a Tor gateway. The hardest part is getting Tor installed. If you're interested, bug me to post coherent instructions. There's an old version at https://tor.stackexchange.com/questions/1232/me-tor-vpn-how/3395#3395

    For locking down VPNs in Linux, I recommend adrelanos' VPN-Firewall, at https://github.com/adrelanos/VPN-Firewall You'll learn a lot about iptables if you figure out what each of the rules does. But I've come to prefer using iptables-persistent to manage rulesets. Also see https://www.wilderssecurity.com/thr...rkspace-isolation-with-raspberry-pi-2.374336/ The iptables rulesets there (in the gateway and workspace setup pages) will work in Debian VMs.

    I don't have particular opinions about selecting "safe" Tor relays. There are too many unknowns.
     
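The iptables lockdown that the previous post points at (adrelanos' VPN-Firewall, or a ruleset managed with iptables-persistent) boils down to one idea: the physical interface may only talk to the VPN server, and everything else must leave through the tunnel interface, so nothing leaks to the ISP if the VPN drops. The script below is an added example, not mirimir's guide, adrelanos' project, or any page from the linked threads. It emits a ruleset in the format iptables-persistent loads from /etc/iptables/rules.v4; the VPN server address, port, protocol, interface names and LAN range are all assumed sample values passed in as arguments.

```shell
#!/bin/sh
# Added example: generate a VPN "kill switch" ruleset in iptables-restore format.
# Not code from the thread; interface names and addresses are assumptions.
#
# Usage (constructed sample values):
#   vpn_firewall_rules 203.0.113.10 1194 udp eth0 tun0 192.168.1.0/24 > /etc/iptables/rules.v4
#   apply_vpn_firewall  203.0.113.10 1194 udp eth0 tun0 192.168.1.0/24   # needs root

vpn_firewall_rules() {
    vpn_server="$1"   # assumed VPN server IP
    vpn_port="$2"     # assumed VPN port (1194 is OpenVPN's default)
    vpn_proto="$3"    # udp or tcp
    wan_if="$4"       # physical interface the VPN handshake leaves on
    tun_if="$5"       # tunnel interface the VPN client creates
    lan_cidr="$6"     # local network that may still be reached directly

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we already opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# local network on the physical interface only (printers, router admin page)
-A INPUT -i ${wan_if} -s ${lan_cidr} -j ACCEPT
-A OUTPUT -o ${wan_if} -d ${lan_cidr} -j ACCEPT
# the single permitted Internet destination on the physical interface: the VPN server
-A OUTPUT -o ${wan_if} -p ${vpn_proto} -d ${vpn_server} --dport ${vpn_port} -j ACCEPT
# everything else must go through the tunnel; with the tunnel down it is simply dropped
-A OUTPUT -o ${tun_if} -j ACCEPT
COMMIT
EOF
}

# Count OUTPUT rules that ACCEPT on the physical interface; a correct ruleset has
# exactly two (the LAN rule and the VPN server rule). Useful as a sanity check
# before loading a hand-edited rules.v4.
count_wan_output_accepts() {
    wan_if="$1"
    grep -c -- "-A OUTPUT -o ${wan_if} .*-j ACCEPT"
}

apply_vpn_firewall() {
    vpn_firewall_rules "$@" | iptables-restore
}
```

Two caveats a practitioner should keep in mind. The ruleset is IPv4 only; if the VPN client does not also carry IPv6, the matching rules.v6 needs a plain DROP policy on OUTPUT, or traffic will leak over IPv6 untouched. And the VPN server is pinned by IP address, not hostname, because a DNS lookup for the hostname would itself have to leave on the physical interface before the tunnel exists.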
  3. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Nice read...
     
  4. Georgiegie

    Georgiegie Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    8
    expected a good reply, got a great reply instead. reading it right now.
     