Pros and Cons of creating your own OpenVPN

Discussion in 'privacy technology' started by AlsoAnon, Aug 8, 2012.

Thread Status:
Not open for further replies.
  1. AlsoAnon

    AlsoAnon Registered Member

    Joined:
    Aug 8, 2012
    Posts:
    4
    Location:
    UK
    Hi guys, firstly this is my first post on Wilders, so apologies if it is in the wrong place or commits any other similar errors.
    Basically I had a project in mind for a personal privacy solution, and ideally wanted a bit of feedback as to whether you could consider it secure/feasible. My plan is to run my little HP XW8200 Server (using Gentoo) as an OpenVPN server, and also route all outgoing connections from the server through TOR (well Vidalia I would imagine); it would also be set up as a relay node to hopefully add a bit of traffic. I assume it goes without saying that the OpenVPN would be 256 AES with no connection logs. Could this be considered reasonably secure ceteris paribus? Is there anything that could be done to improve it? Or is the idea inherently weak?
    Also, I have a few good friends that live in Axis of Evil countries; i.e. heavy web censorship. Was considering building a couple of Ubuntu VMs on a couple of small SSDs (in caddies) with the necessary settings etc so that they could connect to my OpenVPN when they are back home (generally happens for a couple months a year) to keep them safe and also because, well, F*ck censorship.
    Finally, I know security is often a moot point if you follow the rabbit hole all the way down - clearly shady groups like the NSA could always track/see where you are and what you're doing, but I find it hard to believe that they care enough about what I do on Facebook and YouTube. Really just looking for a relatively good level of security and anonymity.
    Tl;dr - Pros and cons of making a home OpenVPN server that is also connected to the tor network. By my thinking, the OpenVPN should allow privacy, TOR for anonymity.
    cheers
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    That should work. But you might want to consider using a VPS as a reverse proxy for your OpenVPN server. That gives you some security (because you're not so tightly tied to its IP address) and you can easily switch to a different VPS if they start blocking you.
     
  3. AlsoAnon

    AlsoAnon Registered Member

    Joined:
    Aug 8, 2012
    Posts:
    4
    Location:
    UK
    Sorry, I'm a bit amateur, so correct me if I'm wrong; a VPS is essentially a rented server? So the route would be me--256aes-->ISP--256aes-->server-->vps-->tor? Or are the last 2 the opposite order? I'm not overly familiar with VPSs (I will now endeavour to change that), so you must excuse my ignorance.
    Cheers
    AA
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    A VPS is a rented virtual server.

    This is what I had imagined that you're planning:

    [your friends] <-VPN-> [your server running OpenVPN and Tor] <-Tor-> Internet

    What I suggested is this:

    [your friends] <-VPN-> [your VPS] <-VPN through SSH-> [your server running OpenVPN and Tor] <-Tor-> Internet
     
  5. AlsoAnon

    AlsoAnon Registered Member

    Joined:
    Aug 8, 2012
    Posts:
    4
    Location:
    UK
    Ahhh I'm with you, yeah that makes sense. The only problem with using a vps is that it surely defeats the purpose of running my own server. I intended to do that to avoid as many trust issues as possible, surely all my traffic is decrypted on the vps before being sent back to my server, and it can't take much for someone to read it from there I would have thought (again, correct me if I'm getting this wrong). Cheers for your help :)
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    No, VPN tunnels would be encrypted between your friends and your OpenVPN server. Encrypted UDP packets carrying VPN data would pass through the VPS without being decrypted. Some commercial VPN services do this to hide their servers :)
     
  7. AlsoAnon

    AlsoAnon Registered Member

    Joined:
    Aug 8, 2012
    Posts:
    4
    Location:
    UK
    Okay, so this all made sense to me, until I spoke to the networking expert at work. I work as a hardware technician, so networking certainly isn't my strong point, and figured a bit more info would help. He pointed out that even through a VPN your packets still have the IP and TCP headers viewable so routers know where to direct the next hop etc. He says that the content may well be secure and private, but the connection origin and destination (i.e. origin = my friends, middle ground = VPS and destination = my server; I know that's not the final destination). So theoretically although all the connections are private, they are not, and technically should never be, anonymous (since the packet headers, which will be unencrypted by necessity, they just gain size and information. The origin IP will just be printed on there). Now, this is the explanation I was given, which is making it difficult to grasp some of the concepts at play here (mostly due to being a rank amateur ha). I feel fairly certain I'm missing something vital here - as otherwise what's the point in TOR etc? Is there a method to prevent traceroutes from working with a VPN system like I mentioned in the first post? Any help is vastly appreciated - apologies if this is a stupid question etc. :)
    Thanks in advance
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Your coworker is basically right. But he's assuming that information is being shared among providers.

    Let's say that you're using the VPS. Your friends' ISPs (and likely, governments) could see that they're connecting to your VPS. Your VPS provider could see connections to your friends, and also to your OpenVPN server. And your ISP (and likely, government) could see connections to your VPS.

    But neither your friends' ISPs and governments, nor yours, could see that your friends are connecting to your OpenVPN server, unless your VPS provider cooperates with them. Therefore, you want a privacy-friendly VPS provider that operates in a jurisdiction that's unlikely to cooperate with either your friends' governments or yours.

    For additional security, you could access your VPS through commercial VPNs (nested, even) and pay for it anonymously.
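
Added example (not part of the thread or any poster's code): a loopback sketch of the relay role described in posts 6 and 8, with the VPS modelled as a plain UDP forwarder that holds no keys, so it passes the payload through unchanged while the server only ever sees the relay's address. The class name, the single-client mapping and the byte string standing in for an encrypted OpenVPN packet are assumptions made for the illustration.

```python
import socket

LOOPBACK = "127.0.0.1"  # everything runs locally; all addresses are constructed

class UdpRelay:
    """Hypothetical stand-in for the VPS: forwards datagrams, never parses them."""

    def __init__(self, upstream_addr):
        self.upstream_addr = upstream_addr
        self.front = self._sock()   # faces the VPN clients ("your friends")
        self.back = self._sock()    # faces the home OpenVPN server
        self.last_client = None     # single-client mapping keeps the sketch short
        self.seen = []              # metadata the relay operator can observe

    @staticmethod
    def _sock():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((LOOPBACK, 0))       # ephemeral port
        s.settimeout(2.0)
        return s

    def pump_to_server(self):
        data, client = self.front.recvfrom(65535)
        self.last_client = client
        self.seen.append((client, self.upstream_addr, len(data)))
        self.back.sendto(data, self.upstream_addr)  # opaque bytes, no keys held

    def pump_to_client(self):
        data, _ = self.back.recvfrom(65535)
        self.front.sendto(data, self.last_client)

def demo():
    server, client = UdpRelay._sock(), UdpRelay._sock()
    relay = UdpRelay(server.getsockname())
    # Constructed bytes standing in for an encrypted OpenVPN packet.
    ciphertext = bytes.fromhex("38a1f4c2e9") + b"\x00" * 32
    client.sendto(ciphertext, relay.front.getsockname())
    relay.pump_to_server()
    got, peer = server.recvfrom(65535)
    server.sendto(b"reply:" + got, peer)
    relay.pump_to_client()
    back, _ = client.recvfrom(65535)
    result = {
        "payload_unchanged": got == ciphertext,
        "server_sees_relay_only": peer == relay.back.getsockname()
                                  and peer != client.getsockname(),
        "relay_sees_client": relay.seen[0][0] == client.getsockname(),
        "reply_delivered": back == b"reply:" + ciphertext,
    }
    for s in (server, client, relay.front, relay.back):
        s.close()
    return result

if __name__ == "__main__":
    print(demo())
```

The `seen` list is the relay operator's view: both endpoint addresses and packet sizes, but only ciphertext, which is why the choice of VPS provider matters in post 8.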
     