TOR and VPN

Discussion in 'privacy technology' started by MilenKidane, Apr 16, 2013.

Thread Status:
Not open for further replies.
  1. MilenKidane

    MilenKidane Registered Member

    Joined:
    Apr 16, 2013
    Posts:
    6
    Hello all, I have a rather trivial question.

    I'm using Fedora and I have a VPN account at RiseUP, and from time to time I have to use TOR.

    I would not like my ISP to see that I'm using TOR, so I'm trying to use TOR over VPN.

    So I have configured my VPN in network manager and I use TOR Browser bundle, starting it after I start the VPN. I wanted to check if TOR really goes through VPN, so I started EtherAPE.

    On interface wlan0, everything connects to the VPN server address (except some multicast connections like 224.0.0.1 or igmp.mcast.net).

    If I change to "tun0" interface, I see traffic from all over (including TOR network).

    So, my question is, as soon as I start the VPN, is everything (including traffic from TOR) directed through it, so that my ISP will see a single ME-->VPN connection? Is there any possibility that some traffic passes through the normal interface, not the VPN?

    Thank you
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Yes, as long as routing is configured properly, so that tun0 replaces the default gateway. Using the "--redirect-gateway" option generally does that. See https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

    That may happen if the VPN connection fails. To prevent leaks, you need iptables rules. See the Linux firewall section in the openvpn manpage.
     
  3. MilenKidane

    MilenKidane Registered Member

    Joined:
    Apr 16, 2013
    Posts:
    6
    Hello and thank you very much.

    I have read the page for OpenVPN, as I understood redirect-gateway changes routes.

    In network manager I have no specific option for redirect-gateway, but I tried to see if it does it by default.

    Before starting VPN, route output looks like this:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         speedtouch.lan  0.0.0.0         UG    0      0        0 wlan0
    192.168.10.0    *               255.255.255.0   U     0      0        0 wlan0

    After starting:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         172.27.0.1      0.0.0.0         UG    0      0        0 tun0
    172.27.0.0      *               255.255.252.0   U     0      0        0 tun0
    192.168.10.0    *               255.255.255.0   U     0      0        0 wlan0
    kite.riseup.net 192.168.10.254  255.255.255.255 UGH   0      0        0 wlan0

    Does that mean that everything is redirected through dns gateway? As I understand, yes.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Yes, it does.

    But get the openvpn pid ("ps -C openvpn") and kill it ("kill -KILL <openvpn-pid>") and see what happens ;)

    I've posted the old XeroBank shorewall rules a few times. Reading man openvpn, it looks like the rule allowing connections to the openvpn server could be specified better. Maybe someone who knows iptables better could check that out? If not, I'll get to it eventually ;)
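    The leak rules mirimir refers to in posts 2 and 4, written out as an added example (this is not code from the thread, from XeroBank's shorewall rules or from the OpenVPN manpage). It assumes a placeholder server address 198.51.100.10 on UDP 1194, wlan0 as the physical NIC and tun0 as the tunnel; the only hole left in wlan0 is pinned to the server's address, protocol and port, which is the "could be specified better" point from post 4. The function prints the rules rather than applying them, so the policy can be reviewed without root; `killswitch_rules | sudo sh` loads it.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN's manpage: an iptables
# "kill switch". With these rules loaded, if openvpn dies and the kernel falls
# back to the wlan0 default route, nothing except the tunnel's own handshake
# can leave through wlan0; everything else hits the DROP policy and is logged.
# Assumed values (change for your setup): VPN_SERVER is a placeholder, the
# server listens on UDP 1194, the physical NIC is wlan0, the tunnel is tun0.

VPN_SERVER=${VPN_SERVER:-198.51.100.10}  # placeholder, not a riseup.net address
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}
PHYS_IF=${PHYS_IF:-wlan0}
TUN_IF=${TUN_IF:-tun0}

# Rule set, one command per line:
#  - flush INPUT/OUTPUT and default-deny all three chains
#  - loopback both ways
#  - replies that belong to flows the rules below already allowed
#  - DHCP renewals on the physical NIC (client port 68 -> server port 67)
#  - the single hole in the physical NIC: the VPN server, by address, protocol
#    and port, so a dead tunnel cannot be silently replaced by plain wlan0
#  - anything through the tunnel
#  - log whatever reaches the end of OUTPUT, so a leak attempt shows in syslog
#  - OpenVPN here carries IPv4 only, so IPv6 is blocked outright
killswitch_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $PHYS_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $PHYS_IF -d $VPN_SERVER -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "VPN-LEAK: "
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
EOF
}

# `sh killswitch.sh` prints the rules; `sh killswitch.sh apply` runs them (as root).
case "${1:-}" in
    apply) killswitch_rules | sh ;;
    *)     killswitch_rules ;;
esac
```

    Two caveats follow from the rules themselves: DNS to the ISP's resolver is blocked, so the OpenVPN config has to name the server by IP (or get an explicit allow for the resolver), and the ESTABLISHED rule grandfathers flows that already exist, so load the rules before the first connection, not after.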
     
  5. MilenKidane

    MilenKidane Registered Member

    Joined:
    Apr 16, 2013
    Posts:
    6
    Thanks.

    I will try to kill OpenVPN to see what happens.

    Regarding what you said, someone advised changing the default routes after starting the VPN and reversing them after I close it (this avoids the problem with the VPN dying):

    ip route del default via my_gateway_ip
    ip route add VPN_IP/32 via my_gateway_ip dev eth0    # or wlan0; iproute2 takes the /32 prefix directly, there is no "host" keyword

    How I see it, this could be a fix.
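    An added example, not code from the thread, covering both the route-table question from post 3 and the manual route change from post 5: it parses a `route -n` style table, reports which interface and gateway carry the default route, checks that the VPN server is pinned to a host route, and prints the `ip route` commands for the pin/unpin fix with the real gateway filled in. The two tables are constructed from the ones in the thread, in numeric form; 198.51.100.10 is an assumed placeholder for kite.riseup.net, not its real address. Nothing here touches the kernel, so it needs no root; pipe the printed plan into `sudo sh` to apply it.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a `route -n` table and plan
# the "pin the VPN server, drop the physical default route" fix from post 5.

# Constructed samples modelled on the thread's tables (numeric `route -n` form).
# 192.168.10.254 is the LAN gateway visible in the thread; 198.51.100.10 is an
# assumed placeholder for the VPN server (kite.riseup.net), not its real address.
BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.254  0.0.0.0         UG    0      0        0 wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0'

AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.0.1      0.0.0.0         UG    0      0        0 tun0
172.27.0.0      0.0.0.0         255.255.252.0   U     0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
198.51.100.10   192.168.10.254  255.255.255.255 UGH   0      0        0 wlan0'

# "<iface> <gateway>" of the default route: destination 0.0.0.0 with the G flag.
default_route() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $8, $2; exit }'
}

default_iface() { default_route "$1" | awk '{ print $1 }'; }

# Gateway of the default route that leaves via interface $2 (empty if none).
gateway_via() {
    printf '%s\n' "$1" | awk -v i="$2" '$1 == "0.0.0.0" && $8 == i { print $2; exit }'
}

# True when $2 has a /32 host route (H flag): the VPN server itself stays
# reachable through the physical NIC while everything else rides the tunnel.
has_host_route() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == ip && $3 == "255.255.255.255" && $4 ~ /H/ { f = 1 } END { exit !f }'
}

# Routing is clean when the tunnel ($2) is the default route and the server
# ($3) is pinned, so no other destination can reach the LAN gateway.
vpn_routes_ok() {
    [ "$(default_iface "$1")" = "$2" ] && has_host_route "$1" "$3"
}

# Plan the post-5 fix from the pre-VPN table $1, VPN server $2, physical NIC $3.
# Pin first, then delete the physical default; `replace` makes the pin
# idempotent (OpenVPN may already have added it), and the delete is a no-op
# when OpenVPN's redirect-gateway already removed the old default.
plan_pin() {
    gw=$(gateway_via "$1" "$3")
    [ -n "$gw" ] || { echo "no default route via $3" >&2; return 1; }
    echo "ip route replace $2/32 via $gw dev $3"
    echo "ip route del default via $gw dev $3"
}

# Reverse of plan_pin once the VPN is closed.
plan_unpin() {
    gw=$(gateway_via "$1" "$3")
    [ -n "$gw" ] || { echo "no default route via $3" >&2; return 1; }
    echo "ip route del $2/32"
    echo "ip route replace default via $gw dev $3"
}

echo "before VPN: default via $(default_route "$BEFORE")"
echo "after VPN:  default via $(default_route "$AFTER")"
if vpn_routes_ok "$AFTER" tun0 198.51.100.10; then echo "tun0 is the only exit"; fi
echo "plan to pin (run as root):"; plan_pin "$BEFORE" 198.51.100.10 wlan0
```

    On a live box, capture the table with `route -n` before connecting and feed that to `plan_pin`; the pin still does not stop an application from reaching the LAN or the router's resolver directly, which is what the iptables rules are for.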
     
  6. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    And have you done this yet? Curious as to the results. :D
     
  7. MilenKidane

    MilenKidane Registered Member

    Joined:
    Apr 16, 2013
    Posts:
    6
    Yes, it actually worked.

    Now I'm not using it anymore as a more elegant solution seems to be VPN -> Virtual Box -> TOR
     
  8. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92