Hello all, I have a rather trivial question. I'm using Fedora and I have a VPN account at RiseUP, and from time to time I have to use Tor. I would not like my ISP to see that I'm using Tor, so I'm trying to use Tor over VPN. So I have configured my VPN in NetworkManager and I use the Tor Browser Bundle, starting it after I start the VPN. I wanted to check if Tor really goes through the VPN, so I started EtherApe. On interface wlan0, everything connects to the VPN server address (except some multicast connections like 224.0.0.1 or igmp.mcast.net). If I change to the "tun0" interface, I see traffic from all over (including the Tor network). So, my question is: as soon as I start the VPN, is everything (including traffic from Tor) directed through it, and will my ISP see a single ME-->VPN connection? Is there any possibility that some traffic passes through the normal interface, not the VPN? Thank you
Yes, as long as routing is configured properly, so that tun0 replaces the default gateway. Using the "--redirect-gateway" option generally does that. See https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

That may happen if the VPN connection fails. To prevent leaks, you need iptables rules. See the Linux firewall section in the openvpn man page.
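The iptables rule set that reply points to, written out as an added example (it is not from the thread, from OpenVPN or from RiseUP). It is a "kill switch" for the Tor-over-VPN setup above: every packet must leave through tun0, and the only traffic allowed on wlan0 is the OpenVPN session itself (pinned to interface, server address, protocol and port) plus DHCP renewals. If the tunnel dies, Tor and everything else get an immediate error instead of silently falling back to the ISP path. The VPN server address, the UDP port and the interface names wlan0/tun0 are assumptions passed in as parameters; the thread does not state the port or protocol. The function only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: emit an iptables kill switch for Tor-over-VPN.
# Assumed (not stated in the thread): OpenVPN over UDP, physical interface
# wlan0, tunnel interface tun0.  Apply as root after reviewing the output:
#   killswitch_rules <vpn_server_ip> [vpn_port] [phys_if] [tun_if] | sh

killswitch_rules() {
    vpn_ip=$1; vpn_port=${2:-1194}; phys=${3:-wlan0}; tun=${4:-tun0}
    cat <<EOF
iptables -F OUTPUT
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# loopback, and anything that leaves through the tunnel
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
# the OpenVPN session itself: interface, server address, protocol and port all fixed
iptables -A OUTPUT -o $phys -d $vpn_ip -p udp --dport $vpn_port -j ACCEPT
# DHCP renewals on the physical link so the Wi-Fi lease does not expire
iptables -A OUTPUT -o $phys -p udp --sport 68 --dport 67 -j ACCEPT
# replies to the above; nothing else comes in
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything else on the physical link is logged (with the sending uid) and rejected,
# so an attempted leak is visible in the kernel log and the application sees an error
iptables -A OUTPUT -o $phys -m limit --limit 5/min -j LOG --log-prefix "vpn-leak: " --log-uid
iptables -A OUTPUT -o $phys -j REJECT
# tun0 carries IPv4 only in this setup, so IPv6 must not be allowed to bypass it
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
EOF
}
```

Two consequences worth knowing before applying this: DNS to the router on the LAN (speedtouch.lan in the tables above) is now blocked, so the resolver must be the one pushed by the VPN, which is the intended behaviour since queries to the ISP resolver would otherwise leak every Tor directory and bootstrap hostname; and the rules are not persistent, so they need to be loaded at boot (or before the VPN is started) with the distribution's iptables service.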
Hello and thank you very much. I have read the page for OpenVPN; as I understood it, redirect-gateway changes routes. In NetworkManager I have no specific option for redirect-gateway, but I tried to see if it does it by default. Before starting the VPN, the route output looks like this:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         speedtouch.lan  0.0.0.0         UG    0      0        0 wlan0
    192.168.10.0    *               255.255.255.0   U     0      0        0 wlan0

After starting:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         172.27.0.1      0.0.0.0         UG    0      0        0 tun0
    172.27.0.0      *               255.255.252.0   U     0      0        0 tun0
    192.168.10.0    *               255.255.255.0   U     0      0        0 wlan0
    kite.riseup.net 192.168.10.254  255.255.255.255 UGH   0      0        0 wlan0

Does that mean that everything is redirected through the dns gateway? As I understand it, yes.
Yes, it does. But get the openvpn pid ("ps -C openvpn") and kill it ("kill -KILL <openvpn-pid>") and see what happens.

I've posted the old XeroBank shorewall rules a few times. Reading man openvpn, it looks like the rule allowing connections to the openvpn server could be specified better. Maybe someone who knows iptables better could check that out? If not, I'll get to it eventually.
Thanks. I will try to kill OpenVPN to see what happens. Regarding what you said, someone advised changing the default routes after starting the VPN and reversing it after I close it (this avoids the problem with the VPN dying):

    ip route del default via my_gateway_ip
    ip route add VPN_IP/32 via my_gateway_ip dev wlan0    # or eth0

As I see it, this could be a fix.
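An added example (not from the thread) that turns the two suggestions above into something checkable: the "kill openvpn and see what happens" test from the earlier reply becomes a function that reads `ip -4 route show` output and succeeds only when tun0 owns every default route, and the route pin from this post gets a matching teardown plus a dry-run mode so the commands can be inspected before running them as root. The LAN gateway and VPN server address are passed in; wlan0 and tun0 are assumed interface names. The route table lines in the test are constructed to match the tables posted above, not captured from a real host. One caveat the thread does not spell out: whatever restores the wlan0 default route when the tunnel drops (OpenVPN's own route restore, or NetworkManager) will undo the pin, so the pin is a convenience on top of the firewall rules, not a replacement for them.

```shell
#!/bin/sh
# Added example: route-table leak check and route pinning for Tor-over-VPN.
# Assumed interface names (not fixed by the thread): wlan0 physical, tun0 tunnel.
#   ip -4 route show | vpn_default_only tun0          # exit 0 only if tun0 owns every default route
#   ip -4 route show | default_route_devs             # one device per default route, for a report
#   DRY_RUN=1; pin_up 192.168.10.254 <vpn_server_ip>  # print the commands instead of running them
#   pin_down 192.168.10.254 <vpn_server_ip>           # reverse the pin after closing the VPN

# Read `ip -4 route show` output on stdin. Succeed only if at least one default
# route exists and every default route is on the given device; a second default
# route via wlan0 (what you see after openvpn is killed) makes this fail.
vpn_default_only() {
    awk -v dev="$1" '
        $1 == "default" {
            total++
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) { ok++; break }
        }
        END { exit !(total >= 1 && ok == total) }'
}

# Print the device of every default route, one per line.
default_route_devs() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1) }'
}

# Execute a command, or just print it when DRY_RUN=1 so the plan can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Pin the VPN server behind the LAN gateway, then remove the physical default
# route. Order matters: the host route must exist before the wlan0 default goes,
# or the tunnel itself loses its path to the server and drops.
pin_up() {
    lan_gw=$1; vpn_ip=$2; phys=${3:-wlan0}
    run ip route replace "$vpn_ip/32" via "$lan_gw" dev "$phys"
    # redirect-gateway may already have removed this route; do not fail if so
    run ip route del default via "$lan_gw" dev "$phys" 2>/dev/null || true
}

# Reverse of pin_up, for after the VPN has been closed on purpose.
pin_down() {
    lan_gw=$1; vpn_ip=$2; phys=${3:-wlan0}
    run ip route replace default via "$lan_gw" dev "$phys"
    run ip route del "$vpn_ip/32" via "$lan_gw" dev "$phys" 2>/dev/null || true
}
```

The check uses `ip route` rather than the net-tools `route` output shown earlier in the thread because its fields are stable and keyword-labelled (`dev tun0`), which makes the parse reliable; `route -n` pads columns and prints resolved names unless told not to.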
Yes, it actually worked. Now I'm not using it anymore, as a more elegant solution seems to be VPN -> VirtualBox -> Tor.
Thanks. Similar to the Whonix solution I've read about: https://www.wilderssecurity.com/showthread.php?t=343615&highlight=whonix and http://sourceforge.net/p/whonix/wiki/Home/