TOR through VPN

Discussion in 'privacy technology' started by JoeAverage, Nov 3, 2013.

Thread Status:
Not open for further replies.
  1. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    I always thought that running TOR through a VPN would be safer.

    But see what I found in a VPN provider forum:


    What I understand is that he is saying that using TOR through a VPN can compromise your anonimity.


    Please, what you guys think of that, is it better not use TOR through VPN tunnel?
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    My recommendation is to run Whonix over a VPN. Whonix would be running in a VM (2 VM's actually) nested in an encrypted host (my preference). A well constructed VPN connection would leave your "country snoops/ISP" in the dark (if you select a VPN out of jurisdiction). Whonix is super TOR and completely isolates traffic to the TOR system via 2 VMs designed to isolate and "generalize" your browser fingerprint. You would be one of millions of TOR users and mostly they all look alike. I especially like that my ISP cannot under any known circumstances figure out that I use TOR. In some parts of the world simple use of TOR creates too much attention. That is my take.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That's only an issue if you haven't configured apps to use Tor properly. If you were just using Tor, the DNS leaks would reveal your true IP address.
     
  4. Phil McCrevis

    Phil McCrevis Registered Member

    Joined:
    Mar 25, 2012
    Posts:
    97
    Location:
    US
    So if someone first launches a good well known VPN that has no DNS leaks and then launches Tor Browser Bundle with no flash, javascript or cookies and all plugins disabled then there shouldn't be any problems correct? o_O
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, but it's always best to use routing and firewall rules to make sure.

    The easiest safe way to do Tor via VPN is running Whonix in VirtualBox with the VPN running on the host machine.
     
  6. Zodiac

    Zodiac Lurker

    Joined:
    Nov 4, 2013
    Posts:
    1
    I agree Palancar, just a question, running Tor on a Ubuntu VM is the same?
    I read that neither Ubuntu has dns leaks (even if Whonix is more secure).
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592

    This might be covered in one of Mirimir's guides but let me answer you in general terms so you get an overview. I am going to assume that you understand the host system and how to secure the VPN connection from leaks using rules, firewall, etc.... Lets go from there. First understand that Whonix is TOR but its uniquely configured to protect a user in amazing ways. Whonix utilizes two separate VM's (Gateway and Workstation). The way they are configured and its a masterpiece of design, there is no way traffic can leave except via TOR exclusively. As I mentioned earlier in this thread it also greatly helps to generalize the fingerprint so that you don't appear obviously unique out on the net. You are one of many almost identical users. So to answer your question would a near perfect setup of regular TOR be as secure? Likely yes, but I don't have the experience to be assured that I can create such a locked down configuration as Whonix.
     
  8. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Thanks Palancar and mirimir.

    TOR through VPN, but using whonix VM, no leaks.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    With the Whonix VMs in VirtualBox, and one VPN (VPN1) running on the host machine, you get Tor tunneled through the VPN.

    If you install a second VPN (VPN2) on the Whonix workstation, it connects (just as other apps do) through Tor. That's because Tor is running in the Whonix gateway VM, and there's no other way for the workstation to reach the Internet. Anyway, doing that gives you Tor tunneled through VPN1, and VPN2 tunneled through Tor.

    That option doesn't provide access to Tor hidden services, because your traffic exits from the VPN2 exit node. Also, there's probably less anonymity than using Tor alone, because Tor can't switch circuits while VPN2 is connected. You do get some anonymity from VPN2, as long as you've paid for it anonymously, but it probably doesn't make up for preventing Tor from switching circuits every ten minutes.

    To get VPN2 tunneled through VPN1, and Tor tunneled through VPN2, you need to run VPN2 in a pfSense VM, and use the Whonix VMs. Setting up VPNs in pfSense is really not that hard ;)
     
  10. Phil McCrevis

    Phil McCrevis Registered Member

    Joined:
    Mar 25, 2012
    Posts:
    97
    Location:
    US
    Thanks!
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Mirimir,

    The VPN2 model you mentioned above at a cost of onion/hidden sites and 10 minute route auto-switching leaves me feeling that Whonix and one solid trusted VPN is right for me.

    That said I am considering pfsense if for no other reason than a learning experience.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    pfSense on hardware also makes a great perimeter router/firewall, with many enterprise-level features.
     
  13. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    i second that.
     
  14. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    I would like to ask if someone prefer the option 1, VPN trough TOR.

    I understand it will bring more privacy for the exit node will be encripted by the VPN.

    Is there anybody using this setup?

    How can it be done?

    Thanks in advance guys.

    P.S, I sucessfully accomplished the setup TOR (WHONIX) trough VPN in the host, thanks to mirimir guide. I found the resolution low, but I follow adrelanos guide to increase resolution without running guest additions and it worked!!!
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    You can also do that with Whonix.

    In the Whonix workstation, get a free SecurityKISS account, and download the setup files. Then install openvpn.

    Copy all of the VPN credentials (*.crt and *.key) and one configuration file (must end with .conf, not .ovpn) to /etc/openvpn. You'll need to do that as root. For openvpn to be happy, permissions must be "-rw-------". In a terminal, run:

    Code:
    cd /etc/openvpn
    ls -lah 
    sudo chmod go-r *.crt *.key *.conf
    ls -lah
    Then run:

    Code:
    sudo service openvpn restart
    KEY EDIT: Make sure the the .conf file has the VPN connecting in TCP mode!

    Then change Tor browser preferences to connect without the Tor proxy, and check your IP address. It should be the SecurityKISS exit, instead of a Tor exit. When you want to use Tor again, go back to the Tor proxy, and stop openvpn:

    Code:
    sudo service openvpn stop
    Other options are:

    Code:
    sudo service openvpn start
    sudo service openvpn status
    If you want to have multiple configuration files, and choose which to run, run this ...

    Code:
    sudo nano /etc/default/openvpn
    ... and uncomment ...

    Code:
    AUTOSTART="none"
    Then you can run ...

    Code:
    sudo service openvpn start route-that-I-want
    That will use "route-that-I-want.conf".
     
    Last edited: Nov 15, 2013
  16. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202
    How many relays does TOR pass through? Is it possible to increase the amount of relays?
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Tor uses three relays by default. It's possible to use more. But the Tor Project says that three is optimal, because (as I understand it) using more wouldn't protect that much against attackers who could compromise three, and it would make Tor even slower. You can check out http://tor.stackexchange.com for more about that.
     
  18. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    Mirimir on the topic of DNS leaks engendered in the use of a VPN. What is your resolution? I use DNScrypt to encrypt DNS back to OPENdns in the theory that encrypting DNS plugs the VPN leakage. Your evaluation please. Since we are on the subject I use DNScrypt for both my tap adapter and nic adapter. VPN is as you know iVPN. On my tap adapter do you think I am more secure encrypting via DNScrypt? or should I be using Mara the iVPN default? I see pro and con on both sides.

     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    When Tor is set up properly, there's no "DNS leak" because the exit node handles the DNS lookup for the client, using its DNS server(s) of choice.

    It's best, I think, to set up VPNs the same way. If you're using iVPN, then use its DNS server. I only use other public DNS servers with VPNs when I can't get pfSense to use the VPN's own DNS server(s).

    As long as you have the VPN routed and firewalled so no traffic can bypass the VPN tunnel, it's OK to use any public DNS server, except of course your ISP's DNS server(s) or others that you're using at other levels in your VPN chain.
     
  20. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    Mirimir what do you mean routed and firewalled so no traffic can escape the VPN tunnel?

     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Although I know enough Linux to get in trouble, iptables still confuses me. So it's best that I just point at https://github.com/adrelanos/VPN-Firewall and say, "whatever it does".

    I think that I understand FreeBSD's pf (as in pfSense) a little better. There's outbound NAT from LAN (that is, from workstation VMs attached to the router's LAN) only through the VPN tunnel. That's the only route from LAN. Also, there are firewall rules that allow traffic from LAN through the VPN gateway, and everything else is blocked.

    Understanding aside, it's simple. While the VPN is connected, you use Wireshark to capture traffic to and from the Internet. You should see only encrypted packets to and from the remote VPN server. You should not see any other conversations, with DNS servers or whatever. When you kill the VPN tunnel in one way or another, you should see no traffic to the Internet, except for reconnection attempts by the VPN client, if it's alive. You should also see no traffic from the Internet, except for reconnection attempts by the remote VPN server, if it's alive.
     
  22. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Some Tor questions

    1. Does Tor not automatic disable cookies, flash, java and plugins ? I assume its the same for when running whonix

    2. JoeAverage original post option 2 suggested ".!. This would be what I'd do if I didn't trust my VPN provider" But its Option 1 that will not reveal your real ISP IP to the VPN ? Option 2 your VPN would see your real ISP IP. Correct me if I am wrong on this...

    3.Joes Option 2, I take it your ISP can't see your on Tor since you are connected to your VPN 1st right ?

    3. Tor hidden services, I thought you could access these with either option 1 or 2 ? Or does one have to connect to Tor network then through to VPN ?


    Number 2 threw me right off, I always thought if you connect to Tor 1st, this prevents your ISP from seeing your on Tor network...
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Tor alone doesn't do any of that. If you point apps properly at its proxies, it routes TCP traffic, and also routes DNS queries, which are a type of UDP traffic. But it ignores other UDP traffic, and it just goes wherever it would have gone without Tor, unless blocked/dropped.

    It's the Tor Browser Bundle that does all that disabling. But it does it only in the browser. Anything else that you run is on its own.

    Tails and Whonix include many other common apps that are properly set up to use Tor safely. But there's no free lunch. UDP traffic (except DNS queries, as above) just gets blocked/dropped. It doesn't get routed thrpough Tor. Adding a TCP-based VPN (SSH tunnel, OpenVPN, Onioncat, etc) is the only way to get UDP through Tor.

    It depends on what you mean by "trust". In option 2, your VPN can see your ISP IP address, but it can't see anything else except that you're using Tor. All of your traffic through it is encrypted to/from the Tor entry guard relay.

    Right.

    No. It's only in option 2 that you can access Tor hidden services. That's because you're using the VPN only to reach the Tor entry guard. Once you've done that, everything else works just as if you'd connected directly to the Tor network.

    In option 1, you're using the Tor network to reach the VPN server. Once the VPN tunnel has been established, all of your traffic goes through the tunnel. Consider what happens if you try browsing to some hidden service. Your request goes through the VPN tunnel, and hits the Internet from the VPN exit server. The VPN's DNS server doesn't have entries for foo...bar.onion, so you get nothing. Effectively, it's no different from trying to browse hidden services directly from your ISP gateway without running Tor.

    There is one case where you can access hidden services using a VPN tunneled through Tor. That's when the hidden service is running a VPN server. A VPN client connects to foo...bar.onion through Tor, and then there's a VPN tunnel between you and the hidden service through Tor. But in that case, you're not actually reaching the hidden service through a VPN tunnel.

    No. If you connect to Tor first, your ISP sees that you're connecting to Tor. It's the websites that you're visiting that can't see that you're using Tor.
     
  24. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    My vote is to let websites know I am using TOR/Whonix/Tails but NOT my ISP. For where I live that is a far superior route than the reverse. Your needs may be different.
     
  25. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    thx mirmir once again to my rescue :D

    Yes meant Tor browser not just Tor.... yes connecting to Tor 1st your isp is bound to see it, was getting confused.

    And to confirm in option 2 connecting to VPN then launching Tor broswer or whonix, your ISP sees your connecting to the VPN but only your VPN sees a connection to Tor but they can't see your traffic content ie tor websites etc ?
     
Loading...
Thread Status:
Not open for further replies.