VPN, port forwarding, VM

Discussion in 'privacy technology' started by sanman99, Nov 20, 2013.

Thread Status:
Not open for further replies.
  1. sanman99

    sanman99 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    6
    (Questions summarized at bottom)



    Hi, I'm researching and am nearing decision to use a VM within a VM, each being connected to a non-logging VPN provider. I might go as far as 3 levels deep.
    is this good?
    Curious, if I don't have ability to port-forward on my network, can a VPN provider such as AirVPN forward it without me setting up the local router?


    So, if I need a Windows OS VM to use, maybe use a couple Puppy Linux containers around it, each on VPNs bought using bitcoin (by paid in cash with separate prepaid cards)




    If I want 2 identities, should I use another VPN not within that daisychain?
    i know only the outermost VPN VM and innermost VPN can see my info, so if I'm paranoid, should i get a 4th account for my other non-related activity?




    Summary:
    Do i need to port-forward even though the VPN port forwards?
    Is this daisychaining method good?
    Is it good to get a 4th VPN for my non-related identity?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    I've done up to four or five VPN levels. Bandwidth tends to be bad when latency goes much over 400 msec.

    No, only the last VPN must allow port forwarding.

    I think so ;)

    Yes, it's best to use a different exit VPN for each non-related identity. If you want more isolation, use different VPNs for the last two levels. And if low bandwidth is OK, you can use Tor, or Tor plus a VPN.
     
  3. sanman99

    sanman99 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    6
    Thanks! So, even my local router doesn't need forwarded?
    And I know of some high-bandwidth VPNs, so that might lessen the speed problem aside from unavoidable latency, as you said.
    As for locations (countries), is it acceptable to use each of them in the same Netherlands?
     
  4. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    534
    You are more than safe enough :)
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Right. The port is forwarded through the final VPN tunnel.

    Latency can be high even with high bandwidth.

    If you're using different VPN providers, it's probably OK to exit both in NL. I like some variety, though.
     
  6. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    I have been doing reading about using a client like proxifier to I guess port chain a proxy to the tor exit node to control where TOR exits. I have also been reading about nesting a vpn on top of TOR and then perhaps doing the same type of proxy chaining. Of course the goal is to control where you geographically pop out in the world when using TOR. Anyone care to express comments regarding efficacy?

     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Using Whonix, it's easy to use proxies and VPNs with Tor. For proxies, you just reconfigure Iceweasel in the Whonix workstation VM, or use a proxy-switcher plug-in. For VPNs, you just install openvpn in the Whonix workstation VM, and configure for your VPN account. You can also do both, tunneling the VPN through Tor, and then connecting to sites through a proxy. Doing either in the same machine that's running Tor is more complicated. VPNs are more reliable than proxies. While all apps use VPNs, you must configure each for proxies. But with proxies you can easily have many different IPs.
     
  8. sanman99

    sanman99 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    6
    I'm back :p

    If I'm budgeting and don't trust some VPN providers, but want to add some more later (cheap ones who say no logs), should I add the extra one before Tor? I'm wondering where Tor should be in my sequence.
    If have Tor (t) as this sequence: vtv
    And I want to add a cheap VPN (while keeping my well-trusted one up front), should I put it before or after Tor? It's good that I put a VPN before Tor, right?

    Tor is like a stream and I read that it is possible to trace its flow or something (I can keep researching), but generally, any compromised nodes can see my traffic's content but not trace it other than the content's clues.
    And on my local ends of it, my ISP or VPN which connects to it knows that I am one of the many users using Tor (and timestamps can be an issue, but I won't get into that).

    Anyways, add the VPN before or after Tor? I will already put one behind Tor.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    @sanman99

    It depends on what you want.

    If you'll always be using Tor, it provides far more anonymity than any usable combination of VPNs ever could. So you need a VPN before Tor only if you want to hide Tor use from your ISP etc. If it's very important to hide Tor use, then two nested/chained VPNs are better than one.

    The only advantages of tunneling a VPN through Tor are: 1) getting a stable IP address for accessing Google etc; and 2) evading outright Tor exit bans by some websites.

    Tunneling a VPN through Tor actually reduces the anonymity that Tor provides, in at least two ways: 1) you no longer look to websites like all other Tor users; and 2) the VPN tunnel prevents Tor from changing circuits, which it normally does at ten minute intervals.
     
  10. sanman99

    sanman99 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    6
    For my first persona, I need to port forward. So, would you recommend Tor>Vpn>Vpn or Vpn>Tor>Vpn? It merely changes what LAN and WAN see? It doesn't let Tor work as well?

    No parties involved will care about Tor for my first persona, but the second requires Hidden Service for Tor at the WAN end.
    I'm curious about the differences when I switch things around and nest what in what. I like to think of it like a house within a house or Russian nesting dolls.

    "You no longer look to websites like all other Tor users". I don't quite understand.


    I'm intrigued.
    I somewhat understand what VPN is, but I'll have to research further how Tor functions.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    You can't forward ports to Tor exit nodes. So for that, you'll need a VPN that allows port forwarding. If you want Tor's anonymity, you'll need to tunnel that VPN through Tor. If you want to hide Tor from your ISP etc, you'll need to tunnel Tor through another VPN.

    In order to use hidden services, you can't be using a VPN through Tor, because your traffic doesn't see Tor, being carried by the VPN. However, the Tor client that you're using can also be carrying a VPN etc in other circuits.

    I like tubes withing tubes, or cables within cables.

    Part of Tor's anonymity is having all users look the same to websites. When you tunnel a VPN through Tor, your IP is no longer a Tor exit, it's the IP of that VPN service. And it's not changing every 10 minutes. So you're no longer a random Tor user.

    :)

    The Tor Project website has some good explanations.
     
  12. sanman99

    sanman99 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    6
    I mean, I know those. The things which you just answered.
    I just need to understand what the difference between Tor>VPN or VPN>Tor, or is there no difference?
    Like, if I was using those VMs, I'd be running Tor within my VPN..

    I understand almost all of it except for how VPN and Tor interact and what it's doing when I run these in VMs.
    I can route VirtualBox/VMWare process through Tor, or I can run Tor within it...?
    The last VM (Windows) can use "Tor Browser", right? How should I nest?

    What order should I use for my "browsing persona"? I might do this with Windows/Tails as my final inner shell, using Tor browser?
    Should I always use a VPN to start my chain/nest?
    What order should I use for my "port forwarding persona"? I want to know at which place I should add Tor, because I do understand I'm using VPN last for the ports.


    I'm asking what would this look like in my VM setup?


    To prove I'm not trying to drag this out further than it needs, I'll show you that I am doing my own research.


    I can't remember how to parse these:
    https://tails.boum.org/blueprint/Two-layered_virtualized_system/
    https://svn.torproject.org/svn/torvm/trunk/doc/design.html
    http://www.howtoforge.com/how-to-se...-virtual-machine-traffic-over-the-tor-network
    http://security.stackexchange.com/q...est-way-to-make-my-internet-traffic-anonymous
    http://www.stayinvisible.com/
    https://www.wilderssecurity.com/showthread.php?t=275888
    and a thread by you, Mirimir https://www.wilderssecurity.com/showthread.php?t=315880



    Thank you for your patience. I hope that this thread can become useful for many people doing a Google search.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    I don't like expressing nesting/chaining of VPNs and Tor that way, because it's ambiguous.

    If "Tor" and "VPN" refer to networking modules, such as Tor and VPN gateway VMs, "Tor>VPN" indicates that your traffic goes first to the Tor module, and then the Tor traffic (which is creating circuits to carry your traffic) goes to the VPN module for routing to the Internet from the VPN's exit server. In other words, you're routing Tor through the VPN.

    Conversely, if ">" is like a funnel opening, and means "goes through", then "Tor>VPN" means that you're routing the VPN through Tor.

    I'd rather just stick to words, or use pictures (as in my guides). Anyway, when you're routing Tor through a VPN, all packets emitted by the Tor client get encrypted and packaged by the VPN client, and sent to the VPN entry server. The VPN exit server removes VPN packaging and decrypts, and then emits to the Internet the packets that originated from your Tor client. As far as observers of the VPN exit server can tell, your Tor client is running locally on it. Return traffic gets routed back through the VPN to the Tor client (waves hands).

    Conversely, when you're routing a VPN through Tor, all packets emitted by the VPN client get encrypted and packaged by the Tor client, and sent to the Tor entry relay (aka guard). After routing through an intermediate Tor relay, the Tor exit relay removes remaining Tor packaging and decryption, and then emits to the Internet the packets from your VPN client. As far as observers of the Tor exit relay can tell, your VPN client is running locally on it. Return traffic gets routed back through the Tor network to the VPN client (waves hands).

    Is that what you wanted?

    You can do either Tor through VPN, or VPN through Tor, or just about any combination you want except going twice through Tor. I've tried that, and it's never worked.

    Maybe I explained enough above.

    VPNs are virtual networks. I imagine them as network cables with a simple NAT router on each end. You route traffic through them just like you route traffic through an Ethernet cable running from one room to another in your house or whatever.

    Tor circuits are SOCKS proxies, not tunnels. And they carry only TCP traffic. If the Tor exit relay were a simple SOCKS proxy, you'd just connect to it through the Internet. But the Tor network effectively allows you to use that SOCKS proxy remotely, with the connection mediated by the Tor onion-routing network.

    Yes. If there are no VPNs involved, both connecting a VM to a Tor gateway VM and running Tor within the VM will give you a VM that sees the Internet through Tor.

    But you get different results when you add a VPN client to the VM. If the VM is using a Tor gateway, the VPN gets routed through Tor. Conversely, if the VM is running the Tor client, adding a VPN client will result in Tor being routed through the VPN. That's the default behavior, anyway. You can change it with proper routing in the VM, but I've never done that.

    I wouldn't go there. Just be safe and use Whonix for your Tor stuff.

    I don't know what you mean by those terms. If it's casual stuff like Wilders, then one or two nested VPNs should be fine.

    Use Whonix.

    I always do, because I'd rather be flagged as a VPN user and not a Tor user.

    If you need Tor level anonymity, then tunnel a suitable VPN through Tor, with Tor tunneled through another VPN. If you don't need Tor, just tunnel VPNs.

    I don't see any benefit to nesting/chaining two or more VPNs after Tor. So tunnel Tor through one or two VPNs, and then tunnel the last VPN through Tor.

    That's all in my guides.

    Simple setup:

    VPN on host machine
    Ubuntu VM for casual browsing [could run 2nd VPN]
    Whonix Tor gateway VM
    Whonix workstation VM, running VPN for port forwarding

    To add additional VPNs, you'd need to use VPN gateway VMs (pfSense, OpenWrt, etc).
     
  14. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    Saman99:

    I have not responded to you, but here is my two cents. The reason to run a vpn behind TOR is to hide the fact that you are running TOR from your ISP. Also as Comcast is redirecting port 53 via a transparent proxy just changing your DNS if you are Comcast is not good enough anymore. I use DNScrypt (OpenDNS) on both my tap and nic connection to encrypt my dns to OpenDNS.

    Your next question is one of nesting. Meaning is there a need to nest a secondary VPN after you run TOR. The answer to that is it all depends what you are doing. If you are having an issue of some site seeing that you are coming out of an exit node the answer to that is yes. A second nested VPN might not be up to the task if you legitimately need to fool some type of geographic sensor for say a financial institution. In that case you might need to chain a proxy onto the end of TOR using a client like Proxifier. Bear in mind saman that much of what you are asking is dependent on your individual risk profile, who your adversary is and why you need to do what a given task.

     
  15. sanman99

    sanman99 Registered Member

    Joined:
    Nov 20, 2013
    Posts:
    6
    Ok, sounds good. I'll look at more of your guides and such.
    So, I might use VPN first within a VM, because I don't want my other network traffic related. Then inside that first VM, I may run another VM through Tor, then that will be for browsing on the Hidden Services. Optionally a second VPN for not being IP-blocked (maybe a socks proxy).
    Then, the same thing for my other profile, except always having that VPN to port forward. It will be a different VPN at that ending, most likely.

    I'll just have to figure out how to minimize losing those securities of Tor, how VPN changes its functioning. If there's no getting around it, how you said it won't change every 10 minutes, I'll just live with it.
    That's only if Tor isn't the last on the chain? So, maybe I'll only chain some Socks proxies to get myself a suitable IP.

    Thank you for your help. Thanks very much.
     
Loading...
Thread Status:
Not open for further replies.