VPNs and Tor

Discussion in 'privacy technology' started by mirimir, Feb 1, 2015.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Two days ago (although it seems like weeks) someone asked on tor-talk about advantages and disadvantages of using VPNs together with Tor in various ways. This is an old question on tor-talk, and on Wilders as well. In particular, they asked about tunneling a VPN through Tor (Tor -> VPN) versus tunneling Tor through a VPN (VPN -> Tor).

    As y'all might expect, I've had a lot to say on the matter. Several others have have offered insightful perspectives. I was especially pleased to see comments from Paul Syverson, one of the original Tor developers, and a senior scientist at the U.S. Naval Research Laboratory. See https://lists.torproject.org/pipermail/tor-talk/2015-January/036644.html

    Conversely, I have been bedeviled (maybe even reduced to a raving lunatick) by a slide from Grugq's 2012 Hack In The Box presentation "OPSEC: Because Jail is for wuftpd" at 46:25. See http://www.youtube.com/watch?v=9XaYdCdwiWU
    I've had a lot to say about this on tor-talk, more or less coherently. Here's my best shot:
    Code:
    VPN -> Tor
       VPN connection to Tor == Tor connection through VPN
       getting your anonymity (Tor) more privately (VPN)
       easy setup; VMs not needed; firewall prudent; use PayPal for VPN
       safe with Tor browser; easy to fail with other apps
    
    Tor -> VPN
       Tor connection to VPN == VPN connection through Tor
       getting your privacy (VPN) more anonymously (Tor)
       hard setup; use VMs and firewalls; buy and use VPN anonymously
       classic fails: buying VPN with PayPal, using VPN sans Tor
     
  2. Kiebler

    Kiebler Registered Member

    Joined:
    Feb 3, 2015
    Posts:
    15
    After going thru this article https://thetinhat.com/tutorials/darknets/tor-vpn-using-both.html I am still confused on how a malicious exit-node can still see unencrypted traffic using a VPN>Tor setup. Also, are the dangers of exit-nodes the same when going on the 'clearnet' vs the hidden services? Or are exit-nodes referring only to connecting to the clearnet?
     
  3. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    So from what I've seen from the links it's being based on the idea that if the VPNs are compromised, or watched, or even log then it makes no sense to run Tor through a VPN (or is that only a percentage of the whole story?) But most ISPs ALREADY log and watch traffic, or even the old example of the guy who used Tor at his university and he was one of only two people at the place at the time to be running Tor so they tracked him down easy enough, and he confessed.

    That video is also 3 years old now, so I wonder if he still stands by what he said then, now (cause stuff changes and advances, opinions change, etc). I still have to watch the whole thing. But his case example can be argued and like Paul is saying, it's based on your needs with benefits and issues with both methods. The whole privacy/anonymity can be separate things, can be coexisting. But his whole slide in the video of GOTOJAIL is a bit worst case, and I think simplifying that VPNs are for Privacy and Tor is for Anonymity is misleading.

    Tor -> VPN
    Wherever your connection starts from, could know you're connecting to Tor. If compromised on the leaving end, they'd go to the VPN who'd then just say "dur, twas someone using Tor". But that's under the assumption that the VPNs you'd be using are untrusted or compromised. But I get we can't really go on assumptions with security. And like you said, hardest to setup, many things could go wrong setting it up if you aren't savvy. That is the setup if you have "LEO" wanting to make an example out of a high level target. But again, vid was from 2012- the NSA leaks have caused a lot of VPNs and security services to up their game and can now even bank on media siding with any stories of being forced into being compromised. Look at Yahoo.

    VPN -> Tor
    You might have the same risks from just using Tor from your ISP than a VPN, but obviously most if not all ISPs are CERTAIN to log and none are known to go out of their way to even try to protect privacy. But if you're already tipped off your ISP you've used Tor (or Linux, or whatever they flag now out of their insanity and paranoia) you might already be on a higher watch list, maybe not so much after the NSA leaks and the masses that have used it since. I'm not sure.



    Even then, there are so many things between the person's finger tips and the end destination that can go wrong, software bugs being one, browser finger printing... It just does not end.

    For whatever reason, I still seem to think VPN -> Tor would have better overall perks, for me anyway.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Using VPN>Tor, the VPN just gets you to Tor entry guards. Everything else is just Tor. Tor exits see all of your traffic to clearnet. So you need end-to-end encryption. However, with hidden services, there are no exit nodes. Both clients and hidden services create Tor circuits, and they meet at rendezvous points. Everything between clients and hidden services is encrypted.
     
  5. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    After reading through some guides that were making the argument "remember, no one is going to go to jail for you" I kinda retract my previous post. Hook, line and sinker, no, it's more the adversaries take the route of commercial net fishing entire oceans for Moby Dick, and any other fish that just happens to be in the same ocean gets caught up too. So we get this type of stuff: https://en.wikipedia.org/wiki/Lavabit#Connection_to_Edward_Snowden

    The more I learn the more I wish I didn't know and that I was instead some cave hermit.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    The whole point of distributing trust is to avoid putting anyone at risk of "going to go to jail for you". As long as collusion is limited and/or takes enough time to arrange, anyone pressured can cooperate fully. It's best if they've set stuff up so cooperating will do minimal damage, of course :)

    It's also prudent to think before acting, and to avoid putting resources that you depend on (and their providers) unnecessarily at risk :)
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Ditto from start to finish!!
     
  8. Kiebler

    Kiebler Registered Member

    Joined:
    Feb 3, 2015
    Posts:
    15
    I've recently secured another vpn (with 3 hops *wink*) and would like to use it in whonix workstation. Should I use pfsense (no idea to set it up) in VBox or is there already something to handle this in the Whonix workstation.

    My host (win7) is running another vpn and the default gateway ip is removed after OpenVpn connects ( https://forums.comodo.com/firewall-help-cis/configuring-to-block-all-nonvpn-traffic-t91413.15.html) instead of adding rules to the firewall.

    edit:
    Just noticed MIrimir guides on ivpn. Guess I need to get reading :).
     
    Last edited: Feb 16, 2015
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I haven't watched the video yet but I would think that starting the VPN first and then connecting to Tor would be the safest bet as far as being anonymous. But of course not giving away any personal identifiable information through the tor exit node. The ISP sees a VPN. And the VPN sees the entry node, right? The exit node knows nothing of the VPN. So I would think this would be the safest bet. Certainly just for surfing or going to a hidden service or something.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes.

    For using a VPN through Tor, the key issue is "not giving away any personal identifiable information" to the VPN provider. You get two benefits: 1) bypassing anti-Tor blocks, and reducing CAPTCHAs; and 2) ability to use apps that require UDP traffic.

    But as I've noted, better would be VPN services that operate as Tor hidden services. Perhaps they would only accept payment via anonymous tokens. And perhaps the tokens might be sold by third parties, who would accept payment only via Bitcoin mixing services.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Well somebody somewhere is going to "see" your first connection. Your ISP connection has to go somewhere first. Because of that unavoidable fact I prefer the first connect to be a VPN. How long my connection tunnel is and what happens after the first connect shall remain a mystery to my ISP. There are lots of folks that would say they prefer the first connect to be a TOR entry node. I can't debate that call its a preference. What happens after the first connect is very important, and especially ANY activity that is post exit node from the connection tunnel end. Doesn't matter if the final node is vpn, tor, ? because when you leave and go to clearnet you need to THINK so you don't throw away all your hard planning and configurations. I spend significant time on hidden servers and enjoy the fact that there is in effect no exit node on that setup.
     
  12. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,424
    Such a service does not exist to my knowledge. I hope one will be built very soon.

    I have searched the entire dark web, every privacy & anonymity forum out there, even most of the exclusive .ru forums that you need 2 vouches for two become a member, I've looked at bulletproof hosting services from around the world, and finally researched nearly every VPN service located offshore in the world and nothing comes close to even 95% anonymity.

    The best you can hope for is chaining anonymity services or proxy services together.

    I've seen VPN-TOR-VPN-DEDICATED_BULLETPROOF_SERVER-SSH-SSH mentioned as one of the safest chaining methods.

    I wouldn't know honestly as I have no use for such levels of anonymity.
     
  13. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Would it be possible to use a laptop connected via Ethernet and running a Tails live DVD to create an ad hoc wireless network? This works with VPN and whatever other linux distro quite easily. I think a setup of Tor Wifi secured with WPA --> anonymously purchased VPN 1 --> anonymously purchased VPN 2 in a VM would be both the most anonymous and secure setup that I could imagine.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I've done it. It's easy. You setup just like any hidden service. The problem is finding hosting services that would allow such exits. They're effectively Tor exit nodes. One can use VPN services as exits, but that's just a stopgap, because your users would burn them down pretty quickly.
    I agree.
    Same here, of course :) It's a hobby.
     
  15. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,424

    Yeah it is a hobby of mine too. Just trying to see what is possible drives me. I'm a explorer kind of person.

    My next project is QUBES>WHOINX VM>VPN/SSH chain setup on a fully Veracrypt 256AES/Blowfish encrypted fast i7 CPU SSD PC.
     
Loading...