NaDre 154 Posted ... I have been playing with connecting to AirVPN through Tor, on my Windows 7 system. By default, the tor.exe proxy program (the program that provides the SOCKS server listening on 127.0.0.1 and connects to the Tor network) does not bind a specific IP address for its connections. It uses the default gateway. But when one starts up the OpenVPN connection via the SOCKS proxy tor.exe provides (listening on 127.0.0.1:9150), the default gateway will change to the VPN connection! Indeed, watching the tor.exe process using Process Explorer, if I generate lots of connections with my browser over the VPN interface, I see tor.exe making all new connections via the VPN gateway, and connections using the real interface start to disappear. This of course cannot lead to a good result. Fortunately the original connection that tor.exe allocated for the OpenVPN TCP is connection is still there. For a while anyway. But can it be relied upon to remain there? Note that any packets tor.exe sends on the VPN gateway, if they do make the trip, would have to make two trips through Tor and the VPN! Think about it. So I have one suggestion and one question: Suggestion: Modify the torrc file (file Data\Tor\torrc within the "Tor Browser Bundle" package) that controls tor.exe to add an "OutboundBindAddress" parameter specifying the IP address of the real IP interface. EDIT:If you want to use OutboundBindAddress on a Linux or BSD/MacOS system, you have to set up source address routing. See:https://airvpn.org/topic/21340-airvpn-tor-obfs4-bridges/?p=58426END of EDIT You can see determine what the IP address of the real IP interface is (among other ways) by using this command at a command prompt ("Start Menu/All Programs/Accessories/Command Prompt"):route print This should produce something like this:C:\Users\user>route print ... Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.63 10 ... The routing table entry shown (with the "Network Destination" and "Netmask" values of 0.0.0.0) is for the real default gateway. The address under "Interface" (192.168.1.63 in the example above) is what you want. If you want to run run tor.exe without having to have vidalia.exe and tbb-firefox.exe running (with a minimized window on your task bar), then you can place a Windows script file (ending in .bat) in the root folder within the "Tor Browser Bundle" package containing this:App\tor.exe -f Data\Tor\torrc DataDirectory Data\Tor pauseQuestion: Am I correct that adding the "OutboundBindAddress" parameter would improve the stability and longevity of the OpenVPN connection? I have not read up on the Tor spec. But perhaps someone else here has? Will the "virtual TCP connection" that tor.exe provides for the OpenVPN client survive indefinitely (assuming that none of the PC-s acting as relays along the way get rebooted)? Presumably the Tor exit node must remain fixed, since I presume OpenVPN insists on one TCP connection remaining for the whole time? But what about everything in between? Can that change? Since tor.exe makes new connections when I am using my browser via the VPN interface, it would seem so. And if so, then without "OutboundBindAddress", this won't work as intended? Might not the last "real" connection ultimately disappear? Answer: I found this statement in the Tor FAQ: "But note that a single TCP stream (e.g. a long IRC connection) will stay on the same circuit forever -- we don't rotate individual streams from one circuit to the next." So if OutboundBindAddress is not used, then so long the OpenVPN client does not decide that it needs to abandon the TCP connection it has and reconnect, the virtual TCP connection via Tor should persist, so long as no hop along the circuit decides to drop out. New Question: But without OutboundBindAddress, any reconnection attempt by the TCP client will fail? Since it will try to use the VPN gateway, which itself needs Tor? Or does the OpenVPN client remove the routing table entries during a reconnection attempt? I believe I have seen reconnection events in my logs where it left the routing table entries (and therefore the VPN gateway as the default gateway) in place during the reconnection. === Another suggestion: I have seen discussion in this forum about using Tor over OpenVPN over Tor by running the Tor browser bundle in a virtual machine. But there is no need for a virtual machine. The trick is to run the tor.exe instance that OpenVPN uses by itself, without using "Start Tor Browser.exe", as described above, in a second copy of the Tor Browser Bundle Package. In that second copy add the Windows script file (ending in .bat) in the root folder to run tor.exe by itself (as described above), add then not only add an OutboundBindAddress parameter for the real IP address to Data\Tor\torrc, but also modify these parameters:SocksPort 9152 ControlPort 9153 Then the OpenVPN config file uses port 9152 instead of 9150:socks-proxy 127.0.0.1 9152After doing this, the original Tor browser bundle can be run as normal (i.e., unmodified, with no changes to torrc). The unmodified Tor browser bundle will use the VPN gateway just as it would have used the real gateway. You will end up with two tor.exe processes running, listening on different ports. Quote Share this post Link to post
amnesty 18 Posted ... Question: Am I correct that adding the "OutboundBindAddress" parameter would improve the stability and longevity of the OpenVPN connection? I have not read up on the Tor spec. But perhaps someone else here has? Will the "virtual TCP connection" that tor.exe provides for the OpenVPN client survive indefinitely (assuming that none of the PC-s acting as relays along the way get rebooted)? Presumably the Tor exit node must remain fixed, since I presume OpenVPN insists on one TCP connection remaining for the whole time? But what about everything in between? Can that change? Since tor.exe makes new connections when I am using my browser via the VPN interface, it would seem so. And if so, then without "OutboundBindAddress", this won't work as intended? Might not the last "real" connection ultimately disappear? === I'm not too familiar with Tor. Just started checking it out. If I'm not mistaken the circuit (including the exit node) changes ~ 10 minutes perhaps sooner depending on congestion or the port(s) being used as the exit nodes advertise which ports they will accept. I suppose the latter doesn't apply with VPN over Tor.When the circuit changes, does the exit node remain and only the relays change during a session? Or are the circuits session specific and remain the same throughout the session? Quote Share this post Link to post
NaDre 154 Posted ... I found this statement in the Tor FAQ: "But note that a single TCP stream (e.g. a long IRC connection) will stay on the same circuit forever -- we don't rotate individual streams from one circuit to the next." So if OutboundBindAddress is not used, then so long as the OpenVPN client does not decide that it needs to abandon the TCP connection it has and reconnect, the virtual TCP connection via Tor should persist, so long as no hop along the circuit decides to drop out. But any reconnection attempt by the TCP client will fail? Since it will try to use the VPN gateway, which itself needs Tor? Or does the OpenVPN client remove the routing table entries during a reconnection attempt? I believe I have seen reconnection events in my logs where it left the routing table entries in place during the reconnection. Quote Share this post Link to post
Not connected, Your IP: 3.147.103.202
Online: 23071 users - 283789 Mbit/s total BW