Using AirVPN with Tor

[difflehuffy 0]

I don't understand the concept of the "Using AirVPN with Tor" section.

 

The AirVPN guide says "Does APP use Tor directly?" ..like the Tor browser.  In the "Yes" direction it points away from the AirVPN server.  Does this mean I can't use AirVPN with the Tor browser?? 

 

If an APP does not use Tor directly does this refer to an APP that uses Tor indirectly?  What would an example of such an APP?

[InactiveUser 185]

I don't understand the concept of the "Using AirVPN with Tor" section.

 

The AirVPN guide says "Does APP use Tor directly?" ..like the Tor browser.  In the "Yes" direction it points away from the AirVPN server.

 

 

 

 

 

 

This graphic for "Using AirVPN with Tor" describes the following situation:

1. you run a Tor client - let's say via Tor Browser. Tor will be listening on local port 9150
2. you want to use AirVPN through Tor (meaning your traffic first goes through Tor, then exits through through AirVPN). To achieve that, you configure AirVPN to use Tor via port 9150.

Now the question is, what happens if some application connects to the internet? What "path" does the connection take?

That's the question the "arrows" try to answer.

 

"Does App use Tor directly" simply means: Has the app been configured to proxy through local port 9150?

 

Example A: Chromium browser. Does this app use Tor directly? No, that browser is not configured to use any proxies.

So, we have to follow the "No" arrow: Any of Chromium's connections will use the AirVPN connection, which in turn is tunneled through Tor. That's why that path is annotated "ENCRYPTED by VPN & Tor".

 

Example B: Tor Browser. Does this app use Tor directly? Yes, it does, because it's configured to use SOCKS5 proxy 127.0.0.1:9150. Local connections won't get tunneled through the VPN, which is why the arrow is annotated "(only) ENCRYPTED by Tor".

 

 

All this really means is: If you tunnel AirVPN through Tor Browser's Tor client, but then use that Tor Browser to browse the web, your request will still only go through Tor, but not through the VPN.

 

 

If an APP does not use Tor directly does this refer to an APP that uses Tor indirectly?  What would an example of such an APP?

 

This would be my example A: If you tunnel AirVPN through Tor, most applications would make their connections through AirVPN, without knowing anything about AirVPN being tunneled through Tor first - thus, they would be using Tor indirectly.

 

 

Does this mean I can't use AirVPN with the Tor browser??

 

Not at all. You can hook up Tor and AirVPN in both directions; either tunneling AirVPN through Tor or tunneling Tor through AirVPN.

There's just that little "gotcha" that you can't tunnel AirVPN through Tor Browser and then expect your browsing in Tor Browser to also go through AirVPN.

 

This does not apply at all if you connect to AirVPN directly and then use Tor Browser on top (tunneling Tor through AirVPN).

Slightly off-topic but I'd claim that it usually makes more sense to tunnel Tor through AirVPN instead of the other way 'round, but that's entirely up to you.

[difflehuffy 0]

ok.  So you start the Tor browser to initiate a Tor circuit (outside of AirVPN) and THEN you use a non-Tor browser like Chrome, regular old Firefox, or even a usenet application to go through the circuit and thence to AirVPN and then to the world. 

 

Is my thinking right:

 

'AirVPN over Tor' would generally be used for protection from hostile Tor exit nodes,

 

..while 'Tor over AirVPN' would generally be used for protection from hostile ISPs?

 

 

What would be my point of greatest vulnerability if I were to send an untraceable bitcoin payment for an AirVPN account using an anonymous IP, and then only log in to AirVPN from my home IP whilst using 'AirVPN over Tor'?

[InactiveUser 185]

More or less, although "Tor over VPN" is more about hostile VPNs, not hostile ISPs. Both Tor and VPNs can already be useful on their own to combat hostile ISPs.

I have previously compiled a list of pros and cons for "Tor over VPN" vs "VPN over Tor".

 

I'm not sure there are any striking weak points in your hypothetical, but the significant "cons" I list in my other post still apply.
As far as Bitcoins are concerned, you will probably find that many of the popular methods aimed at erasing Bitcoin's traces don't hold up to scrutiny.
 

[eyes878 43]

VPN over Tor is for if you don't want to trust AirVPN. If you didn't pay anonymously then there's minimal reason to do this. You will also have a substantially slowed speeds with this.

 

Tor over VPN is what I would recommend. Your trust is placed in AirVPN, and they hide your usage of Tor. Your ISP and anybody watching over is going to be more suspicious of you using Tor than simply an OpenVPN connection. The only downside I see to this is that you are not protected against hostile exit nodes.

[Staff 9744]

Tor over VPN is what I would recommend. Your trust is placed in AirVPN, and they hide your usage of Tor. Your ISP and anybody watching over is going to be more suspicious of you using Tor than simply an OpenVPN connection. The only downside I see to this is that you are not protected against hostile exit nodes.

 

Hello!

 

Well, with Tor over Air you don't put your trust on AirVPN. Our servers will see only traffic encrypted by Tor and only to/from various Tor guards (at least for your applications using Tor). So it's quite a good partition of trust. If you don't use end-to-end encryption you put a lot, really a lot, of your trust on the Tor exit-nodes operators, watch out.

 

Tor over OpenVPN with end-to-end encryption is really good and, as we have seen from leaked documents, it is a "huge", huge problem even for NSA.

 

Kind regards

[difflehuffy 0]

Thx everyone for the great info

 

More or less, although "Tor over VPN" is more about hostile VPNs, not hostile ISPs. Both Tor and VPNs can already be useful on their own to combat hostile ISPs.

I have previously compiled a list of pros and cons for "Tor over VPN" vs "VPN over Tor".

 

I'm not sure there are any striking weak points in your hypothetical, but the significant "cons" I list in my other post still apply.
As far as Bitcoins are concerned, you will probably find that many of the popular methods aimed at erasing Bitcoin's traces don't hold up to scrutiny.
 

 

The con "VPN provider is able to snoop on your traffic" means packets are not encrypted between VPN and the world, including source and destination information?

 

 

VPN over Tor is for if you don't want to trust AirVPN. If you didn't pay anonymously then there's minimal reason to do this. You will also have a substantially slowed speeds with this.

 

Tor over VPN is what I would recommend. Your trust is placed in AirVPN, and they hide your usage of Tor. Your ISP and anybody watching over is going to be more suspicious of you using Tor than simply an OpenVPN connection. The only downside I see to this is that you are not protected against hostile exit nodes.

 

Do you mean to say "If you paid anonymously then there's minimal reason to do this"?

 

 

 

Tor over VPN is what I would recommend. Your trust is placed in AirVPN, and they hide your usage of Tor. Your ISP and anybody watching over is going to be more suspicious of you using Tor than simply an OpenVPN connection. The only downside I see to this is that you are not protected against hostile exit nodes.

 

Hello!

 

Well, with Tor over Air you don't put your trust on AirVPN. Our servers will see only traffic encrypted by Tor and only to/from various Tor guards (at least for your applications using Tor). So it's quite a good partition of trust. If you don't use end-to-end encryption you put a lot, really a lot, of your trust on the Tor exit-nodes operators, watch out.

 

Tor over OpenVPN with end-to-end encryption is really good and, as we have seen from leaked documents, it is a "huge", huge problem even for NSA.

 

Kind regards

 

"Tor over OpenVPN"...is that different than Tor over Eddie or same thing?

 

Does "end-to-end encryption" mean using only https sites?  That is, http sites would be a security vulnerabilty?

[InactiveUser 185]

The con "VPN provider is able to snoop on your traffic" means packets are not encrypted between VPN and the world, including source and destination information?

 

 

Right, a VPN only provides an encrypted channel between you and the VPN server, but it does not somehow encrypt the packets going through that channel: If you send unencrypted data into a VPN, that's how they will go out to the world.

 

Whatever you use as an exit point for your traffic will be in a position to:

• observe where you're going to
• observe who you are (only true for a direct VPN connection; not true for VPN-over-Tor; virtually not true for Tor itself)
• read the contents of unencrypted connections (HTTP, FTP, Telnet, old email servers not using TLS, etc.)
• modify the contents of unencrypted connections (change DNS requests, change website content, inject ads, inject malicious content)
• to some extent, attack encrypted connections (downgrade attacks; SSLStrip; replace valid with rogue certificates)

This is true for both VPNs and Tor exit nodes (if used as your exit point).

An argument can be made that using a VPN as your exit point is potentially more dangerous than using Tor as your exit point:

A VPN service is controlled by a single entity, whereas Tor nodes are controlled by a number of different entities.

 

VPN as exit point:

If the VPN service were to act maliciously (or get compromised), all your traffic would be affected all the time (fixed exit point).

 

Tor as exit point:

If some Tor exit nodes were to act maliciously (or get compromised), some of your traffic would be affected some of the time (constantly changing exit points)

 

 

Touching on some of your other questions:

 

No, "Tor over OpenVPN" and "Tor over Eddie" don't refer to different things: Eddie is just AirVPN's custom graphical interface to OpenVPN. In this context, VPN/OpenVPN/AirVPN/Eddie will often be used interchangeably.

 

Yes, unencrypted traffic like HTTP should always be considered a (potential) security vulnerability and (definite) privacy issue.

[eyes878 43]

 

Tor over VPN is what I would recommend. Your trust is placed in AirVPN, and they hide your usage of Tor. Your ISP and anybody watching over is going to be more suspicious of you using Tor than simply an OpenVPN connection. The only downside I see to this is that you are not protected against hostile exit nodes.

Hello!

 

Well, with Tor over Air you don't put your trust on AirVPN. Our servers will see only traffic encrypted by Tor and only to/from various Tor guards (at least for your applications using Tor). So it's quite a good partition of trust. If you don't use end-to-end encryption you put a lot, really a lot, of your trust on the Tor exit-nodes operators, watch out.

 

Tor over OpenVPN with end-to-end encryption is really good and, as we have seen from leaked documents, it is a "huge", huge problem even for NSA.

 

Kind regards

That is true, I forgot about that. The trust is in you in regards to that you see the source IP, but your data is encrypted due to Tor.

[difflehuffy 0]

When I run AirVPN over Tor on Windows 7 I get:

 

"Unable to communicate with TOR (Unable to find IP address of TOR first node of an established circuit.). Is TOR up and running?"

 

When I hit test I get:

 

"515 Authentication failed. Password did not match HashedControlPassword *or* authentication cookie"

 

 

 

Tor is up and running.  As far as i can tell the Tor guide applies to Linux.  Not sure what to do.

 

Also, can I expect problems with running Tor in bridged mode?

[difflehuffy 0]

woops never mind.  cookies were not disabled by default in tor.  Unchecked it good to go.

[Weasel 16]

I am confused by this:  "An argument can be made that using a VPN as your exit point is potentially more dangerous than using Tor as your exit point:
A VPN service is controlled by a single entity, whereas Tor nodes are controlled by a number of different entities."

 

If I connect VPN and then launch TOR and a malicous exit node is tracking me isn't it just going to trace back to the VPN server which has mulitple persons on it?  How would they know user 1 was using TOR and user 2 was not?  Does not the VPN server put up a wall so the only way they could trace me is to request logs from AIRVPN, something they state they don't carry?

[zhang888 1065]

I am confused by this:  "An argument can be made that using a VPN as your exit point is potentially more dangerous than using Tor as your exit point:

A VPN service is controlled by a single entity, whereas Tor nodes are controlled by a number of different entities."

 

If I connect VPN and then launch TOR and a malicous exit node is tracking me isn't it just going to trace back to the VPN server which has mulitple persons on it?  How would they know user 1 was using TOR and user 2 was not?  Does not the VPN server put up a wall so the only way they could trace me is to request logs from AIRVPN, something they state they don't carry?

 

You are confusing the threat model here. "Tracing back" is not the main point, but more like activity correlation and chances of being a victim of a targeted (browser) attack, or phishing, by adversary that controls the VPN exit.

The idea of this argument is generally correct - if a VPN provider is malicious or compromised, they can see all of your traffic, all the time. Consider it as bad exit in Tor - but 100% of the time.

With Tor - you exit to each location with a different exit relay, and those relays are changed every few minutes. Given that a small % of relays monitor and record exit traffic, it's still not all your activity, and it's also mixed with other users.

You gain more security by decentralization - a generally correct practice not only related to VPNs and Tor.

[Weasel 16]

Ok, I think I understand what you are saying.  So if my TOR browser were the target of an attack, like when they had the java attack several years ago, if I went VPN over TOR and my browser was compromised somehow then VPN as the web connection would protect me as opposed to TOR being the web connection?  Sorry if I am still confused, I have been trying to educate myself on this stuff and each website seems to add to the ball of string.

 

What are the chances of a VPN server being compromised?  Also, if the VPN is not compromised than my assumption is correct, the TOR trail would hit a wall at the VPN server?

[zhang888 1065]

Don't mix attacks that are targeted against your own software - in case this attack is successful, both Tor and VPN would be useless. This is what the attacks against Tor users

generally mean, when you read about them in the news. Several attacks are carried in order to deanonimize and unmask users.

 

Also, don't mix the Tor browser, which is just a hardened fork of Firefox, with the Tor routing concept. If your Tor browser is attacked and the attacker managed to run code

on your device, both Tor and VPN will be useless - same as the case of getting infected with malware.

 

The chances of VPN server being compromised brings the question who your adversary is. A strong enough adversary will not need to gain access to the server at all - they

can use the beurocratic chain in order to pressure the ISP of the VPN server into logging whatever is needed. In most of this cases they will already know who the user is,

so in order to build the case they will need to gather more intelligence/evidence (depending on who the adversary is).

If you consider yourself being a target of something that is described above, Tor might be a temporary solution, because all people make mistakes.

 

The general rule is, if you are accessing content which is highly questionable in your country, using only a single VPN server is less advised.

For all other use-cases, such as browsing,file sharing and avoiding ISP blocks, VPN is the way to go.

[Weasel 16]

Thanks.  After doing some reading I see where I was confused.  A compromised exit node is if you leave the TOR network to go to a regular .com website.  If you stay on the tor network then you never encounter an exit node.  Onion sites are always encypted so your activity will be hidden unless you donwload something that has a tracker in it that runs, but just clicking on an onion site should not compromise security.  I find TOR confusing and just looking through a site that list onion pages makes me not want to go there at all, or use TOR.  One page just listed about 100 onion addresses with no information as to what they are, how dangerous is that!  Really, what is the purpose of this?

[zhang888 1065]

Not sure what part of it is still confusing for you, but generally Tor Browser can be configured exactly for untrusted sites.

All you have to do is clicking the green onion near the URL bar, click on Privacy and security settings and set it on High.

 

For extra security you can use the built-in NoScript plugin to block all Javascript on new/untrusted sites.

All browser exploits from the past required Javascript in order to run, Flash/Java/Silverlight are not bundled, so this makes this browser a pretty safe choice.

 

If you want paranoid level of security, install a virtualized live OS, such as the great Tails, and use it on High security mode to access any unknown sites. The complexity of bypassing all those mechanisms makes it

very hard to compromise your real machine.