Is using VPN over Tor on a mobile device a bad idea?

[rikotap 0]

In my other thread (different topic), a user posted this:

 

"Unless you have a big reason to use VPN over Tor on mobile, don't."

 

I think this is potentially important information and I didn't want it getting lost in my other thread... So, why is VPN over Tor a bad idea? Or is it?

 

Why would VPN over Orbot / Orwall / Orweb combo on mobile be less effective regarding anonymity and security than VPN over Tor on a desktop device? Or are they?

[eyes878 43]

I believe I was the one that said that.

 

My reasoning is that there's no easy and tested way of doing it, it will require a few hacks and hence my statement, only do it if you have to. If you need a way of hiding the OpenVPN connection/fingerprint itself then I recommend you follow the stunnel on Android how-to that was recently posted.

 

I'm happy to answer questions to the best of my knowledge, but no promises.

[Br0wnb3ar 0]

I believe I was the one that said that.

 

My reasoning is that there's no easy and tested way of doing it, it will require a few hacks and hence my statement, only do it if you have to. If you need a way of hiding the OpenVPN connection/fingerprint itself then I recommend you follow the stunnel on Android how-to that was recently posted.

 

I'm happy to answer questions to the best of my knowledge, but no promises.

Diagree hacks are needed.

 

iOS for example...

- openvpn connect

- use no log shared IP VPN

- choose a non eyes exit server,

- all device traffic exits device is via that server

- open iOS onion browser (there are a few on App Store but onion browser recommended)

- spoof browser type in settings

- first jump INTO Tor is from VPN exit

- ISP doesn't know using Tor, just a vpn connection

- VPN knows you're using Tor but doesn't keep log (assuming trustworthy) and has no idea where you went.

[InactiveUser 185]

Br0wnb3ar, the idea is to hide the OpenVPN connection (which is necessary to thwart firewalls that block OpenVPN, but may allow SSL, SSH or some configurations of Tor).

Your suggested approach would not accomplish that.
Not to get too far off-topic, but I would like to point out a few other problems:

1. iOS

• While iOS might very well have better security design than other mobile platforms, it is a very hostile environment for Free Open Source Software. It's impossible to achieve any level of reliable, verifiable privacy or anonymity without FOSS.
• iOS is a very hostile environment for tinkerers. You do it the Apple Way™ or you don't do anything at all. I demonstrated that it's possible to use stunnel + OpenVPN on stock, non-rooted Android, using nothing but FOSS. It's not at all possible on iOS. You might be able to hack something together on a jailbroken iOS device, but that would mean:
  • resorting to outdated iOS versions (jailbreaks are unlikely to be available for the most recent version)
  • trusting a 3rd party to exploit a root-level security vulnerability on your device (that's how jailbreaks are installed!)
  • for those two reasons alone, I don't think jailbreaks can be considered a viable solution, especially for privacy-conscious people. They rather compound the problem.

2. iOS Onion Browser (assuming you mean this one, but my points would apply to any other app as well)

• How do you know this one to be better (or more trustworthy) than its competitors? How are you able to verify it actually contains an unmodified, un-backdoored Tor release? You can't do any of that on a locked down, DRM-encumbered, proprietary platform.
• Tor is released under the GPL license. As mentioned above, GPL software cannot (legally) be distributed in Apple's appstore. The ramifications go beyond legal rhetoric, they are in fact very practical: By distributing through Apple's store, the app's developer restricts the users' abitilies to freely use, read, modify and redistribute Tor as intended by Tor Project and the GPL license.
• The app has last been updated on March 31, 2015, which means the included Tor and OpenSSL versions are woefully out of date.

 
 
Back to the original topic: I agree with eyes878, VPN-over-Tor on mobile is probably not a very usable setup, and here is why:

• Tor on mobile works well. It handles constantly changing network conditions (or your device going to sleep) reasonably well and quickly re-uses its circuits or opens new ones as soon as connectivity is restored.
• a VPN will, in my experience, take just that little bit longer to re-establish the connection each time. This will, no doubt, be compounded if you tunnel it through Tor.

For this reason, I prefer to exclusively use Tor on mobile devices, unless I know connectivity to be very reliable, in which case I might use a VPN exclusively or Tor-over-VPN.

[Br0wnb3ar 0]

Still disagree. It all depends on the size of your tin foil hat, risk, where you live, speed of the connection, whether you're a target of a government entity and what you're up to. We could go around and around for days re: VPN, Proxy, Tor, VPN over Tor, Tor over VPN. There are pros and cons to each spending on how you're using them.

 

Let me ask you this, can you truly trust AirVPN? Your hurdle may be higher than others yet actually do nothing to better secure your privacy and anonymity. You have to determine your own level of trust.

 

1) OpenVPN Connect comes from the gang at OpenVPN. Open source? AirVPN uses OpenVPN?

2) If you use a VPN all the time, who cares? Plus your Tor activities are encrypted within the VPN until it hits the exit.

3) Using Tor only when you browse makes you less suspect? I'd prefer my ISP has no idea what I do.

4) Most top tier VPNs are reliable. Worst case configure for TCP if you're concerned about packet loss.

5) Speed. Depends on what you're doing. It's irresponsible to stream or torrent over Tor.

6) Jailbreaking makes operating systems more configurable but security is at greater risk. Plenty of examples lately.

7) Out of all the iOS onions bowsers, OBs dev is involved with the Tor project, has a good reputation in privacy circles and actually had a couple security audits conducted (disclosed) which found bugs that were quickly fixed. I'd say that leans in the right direction more than the others.

8) Be great if the Tor project did their own mobile browser for each platform but existing ones are using their source code if memory's serves. Better than someone writing it from scratch.

[InactiveUser 185]

No, it doesn't depend on your tin foil hat, it depends on principles.

 

Let me ask you this, can you truly trust AirVPN?

 

Well, I "trust" AirVPN slightly more than my internet providers, but that's about it. I don't foster any false belief in VPN providers, where did I give this impression? I recommend Tor instead of VPNs every chance I get.

Responding point by point:

1) I don't care where your OpenVPN Connect originally came from. It's distributed as proprietary software on a proprietary platform, containing who knows what, bound to all kinds of crazy clauses and restrictions. I don't use proprietary apps or proprietary platforms. I know exactly where my OpenVPN is coming from - compiled from source myself or compiled by someone who I have solid reason to trust. Give me one reason why I should trust Apple's platform with that task. Especially given all the recent hoopla about mandatory government crypto backdoors. iOS app installations are bound to your account. If you're personally targeted, it's very easy to deploy backdoored versions exactly and only to your account. This alone should be reason enough to avoid any sort of personalized app store.

2) "who cares" means you don't care. I do. If I use inherently untrustable applications on top of my VPN usage, everything I did was for nought.

3) In today's age, everyone is a suspect. Just talking about VPNs or Tor makes you a suspect. If your government cares about Tor, they also care about VPNs - see China. We weren't talking about avoiding being a suspect, but avoiding OpenVPN-blocking firewalls. Tor may sometimes be a way to accomplish that. I wasn't saying anything more or anything less than that.

4) Not sure what you mean by "reliable". Yes, AirVPN has been reliable for me. Mobile networks have not and that's why I use Tor on mobile instead, because in my experience, Tor handles network hiccups more gracefully than OpenVPN. Nothing more, nothing less.

5) True. Where exactly did I claim otherwise? Who torrents on a mobile data budget?

6) Agree, exactly what I said. Jailbreaks eek out a little bit of configurability on a hostile platform, at the cost of security. And at the cost of exploring alternative platforms instead.

7) I know about their audit. Great they fixed bugs, but what about all the security holes since freakin' March this year? I mean, great, they had their source code audited - but how do you know the audited source code equals your binary obtained from the app store? You don't and you can't. Also, the Onion Browser developer might be in contact with Tor Project, but they certainly are not involved. On Tor Project's site, there is an official reference to Orbot. None to Onion Browser or iOS (for good reason). Onion Browser is in no way condoned, recommended or referenced to by Tor Project.

8) Anonymity on mobile platforms is a hard problem to solve. That's why you haven't seen an offcial mobile version of Tor Browser. That's why you will never see an official version for iOS, especially if you take into consideration the licensing problems I mentioned. Guardian Project's Orfox for Android is on its way, though.