Noobiana_2014

AirVPN must offer Multi-Hop double VPN and Tor OverVPN in openvpn config ?


It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. It's running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and it's not that difficult to do!


> It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. It's running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and it's not that difficult to do!

Could someone please elaborate on this?


 

> It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. It's running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and it's not that difficult to do!
>
> Could someone please elaborate on this?

I would also like for you to elaborate on this. Thanks.


To set this up you might use one on the router, one on your main OS (Windows, Linux, ...) and for a third layer you might use a VM running Linux which uses your third connection.

I believe 5 hops (with Tor) is overkill. If you use Tor you'll know that one layer already slows it down a lot; this is normally barely an issue when just using it to post on the forum, but if you try to watch videos (e.g. YouTube) it will be very slow.

On my setup my router randomly chooses a European IP, and then I set up a second connection (preferably in another country) from Linux/Windows.


Helping mankind one line of code at a time.

Kind regards, Me


 

 

> It is already possible. I do it all the time. In fact I am combining those now and using 5 hops to key this post. You can use 3 Air servers in a chain if you want, and/or combine TOR usage with Air. It's running very smoothly on my end and the connection is very reliable. You simply have to "teach" yourself how to do it, and it's not that difficult to do!
>
> Could someone please elaborate on this?
>
> I would also like for you to elaborate on this. Thanks.

 

 

If you want to do this without separate machines (physical or virtual), then this may help:

 

https://airvpn.org/topic/11277-its-possible-connect-two-vpn-at-the-same-time/?p=16345

 

You have to manage your routing table yourself, rather than using OpenVPN's default setup.

 

Since that was posted, AirVPN has switched from "net30" to "subnet" topology, which means that the procedure in that post will no longer work without another tweak. This is because if you attempt to make multiple connections using UDP on port 443 (for example), the remote address for all of them will be 10.4.0.1, resulting in a conflict. This can be overcome, but not simply. I don't want to spend time explaining unless you are still interested after reading the post above.

 

To avoid the conflict, you could try the procedure with one connection using UDP on port 443, and another using TCP on port 443, so that the connection using TCP will have a remote end with IP address 10.5.0.1.

 

I should add that in the past AirVPN staff have questioned the value of doing this unless the VPN connections are from independent providers.
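As an added illustration of what "managing the routing table yourself" means for a tunnel-within-a-tunnel chain (this is example code written for this thread, not code from the post above or from AirVPN): each hop's server must be reachable only through the previous hop's tunnel, the default route moves to the innermost tunnel, and two hops that share the same remote tunnel gateway cannot coexist in one routing table. The hop names, server addresses, interface names and the physical uplink gateway are constructed; the gateway addresses 10.4.0.1 for UDP/443 and 10.5.0.1 for TCP/443 are the ones the post states for AirVPN's "subnet" topology. The script only generates the `ip route` commands; it does not run them.

```python
"""Routing plan for nested ("tunnel within a tunnel") OpenVPN hops.

Added example for the AirVPN multi-hop thread, not the forum's or AirVPN's
own code. All hop names, server addresses and interface names are
constructed; the tunnel gateway addresses come from the thread itself.
Each OpenVPN instance is assumed to run with --route-nopull so that it does
not rewrite the default route on its own.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Hop:
    name: str      # label for this hop (constructed)
    server: str    # public address of the VPN server (constructed)
    proto: str     # "udp" or "tcp"
    port: int
    tun: str       # local tunnel interface this hop creates (constructed)
    gateway: str   # remote tunnel endpoint handed out by the server


class RoutingConflict(ValueError):
    """Raised when two hops would share one remote tunnel gateway address."""


def check_gateways(hops: List[Hop]) -> None:
    """Reject chains in which two hops use the same remote gateway.

    With AirVPN's subnet topology every UDP/443 session sees 10.4.0.1 as its
    remote end, so a route 'via 10.4.0.1' would be ambiguous between tunnels.
    """
    seen = {}
    for hop in hops:
        if hop.gateway in seen:
            raise RoutingConflict(
                f"{seen[hop.gateway]} and {hop.name} both use gateway {hop.gateway}"
            )
        seen[hop.gateway] = hop.name


def plan_routes(hops: List[Hop], uplink_gateway: str, uplink_dev: str) -> List[str]:
    """Return the `ip route` commands for the chain hops[0] -> ... -> hops[-1]."""
    if not hops:
        raise ValueError("chain needs at least one hop")
    check_gateways(hops)
    cmds = []
    # The first hop's server is reached over the physical uplink.
    cmds.append(f"ip route add {hops[0].server}/32 via {uplink_gateway} dev {uplink_dev}")
    # Every later hop's server is reached only through the previous tunnel,
    # which is what makes the later session a tunnel inside the earlier one.
    for prev, nxt in zip(hops, hops[1:]):
        cmds.append(f"ip route add {nxt.server}/32 via {prev.gateway} dev {prev.tun}")
    # All remaining traffic leaves through the innermost (last) tunnel.
    last = hops[-1]
    cmds.append(f"ip route replace default via {last.gateway} dev {last.tun}")
    return cmds


# Constructed sample chains. The UDP/TCP split is the workaround from the post:
# the TCP session gets a different remote gateway, so the two can coexist.
EXAMPLE_CHAIN = [
    Hop("air1", "198.51.100.10", "udp", 443, "tun0", "10.4.0.1"),
    Hop("air2", "198.51.100.20", "tcp", 443, "tun1", "10.5.0.1"),
]
CONFLICTING_CHAIN = [
    Hop("air1", "198.51.100.10", "udp", 443, "tun0", "10.4.0.1"),
    Hop("air2", "198.51.100.20", "udp", 443, "tun1", "10.4.0.1"),
]


if __name__ == "__main__":
    for cmd in plan_routes(EXAMPLE_CHAIN, "192.0.2.1", "eth0"):
        print(cmd)
    try:
        plan_routes(CONFLICTING_CHAIN, "192.0.2.1", "eth0")
    except RoutingConflict as exc:
        print("conflict:", exc)
```

The host-side interface routes are only half of the job: whichever hop terminates the chain still decides what its tunnel gateway forwards, so a chain with the same provider at every hop gives the layering the thread describes, not independence from that provider.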


 

 

 

> If you want to do this without separate machines (physical or virtual), then this may help:
>
> https://airvpn.org/topic/11277-its-possible-connect-two-vpn-at-the-same-time/?p=16345
>
> You have to manage your routing table yourself, rather than using OpenVPN's default setup.
>
> Since that was posted, AirVPN has switched from "net30" to "subnet" topology, which means that the procedure in that post will no longer work without another tweak. This is because if you attempt to make multiple connections using UDP on port 443 (for example), the remote address for all of them will be 10.4.0.1, resulting in a conflict. This can be overcome, but not simply. I don't want to spend time explaining unless you are still interested after reading the post above.
>
> To avoid the conflict, you could try the procedure with one connection using UDP on port 443, and another using TCP on port 443, so that the connection using TCP will have a remote end with IP address 10.5.0.1.
>
> I should add that in the past AirVPN staff have questioned the value of doing this unless the VPN connections are from independent providers.

That does work, but yeah, if it's just multi-hop between AirVPN servers it has very little value, and adding it so that you can connect to non-AirVPN servers through an AirVPN server would be a lot of work, though they do have Tor over Air and such, so it would be possible if they made changes, and then just make it so that, like with Viscosity, you provide server info and it connects and routes.


> That does work, but yeah, if it's just multi-hop between AirVPN servers it has very little value

I don't agree with that and here is why:

I believe the Air tunnel is pretty much impenetrable from the outside. Let's assume that any adversary cannot penetrate the tunnel and read anything passing through regardless of the length (number of relays Air/Tor). That assumption standing, now an adversary can set up OUTSIDE of the tunnel and does so by monitoring the datacenters hosting VPN servers. This happens all the time and is completely beyond Air's control. So as an adversary I start logging ALL IPs coming into a target datacenter. Picture a bicycle wheel where the spokes are incoming IPs and the center is the datacenter/server. If I continue watching this bicycle wheel I will start to determine what a given spoke on the wheel is actually doing over time. It's a little beyond this post as to how it's done, but with time and one hop it's not that difficult a process. Once I have zeroed in on a target IP I can then search the web for it using advanced tools. By using multiple hops and especially TOR I can effectively avoid an adversary zeroing in on my actual IP because it is so removed from the exit node via hops.

In the bicycle wheel metaphor picture 3 wheels where my one spoke comes to the center and then jumps from the center to become a spoke on wheel two, and again the process continues until I become a spoke on wheel 3. The adversary watching the IP of wheel three's spoke is so removed. I hope this simplistic metaphor of the wheel helps to make it clear for you. This is easy on one computer using VMs/BSD/pfSense type stuff.

Obviously, it would be better to have completely independent service providers since an "inside actor" compromise would leave you intact.


Yes, but this is a very specific scenario you are describing. In general, you don't need such a high amount of anonymity. Theoretically you are right, but it doesn't matter for the "average" user, who just wants a bit of privacy.

IMO the advantage of multi-hop doesn't outweigh the drawback in the form of a heavy speed hit.

 

But that is just my opinion on this.

 

Regards

 

Fox


The kind of multi-hop other VPN companies offer isn't a tunnel within a tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from, so plenty to have a program for every possible multi-hop within their system.


> The kind of multi-hop other VPN companies offer isn't a tunnel within a tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from, so plenty to have a program for every possible multi-hop within their system.

Do you have a link on this to support your post? By support (not being adversarial), I really mean to help us all visualize how it's being internally handled. Self directing of a "tunnel within a tunnel" provides a safety factor in that I am controlling its construction, and thereby managing the avoidance of a breach in protocol. I would love to study this as described by you.


 

> The kind of multi-hop other VPN companies offer isn't a tunnel within a tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from, so plenty to have a program for every possible multi-hop within their system.
>
> Do you have a link on this to support your post? By support (not being adversarial), I really mean to help us all visualize how it's being internally handled. Self directing of a "tunnel within a tunnel" provides a safety factor in that I am controlling its construction, and thereby managing the avoidance of a breach in protocol. I would love to study this as described by you.

You'd have to ask them how they actually do it.

The provider I use (in addition to Air) actually calls them "chains" and you can build your own with several hops.

https://thatoneprivacysite.net/vpn-comparison-chart/

That comparison chart shows there are currently 17 providers that provide multi-hop.


> The kind of multi-hop other VPN companies offer isn't a tunnel within a tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from, so plenty to have a program for every possible multi-hop within their system.

 

If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted.

 

But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case.

 

So, the REAL multi-hopping is what we already provide. The useless "multi-hopping" which is just a way to make your routing longer and nothing else is probably marketing fluff and as usual we will provide neither marketing fluff nor bloat-ware. If we miss something really useful for our mission in multi-hopping without multi-tunneling, please feel free to comment.

 

Kind regards
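The distinction drawn above, between a tunnel carried inside another tunnel and a hop that decrypts, re-encrypts and forwards, can be made concrete with a small model. The following is an added example written for this thread, not AirVPN's code; the cipher is a toy SHA-256 keystream standing in for the real tunnel cipher (it has no authentication and must not be used for anything real), and the two hop keys and the payload are constructed. The observer is placed inside hop 1, after hop 1 has removed its own layer, which is the "wiretapped VPN server" of the post.

```python
"""Nested tunnel versus hop-forwarding under a wiretapped first server.

Added example for the AirVPN multi-hop thread; not the forum's or AirVPN's
code. `_keystream`/`seal`/`open_` form a toy cipher used only to make the
layering visible. Keys and the sample payload are constructed.
"""
import hashlib
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with SHA-256 (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under `key`; output is nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def open_(key: bytes, blob: bytes) -> bytes:
    """Decrypt a blob produced by seal()."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# Constructed keys: one shared by the client with hop 1, one with hop 2.
KEY_HOP1 = b"constructed-key-for-hop-1-00000000"
KEY_HOP2 = b"constructed-key-for-hop-2-00000000"


def nested_tunnel(payload: bytes) -> bytes:
    """Tunnel within a tunnel.

    The client first encrypts for hop 2, then wraps that ciphertext for hop 1,
    i.e. the hop-2 session is carried inside the hop-1 tunnel. Returns what an
    observer inside hop 1 sees once hop 1 has removed its own layer: still the
    hop-2 ciphertext, never the payload.
    """
    inner = seal(KEY_HOP2, payload)
    outer = seal(KEY_HOP1, inner)
    return open_(KEY_HOP1, outer)


def forwarded_chain(payload: bytes):
    """Hop-forwarding "multi-hop".

    The client encrypts only for hop 1. Hop 1 decrypts, re-encrypts toward
    hop 2 and forwards. Returns (what the observer inside hop 1 sees, what is
    sent on to hop 2); the first element is the plaintext payload.
    """
    to_hop1 = seal(KEY_HOP1, payload)
    seen_at_hop1 = open_(KEY_HOP1, to_hop1)
    forwarded = seal(KEY_HOP2, seen_at_hop1)
    return seen_at_hop1, forwarded


def wiretap_sees_plaintext(mode: str, payload: bytes) -> bool:
    """True if an observer inside hop 1 obtains the payload in the given mode."""
    if mode == "nested":
        observed = nested_tunnel(payload)
    elif mode == "forwarded":
        observed, _ = forwarded_chain(payload)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return observed == payload


if __name__ == "__main__":
    sample = b"GET /private HTTP/1.1"   # constructed payload
    for mode in ("nested", "forwarded"):
        print(mode, "-> wiretap at hop 1 sees plaintext:",
              wiretap_sees_plaintext(mode, sample))
```

In the nested case hop 2 can still recover the payload from what hop 1 passes along, so the chain works end to end while the first server only ever handles ciphertext; in the forwarded case the same first server handles the plaintext in the clear between its decrypt and re-encrypt steps, which is exactly the wiretap the post describes.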


 

> The kind of multi-hop other VPN companies offer isn't a tunnel within a tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from, so plenty to have a program for every possible multi-hop within their system.
>
> If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted.
>
> But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case.
>
> So, the REAL multi-hopping is what we already provide. The useless "multi-hopping" which is just a way to make your routing longer and nothing else is probably marketing fluff and as usual we will provide neither marketing fluff nor bloat-ware. If we miss something really useful for our mission in multi-hopping without multi-tunneling, please feel free to comment.
>
> Kind regards

Thank you.

That was exactly my point several posts up in this thread. Also, I'd like to add that this method allows the user (ME in this case) to self-construct my circuit where I have control over what happens within it. I would be as wary as can be of submitting my circuit to a "closed system" design where I just assume things are being handled securely. In a sense it's part of my assuming a "partition of trust" responsibility.


 

> If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted.
>
> But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case.

Could you describe this in a little more detail? What's the major difference between yours and the other ones?

Regards


 

> The kind of multi-hop other VPN companies offer isn't a tunnel within a tunnel but a true hop from one datacenter to another that they've pre-programmed. You access the program based on the port to which you connect. Not the usual ports of 443 or 53 but things like 52465 and such. There are thousands to choose from, so plenty to have a program for every possible multi-hop within their system.
>
> If it's not a tunnel within a tunnel, what's the purpose? We think about multi-hopping as a way to solve the problem of a wiretapped VPN server: the traffic transiting through the first hop defeats the wiretapping purposes because the "real payload" is still encrypted.
>
> But if the traffic in the first hop is not tunneled into the second hop tunnel, but it is just decrypted, re-encrypted and routed/forwarded to another server operated by the same company, the wiretapping is successful in any case.
>
> So, the REAL multi-hopping is what we already provide. The useless "multi-hopping" which is just a way to make your routing longer and nothing else is probably marketing fluff and as usual we will provide neither marketing fluff nor bloat-ware. If we miss something really useful for our mission in multi-hopping without multi-tunneling, please feel free to comment.
>
> Kind regards

 

If you run a VM with its own NIC and connect to a completely different VPN service in that VM is that a tunnel within a tunnel? (obviously the host machine is connected to its own VPN through its own NIC).


VG8gZXJyIGlzIGh1bWFuLCB0byByZWFsbHkgZnVjayB1cCB0YWtlcyBhIGNvbXB1dGVyIQ==

