[SOLVED] Connecting to AirVPN via SOCKS proxy

[shiro21 4]

Hello! It's me again!

So, I'm curious to see if I can run a VPN connection via SOCKS proxy so that I can connect through TOR and/or my dedicated SSH tunnel. I wanted to see how much security layer I can run with! My goal is to do this:

localhost(127.0.0.1) --> Router(24.xx.xx.xx) --> SSH Proxy(54.xx.xx.xx) --> VPN(108.xx.xx.xx) --> Tor(xx.xx.xx.xx) --> Internets

I intend to do it by running a Tor browser connected to Tor on 127.0.0.1:9050. This Tor connection gets routed through VPN which is connecting through an SSH tunnel at 127.0.0.1:8080 and the whole thing goes on an epic odyssey to my SSH server, then VPN, then bounce around Tor, then finally whatever destination. It sounds feasible!

I am able to connect to my SSH server just fine and can pipe my browser and FTP browser through it using SOCKS proxy. Same for Tor. But I can't seem to pipe my VPN connection through either one! I can establish connections to the proxy and in my SSH server, can enter my credentials, but it spits out the same error.

Here are the logs of my attempts to connect to my SSH tunnel via SOCKS, my SSH tunnel via HTTP, and Tor via SOCKS:

// Connecting to SSH tunnel //

_________________________

Mar 30 18:13:07: Viscosity 1.3.5 (1051)

Mar 30 18:13:07: Checking reachability status of connection...

Mar 30 18:13:07: Connection is reachable. Starting connection attempt.

Mar 30 18:13:10: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011

Mar 30 18:13:09: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mar 30 18:13:09: LZO compression initialized

Mar 30 18:13:09: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]

Mar 30 18:13:12: TCP connection established with 127.0.0.1:8080

Mar 30 18:13:17: recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=36)

Mar 30 18:13:17: SIGTERM[soft,init_instance] received, process exiting

_________________________

// Connecting to SSH tunnel via HTTP proxy //

_________________________

Mar 30 18:21:58: Viscosity 1.3.5 (1051)

Mar 30 18:21:58: Checking reachability status of connection...

Mar 30 18:21:58: Connection is reachable. Starting connection attempt.

Mar 30 18:22:00: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011

Mar 30 18:22:25: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mar 30 18:22:25: LZO compression initialized

Mar 30 18:22:25: Attempting to establish TCP connection with 54.xx.xx.xx:443 [nonblock]

Mar 30 18:22:26: TCP connection established with 54.xx.xx.xx:443

Mar 30 18:22:26: recv_line: TCP port read failed on recv(): Operation now in progress (errno=36)

Mar 30 18:22:26: SIGTERM[soft,init_instance] received, process exiting

_________________________

// Connecting to Tor via SOCKS //

_________________________

Mar 30 18:24:46: Viscosity 1.3.5 (1051)

Mar 30 18:24:46: Checking reachability status of connection...

Mar 30 18:24:46: Connection is reachable. Starting connection attempt.

Mar 30 18:24:48: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011

Mar 30 18:24:48: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mar 30 18:24:48: LZO compression initialized

Mar 30 18:24:48: Attempting to establish TCP connection with 127.0.0.1:9050 [nonblock]

Mar 30 18:24:51: TCP connection established with 127.0.0.1:9050

Mar 30 18:24:51: TCPv4_CLIENT link local: [undef]

Mar 30 18:24:51: TCPv4_CLIENT link remote: 127.0.0.1:9050

Mar 30 18:25:08: [server] Peer Connection Initiated with 127.0.0.1:9050

Mar 30 18:25:13: TUN/TAP device /dev/tun0 opened

Mar 30 18:25:13: /sbin/ifconfig tun0 delete

Mar 30 18:25:13: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

Mar 30 18:25:13: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up

Mar 30 18:25:13: Initialization Sequence Completed

Mar 30 18:27:13: [server] Inactivity timeout (--ping-restart), restarting

Mar 30 18:27:13: SIGUSR1[soft,ping-restart] received, process restarting

Mar 30 18:27:14: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mar 30 18:27:14: LZO compression initialized

Mar 30 18:27:14: Attempting to establish TCP connection with 127.0.0.1:9050 [nonblock]

Mar 30 18:27:15: TCP connection established with 127.0.0.1:9050

Mar 30 18:27:20: recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=36)

Mar 30 18:27:20: SIGTERM[soft,init_instance] received, process exiting

_________________________

As you can see, I got the most progress with Tor but even that crapped out before I can even establish a VPN connection. What to do, admin? What to do...?

[EDIT]

For comparison, here is my FTP log showing successful connection via SSH:

_________________________

18:17:40 Status: Connecting to ***********.********.com through proxy

18:17:40 Status: Resolving address of localhost

18:17:40 Status: Connecting to 127.0.0.1:8080...

18:17:40 Status: Connection with proxy established, performing handshake...

18:17:40 Status: Connection established, waiting for welcome message...

18:17:42 Response: 220 ProFTPD 1.3.3e Server (******** FTP server) [178.xx.xx.xx]

18:17:42 Command: AUTH TLS

18:17:43 Response: 234 AUTH TLS successful

18:17:43 Status: Initializing TLS...

18:17:43 Status: Verifying certificate...

18:17:43 Command: USER *******

18:17:43 Status: TLS/SSL connection established.

18:17:44 Response: 331 Password required for ********

18:17:44 Command: PASS *******

18:17:44 Response: 230 User ******* logged in

18:17:44 Command: SYST

18:17:44 Response: 215 UNIX Type: L8

18:17:44 Command: FEAT

18:17:45 Response: 211-Features:

18:17:45 Response: MDTM

18:17:45 Response: MFMT

18:17:45 Response: TVFS

18:17:45 Response: UTF8

18:17:45 Response: AUTH TLS

18:17:45 Response: MFF modify;UNIX.group;UNIX.mode;

18:17:45 Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;

18:17:45 Response: LANG bg-BG;fr-FR;ja-JP;zh-CN;zh-TW;ko-KR;it-IT;en-US*;ru-RU

18:17:45 Response: PBSZ

18:17:45 Response: PROT

18:17:45 Response: REST STREAM

18:17:45 Response: SIZE

18:17:45 Response: 211 End

18:17:45 Command: OPTS UTF8 ON

18:17:45 Response: 200 UTF8 set to on

18:17:45 Command: PBSZ 0

18:17:45 Response: 200 PBSZ 0 successful

18:17:45 Command: PROT P

18:17:45 Response: 200 Protection set to Private

18:17:45 Status: Connected

18:17:45 Status: Retrieving directory listing...

18:17:45 Command: CWD /

18:17:46 Response: 250 CWD command successful

18:17:46 Command: PWD

18:17:46 Response: 257 "/" is the current directory

18:17:46 Command: TYPE I

18:17:46 Response: 200 Type set to I

18:17:46 Command: PASV

18:17:47 Response: 227 Entering Passive Mode

18:17:47 Command: MLSD

18:17:47 Status: Connecting to 127.0.0.1:8080...

18:17:47 Status: Connection with proxy established, performing handshake...

18:17:47 Response: 150 Opening ASCII mode data connection for MLSD

18:17:49 Response: 226 Transfer complete

18:17:49 Status: Directory listing successful

18:17:56 Status: Disconnected from server

_________________________

[EDIT 2]

I tried to regenerate a new config file from AirVPN using TCP 443 SOCKS 127.0.0.1. That showed a bit of progress because I can establish a connection to VPN server but it'd time out.

_________________________

Mar 30 19:40:09: Viscosity 1.3.5 (1051)

Mar 30 19:40:09: Checking reachability status of connection...

Mar 30 19:40:09: Connection is reachable. Starting connection attempt.

Mar 30 19:40:11: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [sSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011

Mar 30 19:40:11: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mar 30 19:40:11: LZO compression initialized

Mar 30 19:40:11: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]

Mar 30 19:40:14: TCP connection established with 127.0.0.1:8080

Mar 30 19:40:14: TCPv4_CLIENT link local: [undef]

Mar 30 19:40:14: TCPv4_CLIENT link remote: 127.0.0.1:8080

Mar 30 19:40:25: [server] Peer Connection Initiated with 127.0.0.1:8080

Mar 30 19:40:28: TUN/TAP device /dev/tun0 opened

Mar 30 19:40:28: /sbin/ifconfig tun0 delete

Mar 30 19:40:28: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

Mar 30 19:40:28: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up

Mar 30 19:40:28: Initialization Sequence Completed

Mar 30 19:42:30: [server] Inactivity timeout (--ping-restart), restarting

Mar 30 19:42:30: SIGUSR1[soft,ping-restart] received, process restarting

Mar 30 19:42:30: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mar 30 19:42:30: LZO compression initialized

Mar 30 19:42:30: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]

Mar 30 19:42:31: TCP connection established with 127.0.0.1:8080

Mar 30 19:42:33: TCPv4_CLIENT link local: [undef]

Mar 30 19:42:33: TCPv4_CLIENT link remote: 127.0.0.1:8080

Mar 30 19:42:44: [server] Peer Connection Initiated with 127.0.0.1:8080

Mar 30 19:42:47: TUN/TAP device /dev/tun0 opened

Mar 30 19:42:47: /sbin/ifconfig tun0 delete

Mar 30 19:42:47: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

Mar 30 19:42:47: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up

Mar 30 19:42:47: Initialization Sequence Completed

Mar 30 19:44:48: [server] Inactivity timeout (--ping-restart), restarting

Mar 30 19:44:48: SIGUSR1[soft,ping-restart] received, process restarting

Mar 30 19:44:48: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Mar 30 19:44:48: LZO compression initialized

Mar 30 19:44:48: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]

Mar 30 19:44:49: TCP connection established with 127.0.0.1:8080

Mar 30 19:44:52: TCPv4_CLIENT link local: [undef]

Mar 30 19:44:52: TCPv4_CLIENT link remote: 127.0.0.1:8080

Mar 30 19:45:02: [server] Peer Connection Initiated with 127.0.0.1:8080

Mar 30 19:45:05: TUN/TAP device /dev/tun0 opened

Mar 30 19:45:05: /sbin/ifconfig tun0 delete

Mar 30 19:45:05: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

Mar 30 19:45:05: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up

Mar 30 19:45:05: Initialization Sequence Completed

_________________________

[Staff 9750]

Hello!

Since you use Viscosity, please read here: http://www.thesparklabs.com/forum/viewtopic.php?f=3&t=189

We're looking forward to hearing from you, Mac users might be interested in your setup.

EDIT: see also this article http://www.niteoweb.com/blog/openvpn-over-ssh that is not completely related to your case but that can anyway be useful.

Kind regards

[shiro21 4]

I figured it out!!

Thanks to your second article, I learned the critical flaw!! I had to add my SSH server's IP to the routing table to route the SSH connection outside VPN! I'm so stupid! How can you run a tunnel inside a tunnel that's inside the first tunnel?!

Coming to you live via SSH, VPN, and Tor!! And my god, is it slow.

Here's what my packets probably went through trying to connect to airvpn....

Packets gets encrypted in SSL for HTTPS. Gets another encryption in Tor. Gets another encryption in VPN. Gets final encryption in SSH disguised as SSL traffic. (Critical for VPN hating firewalls who only allow port 80 and 443, and deep-packet inspection wielding ISPs)

Packets leaves localhost and router on port 443 disguised as humble SSL traffic on with proper handshake and all to a non-blacklisted IP. Passes nosy ISP inspection and firewall and hits my SSH server somewhere far away. SSL disguised SSH layer is removed. Packets goes to VPN server somewhere else far away where VPN server sees me coming from SSH proxy. VPN encryption is removed. Packet enters Tor node, gets bounced around, leaves Tor node and loses Tor encryption. Since packets is still SSL encrypted, any evil Tor exit node can't do anything and my packets arrive at https://airvpn.org safe a few hundred milliseconds later!!

Take THAT, Big Brother!!

[shiro21 4]

After further research and thinking, this setup is really NOT that much beneficial over using any of these security connections individually. To understand, we must look at the benefits or purpose of each security measures.

SSL encrypts your connections. They obscure and lock your payload. But they do not hide where your connections are coming from or going to. Any such connection attempts are obvious to observers and can simply be blocked such as how Iran is blocking all SSL/TSL connections.

SSH and VPN also encrypts you connections but also does not hide your immediate origin and destination. This can be mitigated if they are used with a proxy. Or two... or three... or five.... But such proxies can and sometimes do track your connections and can blow your cover if you piss off a very powerful entity who threatens your SSH and VPN hosts.

Tor functions as a swarm of proxies bouncing your connections around in an effort to obscure and anonymize your traffic origin and destination like a huge school of fishes. They don't track your connections within the nodes so no Tor nodes, run by volunteers, can give you up. However, since anyone can create a relay node or exit node, you are essentially trusting your payload to a bunch of strangers who can and have intercepted valuable information from exit nodes. And since a huge swarm of nodes is so obvious, it draws attention to itself and your connections and payload, often by targeting known Tor relays and exit nodes. Any attempts to access Tor relays from a paranoid ISPs can be blocked, although Tor bridges addresses this, it does not address servers blocking access from known Tor nodes. Any connections, even SSL connections exiting the Tor network can be intercepted and spoofed. And that is the weakest point, in my opinion.

So, the ideal set up is to hide you attempt to access a known Tor relay and add an extra layer of encryption to survive the Tor network and leaving the exit node, and hide the fact you came from a Tor node.

This means, SSL -> SSH -> Tor -> VPN -> Internets

Why not switch SSH and VPN around so that SSH is last step? Because most VPN hosts are shared VPNs. Your external VPN IP address will be shared with other users and that is a good thing against certain trackers on websites. Even better, some VPN servers give you different shared external IP addresses each time you connect. So you get some of the anonymizing benefits of Tor without the notoriety of Tor while still hiding your origin from your VPN host. As far as I know, SSH hosts can also be shared but I don't know how it works. Still, I feel that since SSH hosts aren't too common yet, and most people just set up their own dedicated SSH servers, you don't get much of the "security through obscurity" anonymizing benefit of sharing IPs with other users.

In light of this, I want to see if I can figure out how to run VPN over Tor over SSH. I'll get back to you on that.