shiro21 4 Posted ...

Hello! It's me again! So, I'm curious to see if I can run a VPN connection via a SOCKS proxy so that I can connect through Tor and/or my dedicated SSH tunnel. I wanted to see how many security layers I can run with! My goal is to do this:

localhost(127.0.0.1) --> Router(24.xx.xx.xx) --> SSH Proxy(54.xx.xx.xx) --> VPN(108.xx.xx.xx) --> Tor(xx.xx.xx.xx) --> Internets

I intend to do it by running a Tor browser connected to Tor on 127.0.0.1:9050. This Tor connection gets routed through the VPN, which is connecting through an SSH tunnel at 127.0.0.1:8080, and the whole thing goes on an epic odyssey to my SSH server, then the VPN, then bounces around Tor, then finally whatever destination. It sounds feasible!

I am able to connect to my SSH server just fine and can pipe my browser and FTP browser through it using a SOCKS proxy. Same for Tor. But I can't seem to pipe my VPN connection through either one! I can establish connections to the proxy and, in my SSH server, can enter my credentials, but it spits out the same error. Here are the logs of my attempts to connect to my SSH tunnel via SOCKS, my SSH tunnel via HTTP, and Tor via SOCKS:

// Connecting to SSH tunnel //
_________________________
Mar 30 18:13:07: Viscosity 1.3.5 (1051)
Mar 30 18:13:07: Checking reachability status of connection...
Mar 30 18:13:07: Connection is reachable. Starting connection attempt.
Mar 30 18:13:10: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011
Mar 30 18:13:09: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 30 18:13:09: LZO compression initialized
Mar 30 18:13:09: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]
Mar 30 18:13:12: TCP connection established with 127.0.0.1:8080
Mar 30 18:13:17: recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=36)
Mar 30 18:13:17: SIGTERM[soft,init_instance] received, process exiting
_________________________

// Connecting to SSH tunnel via HTTP proxy //
_________________________
Mar 30 18:21:58: Viscosity 1.3.5 (1051)
Mar 30 18:21:58: Checking reachability status of connection...
Mar 30 18:21:58: Connection is reachable. Starting connection attempt.
Mar 30 18:22:00: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011
Mar 30 18:22:25: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 30 18:22:25: LZO compression initialized
Mar 30 18:22:25: Attempting to establish TCP connection with 54.xx.xx.xx:443 [nonblock]
Mar 30 18:22:26: TCP connection established with 54.xx.xx.xx:443
Mar 30 18:22:26: recv_line: TCP port read failed on recv(): Operation now in progress (errno=36)
Mar 30 18:22:26: SIGTERM[soft,init_instance] received, process exiting
_________________________

// Connecting to Tor via SOCKS //
_________________________
Mar 30 18:24:46: Viscosity 1.3.5 (1051)
Mar 30 18:24:46: Checking reachability status of connection...
Mar 30 18:24:46: Connection is reachable. Starting connection attempt.
Mar 30 18:24:48: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011
Mar 30 18:24:48: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 30 18:24:48: LZO compression initialized
Mar 30 18:24:48: Attempting to establish TCP connection with 127.0.0.1:9050 [nonblock]
Mar 30 18:24:51: TCP connection established with 127.0.0.1:9050
Mar 30 18:24:51: TCPv4_CLIENT link local: [undef]
Mar 30 18:24:51: TCPv4_CLIENT link remote: 127.0.0.1:9050
Mar 30 18:25:08: [server] Peer Connection Initiated with 127.0.0.1:9050
Mar 30 18:25:13: TUN/TAP device /dev/tun0 opened
Mar 30 18:25:13: /sbin/ifconfig tun0 delete
Mar 30 18:25:13: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Mar 30 18:25:13: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up
Mar 30 18:25:13: Initialization Sequence Completed
Mar 30 18:27:13: [server] Inactivity timeout (--ping-restart), restarting
Mar 30 18:27:13: SIGUSR1[soft,ping-restart] received, process restarting
Mar 30 18:27:14: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 30 18:27:14: LZO compression initialized
Mar 30 18:27:14: Attempting to establish TCP connection with 127.0.0.1:9050 [nonblock]
Mar 30 18:27:15: TCP connection established with 127.0.0.1:9050
Mar 30 18:27:20: recv_socks_reply: TCP port read timeout expired: Operation now in progress (errno=36)
Mar 30 18:27:20: SIGTERM[soft,init_instance] received, process exiting
_________________________

As you can see, I got the most progress with Tor, but even that crapped out before I could even establish a VPN connection. What to do, admin? What to do...?
[EDIT] For comparison, here is my FTP log showing a successful connection via SSH:
_________________________
18:17:40 Status: Connecting to ***********.********.com through proxy
18:17:40 Status: Resolving address of localhost
18:17:40 Status: Connecting to 127.0.0.1:8080...
18:17:40 Status: Connection with proxy established, performing handshake...
18:17:40 Status: Connection established, waiting for welcome message...
18:17:42 Response: 220 ProFTPD 1.3.3e Server (******** FTP server) [178.xx.xx.xx]
18:17:42 Command: AUTH TLS
18:17:43 Response: 234 AUTH TLS successful
18:17:43 Status: Initializing TLS...
18:17:43 Status: Verifying certificate...
18:17:43 Command: USER *******
18:17:43 Status: TLS/SSL connection established.
18:17:44 Response: 331 Password required for ********
18:17:44 Command: PASS *******
18:17:44 Response: 230 User ******* logged in
18:17:44 Command: SYST
18:17:44 Response: 215 UNIX Type: L8
18:17:44 Command: FEAT
18:17:45 Response: 211-Features:
18:17:45 Response: MDTM
18:17:45 Response: MFMT
18:17:45 Response: TVFS
18:17:45 Response: UTF8
18:17:45 Response: AUTH TLS
18:17:45 Response: MFF modify;UNIX.group;UNIX.mode;
18:17:45 Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
18:17:45 Response: LANG bg-BG;fr-FR;ja-JP;zh-CN;zh-TW;ko-KR;it-IT;en-US*;ru-RU
18:17:45 Response: PBSZ
18:17:45 Response: PROT
18:17:45 Response: REST STREAM
18:17:45 Response: SIZE
18:17:45 Response: 211 End
18:17:45 Command: OPTS UTF8 ON
18:17:45 Response: 200 UTF8 set to on
18:17:45 Command: PBSZ 0
18:17:45 Response: 200 PBSZ 0 successful
18:17:45 Command: PROT P
18:17:45 Response: 200 Protection set to Private
18:17:45 Status: Connected
18:17:45 Status: Retrieving directory listing...
18:17:45 Command: CWD /
18:17:46 Response: 250 CWD command successful
18:17:46 Command: PWD
18:17:46 Response: 257 "/" is the current directory
18:17:46 Command: TYPE I
18:17:46 Response: 200 Type set to I
18:17:46 Command: PASV
18:17:47 Response: 227 Entering Passive Mode
18:17:47 Command: MLSD
18:17:47 Status: Connecting to 127.0.0.1:8080...
18:17:47 Status: Connection with proxy established, performing handshake...
18:17:47 Response: 150 Opening ASCII mode data connection for MLSD
18:17:49 Response: 226 Transfer complete
18:17:49 Status: Directory listing successful
18:17:56 Status: Disconnected from server
_________________________

[EDIT 2] I tried to regenerate a new config file from AirVPN using TCP 443 SOCKS 127.0.0.1. That showed a bit of progress because I can establish a connection to the VPN server, but it'd time out.
_________________________
Mar 30 19:40:09: Viscosity 1.3.5 (1051)
Mar 30 19:40:09: Checking reachability status of connection...
Mar 30 19:40:09: Connection is reachable. Starting connection attempt.
Mar 30 19:40:11: OpenVPN 2.2.1 x86_64-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Aug 1 2011
Mar 30 19:40:11: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 30 19:40:11: LZO compression initialized
Mar 30 19:40:11: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]
Mar 30 19:40:14: TCP connection established with 127.0.0.1:8080
Mar 30 19:40:14: TCPv4_CLIENT link local: [undef]
Mar 30 19:40:14: TCPv4_CLIENT link remote: 127.0.0.1:8080
Mar 30 19:40:25: [server] Peer Connection Initiated with 127.0.0.1:8080
Mar 30 19:40:28: TUN/TAP device /dev/tun0 opened
Mar 30 19:40:28: /sbin/ifconfig tun0 delete
Mar 30 19:40:28: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Mar 30 19:40:28: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up
Mar 30 19:40:28: Initialization Sequence Completed
Mar 30 19:42:30: [server] Inactivity timeout (--ping-restart), restarting
Mar 30 19:42:30: SIGUSR1[soft,ping-restart] received, process restarting
Mar 30 19:42:30: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 30 19:42:30: LZO compression initialized
Mar 30 19:42:30: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]
Mar 30 19:42:31: TCP connection established with 127.0.0.1:8080
Mar 30 19:42:33: TCPv4_CLIENT link local: [undef]
Mar 30 19:42:33: TCPv4_CLIENT link remote: 127.0.0.1:8080
Mar 30 19:42:44: [server] Peer Connection Initiated with 127.0.0.1:8080
Mar 30 19:42:47: TUN/TAP device /dev/tun0 opened
Mar 30 19:42:47: /sbin/ifconfig tun0 delete
Mar 30 19:42:47: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Mar 30 19:42:47: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up
Mar 30 19:42:47: Initialization Sequence Completed
Mar 30 19:44:48: [server] Inactivity timeout (--ping-restart), restarting
Mar 30 19:44:48: SIGUSR1[soft,ping-restart] received, process restarting
Mar 30 19:44:48: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 30 19:44:48: LZO compression initialized
Mar 30 19:44:48: Attempting to establish TCP connection with 127.0.0.1:8080 [nonblock]
Mar 30 19:44:49: TCP connection established with 127.0.0.1:8080
Mar 30 19:44:52: TCPv4_CLIENT link local: [undef]
Mar 30 19:44:52: TCPv4_CLIENT link remote: 127.0.0.1:8080
Mar 30 19:45:02: [server] Peer Connection Initiated with 127.0.0.1:8080
Mar 30 19:45:05: TUN/TAP device /dev/tun0 opened
Mar 30 19:45:05: /sbin/ifconfig tun0 delete
Mar 30 19:45:05: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Mar 30 19:45:05: /sbin/ifconfig tun0 10.5.1.142 10.5.1.141 mtu 1500 netmask 255.255.255.255 up
Mar 30 19:45:05: Initialization Sequence Completed
_________________________
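The first log dies at recv_socks_reply, which is OpenVPN waiting for the SOCKS5 reply from the listener on 127.0.0.1:8080. The script below is an added diagnostic, not code from the thread, from Viscosity or from OpenVPN: it performs the same SOCKS5 exchange OpenVPN's socks-proxy client performs before it starts TLS (greeting, method selection with no authentication, CONNECT to the VPN endpoint, reply) and reports which step fails. So that it runs offline, it includes a constructed FakeSocks5Server that stands in for the ssh -D listener in two modes: one that answers SOCKS5 and grants CONNECT only to port 443, and one that accepts the TCP connection and never answers, which reproduces the timeout symptom. The address 203.0.113.10 is a documentation address standing in for the VPN server; none of these hosts or ports come from the original post.

```python
"""SOCKS5 CONNECT probe (added example; not code from the thread or from OpenVPN).
Does what OpenVPN's socks-proxy client does before TLS: greeting, method reply, CONNECT,
CONNECT reply. The fake server stands in for 'ssh -D' so everything runs offline."""
import functools
import socket
import struct
import threading

SOCKS_VERSION = 5
REP_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
            3: "network unreachable", 4: "host unreachable", 5: "connection refused",
            6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf

def _skip_addr(sock, atyp):
    # ATYP 1 = IPv4 (4 bytes), 3 = name (length byte + name), 4 = IPv6 (16 bytes)
    if atyp not in (1, 3, 4):
        raise ConnectionError(f"unknown address type {atyp}")
    _recv_exact(sock, {1: 4, 4: 16}.get(atyp) or _recv_exact(sock, 1)[0])

def socks5_connect(proxy_host, proxy_port, dst_host, dst_port, timeout=5.0):
    """Socket tunnelled to dst_host:dst_port, or ConnectionError naming the failed step."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        s.sendall(bytes([SOCKS_VERSION, 1, 0]))  # offer one auth method: 0 = none
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != 0:
            raise ConnectionError(f"not a no-auth SOCKS5 listener (reply {ver:#04x} {method:#04x})")
        s.sendall(bytes([SOCKS_VERSION, 1, 0, 1]) + socket.inet_aton(dst_host)
                  + struct.pack("!H", dst_port))  # CMD 1 = CONNECT, ATYP 1 = IPv4
        _ver, rep, _rsv, atyp = _recv_exact(s, 4)
        if rep != 0:
            raise ConnectionError(f"CONNECT refused: {REP_TEXT.get(rep, f'code {rep}')}")
        _skip_addr(s, atyp)
        _recv_exact(s, 2)  # BND.PORT; everything after this is tunnel payload
        s.settimeout(None)
        return s
    except OSError as e:
        s.close()
        if isinstance(e, socket.timeout):
            raise ConnectionError(f"no SOCKS reply within {timeout}s: the listener accepted TCP "
                                  "but never answered the SOCKS5 handshake") from None
        raise

class FakeSocks5Server(threading.Thread):
    """Constructed stand-in for 'ssh -D'. mode='socks' grants CONNECT only to allow_ports;
    mode='mute' accepts TCP and never answers, which is what a non-SOCKS listener looks like."""
    def __init__(self, mode="socks", allow_ports=(443,)):
        super().__init__(daemon=True)
        self.mode, self.allow_ports = mode, set(allow_ports)
        self.sock = socket.create_server(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        self.start()
    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()
    def _serve(self, c):
        with c:
            try:
                if self.mode == "socks":
                    self._handshake(c)
                while c.recv(4096):  # mute: never answer; socks: a real proxy would relay here
                    pass
            except OSError:
                pass
    def _handshake(self, c):
        _ver, nmethods = _recv_exact(c, 2)
        _recv_exact(c, nmethods)  # the stand-in always picks method 0 = no authentication
        c.sendall(bytes([SOCKS_VERSION, 0]))
        _ver, cmd, _rsv, atyp = _recv_exact(c, 4)
        _skip_addr(c, atyp)
        port = struct.unpack("!H", _recv_exact(c, 2))[0]
        rep = 7 if cmd != 1 else (0 if port in self.allow_ports else 2)
        c.sendall(bytes([SOCKS_VERSION, rep, 0, 1]) + bytes(6))  # REP, then BND.ADDR 0.0.0.0:0

def probe(proxy_port, dst_host, dst_port, timeout=3.0):
    try:
        socks5_connect("127.0.0.1", proxy_port, dst_host, dst_port, timeout).close()
        return "ok"
    except OSError as e:
        return str(e)

@functools.lru_cache(maxsize=None)
def demo():
    good = FakeSocks5Server("socks", allow_ports=(443,))
    mute = FakeSocks5Server("mute")
    return {"connect_443": probe(good.port, "203.0.113.10", 443),
            "connect_1194": probe(good.port, "203.0.113.10", 1194),
            "mute": probe(mute.port, "203.0.113.10", 443, timeout=1.0)}
```

Against the real listener, call probe(8080, "<vpn server IPv4>", 443) while the ssh -D session is up: "ok" means the SOCKS side is fine and the problem is further along (routing, or a UDP profile); "no SOCKS reply" means the port is not a SOCKS5 listener at all; "CONNECT refused" means the SSH server side could not reach or was not allowed to reach the destination. The probe only tests TCP CONNECT, which is all ssh -D forwards, so the OpenVPN profile behind it has to be a TCP one.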
Staff 9973 Posted ...

Hello!

Since you use Viscosity, please read here: http://www.thesparklabs.com/forum/viewtopic.php?f=3&t=189

We're looking forward to hearing from you; Mac users might be interested in your setup.

EDIT: see also this article, http://www.niteoweb.com/blog/openvpn-over-ssh, which is not completely related to your case but can be useful anyway.

Kind regards
shiro21 4 Posted ...

I figured it out!! Thanks to your second article, I learned the critical flaw!! I had to add my SSH server's IP to the routing table to route the SSH connection outside the VPN! I'm so stupid! How can you run a tunnel inside a tunnel that's inside the first tunnel?!

Coming to you live via SSH, VPN, and Tor!! And my god, is it slow.

Here's what my packets probably went through trying to connect to airvpn....

Packets get encrypted in SSL for HTTPS. They get another encryption layer in Tor. They get another encryption layer in the VPN. They get a final encryption layer in SSH, disguised as SSL traffic. (Critical for VPN-hating firewalls that only allow ports 80 and 443, and deep-packet-inspection-wielding ISPs.)

Packets leave localhost and the router on port 443 disguised as humble SSL traffic, with a proper handshake and all, to a non-blacklisted IP. They pass nosy ISP inspection and the firewall and hit my SSH server somewhere far away. The SSL-disguised SSH layer is removed.

Packets go to the VPN server somewhere else far away, where the VPN server sees me coming from the SSH proxy. The VPN encryption is removed.

Packets enter a Tor node, get bounced around, leave the Tor node and lose the Tor encryption. Since the packets are still SSL encrypted, any evil Tor exit node can't do anything, and my packets arrive at https://airvpn.org safe a few hundred milliseconds later!!

Take THAT, Big Brother!!
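The "tunnel inside a tunnel" the post describes is a routing loop, and the script below is an added example (not from the thread, from AirVPN or from OpenVPN) that makes the fix mechanical. With socks-proxy 127.0.0.1 8080, the address OpenVPN itself connects to is loopback, so the bypass route OpenVPN creates for its own remote does not cover the SSH server sitting behind the SOCKS listener. Once redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via tun0, the SSH session that carries the tunnel is itself routed into the tunnel, and the VPN stalls until the ping-restart seen in the log. The script holds a constructed post-redirect route table, does the longest-prefix match the kernel would do for each hop of the chain, and emits the route ... net_gateway line for every hop that would otherwise leave through tun0. The 203.0.113.x addresses are documentation addresses standing in for the post's 54.xx.xx.xx SSH host and 108.xx.xx.xx VPN server; the tun0 addresses are the ones in the log; the en0/192.168.1.x entries are assumed.

```python
"""Added example (not from the thread): find which underlay hop a VPN's
redirect-gateway would swallow, and emit the OpenVPN 'route ... net_gateway'
bypass line the post's author had to add by hand.

Addresses are constructed: 203.0.113.54 stands in for the 54.xx.xx.xx SSH host
and 203.0.113.108 for the 108.xx.xx.xx VPN server; tun0 addresses are the ones
in the post's log; the en0 / 192.168.1.x entries are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str   # CIDR
    gateway: str
    iface: str


@dataclass(frozen=True)
class Hop:
    name: str
    host: str     # where this hop's TCP connection actually goes
    port: int


# Route table the Mac would have after OpenVPN applied redirect-gateway def1 (constructed).
ROUTES_AFTER_VPN = [
    Route("0.0.0.0/0", "192.168.1.1", "en0"),    # original default via the home router
    Route("0.0.0.0/1", "10.5.1.141", "tun0"),    # added by redirect-gateway def1
    Route("128.0.0.0/1", "10.5.1.141", "tun0"),  # added by redirect-gateway def1
    Route("10.5.1.141/32", "10.5.1.142", "tun0"),
    Route("127.0.0.0/8", "127.0.0.1", "lo0"),
    Route("192.168.1.0/24", "192.168.1.2", "en0"),
]

# The chain from the post: 'ssh -D 8080 -p 443 user@<ssh host>' and OpenVPN through that listener.
CHAIN = [Hop("ssh", "203.0.113.54", 443), Hop("openvpn", "127.0.0.1", 8080)]


def egress_for(ip, routes):
    """Longest-prefix match: the route the kernel picks for a packet to ip."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    if best is None:
        raise LookupError(f"no route to {ip}")
    return best


def bypass_routes(hops, routes, tun_iface="tun0"):
    """'route' lines pinning every non-loopback underlay hop to the pre-VPN gateway.

    Evaluate against the table redirect-gateway *will* produce: a hop whose
    packets would then leave via the tunnel interface needs a /32 host route
    through net_gateway (OpenVPN's keyword for the original default gateway)."""
    lines = []
    for h in hops:
        if ipaddress.ip_address(h.host).is_loopback:
            continue   # local listeners (ssh -D, Tor) never leave the host
        if egress_for(h.host, routes).iface == tun_iface:
            lines.append(f"route {h.host} 255.255.255.255 net_gateway")
    return lines


def render_ovpn(vpn_host, vpn_port, socks_port, bypass):
    """Client config for OpenVPN over a local SOCKS listener. 'ssh -D' forwards
    only TCP, so this has to be the provider's TCP profile (the post's second attempt)."""
    body = ["client", "dev tun", "proto tcp-client",
            f"remote {vpn_host} {vpn_port}",
            f"socks-proxy 127.0.0.1 {socks_port}",
            "redirect-gateway def1",
            *bypass,
            "# ca / cert / key / tls-auth lines from the provider bundle go here"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    print(render_ovpn("203.0.113.108", 443, 8080, bypass_routes(CHAIN, ROUTES_AFTER_VPN)))
```

The route line has to be in the .ovpn (or in Viscosity's routes pane) before the connection is started, because the damage is done the moment redirect-gateway is applied; adding it by hand afterwards only helps until the next ping-restart. If Tor is later inserted as a hop, the same rule applies to whatever Tor connects to: when Tor is pointed at the ssh -D listener it needs nothing, but a Tor that reaches its guards directly would need them excluded too, which is why chaining it behind the SOCKS listener is the simpler arrangement.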
shiro21 4 Posted ...

After further research and thinking, this setup is really NOT that much more beneficial than using any of these secure connections individually. To understand why, we must look at the benefits or purpose of each security measure.

SSL encrypts your connections. It obscures and locks your payload. But it does not hide where your connections are coming from or going to. Any such connection attempts are obvious to observers and can simply be blocked, such as how Iran is blocking all SSL/TLS connections.

SSH and VPN also encrypt your connections but likewise do not hide your immediate origin and destination. This can be mitigated if they are used with a proxy. Or two... or three... or five.... But such proxies can and sometimes do track your connections and can blow your cover if you piss off a very powerful entity who threatens your SSH and VPN hosts.

Tor functions as a swarm of proxies bouncing your connections around in an effort to obscure and anonymize your traffic origin and destination, like a huge school of fish. They don't track your connections within the nodes, so no Tor node, run by volunteers, can give you up. However, since anyone can create a relay node or exit node, you are essentially trusting your payload to a bunch of strangers who can and have intercepted valuable information at exit nodes. And since a huge swarm of nodes is so obvious, it draws attention to itself and to your connections and payload, often by targeting known Tor relays and exit nodes. Any attempt to access Tor relays from a paranoid ISP can be blocked; although Tor bridges address this, they do not address servers blocking access from known Tor nodes. Any connections, even SSL connections, exiting the Tor network can be intercepted and spoofed. And that is the weakest point, in my opinion.

So, the ideal setup is to hide your attempt to access a known Tor relay, add an extra layer of encryption to survive the Tor network and leaving the exit node, and hide the fact you came from a Tor node. This means: SSL -> SSH -> Tor -> VPN -> Internets

Why not switch SSH and VPN around so that SSH is the last step? Because most VPN hosts are shared VPNs. Your external VPN IP address will be shared with other users, and that is a good thing against certain trackers on websites. Even better, some VPN servers give you a different shared external IP address each time you connect. So you get some of the anonymizing benefits of Tor without the notoriety of Tor, while still hiding your origin from your VPN host. As far as I know, SSH hosts can also be shared, but I don't know how it works. Still, I feel that since SSH hosts aren't too common yet, and most people just set up their own dedicated SSH servers, you don't get much of the "security through obscurity" anonymizing benefit of sharing IPs with other users.

In light of this, I want to see if I can figure out how to run VPN over Tor over SSH. I'll get back to you on that.