Jump to content
Not connected, Your IP: 3.235.246.51

Recommended Posts

Just wandering what protection AirVPN has against timing correlation attacks on the exit servers like ProtonVPN has called secure-core feature ? https://protonvpn.com/support/secure-core-vpn/
Here's a cut from the article on their site and I apologise if theirs already a thread on this but a quick search didn't give me any results.

ProtonVPN’s unique Secure Core architecture allows us to protect our users from network attacks that other VPNs cannot defend against. A classic VPN setup involves a client passing traffic through a VPN server en-route to the final destination. If an attacker can get control of the VPN server, or monitor the network of the server, they will be able to match VPN clients with their traffic, nullifying the privacy benefits of the VPN.


 

Share this post


Link to post

Funny marketing fluff. :) Since AirVPN birth we allow multi-hop connections (opt-in) between different VPN servers, between VPN servers and SOCKS or HTTPS proxies, or (better solution) between VPN servers and Tor nodes. Safer and better than marketing fluff.

HOWEVER, it must be known that there are some errors in the article you linked. It mixes at least two totally different attack types and makes a lot of confusion.  Timing attacks can be performed anyway even on Tor network (in any low latency mix based protocol network, in general) given an adversary with enough power to monitor vast portions of the Internet., so the general analysis provided by the article is... imaginative, to say the least. :)

Kind regards
 

Share this post


Link to post
Guest
11 hours ago, Staff said:

Funny marketing fluff. :) Since AirVPN birth we allow multi-hop connections (opt-in) between different VPN servers, between VPN servers and SOCKS or HTTPS proxies, or (better solution) between VPN servers and Tor nodes. Safer and better than marketing fluff.

HOWEVER, it must be known that there are some errors in the article you linked. It mixes at least two totally different attack types and makes a lot of confusion.  Timing attacks can be performed anyway even on Tor network (in any low latency mix based protocol network, in general) given an adversary with enough power to monitor vast portions of the Internet., so the general analysis provided by the article is... imaginative, to say the least. :)

Kind regards
 

Hi! What do you mean by opting-in to multi-hop connections? Did you refer to your Geo-routing feature or to the inofficial Qomui client?

Best!

Share this post


Link to post
@HannaForest

Hello!

More simply, by using Tor (either Tor over OpenVPN or OpenVPN over Tor, supported by Eddie desktop editions) or using two connection slots from the same machine (for example with the aid of a VM attached to the host via NAT). First solutions are better because you don't multi-hop on servers all belonging to the same company (AirVPN).

Kind regards
 

Share this post


Link to post

Thank you for this clarification. I wonder if you might be able to point to the instructions for opting-in to the following: Since AirVPN birth we allow multi-hop connections (opt-in) between different VPN servers,

Share this post


Link to post

I think it's almost trivial to connect to internet via multi hop OpenVPN system, at least on Linux. Thanks to AirVPN for allowing multiple connections at the same time!
The hopping can be made with the following bash script by Perfect Privacy (https://www.perfect-privacy.com/en/manuals/linux_openvpn_terminal_cascading).

At first, you download the ovpn configurations for your favorite servers. I use only one hop so in practice, I need two different OpenVPN servers with their entry IP addresses.
Then you follow the instructions of the script. For example, if your first server is in Siauliai, you run

sudo openvpn --config AirVPN_LT-Siauliai_Porrima_UDP-443.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec
Then read the output of the above command and insert the given gateway IP address to the next hop:
sudo openvpn --config AirVPN_LV-Riga_Meissa_UDP-443.ovpn --script-security 2 --route remote_host--persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 10.xxx.yyy.zzz
(Note that the hop script looks also for update-resolv-conf  script to update the DNS, so install it if necessary from https://github.com/jonathanio/update-systemd-resolved).

Then the traffic goes through two VPN servers! Your ISP sees UDP traffic to the first hop, meanwhile your external IP looks to be the exit IP address of the second server. If you want to apply leak protection, you can use Eddie. The second option is to apply Eddie's leak protection and then export the generated iptables rules to a file:
sudo iptables-save > iptables-rules.txt
sudo iptables-restore iptables-rules.txt
If your iptables rules were empty before leak protection, you can recover that state by
sudo iptables -F

The last step is really not necessary, but rather for peace of mind. Latest Linux distros may have peculiar DNS behaviour (not leak, because even DNS requests are tunneled in the VPN connection), you can remove the nasty entry of
DNS Domain: ~.
from your systemd-resolved daemon by command (assumed that your interface is called wlan0)
sudo systemd-resolve -i wlan0 --set-domain local
I don't know, if the local argument is a proper one, but at least is forces away the value ~. and ipleak.net shows that non-AirVPN DNS servers are not used at all.

 

Share this post


Link to post

Hello Rohko
Thank you so much for that. I'll give it a go. As it I use linux but am still learning. This is a good learning experience.

Share this post


Link to post
7 hours ago, telemus said:

Hello Rohko
Thank you so much for that. I'll give it a go. As it I use linux but am still learning. This is a good learning experience.


Glad my post was helpful. 😃
BTW the speed of the double hop connection will be of course worse than a single connection, but I am quite happy with it.
I usually select two servers, which are located close to each other (like Lithuania and Latvia) so the latency won't increase too much while the extra protection against correlation sniffing is achieved (compared to the case where both servers are located in the same country).

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...