Jump to content
Not connected, Your IP: 3.237.254.197
curhen57

Thoughts about about Tor+VPN (and who to trust)

Recommended Posts

Lately I've been thinking about the prospect of using VPN's in conjunction with the Tor proxy and done some research.
I know there are both pros and cons to Tor-over-VPN and VPN--Over-Tor connections and played with the idea of using both connection types at once - something I like to call the "Sandwiched Connection" in that you layer your Tor connection between two separate VPN connections.

Please correct me if I got any details wrong or missing.

First, you have your plain naked internet connection without a VPN or proxy so your ISP and local network can see everything you're doing.

Next, you connect to a VPN server. It masks your IP address and location from your ISP as well as encrypts your web traffic so they have no idea what you're doing. However, the company managing the VPN server will have access to your real IP address, location and web traffic that will be decrypted in their servers - making it important it is a trustworthy service provider that doesn't keep logs of your activities and allows you to create your account with a temporary email address, no personal details and paid with cryptocurrency (that is untraceable like Z-Cash and Monero).

You connect to your Tor proxy. Ordinarily, the Tor entry node will know your IP address and location. Since you are using a VPN, it will only know the masked address provided by the VPN server. Not only that but the Tor proxy will further encrypt your web traffic so even the VPN provider won't know what you are doing, just like how it, in turn, hides it from your ISP. Even better? Your ISP won't even know you are using Tor in the first place.

However, the Tor exit node decrypts your web traffic and has full access to it as if you were never using a VPN to begin with.
If the exit node happens to be malicious or operated by any authority that doesn't like what you're doing, they could potentially call whoever is operating the entry node and/or follow the mask IP address to the VPN service provider and contact them for details concerning you. Again, a trustworthy VPN provider with a no-logs policy is important.

Then comes the second VPN connection. After you connect to Tor, you connect to that second VPN server which should encrypt your web traffic from the tor exit node. Whatever company is managing that second server (it could be the same service as the first one or a different one) will only know the IP address and location provided by the Tor proxy and first VPN server but it will know your web traffic as it is being fed to their servers and decrypted. Not to mention that this "sandwiched connection" will deliver a big dent to your connection performance so it helps if you have a powerful router connected via ethernet.

So at the end of the day, I figured, someone has to know what you're up to online which leaves the question "Who do you trust with your personal information?"
Plus this is all just theory, as far I can tell.

Has anyone ever tried putting this into practise?
Can anyone provide any further insight into the "sandwiched connection"?

I look forward to talking about it.

Share this post


Link to post
59 minutes ago, curhen57 said:

However, the Tor exit node decrypts your web traffic and has full access to it as if you were never using a VPN to begin with.
If the exit node happens to be malicious or operated by any authority that doesn't like what you're doing, they could potentially call whoever is operating the entry node and/or follow the mask IP address to the VPN service provider and contact them for details concerning you.


Hello!

Thank you for your article.

Just a correction on the quoted part. That's not possible because the Tor exit-node does not know your "real" and/or your "VPN" IP address. In general the exit-node receives all the traffic from middle-relays, which in turn receive the traffic from Tor guards (the entry-nodes).

As far as it pertains to your purposes, consider the following setup, especially when high throughput is not a priority:
  • connect the host over "OpenVPN over Tor"
  • run a Virtual Machine attached to the host via NAT
  • Tor-ify everything in the VM
  • use end-to-end encryption, exclusively
  • use only VM traffic for any sensitive task

The above setup, we think, should meet all of your requirements. Furthermore, the main fault of "OpenVPN over Tor" (fixed circuit) is completely resolved by Tor in the VM.

Kind regards
 

Share this post


Link to post

I would like to add another consideration, which I feel is important in the equation.  My preference is VPNs (1 or 2) first, then before workspace I go to Virtual Machines wherein I connect via TOR.  The virtual machines mask any host motherboard hardware which can also betray you with an adversary that can ping it with skill.  The big factor overlooked in a "sandwich" approach is that TOR cannot automatically change the circuit route every 10 minutes or so.  While I am surfing my original two VPN's are constant (although I rotate them when starting every single session so they are rarely the same two) and the TOR exit IP keeps changing automatically.  The TOR entry guard is more constant (assuming you know how the guard works in TOR).  I would not want to sacrifice that capability when I spend hours surfing around.  ALWAYS close the TOR browser when leaving a site and going to another.  My approach, you decide if there is merit for your needs.

Share this post


Link to post
On 3/1/2020 at 10:15 PM, iwih2gk said:

I would like to add another consideration, which I feel is important in the equation.  My preference is VPNs (1 or 2) first, then before workspace I go to Virtual Machines wherein I connect via TOR.  The virtual machines mask any host motherboard hardware which can also betray you with an adversary that can ping it with skill.  The big factor overlooked in a "sandwich" approach is that TOR cannot automatically change the circuit route every 10 minutes or so.  While I am surfing my original two VPN's are constant (although I rotate them when starting every single session so they are rarely the same two) and the TOR exit IP keeps changing automatically.  The TOR entry guard is more constant (assuming you know how the guard works in TOR).  I would not want to sacrifice that capability when I spend hours surfing around.  ALWAYS close the TOR browser when leaving a site and going to another.  My approach, you decide if there is merit for your needs.

Hello.
I'm just trying to understand what you're saying here.
So let me get it straight. You prefer to use one or two VPNs before connecting to Tor on a virtual machine. No Onion Sandwich (VPN>Tor>VPN)?
The virtual machine can mask the host motherboard which can "betray" me? You mean anyone good enough can tell I am using a VM and crack right through to my host machine, is that it? If that's so, what if I used a Xen-based virtual machine? I hear they are more secure.

I presume by rotating VPN's you mean switching to different VPN servers every time - that's a good practise. While the Tor Exit IP changes by itself automatically, the entry node IP doesn't which is why you suggest I reset the Tor connection between visiting different websites so I connect through a different route of Tor nodes every time, is that what you're saying?

Could you clarify what capability it is you don't want to sacrifice though? I only ever dipped my toes in using the Tor browser a couple of times and never used it for a full blown browsing session so I'm really learning as much as I can before I know how to use it properly.

Thanks.

Share this post


Link to post
22 hours ago, curhen57 said:
Hello.
I'm just trying to understand what you're saying here.
So let me get it straight. You prefer to use one or two VPNs before connecting to Tor on a virtual machine. No Onion Sandwich (VPN>Tor>VPN)?
The virtual machine can mask the host motherboard which can "betray" me? You mean anyone good enough can tell I am using a VM and crack right through to my host machine, is that it? If that's so, what if I used a Xen-based virtual machine? I hear they are more secure.

I presume by rotating VPN's you mean switching to different VPN servers every time - that's a good practise. While the Tor Exit IP changes by itself automatically, the entry node IP doesn't which is why you suggest I reset the Tor connection between visiting different websites so I connect through a different route of Tor nodes every time, is that what you're saying?

Could you clarify what capability it is you don't want to sacrifice though? I only ever dipped my toes in using the Tor browser a couple of times and never used it for a full blown browsing session so I'm really learning as much as I can before I know how to use it properly.

Thanks.

Item;  the motherboard betray part of the quote above -- forget anything about using a VM for a second.  My point was when you use an operating system bare metal on a machine the actual motherboard has characteristics/components that can be discovered by a medium level adversary.  By making queries while you are interacting on a website and such you can effectively and accurately be "fingerprinted" by its uniqueness.  Those characteristics cannot be changed because they are unique and ARE identifiable to YOUR motherboard.  Now usage of a VM allows you to only visit workspace via virtual drivers with changeable MACs and other characteristics.  Those can change automatically or any time you want.  BTW, workspace is defined by me as internet usage/surfing, or going outside your machine to the clearnet workspace.  So use of a proper host OS means that system NEVER goes to workspace, but rather its is the "iron lung" supporting/hosting the VM's that are bridged/NAT'd through it.  The VMs see the workspace and therefore the websites they visit only see the virtual drivers, MAC's, etc..... and never the actual motherboard.  Once you mount your VM you can then place the Tor Browser Bundle on its Desktop and you will be using TOR for workspace.  That TOR workspace follows the VPN, which in my case is on the host.  Its a solid combo.  I don't prefer to sandwich (your term).  The browser bundle will auto cycle the circuit every 10 minutes or so.  Another simple option.  The browser bundle is maybe 250 meg so its small.  You can place several bundles on the Desktop and then only go to one specific site on each bundle making sure that "anything" from other sites are viewed in a separate bundle.  Compartmentalization the easy way.  Its not the strictest security but its very good unless you need to go "DEEP" on onion.  That is another thread.

Share this post


Link to post
@iwih2gk

Hello!

A few remarks to your last message.

1) MAC address is never included in IPv4 packets. Not even our VPN servers can see your network interface MAC address in IPv4. Similar safeguards are nowadays applied in modern OS for IPv6 too (IPv6 packets do have a specific allocation space for a MAC address).

2) Data passed voluntarily by a browser to a web site can be blocked or altered, either in browser configuration or through dedicated add-ons. Examples include spoofing browser user agent (which includes Operating System etc.) (**), blocking fingerprinting through canvas by generating "noise" and randomizing different fingerprints for each stream (*), and working without any previous tracking cookie by cleaning cookies at each session and working in browser "private" mode. Such safeguards should be applied even when working inside a VM, if your threat model needs them.

(*) Example: Canvas Defender for Firefox. "Instead of blocking JS-API, Canvas Defender creates a unique and persistent noise that hides your real canvas fingerprint"

(**) Example: User Agent Switcher and Manager for Firefox.

Kind regards
 

Share this post


Link to post
On 3/18/2020 at 8:09 PM, Staff said:
1) MAC address is never included in IPv4 packets. Not even our VPN servers can see your network interface MAC address in IPv4. Similar safeguards are nowadays applied in modern OS for IPv6 too (IPv6 packets do have a specific allocation space for a MAC address).
You mean to say that, as long as I am only using IPv4, my MAC address can never be found out?

Share this post


Link to post
@curhen57

Hello!

Roughly, in IPv4 MAC addresses (more in general link layer addresses) are obtained via ARP (Address Resolution Protocol) requests, which are necessary when a node must physically find the final destination node otherwise identified only by an IP address. So your router knows the MAC address of your computers network interface, your nearest ISP upstream point knows your router network interface MAC address (and not your computers network interface one) and so on and so forth. Our VPN servers don't know anything about MAC addresses of your computer, router...

For a more rigorous definition and information please see for example:
https://en.wikipedia.org/wiki/Address_Resolution_Protocol

Kind regards
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...