Warning! Think twice before being critical of your government using only VPN

[hisik22091 1]

Hi,

I have written about this topic earlier under a different username, but couldn't get my head around it at that point and wasn't able to pinpoint the problem, which I am now.

Using AirVPN (a great servie btw) I have written something critical on wikipedia about the European monarchy in which I live. It's a smaller country with a population less than 10 million. I made more than 2 edits connecting from different AirVPN servers and now I realize that they can find my true identity by simply see which IP (or subscriber depending on how they log) was connected to the different AirVPN servers at that time. Wikipedia is so kind as to provide IP and time stamp if you are editing without a username.

A user recommended using VPN + tor in the other thread, which I am now passing on.

Best regards

[OpenSourcerer 1359]

European monarchy… I know there are some left but they're all constitutional, are they not? Which makes them somewhat less… monarchist in my eyes. Anyway…
 

3 hours ago, hisik22091 said:

I made more than 2 edits connecting from different AirVPN servers and now I realize that they can find my true identity by simply see which IP (or subscriber depending on how they log) was connected to the different AirVPN servers at that time. Wikipedia is so kind as to provide IP and time stamp if you are editing without a username.

You must elaborate on that. How is that possible the way you see it?

Be advised that Wikipedia is not a review site for anything, it's an encyclopedia. I hope you at least backed up your words with good references.

[hisik22091 1]

Nope, very much a monarchy. The monarch signs every single law into effect, meets with the elected government once per week, have their own military (or at least access to them), I'm not sure if they stille are or but until recently (decade) had the command over the military by law. I would had liked to write about these things, but since there are only a handfull of critical articles available and they all deal with the finances, that is the only thing one can be critical about. So yes, I used only public news articles as sources (only critical about finances). Also they are immune. I actually think that the UK is the only country with "monarchists" as you describe it. 

Okay, here is how I see it:

MyIP connect to server 1.1.1.1 in country X at 1 PM
MyIP connec to server 2.2.2.2 in country Y at 2 PM.
MyIP connect to server 3.3.3.3 in country Z at 3 PM.

At wikipedia they can see that it is the same person who made all the edits, hence they search for a user/IP that were connected to 1.1.1.1 at 1 PM, 2.2.2.2 at 2 PM and 3.3.3.3 at 3 PM. I am certain that this is a unique combination.

Lets say that there are 10000 people online (from the same country) at any given time and they connect to 50 different servers and that their connection is completely random (which of course it is not, but for the sake of argument). There is a 0.005% chance of a user connecting to server X. There is a 0.005%*0.005% chance of a user connecting to server X and 1 hour later to server Y. There is a 0.005%*0.005%*0.005% chance of a user connecting to server X at 1 PM, server Y at 1 PM and server Z at 1 PM. 

By using this argument you can say that there is a 0,000000125% chance of a person connecting using this combination. 0,000000125%*10000 meaning that 0.00125~1 person connects using this combination. 

[jilol83144 0]

Okay, second thoughts about the math. 

There is a 0.005% (50/10000) chance for anyone in the group of 10000 people to connect to a server at any given time. 

[Staff 9745]

@hisik22091

Hello!

Yes, please run Tor and use a Tor browser after you have connected to some VPN server when your threat model includes adversaries with the power of a government agency using legal or illegal tools in Europe.

It's very important to not underestimate such risks, regardless of the documentation you're able to provide to substantiate any sentence and word, as even European countries have shown that they can infringe human rights with impunity: consider UK torturing a journalist (Julian Assange) for a long time and infringing other human rights, in spite of the United Nations reports, just to make an example.

We use different entry and exit-IP addresses on VPN servers, but that's a weak defense against a government which can infer which exit-IP address is related to which entry-IP addresses. Unfortunately Wikipedia tends to block editing from a lot of Tor nodes,. a terrible and idiotic choice in our opinion, especially when anyone can see which IP address an edit was made from (or can obtain it through a court order). For a solution in such a case, keep reading.

Note anyway that a government that performs such a correlation does not obtain a PROOF that someone wrote something, because they can't know from us which users were connected to which VPN servers at any given time, as we do not inspect and/or log traffic content and/or metadata.

Also check what we wrote in 2013 about the importance of partition of trust:
https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745

If you find editing Wikipedia articles from Tor nodes diffiicult, you can consider OpenVPN over Tor. It's not as secure because the Tor circuit is fixed (it will not change at each new TCP stream), and it's not as easy to use as Tor over OpenVPN is, but it poses a probably impossible challenge for a government to find out the identity of the author.

Wikipedia sees and records the VPN server exit-IP address, but your government does not see that you connected to that VPN server address, because your traffic goes through some Tor circuit first. Only the Tor exit-node knows that the traffic ends to our VPN server entry-IP address, but the Tor exit-node does not know your real IP address, because you connect OpenVPN to the first Tor guard. The correlation you fear is therefore destroyed.

OpenVPN over Tor usage is made easier by our Eddie desktop edition software.

Kind regards
 

[hisik22091 1]

Yes, I will look into OpenVPN.

Thank you for the great work you guys are doing, can't imagine using internet without VPN today. 

[Stack of computer parts 9]

Could the OP not just use two vpns inline as well? Keep which ever vpn connection faces the public IP static so an adversary only sees the initial connection from public ip to vpn. Then use a second vpn connection that you can change at will to write or browse wherever?

For instance, the router connects to the vpn and the pc that is using to the router also connects to a different server.
Or if the router cannot handle the vpn, have the pc connect to the vpn, then have a virtual machine inside the pc make the second connection and do all of your browsing from there.

This is similar to what some people do with Qubes. The performance hit is not as bad as using Tor, and some websites just wont accept tor connections even if you were willing to use it.

[Staff 9745]

@Stack of computer parts

Hello!

Yes, the OP could do that. It's essential that the Virtual Machine is attached to the host via NAT, in this case, and not bridged.

Kind regards
 

[cehos54487 1]

Sorry for the late reply. 

Yes, that is the solution I ended up with. Didn't want to share the solution/workaround though, as it does double the traffic on the AirVPN servers.

I've tried it on Windows, ubuntu and Arch Linux. Can't remember if I also tried on debian. I didn't want to do the VirtualMachine solution and the other solutions I found online require some knowledge about networking I think.

 

Did manage to get it working on linux though, without Virtual Machine.

 

Using Arch Linux with Gnome and NetworkManager (with openVPN) -> Add internet connection -> Add VPN connection -> Autostart VPN on connection (nm-connection-editor) -> Install Eddie UI (airvpn-bin from AUR) -> Reboot -> PC connects automatically to VPN with NetworkManager -> Manually connect to a second VPN through Eddie UI

So basically, when my computer boots it connects to a VPN through NetworkManager and autostarts Eddie UI. I then manually choose a server to connect to through Eddie.

 

When the PC starts the exit IP is the VPN through NetworkManager. When I connect with Eddie UI the exit IP is the one I connected through Eddie. I have tested the solution by monitoring the bandwidth through the AirVPN client site showing connection statistics. I can see that I have 2 connections open and that both connections transfer the data. Also, I can monitor my network traffic at my ISP's site and I can see that the data is not downloaded twice meaning that there is not some sort of bouncing back and fourth I think.

Edited ... by cehos54487

[Terry Stanford 11]

Just wanted to say thanks for this, a very neat solution to an interesting problem!
I was looking for threads about Tor over VPN or vice versa (I was trying to learn the difference!). But the sites I need to visit are very mainstream like Google/Youtube/Twitter and no doubt will block Tor IPs (or give me hell one way or another!), so I wondered if there was a way to stay inside the VPN, but make it 100% impossible for, say, Google to track back to originating source. I might try your solution, if I read it right....

I could set up a VM (i know you didn't do that, but i want this separate to my normal activity) and install Ubuntu on there.
Use NM to connect to AirVPN
Install Eddie client as well. (Do you need two different VPN accounts for this I wonder, say Eddie plus another good one, to half the risk of someone giving up your details?)
So am I right in thinking that doing this means:

Data gets encrypted first by Eddie, and 'mailed' to the server chosen in Eddie, but before leaving the machine it gets re-encrypted by NM and sent to that server first, where it is decrypted back to one layer of encryption, and then sent to the 'Eddie' server where the last layer of encryption is removed and it goes out to the internet?

IF so, that sounds good, as Google will allow connections from Air servers, yet I think I am pretty much protected as well as I would be on Tor, but without the performance hit and the problems of Google barring me due to Tor IP.

Does this sound about right?
Thanks again, great thread.

[pitibij554 0]

I didn't manage to use double VPN (NetworkManager + Eddie UI) with ubuntu - can't remember the error I got, but it was unsuccessful. 

The staff wrote one could use VM with NAS and then connect to a VPN from within the VM while the host was also connected to a VPN. Haven't tried it myself, so doesn't know anything about it - but it seems to be the solution many people prefer, as there are dozens how-to's on google.

Honestly I doesn't know if my solution actually works, but since no one has commented otherwise I like to think that it does. NM connects to a VPN which is the connection the ISP sees, I think. Eddie UI then connects within this connection to a second VPN which acts as the exit IP for browsing and so on. So the ISP thinks you are connected to the NM VPN while in fact you are using the Eddie UI as exit IP. Again, this is my guessing.

Youtube works fine with VPN (you will obviously see content from the country exit IP). Google is a bit tideous as it gives you captcha almost always (I am clearing cookies on exit, don't know if that is has something to do with it) but accepts connections. 

Again, this is my personal opinion/understanding - from Google's perspective it doesn't matter if you are using a single VPN or double VPN. Google's interest is pure commercial or things that could lead them to things they could capatilize on (i.e. human interaction and behavior). They are interested in identifying "you" as a number and then link behavior to "you" (interests, search terms, occupation, language and so on). If you doesn't clear cookies or have a unique browser fingerprint etc. it doesn't matter how many VPN's you are using, they can still identify "you".

Again, personal opinion; let's say Google monitors all internet traffic in the whole world and can identify all IP's, they would then be able to identify you no matter how many VPN's you are connected to - over time your usage will leave traces, i.e. you listen to the same songs on youtube and search for niche topics on Google. When enough time has gone by they could see what IP had a possible connection to the exit IP and since they monitored all the internet traffic in the whole world they could also build the bridges from your personal IP to the exit IP. So they could gather that it is you (with name and address) that like this and that song and search for this and that. But the return for such effort would probably be very, very small if any and the risks of public disclosure big - so this is propably not a scenario. If you listen to 100 rock songs on youtube and then (without cookies) listen to 1 pop song, they would never be able to identify you as the person who listened to pop. If you use 1 VPN anyone connected to that one VPN more or less have an equal chance of listening to that song (especially if you don't listen to any rocks song before or afterwards). If you are connected to 2 VPNs anyone on those two VPNs more or less have an equal chance, and so on. 

The reason VPN's work is because no single instance monitors all the internet traffic in the whole word and if a country wishes to spy on a user or gather information they would have to go through official channels and leave paper work, so there is some sort of civil protection.

Dictators and other suppressors are interested in identifying you as a person with a name and address so they can register you and what not. If you connect using double VPN they cannot link the information they have (the connection from your IP to the first VPN). They can guess based on VPN provider as you also write. 

I think the reason TOR works is because basically you are connected through a random pool of "VPNs" consisting of millions of servers. You would have to do the same thing a very big number of times for anyone being able to connect your personal IP with a certain behavior (assuming that "anyone" have access to monitor all internet traffic in the whole world). If you buy 3 or 4 different VPN subscriptions using bitcoin or something similar and perhaps gain access to 5000 different servers, over time there would be a pattern (i.e. you would be the only user capable of the connection, as the connections established between the different VPN servers would build "bridges" back to your personal IP) and you would not be as safe I think, but still safe. 

So this is all my opinion 

[Terry Stanford 11]

Yes I get the theory, I take precautions against fingerprinting etc, and like you I delete all cookies and history etc. I use Firefox Temporary Containers, every tab has it's own set of data which is auto deleted when the tab closes, I like it very much. Plus some other extensions, canvas blocker etc.

In your last paragraph, there is one thing I disagree with. I dont think chaining VPNs together would leave a footprint, because the whole idea is (just like Tor) your "bridges" are only known to you and ONE VPN company. so unless someone had control over ALL the VPN companies you're using, and logging all the data through the chain, then maybe they could spot the "chain". I wouldn't bother with that. I trust Air, but I like the idea of using two in this case, just to make 100% sure if my trust was found to be incorrect or they got raided or something, my data is encrypted by another VPN protocol. Thats my thinking anyway. and like you, its just my opinion! I am far from an expert, and this all looks very silly to those who say "just use Tor", but for me that's not an option as I know the ISP flags such users. Yes, it MAY also flag VPN users, but having been an Air (and others) VPN user for a decade or more, that ship has already sailed so I am already flagged if that's the case! I would rather not add a Tor flag to my name especially in these strange times with laws where they can store your DNA for ever if you go to the doctors (in my country) and similar! I think it's safest now to just behave like you're a criminal, even if you're not, and I most certainly am not! I just damn well like my privacy, which is soon to be a crime I am sure, it's already seen as a criminal action by most people in authority in my country, just the "desire" to "hide" my activity online. What a sorry state of affairs!