Jump to content
Not connected, Your IP: 3.145.40.33
Staff

Using AirVPN over TOR

Recommended Posts

If you need to transfer information for which protection of your identity is highly critical, please read all the thread carefully.

Kind regards

Share this post


Link to post

Would this work on debian using torify command? i.e. say i wanted to torify an ssh connection, what would be the signal path?

my pc -> vpn ->tor entry node -> tor exit node -> ssh server?

Or is that wrong?

Thanks

Pete

Share this post


Link to post

anonmc wrote:

Would this work on debian using torify command? i.e. say i wanted to torify an ssh connection, what would be the signal path?

my pc -> vpn ->tor entry node -> tor exit node -> ssh server?

Or is that wrong?

Thanks

Pete

Hello!

You have described TOR over VPN. We recommend VPN over TOR, so that we can't see your real IP address and the TOR nodes see encrypted OpenVPN traffic.

The correct path of your config is:

PC (OpenVPN with proxy) -> TOR entry -> TOR exit -> VPN server -> SSH server

There should be no need to torify anything. Every application should transparently use VPN over TOR (thanks to OpenVPN proxy features). Furthermore, UDP traffic now can go through TOR (it's TCP over UDP, done by OpenVPN)!

In this way:

- SSH server sees VPN server exit-IP address

- VPN server sees TOR exit node IP address

- VPN server sees SSH encrypted traffic

- TOR servers see OpenVPN+SSH encrypted traffic

The packets which finally go out have the SSH server IP address on their header. So please note that if the SSH server is owned by you and you have given your real identity to rent or house it, you might destroy completely the anonymity layer.

Kind regards

AirVPN

Share this post


Link to post

I see this point being made that VPN should be running over Tor but if it is the case that no logs are kept by the VPN, then why is it necessary? Assuming that logs of IP addresses are not kept, why should running Tor be necessary so that the VPN server only sees the Tor exit node? Does it actually matter that the VPN sees my IP in this instance?

Share this post


Link to post

heyyou wrote:

I see this point being made that VPN should be running over Tor but if it is the case that no logs are kept by the VPN, then why is it necessary? Assuming that logs of IP addresses are not kept, why should running Tor be necessary so that the VPN server only sees the Tor exit node? Does it actually matter that the VPN sees my IP in this instance?

Hello!

We recommend that solution when someone has to transfer critical information and does not want to put his/her trust on us. It is a layer of anonyimity "by design" where trust on us is not necessary.

You might be interested in reading this:

https://airvpn.org/index.php?option=com_kunena&Itemid=55&func=view&catid=3&id=892

Kind regards

AirVPN admins

Share this post


Link to post

Could you please explain the technical side of your VPN over Tor solution?

I mean, 127.0.0.1:9050 is usually used by the Tor client (Vidalia). So, how can both the OpenVPN client and Vidalia share the same socket?

Also, would that method work in case the whole system traffic is to be torified, e.g. if you're using Liberte Linux which does so?

Share this post


Link to post

Could you please explain the technical side of your VPN over Tor solution?

I mean, 127.0.0.1:9050 is usually used by the Tor client (Vidalia). So, how can both the OpenVPN client and Vidalia share the same socket?

Also, would that method work in case the whole system traffic is to be torified, e.g. if you're using Liberte Linux which does so?

Hello!

Connections over http or over SOCKS proxy are a smart feature of OpenVPN. http://openvpn.net/index.php/open-source/documentation/howto.html#http

The method we suggest in our example can be used successfully in Linux Liberte as well.

https://airvpn.org/tor

Please do not hesitate to contact us for any further information.

Kind regards

Share this post


Link to post

We recommend that solution when someone has to transfer critical information and does not want to put his/her trust on us. It is a layer of anonyimity "by design" where trust on us is not necessary.

 

Doesn't AIR VPN need to see what user logs in to know if it should be allowed to connect or not, so if the site ur connecting to see the AIR VPN IP adress

they know what server connected and when and could match that to airvpn as you can log the user logins, so the trust is back on the your service to uphold

the control over the information.

Share this post


Link to post
Quote

 

Quote

We recommend that solution when someone has to transfer critical information and does not want to put his/her trust on us. It is a layer of anonyimity "by design" where trust on us is not necessary.

 

Doesn't AIR VPN need to see what user logs in to know if it should be allowed to connect or not, so if the site ur connecting to see the AIR VPN IP adress

they know what server connected and when and could match that to airvpn as you can log the user logins, so the trust is back on the your service to uphold

the control over the information.


Hello!

 

The VPN server needs to check whether an account is on premium status in order to allow the connection but does not keep any information about any account, it queries for authorization a backend server. We recommend NOT to put information in your account data that can be exploited to disclose your identity. As long as we don't know who you are, we can't tell anybody who you are. With Air over TOR, you can also prevent our servers to know your real IP address, even while you are connected.

 

The AirVPN system, if used correctly, is designed to defeat an adversary that has up to the following abilities:

 

  • the ability to fully monitor the customer's line AND (the relevant portion of the Tor network OR all of the Air VPN servers)
  • the ability to fully monitor any financial transaction of the customer
 

An adversary with such abilities can be defeated in the following way:

 

  • the customer subscribes to AirVPN with a Bitcoin transaction or a transaction performed through some cryptocurrency designed to keep an anonymity layer on the transaction (check Monero, we accept it without intermediaries)
  • the transaction is performed by tunneling the cryptocurrency transaction and any other operation of that wallet over Tor
  • the transaction is performed with a wallet exactly fit for that transaction
  • the wallet is destroyed immediately after the transaction success (safe deletion of the wallet)
  • the customer always performs "partition of trust" (with the proper account) between parties from now on
  • the customer does NOT insert personally identifiable information in his/her payload, unless he/she wants explicitly to be known by the final recipient: remember that a VPN or Tor or any other system are impotent if you insert personally identifiable information in your content
 

Partition of trust is essential, so that a betrayal of trust by one party does not compromise the anonymity layer. An example of partition of trust is AirVPN over Tor: the Tor nodes see only encrypted (by OpenVPN) traffic and AirVPN servers do not see the real IP address of the user (they see the TOR exit node IP address). On top of that, entry-IP and exit-IP addresses of AirVPN servers are different (to emulate a 2-hop VPN in addition to the multi-hop provided by Tor) in order to prevent correlation attacks. The VPN admins therefore do not know the identity of the customer while the TOR nodes admins do not know the content, the real origin and the real destinations of the packets from/to the Air customer.

The drawback of the above setup is that Tor will use always the same circuit, so when this is a concern, you should consider Tor over AirVPN: just run Tor after the system has connected to the VPN and use only Tor-configured applications to transfer sensitive data. In this way, our VPN servers will see your real IP address, but will not know the real, final origin and destinations of such data.

Additionally, your packets are still encrypted by Tor when passing through the VPN. The VPN will act as a jumping point to reach Tor, will hide Tor usage from the eyes of an adversary wiretapping the customer's line (extremely useful when someone can be targeted for the mere fact of using Tor), and will at least provide a first protection for UDP flows (if any) and system flows that might be originated by the system and that can't be handled by Tor.

Furthemore, the customer should add an encryption layer to protect her packets payload once they get out of our servers or while they transit through the Tor circuits (trivial examples, use GnuPG for e-mails, HTTPS if you reach web sites, SFTP or FTPES for FTP transfers, and so on) in case the payload could be exploited (for example by a second adversary, even unrelated to the first, that monitors the line of the final recipient) to disclose the customer's identity.

Always use end-to-end encryption. Always.

 


An adversary with superior abilities may not be defeated by the above setup. Typical examples:

 

  • an adversary with the ability to monitor the customer's line AND the relevant portion of the Tor network AND all the AirVPN servers
  • an adversary with the ability to fully control the hardware or software of the customer, without the customer's knowledge AND while the customer uses this hardware or software (it's only up to customer to take care against this threat, we can't do anything about it)
  • a global adversary

 

The first kind of adversary requires additional trust partition(s). The second kind of adversary renders the anonymity layer outside the victim's hardware irrelevant. The global adversary theoretically can never be defeated on the Internet. Luckily, the very existence of the global adversary (an adversary with the ability to monitor, store, analyze and correlate all the connections in the world continuously) is highly debatable.

 

Please do not hesitate to contact us for any further information or support.

 

Kind regards

Share this post


Link to post

Do you have any plans to allow access via a hidden service so that users can potentially get better performance by avoiding congestion at the exit nodes?

Share this post


Link to post

The method we suggest in our example can be used successfully in Linux Liberte as well.

airvpn.org/index.php?option=com_content&...id=64&Itemid=122

returns 404

Share this post


Link to post

The method we suggest in our example can be used successfully in Linux Liberte as well.

airvpn.org/index.php?option=com_content&...id=64&Itemid=122

returns 404

Hello!

Please replace that link with this one:

https://airvpn.org/tor

Kind regards

Share this post


Link to post

I installed Airvpn v1.7, but I can't find any SOCKS proxy option.

(*) AirVPN 1.6 or higher is required. The SOCKS proxy option is not available in older versions.

Share this post


Link to post

I installed Airvpn v1.7, but I can't find any SOCKS proxy option.

(*) AirVPN 1.6 or higher is required. The SOCKS proxy option is not available in older versions.

Hello!

Please right-click on the Air dock icon and select "Preferences". In the "Proxy" field select "Type: Socks".

Kind regards

Share this post


Link to post

Hey there, i've got a question :

I mostly, when i'm connected through TOR, only go to .onion websites, or https clearnet, so, is the VPN through TOR really relevant in this case ?

i had some trouble understanding how the stuff work, let me explain myself:

when i'm in this config :

Computer / ISP / VPN / TOR (.onion website) , something like that should happens :

the VPN encrypts the data coming from TOR and pass it through my ISP... the data is decrypted by my computer.. and the TOR encrypted data is decrypted by TOR, am I right ? i may have misunderstood some point.

my ISP only sees VPN crypted data, right ? i don't care if you know my real IP, since all the data you catch is TOR encrypted, am i right ? so whatever..

but... if I use your recommended SOCKS config, in my mind, here's what happens :

Computer / ISP / TOR (.onion) / VPN

When i'm surfing the clearweb, it's really effective indeed, since you don't see my IP address and TOR nodes don't see any clear datas, right...

but... when i'm surfing .onion, (tell me if i'm right) :

As the .onion traffic doesn't leave TOR, the VPN doesn't even see / crypt it right ? and my ISP doesn't see any VPN traffic, but only TOR traffic ? which can be really annoying right ?

i may have misunderstood something, but this solution seems, in this case, less secure.

I don't think i'd made myself clear, but i hope so.

Regards.

Share this post


Link to post

Hey there, i've got a question :

As the .onion traffic doesn't leave TOR, the VPN doesn't even see / crypt it right ? and my ISP doesn't see any VPN traffic, but only TOR traffic ? which can be really annoying right ?

Hello!

If you don't want to let your ISP know that you use TOR when you connect to .onion sites, please use TOR over Air instead of Air over TOR. Your ISP will see only encrypted traffic to and from our servers.

Kind regards

Share this post


Link to post

I suppose what I'm saying is that since Microsoft's Certificate was compromised and the Flame attack was through Windows Update, how confident can we be in TLS?

Again, I'd -really- enjoy hearing someone from Air comment about this.

Thanks.

Share this post


Link to post

I suppose what I'm saying is that since Microsoft's Certificate was compromised and the Flame attack was through Windows Update, how confident can we be in TLS?

Again, I'd -really- enjoy hearing someone from Air comment about this.

Thanks.

Hello!

The problem in the first article pertains to SSL certificates issued by "authorities", so it may affect us on the website, in case the certificate were stolen from the authority which issued it to us, not on the OpenVPN connections.

Kind regards

Share this post


Link to post

Hey there, i've got a question :

As the .onion traffic doesn't leave TOR, the VPN doesn't even see / crypt it right ? and my ISP doesn't see any VPN traffic, but only TOR traffic ? which can be really annoying right ?

Regards.

Why would TOR traffic be more annoying to your ISP than Air traffic?

Thanks for explaining.

Share this post


Link to post

Hi i followed the instruction above https://airvpn.org/tor/ (with the difference that tor changed port from 9050 to 9151) but i can't connect with openvpn because it says :

Attempting to establish TCP connection with 127.0.0.1:9151

TCP connection established with 127.0.0.1:9151

socks_handshake: Socks proxy returned bad status

TCP/UDP: Closing socket

SIGTERM[soft,init_instance] received, process exiting

can u help me?

Share this post


Link to post

Hi i followed the instruction above https://airvpn.org/tor/ (with the difference that tor changed port from 9050 to 9151) but i can't connect with openvpn because it says :

Attempting to establish TCP connection with 127.0.0.1:9151

TCP connection established with 127.0.0.1:9151

socks_handshake: Socks proxy returned bad status

TCP/UDP: Closing socket

SIGTERM[soft,init_instance] received, process exiting

can u help me?

Hello!

Can you please make sure that you have selected a TCP port for the OpenVPN connection and that port 9151 is actually the SOCKS Port (i.e. not the Control Port)?

Kind regards

Share this post


Link to post

you have right... the port is 9150 but then Tor tell me:

[Warning] socks5: command 3 not recognized. Rejecting.

[Warning] Fetching socks handshake failed. Closing.

and openvpn's log tell me the same previous thing...

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...