Jump to content
Not connected, Your IP: 3.138.135.201
hdavis83

VPN over Tor with OpenVPN

Recommended Posts

I used to follow this guide when I was a Mullvad customer to run my VPN over Tor, (Me -> Tor -> VPN -> Site)

After Mullvad cut port-forwarding, I've switched to AirVPN. This is a killer feature for me.
As this forum-post shows, its definitely possible with AirVPN, but this covers how to do it using the eddie client. I'd like to know how to do it on a headless system with an .ovpn or wireguard.conf

Any networking wizards able to help out?

Share this post


Link to post
Posted ... (edited)
4 hours ago, OpenSourcerer said:

This covers how to do it with the AirVPN/Eddie client, My environment unfortunately makes it NOT POSSIBLE to use the Eddie client (along with all other software not explicitly whitelisted via a binary hash) and I need to know which changes I have to make to my .ovpn with just a text editor.

The AirVPN guide does not make clear what needs to be done when just working with an .ovpn. The Mullvad guide I linked has 3 lines that are to be appended to the .ovpn file, appending the same to an AirVPN .ovpn does not succeed, and I've tried changing the route IP to what I think would work with AirVPN but have not succeeded. Edited ... by hdavis83
added extra information

Share this post


Link to post
@hdavis83

Hello!

Caveat: this answer isn't written by an Eddie developer. If you need more details or information please tell us so and someone more competent on the matter will be queried for a reply in the next days.

The guide you linked features an apparently different connection mode. To establish OpenVPN over Tor connection and route all the system traffic (except the traffic directly going to Tor) over OpenVPN over Tor, Eddie talks to Tor Control (that's why Tor must be already running: Eddie will not run it by itself), obtains the IP address of the Tor entry guard, routes it outside the VPN tunnel to prevent infinite routing loop, and establishes the VPN connection to the final VPN server over Tor SOCKS proxy:
https://github.com/AirVPN/Eddie/blob/a9ebf22515133616811b630caee762b3ef970149/src/Lib.Core/TorControl.cs#L25

Observe the routing table, consult the configuration file (dynamically generated by Eddie) and read Eddie log when you connect over OpenVPN over Tor with Eddie (use some testing system with a DE for example). In order to simplify communications with Tor Control, you may consider something like the following CLI tool:
https://github.com/adrelanos/tor-ctrl

Kind regards

 

Share this post


Link to post
On 11/3/2023 at 4:35 PM, Staff said:
@hdavis83

Hello!

Caveat: this answer isn't written by an Eddie developer. If you need more details or information please tell us so and someone more competent on the matter will be queried for a reply in the next days.

The guide you linked features an apparently different connection mode. To establish OpenVPN over Tor connection and route all the system traffic (except the traffic directly going to Tor) over OpenVPN over Tor, Eddie talks to Tor Control (that's why Tor must be already running: Eddie will not run it by itself), obtains the IP address of the Tor entry guard, routes it outside the VPN tunnel to prevent infinite routing loop, and establishes the VPN connection to the final VPN server over Tor SOCKS proxy:
https://github.com/AirVPN/Eddie/blob/a9ebf22515133616811b630caee762b3ef970149/src/Lib.Core/TorControl.cs#L25

Observe the routing table, consult the configuration file (dynamically generated by Eddie) and read Eddie log when you connect over OpenVPN over Tor with Eddie (use some testing system with a DE for example). In order to simplify communications with Tor Control, you may consider something like the following CLI tool:
https://github.com/adrelanos/tor-ctrl

Kind regards

 
Im unfortunately unable to use the Eddie client, I only have the .ovpn available to me. Is it not possible with your service to OpenVPN over Tor without Eddie?

Share this post


Link to post
4 hours ago, hdavis83 said:
On 11/3/2023 at 5:35 PM, Staff said:
Im unfortunately unable to use the Eddie client, I only have the .ovpn available to me. Is it not possible with your service to OpenVPN over Tor without Eddie?

Hello!

It's explained in our previous message, the one you quoted, to let you see all the required steps.

Kind regards
 

Share this post


Link to post
Posted ... (edited)

What you are asking is quite simple, unless I am misunderstanding something.

1. Take WireGuard out of your head. WiregGuard is UDP only VPN, and Tor only transports TCP streams. So, you cannot use it to connect to WireGuard  -- this is not something AirVPN specific, this is something universal, it's how WireGuard works. Our Tor guide should be updated with a mention of this, of course for cases where users want to connect TO AirVPN VIA Tor without Eddie and just using raw OpenVPN or WireGuard software.

2. You can connect easy with OpenVPN conf file via Tor. Just

a) Make sure there is a Tor daemon or Tor Browser instance running on the machine, or it is somehow reachable via a ssh tunnel or maybe internal network, I don't know. Let's pretend in example 1: it runs on same machine (localhost) on port 9050 (default for Tor Linux Daemon) or in example 2: it's on the internal network router running with SocksPort open to 192.168.1.1 port 9050

b) Go to AirVPN -> Config Genrator -> Advanced config.
Make sure you select from the list OpenVPN TCP protocol  -- this is very important otherwise it will not work. It needs to be TCP protocol.

edit with a text editor the openvpn .conf file downloaded from AirVPN and add as first line one entry:
socks-proxy 127.0.0.1 9050 # for example 1
or
socks-proxy 192.168.1.1 9050 # for example 2

There are more advanced things you can do that are outside the scope, for example if Tor's SocksPort is password protected you can add a pass.txt argument to the socks-proxy line with a path to a file that contains the credentials to authenticate to the socks5 server. Read OpenVPN manual if you need this, otherwise it should work simply without anything more as described above.

P.S. I recommend you using [::1] instead of 127.0.0.1 and fe80::something instead of 192.168.1.1 - somehow examples still look good with IPv4 notations but it's really end of 2023 so we have to be over them at some point for good :)

Edited ... by ss11

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...