AirVPN client as Socks Proxy

trekkie.forever

To prevent leaks on accidental disconnections (without a packet filter), it would be nice to have the option of the AirVPN client become a SOCKS server similar to TOR so connections drop rather than continue on the regular internet connection on accidental disconnections. Possible?

rchunter

I would love to see Airvpn offer a separate socks5 proxy that is not part of the airvpn client. There are other vpn services that are offering it. No reason you guys can't also. I would definitely subscribe to your vpn service if you had it.

Staff

To prevent leaks on accidental disconnections (without a packet filter), it would be nice to have the option of the AirVPN client become a SOCKS server similar to TOR so connections drop rather than continue on the regular internet connection on accidental disconnections. Possible?

Hello,

if you run Linux you have the option of a much more elegant solution which has the same effect, does not need packet filtering, but at the same time does not put you under the performance and protocols limitations of a proxy:

http://daniel-lange.com/archives/53-Binding-applications-to-a-specific-IP.html

Just like you need to configure every single application to be tunneled over a proxy, you will need to launch every application you want to secure with an LD_PRELOAD shim to bind it to the VPN IP address.

With Windows you can use ForceBindIP, unfortunately it does not work with every Windows version.

Some more options (already available natively on every Air server):

https://airvpn.org/ssl

https://airvpn.org/ssh

Of course all of the above does not make sense in comparison to securing the connection with a packet filtering tool. Also, SSL/SSH services are aimed against OpenVPN connections disruptions.

@rchunter

About providing an external, pure SOCKS5 server... why do you need it, what would it be useful for?

Kind regards

rchunter

Staff, I use it with utorrent. My main vpn connection is set up via tomato router with a gateway in the usa. But it would be nice to have access to a offshore socks5 sever that way when i'm running utorrent i'm protected from any disconnects while torrenting. There's a certain vpn company. I won't name names but they have socks5 Netherlands access. I'm sure you know who i'm refering to. Anyway, i'm just saying it would be nice if you guys did also. Something I hope you consider some day.

Staff

Hello,

for your purpose just bind uTorrent to your VPN IP address or write a couple of rules with a firewall and use a VPN, not a proxy.

If privacy is your concern, a SOCKS proxy for p2p is not the appropriate tool. A SOCKS proxy by itself is a tool for circuit-level gateways and also for circumvention, it has nothing to do with privacy or data stream protection. First, there are several real IP addresses leak problems to be considered. These attacks:

http://hal.inria.fr/docs/00/47/15/56/PDF/TorBT.pdf

and also the problem with UDP packets (through which a torrent client may communicate the real IP address to UDP trackers and/or to peers via DHT).

Second, but maybe more important, your traffic is not encrypted, so your ISP and any Man In The Middle can see very well the whole p2p traffic you send out and receive and can profile your p2p activities, inspect the contents you share, inject forged packets, send you warnings etc. etc.

It seems strange that a company advertises a SOCKS proxy as a privacy measure for torrent (or for anything else). Maybe it's a different service, in conjunction with SSH?

Kind regards

trekkie.forever

I have seen a VPN company that uses a program that opens an SSH connection and the program opening the SSH connection also serves as a local SOCKS proxy so a BT client (or any program that can be) is now configured to use the local proxy (say 127.0.0.1) so connections in/out of the BT client are not routable if the SSH connection goes down. Seems to me an interesting way to protect from leaks.

NaDre

I have seen a VPN company that uses a program that opens an SSH connection and the program opening the SSH connection also serves as a local SOCKS proxy so a BT client (or any program that can be) is now configured to use the local proxy (say 127.0.0.1) so connections in/out of the BT client are not routable if the SSH connection goes down. Seems to me an interesting way to protect from leaks.

I looked into these ideas a few months ago. I thought it might provide a convenient way to use the VPN/proxy only for bit torrent traffic. I looked in particular at the idea of running a SOCKS server(such as Dante) on my PC that was bound to the VPN IP address.

I believe that neither uTorrent nor Vuze accept incoming connections through SOCKS5 when configured to use SOCKS5. They still listen for incoming connections via IP. So you still need to block these from coming in on the real interface. I also believe that few SOCKS servers support receiving incoming connections, even though this is specified in the protocol. If you are concerned at all about seeding back effectively, I believe you would be concerned about receiving incoming connections?

In the end I decided that it would actually be simpler and more reliable to configure the bit torrent clients to use the VPN IP, block traffic on the real IP with the firewall and put back the real gateway by configuring the routing table appropriately.

trekkie.forever

Vuze states Proxy limitations here: http://wiki.vuze.com/w/Proxy_support so yes, as you state the SSH/SOCKS combination is not ideal in a P2P model. However, isn't SSH/SOCKS still a feasible way to prevent leaks for a broswer or chat client without a packet filter and without binding to interface?

rchunter

Hello,

for your purpose just bind uTorrent to your VPN IP address or write a couple of rules with a firewall and use a VPN, not a proxy.

If privacy is your concern, a SOCKS proxy for p2p is not the appropriate tool. A SOCKS proxy by itself is a tool for circuit-level gateways and also for circumvention, it has nothing to do with privacy or data stream protection. First, there are several real IP addresses leak problems to be considered. These attacks:

http://hal.inria.fr/docs/00/47/15/56/PDF/TorBT.pdf

and also the problem with UDP packets (through which a torrent client may communicate the real IP address to UDP trackers and/or to peers via DHT).

Second, but maybe more important, your traffic is not encrypted, so your ISP and any Man In The Middle can see very well the whole p2p traffic you send out and receive and can profile your p2p activities, inspect the contents you share, inject forged packets, send you warnings etc. etc.

It seems strange that a company advertises a SOCKS proxy as a privacy measure for torrent (or for anything else). Maybe it's a different service, in conjunction with SSH?

Kind regards

A lot of people don't need their bittorent traffic encrypted. Just hiding the IP is all that's needed in some cases. That's fine if you don't plan on offering it. I just thought i'd ask.

Staff

I have seen a VPN company that uses a program that opens an SSH connection and the program opening the SSH connection also serves as a local SOCKS proxy so a BT client (or any program that can be) is now configured to use the local proxy (say 127.0.0.1) so connections in/out of the BT client are not routable if the SSH connection goes down. Seems to me an interesting way to protect from leaks.

Hello,

yes, the problems we talked about are pertaining to SOCKS proxies alone. You can have an equivalent security against leaks already now with AirVPN, without the limitations of SOCKS + SSH. See also NaDre's messages.

Kind regards

Staff

A lot of people don't need their bittorent traffic encrypted. Just hiding the IP is all that's needed in some cases. That's fine if you don't plan on offering it. I just thought i'd ask.

Hello,

understood, but as we said a SOCKS proxy alone is not a safe solution to hide your real IP address in a p2p torrent swarm or against "p2p enemies".

Offering an external SOCKS5 proxy may be or may be not a nice plus, anyway we can't advertise it for p2p and it should not be used for it. We would provide a technically inadequate service (see also NaDre's posts) for such purpose, which would be not only against our mission, but also a sort of hoax against our customers. We're not interested in providing gullible people with bad solutions, moreover deceptive advertising is something we look at with disgust. That's why we are inquiring about what a SOCKS proxy would be useful for, if there's anything that a SOCKS proxy can offer that isn't already provided (in a proper way) by AirVPN.

Kind regards

rchunter

If you offered it, and opened up your service to more than one connection at a time people could have a choice of using vpn and proxy at the same time. Like I said it's nice to have my vpn traffic on a us gateway so I can do my banking and other things. And at the same time be on a Netherlands proxy with utorrent.

NaDre

If you offered it, and opened up your service to more than one connection at a time people could have a choice of using vpn and proxy at the same time. Like I said it's nice to have my vpn traffic on a us gateway so I can do my banking and other things. And at the same time be on a Netherlands proxy with utorrent.

You can do that without SOCKS:

https://airvpn.org/topic/9549-guide-to-setting-up-vpn-just-for-torrenting-on-windows-thanks-to-nadre/

That guide is for Windows and Windows firewall, by the ideas should be adaptable to Comodo on Windows as the firewall, or to Linux or Mac. You may need to configure the torrent client to use a fixed port for outgoing traffic in order to block outgoing traffic on the real IP though.

rchunter

If you offered it, and opened up your service to more than one connection at a time people could have a choice of using vpn and proxy at the same time. Like I said it's nice to have my vpn traffic on a us gateway so I can do my banking and other things. And at the same time be on a Netherlands proxy with utorrent.

You can do that without SOCKS:

https://airvpn.org/topic/9549-guide-to-setting-up-vpn-just-for-torrenting-on-windows-thanks-to-nadre/

That guide is for Windows and Windows firewall, by the ideas should be adaptable to Comodo on Windows as the firewall, or to Linux or Mac. You may need to configure the torrent client to use a fixed port for outgoing traffic in order to block outgoing traffic on the real IP though.

Yeah, well i'm still limited to only one connection using this service. If I want to use utorrent on a foreign gateway i'm stuck shutting it all down and switching to US any time I want to do my banking and other things. Not to mention being on a USA gateway is nice for your gaming and ping time. With a vpn AND proxy I can set the vpn to a usa gateway in my router and forget about it. Fire up utorrent with socks5 proxy and be downloading from a foreign gateway at the same time. Real simple real easy. That's really OK if you guys don't see the need. I'm just glad there are choices, and I don't think I will be switching services until AirVPN offers it;.

NaDre

If you offered it, and opened up your service to more than one connection at a time people could have a choice of using vpn and proxy at the same time. Like I said it's nice to have my vpn traffic on a us gateway so I can do my banking and other things. And at the same time be on a Netherlands proxy with utorrent.

You can do that without SOCKS:

https://airvpn.org/topic/9549-guide-to-setting-up-vpn-just-for-torrenting-on-windows-thanks-to-nadre/

That guide is for Windows and Windows firewall, by the ideas should be adaptable to Comodo on Windows as the firewall, or to Linux or Mac. You may need to configure the torrent client to use a fixed port for outgoing traffic in order to block outgoing traffic on the real IP though.

Yeah, well i'm still limited to only one connection using this service. If I want to use utorrent on a foreign gateway i'm stuck shutting it all down and switching to US any time I want to do my banking and other things. Not to mention being on a USA gateway is nice for your gaming and ping time. With a vpn AND proxy I can set the vpn to a usa gateway in my router and forget about it. Fire up utorrent with socks5 proxy and be downloading from a foreign gateway at the same time. Real simple real easy. That's really OK if you guys don't see the need. I'm just glad there are choices, and I don't think I will be switching services until AirVPN offers it;.

I had assumed in my response that you were in the U.S..

I am in neither the U.S. nor the U.K.. I have two memberships at AirVPN. One I use for P2P and nothing else (in the Netherlands as you say). Most of the time I use my real IP for everything else (while teh first connection is running). I can switch back and forth between using the VPN connection or my real IP by just running short cut to a .bat file (see the guide).

On occasion, when I want to use a geo-restricted site in the U.K. or the U.S. that is not available via AirVPN's automatic re-routing from the Netherlands servers, I use the second connection to get at it, while still running the first connection for P2P. See the edit at the end of this post:

https://airvpn.org/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?p=10326

rchunter

If you offered it, and opened up your service to more than one connection at a time people could have a choice of using vpn and proxy at the same time. Like I said it's nice to have my vpn traffic on a us gateway so I can do my banking and other things. And at the same time be on a Netherlands proxy with utorrent.

You can do that without SOCKS:

https://airvpn.org/topic/9549-guide-to-setting-up-vpn-just-for-torrenting-on-windows-thanks-to-nadre/

That guide is for Windows and Windows firewall, by the ideas should be adaptable to Comodo on Windows as the firewall, or to Linux or Mac. You may need to configure the torrent client to use a fixed port for outgoing traffic in order to block outgoing traffic on the real IP though.

Yeah, well i'm still limited to only one connection using this service. If I want to use utorrent on a foreign gateway i'm stuck shutting it all down and switching to US any time I want to do my banking and other things. Not to mention being on a USA gateway is nice for your gaming and ping time. With a vpn AND proxy I can set the vpn to a usa gateway in my router and forget about it. Fire up utorrent with socks5 proxy and be downloading from a foreign gateway at the same time. Real simple real easy. That's really OK if you guys don't see the need. I'm just glad there are choices, and I don't think I will be switching services until AirVPN offers it;.

I had assumed in my response that you were in the U.S..

I am in neither the U.S. nor the U.K.. I have two memberships at AirVPN. One I use for P2P and nothing else (in the Netherlands as you say). Most of the time I use my real IP for everything else (while teh first connection is running). I can switch back and forth between using the VPN connection or my real IP by just running short cut to a .bat file (see the guide).

On occasion, when I want to use a geo-restricted site in the U.K. or the U.S. that is not available via AirVPN's automatic re-routing from the Netherlands servers, I use the second connection to get at it, while still running the first connection for P2P. See the edit at the end of this post:

https://airvpn.org/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?p=10326

Thank you. I'll look into this. But I guess it still means buying 2 connections. That's not ideal by any means....

trekkie.forever

I have seen a VPN company that uses a program that opens an SSH connection and the program opening the SSH connection also serves as a local SOCKS proxy so a BT client (or any program that can be) is now configured to use the local proxy (say 127.0.0.1) so connections in/out of the BT client are not routable if the SSH connection goes down. Seems to me an interesting way to protect from leaks.

Hello,

yes, the problems we talked about are pertaining to SOCKS proxies alone. You can have an equivalent security against leaks already now with AirVPN, without the limitations of SOCKS + SSH. See also NaDre's messages.

Kind regards

I am looking for a solution to prevent leaks without dealing with routing tables and firewall configuration. My suggestion is to implement your SSH solution in reverse. Instead of creating an SSH tunnel and tunnelling OpenVPN through that, the option is to create an Open VPN tunnel and then run an SSH tunnel through the OpenVPN tunnel. The SSH tunnel program creates the local proxy so individual programs that need to be protected from leaks can be set to use the proxy.This removes the onus from the user and does not create specialized firewall rules that need to be changed if connected to a different network.

An extra layer somewhat similar in theory to your OpenVPN over TOR idea.

Staff

@trekkie.forever

Good idea. You can anyway achieve the same purpose more quickly without SSH, therefore without sacrificing performance, and without firewall (see our previous post in this thread https://airvpn.org/topic/9594-airvpn-client-as-socks-proxy/?do=findComment&comment=10948 ).

We are also working to study a possible implementation of IP binding in Eddie (the next client release).

Kind regards

AirVPN client as Socks Proxy

Recommended Posts

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Join the conversation