Jump to content


Photo
* * * * - 1 votes

Using AirVPN over TOR


  • Please log in to reply
86 replies to this topic

#1 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 05 October 2010 - 04:35 PM

If you need to transfer information for which protection of your identity is highly critical, please read all the thread carefully.

Kind regards

#2 dr

dr

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 10 October 2011 - 10:41 AM

how can i use air vpn

#3 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 10 October 2011 - 12:19 PM

dr wrote:

how can i use air vpn



Hello!

Please follow the instructions here: https://airvpn.org/i...id=68&Itemid=57

If you need help to use AirVPN over TOR, please do not hesitate to contact us again.

Kind regards
AirVPN admins

#4 anonmc

anonmc

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 13 October 2011 - 02:20 AM

Would this work on debian using torify command? i.e. say i wanted to torify an ssh connection, what would be the signal path?

my pc -> vpn ->tor entry node -> tor exit node -> ssh server?

Or is that wrong?

Thanks

Pete

#5 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 13 October 2011 - 10:20 AM

anonmc wrote:

Would this work on debian using torify command? i.e. say i wanted to torify an ssh connection, what would be the signal path?

my pc -> vpn ->tor entry node -> tor exit node -> ssh server?

Or is that wrong?

Thanks

Pete



Hello!

You have described TOR over VPN. We recommend VPN over TOR, so that we can't see your real IP address and the TOR nodes see encrypted OpenVPN traffic.

The correct path of your config is:
PC (OpenVPN with proxy) -> TOR entry -> TOR exit -> VPN server -> SSH server

There should be no need to torify anything. Every application should transparently use VPN over TOR (thanks to OpenVPN proxy features). Furthermore, UDP traffic now can go through TOR (it's TCP over UDP, done by OpenVPN)!

In this way:

- SSH server sees VPN server exit-IP address
- VPN server sees TOR exit node IP address
- VPN server sees SSH encrypted traffic
- TOR servers see OpenVPN+SSH encrypted traffic

The packets which finally go out have the SSH server IP address on their header. So please note that if the SSH server is owned by you and you have given your real identity to rent or house it, you might destroy completely the anonymity layer.

Kind regards
AirVPN

#6 heyyou

heyyou

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 26 October 2011 - 02:17 AM

I see this point being made that VPN should be running over Tor but if it is the case that no logs are kept by the VPN, then why is it necessary? Assuming that logs of IP addresses are not kept, why should running Tor be necessary so that the VPN server only sees the Tor exit node? Does it actually matter that the VPN sees my IP in this instance?

#7 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 26 October 2011 - 09:34 AM

heyyou wrote:

I see this point being made that VPN should be running over Tor but if it is the case that no logs are kept by the VPN, then why is it necessary? Assuming that logs of IP addresses are not kept, why should running Tor be necessary so that the VPN server only sees the Tor exit node? Does it actually matter that the VPN sees my IP in this instance?



Hello!

We recommend that solution when someone has to transfer critical information and does not want to put his/her trust on us. It is a layer of anonyimity "by design" where trust on us is not necessary.

You might be interested in reading this:
https://airvpn.org/i...&catid=3&id=892

Kind regards
AirVPN admins

#8 nemonobody

nemonobody

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 04 February 2012 - 04:58 PM

Could you please explain the technical side of your VPN over Tor solution?
I mean, 127.0.0.1:9050 is usually used by the Tor client (Vidalia). So, how can both the OpenVPN client and Vidalia share the same socket?

Also, would that method work in case the whole system traffic is to be torified, e.g. if you're using Liberte Linux which does so?

#9 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 04 February 2012 - 06:36 PM

Could you please explain the technical side of your VPN over Tor solution?
I mean, 127.0.0.1:9050 is usually used by the Tor client (Vidalia). So, how can both the OpenVPN client and Vidalia share the same socket?

Also, would that method work in case the whole system traffic is to be torified, e.g. if you're using Liberte Linux which does so?



Hello!

Connections over http or over SOCKS proxy are a smart feature of OpenVPN. http://openvpn.net/i...howto.html#http

The method we suggest in our example can be used successfully in Linux Liberte as well.
https://airvpn.org/tor

Please do not hesitate to contact us for any further information.

Kind regards

#10 Anontor

Anontor

    Member

  • Members
  • PipPip
  • 10 posts

Posted 12 March 2012 - 12:20 PM


We recommend that solution when someone has to transfer critical information and does not want to put his/her trust on us. It is a layer of anonyimity "by design" where trust on us is not necessary.



Doesn't AIR VPN need to see what user logs in to know if it should be allowed to connect or not, so if the site ur connecting to see the AIR VPN IP adress
they know what server connected and when and could match that to airvpn as you can log the user logins, so the trust is back on the your service to uphold
the control over the information.

#11 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 12 March 2012 - 12:35 PM


We recommend that solution when someone has to transfer critical information and does not want to put his/her trust on us. It is a layer of anonyimity "by design" where trust on us is not necessary.



Doesn't AIR VPN need to see what user logs in to know if it should be allowed to connect or not, so if the site ur connecting to see the AIR VPN IP adress
they know what server connected and when and could match that to airvpn as you can log the user logins, so the trust is back on the your service to uphold
the control over the information.



Hello!

The VPN server needs to check whether an account is on premium status in order to allow the connection but does not keep any information about any account, it queries for authorization a backend server. We recommend NOT to put information in your account data that can be exploited to disclose your identity. As long as we don't know who you are, we can't tell anybody who you are. With Air over TOR, you can also prevent our servers to know your real IP address, even while you are connected.

The AirVPN system, if used correctly, is designed to defeat an adversary that has up to the following abilities (please note that this is a very harsh scenario, in most cases the following steps are required only in countries controlled by repressive regimes):

- the ability to fully monitor the customer's line AND (the relevant portion of the TOR network OR all of the Air VPN servers)
- the ability to fully monitor any financial transaction of the customer

An adversary with such abilities can be defeated in the following way:

- the customer subscribes to AirVPN with a Bitcoin transaction toward an independent AirVPN reseller (in our case, bitcoincodes.com)
- the transaction is performed by tunneling Bitcoin over [AirVPN over] TOR
- the transaction is performed with a wallet exactly fit for that transaction
- the wallet is destroyed immediately after the transaction success (safe deletion of the wallet)
- the customer always performs "partition of trust" (with the proper account) between parties from now on

Partition of trust is essential, so that a betrayal of trust by one party does not compromise the anonymity layer. An example of partition of trust is AirVPN over TOR: the TOR nodes see only encrypted (by OpenVPN) traffic and AirVPN servers do not see the real IP address of the user (they see the TOR exit node IP address). On top of that, entry-IP and exit-IP addresses of AirVPN servers are different (to emulate a 2-hop VPN in addition to the multi-hop provided by TOR) in order to prevent correlation attacks. The VPN admins therefore do not know the identity of the customer while the TOR nodes admins do not know the content, the real origin and the real destinations of the packets from/to the Air customer.

Finally (this is not our competence, but obviously highly recommended) the customer should add a further encryption layer to protect her packets payload once they get out of our servers (trivial example, use GnuPG for e-mails) in case the payload could be exploited (for example by a second adversary, unrelated to the first, that monitors the line of the final recipient) to disclose the customer's identity.

An adversary with superior abilities may not be defeated by the above setup. Typical examples:

- an adversary with the ability to monitor the customer's line AND the relevant portion of the TOR network AND all the AirVPN servers
- an adversary with the ability to fully control the hardware of the customer, without the customer's knowledge AND while the customer uses this hardware (it's only up to customer to take care against this threat, we can't do anything about it)
- a global adversary

The first kind of adversary requires additional trust partition(s). The second kind of adversary renders the anonymity layer outside the victim's hardware irrelevant. The global adversary theoretically can never be defeated on the Internet. Luckily, the very existance of the global adversary (an adversary with the ability to monitor, store, analyze and correlate all the connections in the world continuously) is highly debatable.

Please do not hesitate to contact us for any further information or support.

Kind regards

#12 justusranvier

justusranvier

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 17 July 2012 - 01:38 AM

Do you have any plans to allow access via a hidden service so that users can potentially get better performance by avoiding congestion at the exit nodes?

#13 tvhawaii

tvhawaii

    Member

  • Members
  • PipPip
  • 15 posts

Posted 22 July 2012 - 12:58 AM

The method we suggest in our example can be used successfully in Linux Liberte as well.
airvpn.org/index.php?option=com_content&...id=64&Itemid=122

returns 404

#14 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 22 July 2012 - 01:58 AM

The method we suggest in our example can be used successfully in Linux Liberte as well.
airvpn.org/index.php?option=com_content&...id=64&Itemid=122

returns 404



Hello!

Please replace that link with this one:
https://airvpn.org/tor

Kind regards

#15 tvhawaii

tvhawaii

    Member

  • Members
  • PipPip
  • 15 posts

Posted 22 July 2012 - 03:07 AM

I installed Airvpn v1.7, but I can't find any SOCKS proxy option.

(*) AirVPN 1.6 or higher is required. The SOCKS proxy option is not available in older versions.

#16 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 22 July 2012 - 07:51 AM

I installed Airvpn v1.7, but I can't find any SOCKS proxy option.

(*) AirVPN 1.6 or higher is required. The SOCKS proxy option is not available in older versions.



Hello!

Please right-click on the Air dock icon and select "Preferences". In the "Proxy" field select "Type: Socks".

Kind regards

#17 f0xh0und

f0xh0und

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 25 July 2012 - 02:13 PM

Hey there, i've got a question :

I mostly, when i'm connected through TOR, only go to .onion websites, or https clearnet, so, is the VPN through TOR really relevant in this case ?

i had some trouble understanding how the stuff work, let me explain myself:

when i'm in this config :
Computer / ISP / VPN / TOR (.onion website) , something like that should happens :
the VPN encrypts the data coming from TOR and pass it through my ISP... the data is decrypted by my computer.. and the TOR encrypted data is decrypted by TOR, am I right ? i may have misunderstood some point.

my ISP only sees VPN crypted data, right ? i don't care if you know my real IP, since all the data you catch is TOR encrypted, am i right ? so whatever..

but... if I use your recommended SOCKS config, in my mind, here's what happens :

Computer / ISP / TOR (.onion) / VPN

When i'm surfing the clearweb, it's really effective indeed, since you don't see my IP address and TOR nodes don't see any clear datas, right...

but... when i'm surfing .onion, (tell me if i'm right) :

As the .onion traffic doesn't leave TOR, the VPN doesn't even see / crypt it right ? and my ISP doesn't see any VPN traffic, but only TOR traffic ? which can be really annoying right ?

i may have misunderstood something, but this solution seems, in this case, less secure.

I don't think i'd made myself clear, but i hope so.

Regards.

#18 Staff

Staff

    Advanced Member

  • Staff
  • PipPipPip
  • 4463 posts

Posted 25 July 2012 - 02:37 PM

Hey there, i've got a question :

As the .onion traffic doesn't leave TOR, the VPN doesn't even see / crypt it right ? and my ISP doesn't see any VPN traffic, but only TOR traffic ? which can be really annoying right ?



Hello!

If you don't want to let your ISP know that you use TOR when you connect to .onion sites, please use TOR over Air instead of Air over TOR. Your ISP will see only encrypted traffic to and from our servers.

Kind regards

#19 tvhawaii

tvhawaii

    Member

  • Members
  • PipPip
  • 15 posts

Posted 25 July 2012 - 09:23 PM

Speaking of encryption, I'd appreciate hearing your thoughts on key management expressed in this article:
http://www.networkworld.com/news/2012/072512-blackhat-ylonen-261134.html?source=NWWNLE_nlt_security_2012-07-25

How safe are we really?

#20 tvhawaii

tvhawaii

    Member

  • Members
  • PipPip
  • 15 posts

Posted 26 July 2012 - 10:16 PM

I suppose what I'm saying is that since Microsoft's Certificate was compromised and the Flame attack was through Windows Update, how confident can we be in TLS?
Again, I'd -really- enjoy hearing someone from Air comment about this.
Thanks.





Similar Topics Collapse

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Servers online.Servers online.
Users: 2285 - BW: 6423 Mbit/s
Not connectedNot connected.
Your current IP: 54.204.66.38
Guest Access.