Leaderboard

Please see also here for an updated baseline guide for systems newer than 2.3 (updated 2021/02/20): https://nguvu.org/pfsense/pfsense-baseline-setup/ pfSense_fan's Guide How To Set Up pfSense 2.3 for AirVPN Guide is updated to pfSense Version 2.3 This guide will work on 2 or more interfaces. Please inform me of any and all errors found! Feedback is appreciated! Please rate this post or leave a comment to share if this worked for you! Table of Contents: Step 1: Disable IPv6 System Wide Step 2: Entering our AirVPN CA, Certificate and Key General Settings and Preparation Step 3: Setting up the OpenVPN Client Step 4: Assigning the OpenVPN Interface & Setting the AirVPN Gateway Step 5: IP and Port Alias Creation to Aid Interface Setup Step 6: Setting up an AirVPN Routed Interface Step 7: General Settings, Advanced Settings and Other Tweaks Step 8: Setting up the DNS Resolver -----

Lately I've been thinking about the prospect of using VPN's in conjunction with the Tor proxy and done some research. I know there are both pros and cons to Tor-over-VPN and VPN--Over-Tor connections and played with the idea of using both connection types at once - something I like to call the "Sandwiched Connection" in that you layer your Tor connection between two separate VPN connections. Please correct me if I got any details wrong or missing. First, you have your plain naked internet connection without a VPN or proxy so your ISP and local network can see everything you're doing. Next, you connect to a VPN server. It masks your IP address and location from your ISP as well as encrypts your web traffic so they have no idea what you're doing. However, the company managing the VPN server will have access to your real IP address, location and web traffic that will be decrypted in their servers - making it important it is a trustworthy service provider that doesn't keep logs of your activities and allows you to create your account with a temporary email address, no personal details and paid with cryptocurrency (that is untraceable like Z-Cash and Monero). You connect to your Tor proxy. Ordinarily, the Tor entry node will know your IP address and location. Since you are using a VPN, it will only know the masked address provided by the VPN server. Not only that but the Tor proxy will further encrypt your web traffic so even the VPN provider won't know what you are doing, just like how it, in turn, hides it from your ISP. Even better? Your ISP won't even know you are using Tor in the first place. However, the Tor exit node decrypts your web traffic and has full access to it as if you were never using a VPN to begin with. If the exit node happens to be malicious or operated by any authority that doesn't like what you're doing, they could potentially call whoever is operating the entry node and/or follow the mask IP address to the VPN service provider and contact them for details concerning you. Again, a trustworthy VPN provider with a no-logs policy is important. Then comes the second VPN connection. After you connect to Tor, you connect to that second VPN server which should encrypt your web traffic from the tor exit node. Whatever company is managing that second server (it could be the same service as the first one or a different one) will only know the IP address and location provided by the Tor proxy and first VPN server but it will know your web traffic as it is being fed to their servers and decrypted. Not to mention that this "sandwiched connection" will deliver a big dent to your connection performance so it helps if you have a powerful router connected via ethernet. So at the end of the day, I figured, someone has to know what you're up to online which leaves the question "Who do you trust with your personal information?" Plus this is all just theory, as far I can tell. Has anyone ever tried putting this into practise? Can anyone provide any further insight into the "sandwiched connection"? I look forward to talking about it.

Hello. I'm just trying to understand what you're saying here. So let me get it straight. You prefer to use one or two VPNs before connecting to Tor on a virtual machine. No Onion Sandwich (VPN>Tor>VPN)? The virtual machine can mask the host motherboard which can "betray" me? You mean anyone good enough can tell I am using a VM and crack right through to my host machine, is that it? If that's so, what if I used a Xen-based virtual machine? I hear they are more secure. I presume by rotating VPN's you mean switching to different VPN servers every time - that's a good practise. While the Tor Exit IP changes by itself automatically, the entry node IP doesn't which is why you suggest I reset the Tor connection between visiting different websites so I connect through a different route of Tor nodes every time, is that what you're saying? Could you clarify what capability it is you don't want to sacrifice though? I only ever dipped my toes in using the Tor browser a couple of times and never used it for a full blown browsing session so I'm really learning as much as I can before I know how to use it properly. Thanks.

I would like to add another consideration, which I feel is important in the equation. My preference is VPNs (1 or 2) first, then before workspace I go to Virtual Machines wherein I connect via TOR. The virtual machines mask any host motherboard hardware which can also betray you with an adversary that can ping it with skill. The big factor overlooked in a "sandwich" approach is that TOR cannot automatically change the circuit route every 10 minutes or so. While I am surfing my original two VPN's are constant (although I rotate them when starting every single session so they are rarely the same two) and the TOR exit IP keeps changing automatically. The TOR entry guard is more constant (assuming you know how the guard works in TOR). I would not want to sacrifice that capability when I spend hours surfing around. ALWAYS close the TOR browser when leaving a site and going to another. My approach, you decide if there is merit for your needs.

Hello! Thank you for your article. Just a correction on the quoted part. That's not possible because the Tor exit-node does not know your "real" and/or your "VPN" IP address. In general the exit-node receives all the traffic from middle-relays, which in turn receive the traffic from Tor guards (the entry-nodes). As far as it pertains to your purposes, consider the following setup, especially when high throughput is not a priority: connect the host over "OpenVPN over Tor" run a Virtual Machine attached to the host via NAT Tor-ify everything in the VM use end-to-end encryption, exclusively use only VM traffic for any sensitive task The above setup, we think, should meet all of your requirements. Furthermore, the main fault of "OpenVPN over Tor" (fixed circuit) is completely resolved by Tor in the VM. Kind regards