Posts posted by sheivoko

  1. The issue seems to be that you can't access your server once the server itself is connected to AirVPN. This makes sense. You would need to forward the RDP port to AirVPN: airvpn.org/ports

    Then you could RDP to airvpn_server:port which will be forwarded to your_server_ip:rdp-port



    (Another idea would be to have two separate network interfaces on the server - one that gets tunneled through VPN and one that doesn't - but port forwarding should be the easier way of doing this, I think.)

  2. X-Forwarded-For is related to HTTP headers and is used by non-anonymous HTTP proxies. This is how it is usually used:


    1. you access a site going through such a proxy

    2. the proxy accesses the site for you, adds X-Forwarded-For (containing your IP address) to HTTP header

    3. site reads HTTP header and now knows your IP/location


    I would say you can safely add a fake X-Forwarded-For, regardless of your use of (Air)VPN.

    It will only defeat a small portion of georestriction methods, but if it helps in your specific case, go ahead.

  3. As long as you're connected to the VPN, any "Tor leaks" would expose your VPN's IP, not your own. 


    You might also find it worthwhile to create a firewall rule set to prohibit any connections should your VPN connection drop, or if you forget to enable it.

    User jessez has provided good advice for OS X users:


    using pf (on OS X Lion and newer)



    using ipfw (on OS X Snow Leopard and older)



    Provided you set it up correctly (test it!) and don’t get infected by root-privileged malware (which would be able to disable your firewall), nothing could get around the VPN tunnel, no matter if you're currently connected to the VPN or not.

  4. I agree with virtualization being an additional layer of security.

    I disagree with TBB being "highly exploitable". The leaked presentation clearly shows that digging up native FF vulns is a pain in the ass, even for the NSA.

    So, they won't waste such vulns for wide-spread attacks against Joe Blow users. ¹ ³


    Also, VirtualBox is not a security product and it's maintained by Oracle, a commercial vendor with an awful track record wrt code quality and security management. ²




    ¹ Case in point: The FF vuln recently used by FBI for their "Torsploit" was no 0day, it was long patched - which either means they didn't have a better vuln for a more effective exploit - or they didn't want to waste it for this particular attack. 

    ² https://www.whonix.org/wiki/Advanced_Security_Guide#About_VirtualBox

    ³ "The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. (..) you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice." from: https://blog.torproject.org/blog/yes-we-know-about-guardian-article

  5. If you connect to AirVPN via Tor and browse the web like support staff suggested to you, you have a "partitioning of trust" situation. In short, you can use AirVPN without trusting AirVPN and you can use Tor without trusting Tor.


    • you benefit from Tor, but exit nodes cannot sniff or log your traffic. All they can see is that you connect to a VPN
    • you benefit from using AirVPN (you can use sites that block Tor)
    • you don't need to trust AirVPN - if the datacenters AirVPN uses get raided or AirVPN gets compromised somehow, all the attacker would see is your Tor IP, not your real IP. Remember, even if AirVPN doesn't store connection data, they do see, and have to see, the IP of your current connection. 

    It is, of course, a huge performance hit. Tor will slow you down significantly. From my point of view, it makes more sense to use AirVPN directly and on top of that, browse with Tor Browser. But this is a totally different scenario, and everybody has different needs, so find out what you need and what works best for you.


    And, do not forget to test your setups. Tor via VPN, VPN via Tor, this browser, that browser, lots of confusing situations. Just as important as getting all this to work is to make sure it doesn't fail - firewalling, blocking non-VPN connections, ...

  6. Yes, if you browse with Tor Browser, you cannot do that.


    1. There is a theoretical way to limit Tor to only choose Exit nodes from specific countries (read: https://www.torproject.org/docs/tor-manual.html.en scroll to ExitNodes and read the warnings, too). It kills your anonymity and is cumbersome, so really, don't do that.
    2. If you need a Singaporean IP, use a VPN and a normal browser. (Don't forget that Tor Browser does more than just give you a Tor IP. Tor Browser has lots of security patches and privacy adjustments that you won't have with other browsers.)



  7. xer:


    Part 1 of your question: Yes, leave Tor alone. For all recent versions of TBB, the port number is 9150 (and open by default). All you have to do is to make an application, like for example your OpenVPN client, use it.


    Part 2 of your question:


    1) You --> TBB = browsing via Tor


    2) Your application --> TBB's Socks port = your application connects to world through Tor


    If that application is your OpenVPN client, pointed at Socks port 9150:


    3) You --> VPN (while VPN is connected through Tor, see 2)! ) --> Internet 



    Now, your question was, why does TBB not show the VPN IP address?

    Well, because internally, TBB's Firefox uses Socks port 9150 to connect to the Tor process. It's the same procedure as in 2)! So, whatever you do with your VPN configuration - in Tor Browser, you will always see a Tor IP.


    Please ask again if it is still unclear!


    I have a slightly different need. I want to only have this kind of protection when I'm running certain programs, e.g. P2P, and otherwise allow normal internet traffic to "leak" if the VPN goes down.


    You cannot do application-level rules with ufw.
    Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this:
    - create a user account "p2puser"
    - launch your p2p apps with this new user account
    - deny traffic coming from user id "p2puser" on eth0/wlan0
    - allow all other traffic on eth0/wlan0
    (eth0 / wlan0 as examples for your non-VPN network interfaces).
    I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this
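
The `--uid-owner` steps from the post above, written as a rule generator plus a check on the resulting rule listing. This is an added example, not part of the original post; the account name `p2puser`, the interfaces `eth0`/`wlan0` and both function names are assumptions.

```bash
# Added example. Assumed names: account p2puser, non-VPN interfaces eth0/wlan0.

# Print (do not run) the per-user block rules so they can be reviewed first.
# Usage: p2p_rules USER IFACE [IFACE...]
p2p_rules() {
    local user="$1" ifc
    shift
    for ifc in "$@"; do
        # REJECT rather than DROP so the P2P client fails fast when the VPN is down.
        printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j REJECT\n' "$ifc" "$user"
        printf 'ip6tables -A OUTPUT -o %s -m owner --uid-owner %s -j REJECT\n' "$ifc" "$user"
    done
}

# Read an `iptables -S OUTPUT` listing on stdin and succeed only if every given
# interface has a REJECT/DROP rule for the uid that no earlier ACCEPT shadows.
# Pass the uid exactly as it appears in the listing.
check_rules() {
    local uid="$1" rules line ifc verdict
    shift
    rules=$(cat)
    for ifc in "$@"; do
        verdict=missing
        while IFS= read -r line; do
            case $line in "-A OUTPUT"*) ;; *) continue ;; esac
            # Skip rules bound to a different outgoing interface.
            case $line in *" -o $ifc "*) ;; *" -o "*) continue ;; esac
            case $line in
                *"--uid-owner $uid "*"-j REJECT"*|*"--uid-owner $uid "*"-j DROP"*)
                    verdict=blocked; break ;;
                *"--uid-owner "*) continue ;;             # rule for another account
                *"-j ACCEPT"*) verdict=shadowed; break ;; # conservative: any earlier ACCEPT
            esac
        done <<EOF
$rules
EOF
        [ "$verdict" = blocked ] || { echo "$ifc: $verdict"; return 1; }
    done
    echo ok
}

p2p_rules p2puser eth0 wlan0   # prints four commands for review
```

Feed the live listing to the check with `iptables -S OUTPUT | check_rules <uid> eth0 wlan0` after applying the printed commands as root.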

  9. VPNs next?



    The sad reality is - nothing can really protect you from big-budget agencies. Not Tor, not VPNs.

    They (NSA, GCHQ, FBI, ...) already attack / sniff VPN users whenever they can:


    - decrypting flawed VPN crypto / protocols (like PPTP)

    - matching incoming / outgoing traffic flows if they're unable to break the crypto


    Using VPNs with good crypto - like AirVPN - requires them to fall back to the second method, which is more work, so we should definitely keep using VPNs to make it harder for them.



    P.S.: the title saying "Controlled Tor Servers" makes it sound as if they compromised Tor and its node infrastructure itself. This is not the case. They "only" took over one website hosting service. This attack could have been carried out with a pwned www site just as well. Tor itself was and is fine. The out-dated browser that was exploited to harm Tor users wasn't. This is a subtle but encouraging difference to me.


    These task forces are rarely a good idea, but this does not stop them from existing.

    If the Tor Project was not part of this task force, who else will:


    - educate that group about how Tor can actually help protect victims of abuse and stalking?

    - stop that group from mistaking Tor for a criminal network that has to be fought against?


    That is why I want Tor folks sitting at this table. This is lobbying, not collaboration with the enemy.


    Of course - I would be extremely worried to see Tor compromise itself by implementing selective censorship or worse. But there is no evidence whatsoever that this is starting to happen.

  11. Fingerprint tracking: https://panopticlick.eff.org

    Cookieless cache tracking:  http://lucb1e.com/rp/cookielesscookies/


    One more Firefox addon suggestion: 

    "Secret Agent", constantly rotates user agent string and spoofs several other headers



    It is very difficult to stay anonymous / untrackable with a regular browser. If you are really serious about this topic, there is no way around using Tor Browser, in my opinion.
