Multihop

[Anonymous Writer 2]

Have the AirVPN admins entertained the notion of implementing a multihop network of two to three servers per cascade?

You would still maintain the existing network of single servers. However, you would also create cascades of predefined servers or you could allow users to determine their own individual cascades.

The former would be more uniform and perhaps too predictable to attackers, including governments. But the latter may have far less users per cascades; thus, resulting in potentially more problems.

A multihop is exceedingly rare in the VPN market and I recommend AirVPN to take the initiative

Right now there are about a dozen servers or so and if each cascade has two to three servers, it would amount to a fair amount of cascades.

I would also suggest the following:

Creating multiple continent cascades.

There are plenty of U.S. based servers and each one can be used to multihop to a European server, with some entry and some exit nodes.

[Staff 9750]

Hello!

It's a nice idea and we have evaluated it. However we consider OpenVPN over TOR much more secure. A multihop VPN with all servers belonging to the same entity might add just a very thin additional security layer. Of course we could create separate entities/companies which handle various servers, however it's difficult to see a real advantage in comparison to Air over TOR.

Kind regards

[Anonymous Writer 2]

Hello!

It's a nice idea and we have evaluated it. However we consider OpenVPN over TOR much more secure. A multihop VPN with all servers belonging to the same entity might add just a very thin additional security layer. Of course we could create separate entities/companies which handle various servers, however it's difficult to see a real advantage in comparison to Air over TOR.

Kind regards

Ah, yes, I wrote the same in my book. As important as architectural anonymity is, it is equally important who the operators are. Independent operators would allow a far superior set up. However, I still think a multihop will help attacks against the size and timing of streamed data--to some extent.

Yes, chaining Air to independent servers would be more anonymous, but there are some advantages to a multihop as well. Especially if the operators of the servers are in different jurisdictions than the servers.

[telemus 16]

Hello!

 

It's a nice idea and we have evaluated it. However we consider OpenVPN over TOR much more secure. A multihop VPN with all servers belonging to the same entity might add just a very thin additional security layer. Of course we could create separate entities/companies which handle various servers, however it's difficult to see a real advantage in comparison to Air over TOR.

 

Kind regards

Hi there. Thanks for this post, which is very informative.

Just a query of clarification. You say "Air over ToR" - do you mean, start ToR first and then start Air?

I've read other posts about the relative advantages of each.

The other query is that if you run Air over Tor and then say go to an onion site, the onion site would see what IP? The Air ip or a ToR exit node?

I'm just puzzling over this as I've been reading various stories in the press about how bad people have been caught, and don't really follow the explanation. It seems ToR is not that robust against a determined adversary.

Thanks for your time. And I for one appreciate the advice/knowledge folks share here.

[willowbrook 16]

 

Hello!

 

It's a nice idea and we have evaluated it. However we consider OpenVPN over TOR much more secure. A multihop VPN with all servers belonging to the same entity might add just a very thin additional security layer. Of course we could create separate entities/companies which handle various servers, however it's difficult to see a real advantage in comparison to Air over TOR.

 

Kind regards

Hi there. Thanks for this post, which is very informative.

Just a query of clarification. You say "Air over ToR" - do you mean, start ToR first and then start Air?

I've read other posts about the relative advantages of each.

The other query is that if you run Air over Tor and then say go to an onion site, the onion site would see what IP? The Air ip or a ToR exit node?

I'm just puzzling over this as I've been reading various stories in the press about how bad people have been caught, and don't really follow the explanation. It seems ToR is not that robust against a determined adversary.

Thanks for your time. And I for one appreciate the advice/knowledge folks share here.

Did a bit of research myself and basically air over tor means running an airvpn connection through a static tor connection. If you use any application other than Tor, connection to airvpn will be routed through a static tor circuit. However, if you use Tor for example, browsing .onion (hidden services) sites the connection will just be routed through tor circuits (no airvpn involved).

 

On the other hand, running Tor over airvpn means starting airvpn first and then running Tor on top of Airvpn connection. Using torrent, chrome etc. anything other than Tor is just routing traffic through Airvpn server like normal. If you use Tor to visit hidden services (.onion) after connecting to airvpn, you are basically routing Airvpn and Tor encrypted traffic through you-->ISP-->Airvpn server and the Tor circuit is not static. This way, ISP cannot see that you are connected to Tor entry guard, but will see that you are connected to airvpn server and is encrypted twice.

 

Both methods have pros and cons, but remember that visiting hidden services via Tor has very good end-to-end encryption alone. Adding a vpn on top of a tor circuit to visit non-hidden services with other browsers than Tor can do more harm than good. If your VPN account is fully anonymous, feel free to use airvpn over Tor. However, to visit .onion sites, you must use Tor either way. In this case, I highly recommend Tor over Airvpn.

[telemus 16]

Hi Willowbrook

That's a neat explanation. Thanks for your time putting it together. It is an intriguing world in which we live and I'm constantly amazed at the amount of talent in the community where people invent things like ToR, and maintain it - because they believe in something (freedom, democracy) and other folks do their darnedest to tear it down. Ever thus, I suppose.

Thanks again for your time. 

[willowbrook 16]

Hi Willowbrook

That's a neat explanation. Thanks for your time putting it together. It is an intriguing world in which we live and I'm constantly amazed at the amount of talent in the community where people invent things like ToR, and maintain it - because they believe in something (freedom, democracy) and other folks do their darnedest to tear it down. Ever thus, I suppose.

Thanks again for your time. 

We are all thankful to those supporting privacy and anonymity

[telemus 16]

 

Hello!

 

It's a nice idea and we have evaluated it. However we consider OpenVPN over TOR much more secure. A multihop VPN with all servers belonging to the same entity might add just a very thin additional security layer. Of course we could create separate entities/companies which handle various servers, however it's difficult to see a real advantage in comparison to Air over TOR.

 

Kind regards

Ah, yes, I wrote the same in my book. As important as architectural anonymity is, it is equally important who the operators are. Independent operators would allow a far superior set up. However, I still think a multihop will help attacks against the size and timing of streamed data--to some extent.

 

Yes, chaining Air to independent servers would be more anonymous, but there are some advantages to a multihop as well. Especially if the operators of the servers are in different jurisdictions than the servers.

 

Hi there. I've been doing a bit of snooping round (unsupervised, I know; dangerous...) and also mulling over the comments here and information (thanks Willowbrook).

I think that ToR is becoming weaker almost daily - sure some individuals make errors, but it also seems from the court cases, that even quite modest but enthusiastically repressive governments (e.g some in the middle east) have means of overcoming ToR. 

It does seem that a multihop + ToR approach is much more robust - particularly, if as Anonymous writes, the entry and exit servers are in different countries as are the intermediate servers. 

The VPNs that offer multihop have bewilderingly complex instructions for using it on linux. The win app they offer is better. But at least one of the vpns leaks dns on multihop, making it kind of pointless unless one uses ToR as well.

This is a long winded way of asking the airvpn folks to have another look at implementing multihop. Air has a really good service and this could only make it even better.

Oh, I meant to say that having the entry IP and exit ip being only one digit different give a huge tell to any advesary. If they can see that the exit ip is, say XX.XX.XXX.XX1 and they know that the Ip will differ by only one digit (as appears when I look at eddie on my linux machine) then the adversary could guess that the entry IP is XX.XX.XXX.XX0 or XX.XX.XXX.XX2 - and it is then not too difficult to see the origin of traffic to that entry ip [well, according to the stuff I've been reading  - usual caveats, apply] I would be happy to be wrong on this. ToR would help but if it can be compromised, then the may be a problem.

Thanks for your time and for reading. And for folks who take the time to inform. Very helpful.

[iwih2gk 92]

There are several of us linux users here that use multi hop via AirVpn.  You will set it all up yourself, but in the end it gives YOU control over the configuration.  That is far superior to a generic client.  Another plus is that you can use any combination of servers you want to.  Most of the multi hop VPN providers have e.g. two routes.  That means when an adversary sees a particular IP at the exit node they already pretty much know the entry is the one designated server at the beginning of the two hop circuit.  Hope that makes sense to you.  With over 200 servers I can setup a two or three hop circuit using any of 200.  That makes virtually unlimited combinations.  Then of course I place TOR with 3 more behind the Air circuit.  Speed is fine unless I need an FTP > 1Gig file moved or similar.  My posts here all go through TOR behind multi hops.  Easy actually.

[telemus 16]

Hi iwih2gk. Thank you for your very informative post. It does make sense to me. I researched this topic and found only a couple of vpns that permitted selection of servers - most had fixed cascades and only a couple of hops. And I could see the vulnerability in that. I have a friend who studies this and she just a little while ago said the same thing.

I too use linux - but am novice.

I have two further queries, if I may.

The first is when you say "ToR behind Airvpn", do you mean you start airvpn and then start ToR? I'm not terribly technically minded, I'm afraid.

The second is that I looked through the forums to see if there was a detailed guide to setting up a cascade / multihop. But I could not find one (owing to my rubbish search skills, no doubt).

Could you post some instructions?

Thanks heaps for your taking the time to reply to my posts.

Regards

T

 

 

[shivadiva 1]

There are several of us linux users here that use multi hop via AirVpn.  You will set it all up yourself, but in the end it gives YOU control over the configuration.

 

I would be very interested in that as well. Could you please tell us how you do this or point us in the right direction by mentioning a few keywords so we can research this ourselves?

Thanks a lot in advance.

[iwih2gk 92]

I'll give a quick "box" description to start you off.  Before I do; I make mention that just as Staff indicated, using TOR over Air is a better option IF you are only going to use one enhanced circuit method.  Using TOR over Air and from within a virtual machine greatly enhances your tunnel strength and the VM further fortifies against a malware breakout to the host, which would lead back to your original IP (bad thing of course).  Its a separate subject but use of virtual machines is pivotal in easily blocking access to your host motherboard and its unique ID, which can betray your identity.  Just saying.

 

1.  One easy two hop method would be to install ddwrt (optional) and place AirVpn directly on your router.  That way ALL devices on your LAN go through one hop.  Next you would connect your computer via another Air server and I am assuming at this point you know how to secure Linux firewall rules, or simply use Eddie to engage a network lock on your OS (I write my own rules via IPtables and UFW, but Eddie is another way to go).  Now you are on two servers of your choice, but still I want to encourage you to consider adding virtual machines to pull your host OS out of workspace and eliminate lots of potential problems.

 

2.  Assuming you do NOT want to operate your router permanently through Air you have other options.  A learning curve will confront you but its doable for anyone willing to read and study.  You would connect your host linux OS to Air via whatever method you wish (just like you do now most likely).  Now you need to install VirtualBox or similar and then create a PfSense VM that will be NAT'd or Bridged to the host.  This will be relay/server 2 on your circuit.  Relay 2 will only see relay1 because they are forming a chain.  Next you build a linux VM and construct it so that it can ONLY connect and see relay 2.  This workspace VM cannot connect or see relay 1 under any circumstances.  If you stop at this point and connect to the internet (I call this workspace) any site you visit will see the exit IP of relay 2 and nothing of relay 1 will ever be seen.  Obviously, the true IP before relay 1 is a complete ghost as well.  We have lots of PfSense stuff here, or at IVPN, or other security sites.  Once you understand the process it is trivial to engage a third server as well, if desired.  Its just another link in the chain.  I only use two, but I do then add another 3 via TOR in private VM's.  This is all I am prepared to place here for now.  It gives you a starting point.

[shivadiva 1]

Thank you very much for taking the time to share your approach with us, iwih2gk!

And thanks for reminding me of IVPN, their privacy guides are great. Time for a refresher

[telemus 16]

Hi iwih2gk Thanks heaps for posting. That is very helpful and as you say, a learning curve for someone like me.

And Thanks for the IVPN reference.

As shivadiva said, time to brush up....

[abarski 0]

Hello

[pr1v 36]

Hello

Please don't post like that in a thread you didn't begin. And... do you want to receive spam in your email?. Change your username and never post with your email as your username.

[OpenSourcerer 1359]

Mr. pr1v, his/her email is in your quote

 

Sent via Tapatalk. Means, I don't have a computer available now.

[pr1v 36]

Someone deleted it, if it was in my quote then I am sorry, my fault

 

 

Mr. pr1v, his/her email is in your quote

 

Sent via Tapatalk. Means, I don't have a computer available now.

[telemus 16]

Hi there.

Thanks to the various posters who provided such excellent advice. I remembered that I had an old router in my cupboard. I did some duckduckgo-ing and found a guide to flash it with DD-WRT, and set it permanently to a vpn. It then connects to my non-vpn router. When I want double hope, I start airvpn on my pc, but use a wifi connection to the vpn router and then on to the internet. My reason for this was to see if a person like my, with no technical aptitude could manage to do this. I could.

I'm now going to have a crack at the virtual machine approach.

Thanks for your time and reading.