Silk Road forums

Discussion => Security => Topic started by: goblin on November 25, 2012, 03:03 pm

Title: Tor run through VPN
Post by: goblin on November 25, 2012, 03:03 pm
Every now and then this topic comes up, and never have I seen a satisfactory answer. So I decided to try again. Can someone provide a brief yet lucid and not too technical explanation or even tutorial on how this can work securely and safely?

I'm still a non-techie when it comes to computers and such.

goblin
Title: Re: Tor run through VPN
Post by: echo_ on November 25, 2012, 03:18 pm
You mean like using Tor inside a VPN or SSH tunnel?
Title: Re: Tor run through VPN
Post by: goblin on November 25, 2012, 03:42 pm
Yes, exactly.
Title: Re: Tor run through VPN
Post by: w0ju2hnq on November 25, 2012, 08:01 pm
The way I've done it in the past is to run your tor server on the VPN server itself and then use an SSH tunnel to link local clients to it.

Hopefully that gives you a place to start.  Google is your friend.
Title: Re: Tor run through VPN
Post by: goblin on November 25, 2012, 10:05 pm
But doesn't that mean that you have to have control of the VPN server? How in the world would you do that without being a hacker or cracker? I mean, if you pay a VPN service for the tunnelling, obviously what I want to know is how to do the "torring" after I connect through the VPN.

The tor people themselves say that if you don't know what you're doing, it's better not to even try it or you could make things worse for yourself. Unfortunately they don't even give you a clue as to how to "do it".

goblin
Title: Re: Tor run through VPN
Post by: farmer1 on November 25, 2012, 10:33 pm
Read more about what a VPN is. People use them for different applications and privacy is just one of those.

When you use a VPN your data is encrypted at your computer and sent via your ISP to your VPN, who then decrypts it and goes and fetches whatever you want from the internet. The return data is also encrypted by your VPN and sent back to your computer where it is decrypted. All you are doing is making it so your ISP can't see what you are doing. The VPN service can.

When you add Tor to the mix your data is encrypted by Tor, then encrypted again for your VPN. The VPN sheds a layer of encryption as it passes your data on to your Tor entry node. The Tor encryption is shed at the Tor exit node.

You need to think out your VPN usage and what it really does. ISP->Tor->VPN is very different than ISP->VPN->Tor. A VPN is essentially a 2nd ISP that hides your data from your 1st ISP. If you choose to use one it is recommended you pick one that you can pay for anonymously (with bitcoins) and still treat it as if everything that passes through it is being monitored. Pick one that doesn't keep logs.

It all depends. With a VPN you are able to keep prying eyes from seeing that you are using Tor. On the other hand, with a VPN you could link all your browsing activity to your identity, even when using Tor (but not for hidden services like the SR, only clearnet activities) if you pay with a CC and go ISP->Tor->VPN->incriminating web activity.
Title: Re: Tor run through VPN
Post by: goblin on November 26, 2012, 02:17 am
farmer1, have you set up ISP->VPN->Tor yourself? Have you done it before?

I imagine that is the better (more secure) setup, but I still don't know how to implement it. I suppose finding a VPN service that accepts bitcoins is no easy matter, not trivial in the least bit.
Title: Re: Tor run through VPN
Post by: goblin on November 26, 2012, 02:27 am
Wow, I was wrong! I very easily found at least half a dozen VPNs that accept bitcoin as payment. Am checking them out one by one.

goblin
Title: Re: Tor run through VPN
Post by: farmer1 on November 26, 2012, 03:12 am
I am not going to say what I do specifically, but I have played around with them before.

Don't suppose anything. If you learned about the SR, Tor, bitcoins, PGP, and even made your own .onion web page then you will have no trouble learning enough about VPNs to make an informed decision based on your specific needs.
Title: Re: Tor run through VPN
Post by: kipperswithcheese on November 26, 2012, 04:13 am
From what I'm reading here, I suppose that just running Hotspot Shield is not recommended? I figured it was a good idea since it works with TorBrowser, but maybe I should've read up more.
Title: Re: Tor run through VPN
Post by: Api on November 26, 2012, 04:34 am
I currently use privateinternetaccess VPN, they accept bitcoin, can max out my connection at a reasonable price while allowing me numerous freedoms  ;)
Title: Re: Tor run through VPN
Post by: goblin on November 26, 2012, 12:27 pm
That's cool, Api. Do you use your installed torbrowser bundle to connect to the openvpn and then can access onion sites like this? I ask because one of the vpn providers I looked up, called torvpn, says that I could use their service, connect to their openvpn, then use their installed tor package on their server to connect to onion sites, but that they DON'T recommend using this. So I figure that they would recommend connecting with them through my tor, then with both services piggybacked so to speak, I would go merrily on my way to onionland.

Title: Re: Tor run through VPN
Post by: farmer1 on November 26, 2012, 08:01 pm
goblin,

Don't use 'their installed tor package'. This is the kind of thing that can bring you down using a VPN. In this set up you are going: encrypt data on your computer with PPTP/OpenVPN only -> VPN -> VPN decrypts your data and can see everything in plain text -> VPN re-encrypts your data for Tor and sends it to a Tor entry node -> blah blah blah wherever you choose to go.

After receiving your data the VPN will be able to see what addresses you are going to via Tor and even see your password and login information. Very bad. This is essentially the same as using a .onion.to address to access SR.


Use YOUR Tor browser. It encrypts your data *on your computer* as it heads out the door and you can be sure that your ISP and the VPN can not read it.

The VPN is just an encrypted tunnel for your data. It is like a snail mail forwarding service for all your incoming and outgoing letters. People think they are writing to you in Florida because that is where all your mail comes and goes from, but really you live in Colorado and only the forwarding service knows your real address. This doesn't mean you should trust the mail forwarding service to not open your mail. If you have sensitive information being sent back and forth you need to treat the situation as if they *are* reading all your mail and encrypt it so it means nothing to them when they open your letters.
Title: Re: Tor run through VPN
Post by: goblin on November 26, 2012, 09:57 pm
Thanks, farmer1, that's very helpful. I am still in the beginning stages here and am sure to learn much more in the coming days.
Title: Re: Tor run through VPN
Post by: goblin on November 29, 2012, 08:03 pm
Say farmer1, can I pick your brain one more time? I don't want to PM you as I think that's presumptuous and you may not want to be bothered.

The last three days I have studied this matter carefully and arrived at some conclusions. The most important really is more of a catch 22 and I'd like to throw it at you and see what you think.

There are just two types of connections to be made here: either tor "over" (rather through) openvpn, or openvpn over tor. In the first case, the vpn servers will absolutely know your real IP no matter how you pay them. And in this case, you can connect to tor hidden servers such as SR.

BUT, the second way, openvpn over tor, they will not know your real IP (they will see the IP of the tor exit node instead) but you can't access tor hidden services. If you do choose to connect to onion sites, then the connection will default automatically over tor alone, and openvpn will be out of the picture, so any advantage of using an openvpn in addition to tor will be totally lost IN THIS case.

So it seems to me that the better, more private way (the second) doesn't allow what we are here for, and if you want to do what we are here for, you have to use the worse, less private way. (Even so, the vpn servers will not see what you are connecting to in tor land, but they will know who you are if only by the IP, and they will know that you're using tor, but to connect to what, they won't.)

Is all this correct in your view or am I muddling the picture?

Thanks again for your help.

goblin
Title: Re: Tor run through VPN
Post by: farmer1 on November 29, 2012, 08:57 pm
I think you are seeing things clearly now.  :)

The first method (VPN->Tor):
You make a good point about the VPN provider having access to your IP address no matter how you pay them. Some claim to not keep logs. I wouldn't trust that there really aren't any logs, but if it is true then it could be an advantage to keeping yourself anonymous. The fact that the VPN has your IP address is a major reason many don't think a VPN helps at all. Some also claim that using a VPN makes your account suspicious to your ISP.

The second method (Tor->VPN):
This method has its uses, but you are absolutely correct, the advantages do not apply when visiting Tor hidden services. One use of this method could be to access a clearnet website that does not allow incoming connections from the Tor network. You would be able to still use the anonymity the Tor network provides while appearing to come from a non-Tor IP. If the VPN is not paid anonymously then this method is not safe. In this case it doesn't matter if they keep logs. If you use the same VPN account for method 2 that you also have used for method 1 then you are no longer anonymous, even with Tor in the mix.

Feel free to contact me anytime. It would be great to hear some of the security gurus here chime in with their opinions on this. While I believe what I am saying is correct it always helps to have our ideas proofed by the others reading this forum. Be careful about receiving security advice in private as you can never be sure if that person 'helping' you is really trying to get you in a corner. If we go over this stuff publicly and I tell you something wrong hopefully someone will jump in to correct us.
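
The three arrangements discussed in this thread (method 1, method 2, and the provider-hosted Tor package warned against earlier), modelled as an added example that is not part of any forum post. Node names, tunnel endpoints and the `paid_with_identity` flag are assumptions of the model; it covers clearnet destinations only and ignores any end-to-end TLS to the site.

```python
# Added illustration: a toy model of who can observe what; it sends no traffic.
# Each setup is (path, tunnels). A tunnel (a, b) is an encryption layer applied
# at node a and removed at node b. All names here are assumptions of the model.
SETUPS = {
    # Method 1 (VPN->Tor): Tor runs on the user's machine, carried inside the VPN.
    "tor_over_vpn": (
        ["client", "isp", "vpn", "entry", "middle", "exit", "site"],
        [("client", "vpn"), ("client", "entry"),
         ("client", "middle"), ("client", "exit")],
    ),
    # Method 2 (Tor->VPN): the VPN session is carried inside the Tor circuit.
    "vpn_over_tor": (
        ["client", "isp", "entry", "middle", "exit", "vpn", "site"],
        [("client", "entry"), ("client", "middle"),
         ("client", "exit"), ("client", "vpn")],
    ),
    # Tor client installed on the VPN provider's server, not on the user's machine.
    "provider_hosted_tor": (
        ["client", "isp", "vpn", "entry", "middle", "exit", "site"],
        [("client", "vpn"), ("vpn", "entry"),
         ("vpn", "middle"), ("vpn", "exit")],
    ),
}
PASSIVE = {"isp"}  # carries packets but terminates no tunnel


def observe(setup, paid_with_identity=False):
    """Return, per intermediary, whether it knows the user and sees the site."""
    path, tunnels = SETUPS[setup]
    pos = {name: i for i, name in enumerate(path)}
    view = {}
    for node in path[1:-1]:
        i = pos[node]
        # The client's address survives only across hops that terminate no tunnel.
        sees_ip = all(n in PASSIVE for n in path[1:i])
        # A node strictly inside a tunnel sees only ciphertext bound for its far end.
        inside = any(pos[a] < i < pos[b] for a, b in tunnels)
        knows_user = sees_ip or (node == "vpn" and paid_with_identity)
        view[node] = {"knows_user": knows_user, "sees_site": not inside}
    return view


def linkers(setup, paid_with_identity=False):
    """Intermediaries that can tie the user to the site on their own."""
    view = observe(setup, paid_with_identity)
    return [n for n, v in view.items() if v["knows_user"] and v["sees_site"]]


if __name__ == "__main__":
    for name in SETUPS:
        print(name, linkers(name), linkers(name, paid_with_identity=True))
```
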
Title: Re: Tor run through VPN
Post by: Party Girl on November 30, 2012, 01:06 am
Hi guys!  Does anyone have a recommendation for a VPN?  Since you cannot count on them to be honest about retaining log files, should I seek out a foreign or domestic VPN or does it matter if you choose Method #2?

I see https://www.privateinternetaccess.com/ mentioned a lot and they take BTC and are reasonable at about $40USD per year.  However, they are based in the US and this is what they state in their Privacy Policy:

PrivateInternetAccess.com does not collect or log any traffic or use of its Virtual Private Network ("VPN").

DISCLOSURE

    If under subpoena, PrivateInternetAccess.com may release data in order to comply with legal obligations or in order to enforce the PrivateInternetAccess.com Terms of Service and/or other agreements.
    PrivateInternetAccess.com may release data in order to protect the rights, property and/or safety of PrivateInternetAccess.com, its constituents, and/or other visitors and clients.


What could they possibly release to authorities if you paid by BTC and used TOR via Method #2?  My story is I am a privacy advocate and run TOR bridges for countries that are being suppressed by their governments.
Title: Re: Tor run through VPN
Post by: goblin on November 30, 2012, 02:01 am
Hey Party Girl, great to hear from a fellow lover of freedom and privacy, we're having less and less of both in this country! I congratulate you on your willingness to help others who are in an even more precarious condition than we here.

But getting back to business, I see AirVPN as being very good, at least they have a good tutorial on how to set up their openvpn client to tunnel through tor (tor > openvpn) and they seem to go on about how this guarantees that they cannot see your IP at all, which is true. But really, the more I read about this topic, the more I'm beginning to see openvpn as kind of a red herring. I mean, if for onion sites you have to rely strictly on tor, as apparently even if you're using tor > openvpn, if you use the tor button on your tor browser, the connection will fall straight through tor only, leaving openvpn out of the picture (am I right on this, security gurus?), then what good is it? Yeah, only for those clearnet sites that you want to visit without leaving any traces using tor without the danger of your IP being leaked in case of javascript or what have you. But for our SR and other hidden services, openvpn is just so much fluff.

And as for the other method, openvpn > tor, I do not like their being able to see my real IP, even if they won't know what I'm visiting or downloading with tor.

I sure hope an absolutely super expert will chime in here, cause I'm just winging it!

goblin
Title: Re: Tor run through VPN
Post by: Party Girl on November 30, 2012, 02:36 am
@Goblin:  I don't see where they accept BTC and without anonymous payments, there is little chance of anonymity.  In fact worse yet, they only accept PayPal!    YUK!
Title: Re: Tor run through VPN
Post by: goblin on November 30, 2012, 03:07 am
Yes, they do accept bitcoins, it's just kind of hidden. I can't recall the exact url on their site right now, but you can find it by searching for vpns that accept bitcoins, or this: http://www.bestvpnservice.com/blog/vpn-with-bitcoin-payments and there's a link to several vpns among them airvpn. Also this:

http://bitcoincodes.com/index.php?unit=store&op=browse&cat=10

goblin
Title: Re: Tor run through VPN
Post by: Party Girl on November 30, 2012, 11:46 am
Thanks and would you mind telling me why you chose them say over www.privateinternetaccess.com? 

Luv,
PG
Title: Re: Tor run through VPN
Post by: goblin on November 30, 2012, 01:45 pm
PG, I didn't choose anything, I do not use a VPN, open or otherwise. I may in the future, or not, I haven't decided. I merely thought this is a good vpn as they offer a straightforward way of configuring the client to do the tor > vpn thing.

goblin