blog-contributions/opsec/torthroughvpn/index.html

264 lines
16 KiB
HTML

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Using Tor Safely: Tor through VPN or VPN through Tor?</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-04-30</ba></p>
<h1>Using Tor Safely: Tor through VPN or VPN through Tor? </h1>
</br></br>
<h2><b>Tor and VPNs comparison Recap</b></h2>
<p>As we went over this comparison in the previous blogpost <a href="torvsvpn">here</a> i will briefly recap it here:</p>
<b>VPNS:</b>
<p>VPNs can provide Privacy from your ISP <img src="../su0.png">, but by using one you are getting privacy from someone (most likely your ISP), but the VPN provider can see what you're doing with your internet connection.<img src="../su2.png"></p>
<p>In other words, you're just shifting the privacy problem from your ISP to your VPN provider. You are moving your trust from one centralized entity <img src="../ce2.png">to another</p>
<b>Tor:</b>
<p>The Tor Network provides Anonymity by routing your traffic through 3 random servers that are spread across the world. </p>
<p>Using Tor means you are employing Decentralisation, <img src="../ce0.png">by using it you are placing your trust into 3 random entities (which can be individuals, companies or adversaries), in 3 different legislations (due to being in 3 different countries), rather than in one centralized entity, hence providing Anonymity on the IP layer. <img src="../on0.png"></p>
<p>There is always a low probability of risk, where if you are unlucky and tor circuits go through 3 nodes that are hosted by the same malicious entity, leading to deanonymization. <img src="../on2.png"></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Tor and VPNs combinations</b></h2>
<p>Combining Tor and VPNs require to be justified depending on the <b>clientside context</b>, and on the <b>serverside context</b>: </p>
<img src="11.png" class="imgRz">
<p>First comes the clientside context: <b>Does your country allow anonymity ?</b></br> </p><p>Check if your country allows Tor traffic or not. If it's not illegal, you can use tor traffic as is. </br><b>(you -> tor)</b></p>
<p>If you are in a country where tor traffic is illegal, you need to hide tor use behind a vpn </br><b>(you -> vpn -> tor)</b></p>
<p>If you are in a country where both Tor and VPNs are illegal, <b>know that this is too risky to try and be anonymous online</b> personally i wouldn't even try to be anonymous online in that context, <b>because you risk being persecuted for just using the technology</b>. If you still want to have anonymity anyway, you'll have to <a href="https://github.com/net4people/bbs/issues">use censorship evasion techniques</a> like using <a href="../tor/bridge/index.html">tor bridges.</a></br> <b>(you -> tor bridge -> tor)</b></p>
<img src="12.png" class="imgRz">
<p>Second comes serverside context: <b>Does the service allow anonymity?</b></br></p><p> Check if you can use the service using tor only,</br><b>(tor -> website)</b></p>
<p>If the website doesn't allow tor traffic, hide tor traffic behind a VPN </br><b>(tor -> vpn -> website)</b></p>
<p>If the website doesn't allow vpn traffic either, personally i would stop trying there, but you could try using residential proxies </br><b>(tor -> residential proxy -> website)</b></p>
</br>
<p>In conclusion, there are only 4 valid Tor / VPN combinations:</p>
<pre><code class="nim">
#country allows tor traffic:
you -> Tor -> service
you -> Tor -> VPN -> service
#country doesn't allow tor traffic, but allows VPNs:
you -> VPN -> Tor -> service
you -> VPN -> Tor -> VPN -> service
</pre></code>
<p>If you want to experiment with multiple tor / vpn setups at once (as part of the <a href="../internetsegmentation/index.html">internet segmentation</a> Opsec practice), you can try each setup in a VM separately like so:<p>
<img src="133.png" class="imgRz">
<p><u>Sidenote:</u> there is no point in having a setup that is going twice through Tor, only once is enough to obtain anonymity.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Use DAITA when trying to use VPNs for Anonymity</b></h2> </br> </br>
<p>When trying to use VPNs for anonymity, take note that we need to prevent traffic correlation as much as possible, hence we want to protect against AI-guided traffic analysis, <b>in order to make sure our VPN traffic looks the same as with other users.</b> To do so we enable DAITA (Defense Against AI-guided traffic analysis) in the mullvad VPN:</p>
<img src="18.png" style="width:250px;">
<img src="19.png" style="width:250px;">
<img src="20.png" style="width:250px;">
<img src="21.png" style="width:250px;">
<p>Once enabled this will prevent an adversary watching connections to and from a VPN server to figure out which VPN user (that is currently using a VPN server) is visiting which website, based on the packet size and traffic patterns. (see <a href="https://mullvad.net/en/vpn/daita">this article</a> for more details on how DAITA works)</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>First Goal: Accessing websites that block Tor</b></h2> </br> </br>
<p>Great, you found out about Tor, you want to be anonymous while browsing the web, and now you start to use your favorite centralised services (google, youtube for example) <b>but you realize that they don't allow you to use their service while you use tor!</b></p>
<img src="1.png" class="imgRz">
<pre><code class="nim">
You -> Tor -> Destination
</pre></code>
<p>Keep in mind that <a href="https://metrics.torproject.org/rs.html#search/flag:exit">Tor exit nodes are all public</a>, it's easy for website administrators to block Tor exit nodes IPs by blocking their public IPs directly. So you can expect popular services that are openly hostile to both anonymity and privacy to block Tor traffic. </p>
<p>So the constraint here is to access the service <b>without showing up as a tor exit node IP from their end.</b></p>
<p>To get around that problem, the idea is to force a VPN to connect through Tor (VPN through Tor Setup):</p>
<img src="2.png" class="imgRz">
<pre><code class="nim">
You -> Tor -> VPN -> Destination
</pre></code>
<p>That way, we have the following result:</p>
<ol>
<li><p>Your ISP only sees Tor traffic</p></li>
<li><p>The VPN provider does not know who's using their infrastructure</p></li>
<li><p>The website administrators of popular services think you are using their service using a simple VPN</p></li>
</ol>
<p>A constraint here of course is to acquire the VPN connection anonymously, to do so we only use Tor and Monero as explained in my tutorial on <a href="../anonymity/index.html">Anonymity Management</a>:</p>
<img src="6.png" class="imgRz">
<p>If the popular service does not block VPNs, you're good to keep using their service while still maintaining Anonymity.</p>
<p>/!\ Be warned that this setup takes into account that you're properly segmenting your <a href="../internetsegmentation/index.html">Internet Usage</a>, because initially when you use this setup (you -> tor -> VPN), you may be anonymous, but <b>depending on your usage over time, you are increasingly more likely to be deanonymized if you are improperly segmenting your internet usage.</b> (see details on <a href="../opsec/index.html">OPSEC</a> for more details)</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Second Goal: Hiding Tor usage from your ISP</b></h2> </br> </br>
<p>Another scenario is when you need to hide the fact that you're using Tor from your ISP, we have the following setup which is useful to prevent <a href="https://edition.cnn.com/2013/12/17/justice/massachusetts-harvard-hoax">Tor usage correlation</a>.</p>
<img src="5.png" class="imgRz">
<pre><code class="nim">
You -> VPN -> Tor -> Destination
</pre></code>
<p><u>WARNING:</u> in this setup you are trusting your VPN provider to not snitch to your ISP that you are using Tor!</p>
<p>From your ISP's point of view, using Tor alone definitely stand out from regular traffic, a popular option you can go for is to use a VPN (as this is a much more common occurrence), and to use the Tor browser while keeping the VPN connection open.</p>
<p>In the unlikely event that you get deanonymized while using Tor, <b>only your VPN IP would get revealed instead of your home IP address</b>. And if the VPN provider has strict no-log policies and <a href="https://www.theverge.com/2023/4/21/23692580/mullvad-vpn-raid-sweden-police">they actually follow through with their promises</a>, <b>it's very unlikely that both your VPN and Tor would be compromised at the same time.</b></p>
<p><u>DISCLAIMER ON VPNs:</u> Keep in mind that if you choose to use a VPN anyway, you must conduct a strict VPN selection, see <a href="https://www.privacyguides.org/en/vpn/">Privacy Guides' Recommendations</a> on that topic, out of which i recommend <a href="https://kycnot.me/service/Mullvad">Mullvad</a> because they accept Monero without any KYC.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Third Goal: Hiding Tor usage (For Heavily Censored Countries)</b></h2> </br> </br>
<p>A popular scenario people encounter, especially in <a href="https://rsf.org/en/index">heavily censored countries</a> (the prime example being <a href="https://iv.nowhere.moe/watch?v=QBp6opkcxoc">China with their "Great Firewall"</a>), is that the state blocks all VPN connections, on top of making them illegal.</p>
<p><b>Citizens don't want their ISP to know that they are using the Tor network. Because otherwise they would be prosecuted for simply using the technology.</b> </p>
<p>Out of that situation, Tor bridge nodes were created. Tor bridge nodes are purposefully not listed in the public Tor directory to avoid being blocked by governments. Tor bridges include multiple <a href="https://tb-manual.torproject.org/circumvention/">pluggable transports</a> to help users in heavily censored countries:</p>
<p>From Torproject's <a href="https://support.torproject.org/censorship/censorship-7/">explanation</a> on tor bridge nodes:</p>
<pre><code class="nim">
Bridges are useful for Tor users under oppressive regimes, and for people who want an extra layer of security because they're worried somebody will recognize that they are contacting a public Tor relay IP address.
Several countries, including China and Iran, have found ways to detect and block connections to Tor bridges. Obfsproxy bridges address this by adding another layer of obfuscation.
</pre></code>
<p><u>WARNING:</u> be aware that this setup may provide transient censorship circumvention, but <b>it does not protect against the threat where an adversary finds out, let's say 5 months later, that you connected to a tor bridge node in the past, and may prosecute you for it.</b> This scenario is to be considered only when <b>all VPNs are blocked or illegal in your country.</b></p>
<p>Personally, if i were to live in a heavily censored country like china, i wouldn't try to be anonymous online, <b>to avoid the risk of being prosecuted for just using the technology</b>, as the risks are too high there.</p>
<img src="4.png" class="imgRz">
<p>Using this setup allows you to use the Tor network even if your government doesn't allow it, <b>but again, you run the risk that they find out later on, that you used tor in the past.</b></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>