<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>How to Anonymously access websites that block Tor</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nothing@nowhere - 2023-10-12</ba></p>
<h1>How to Anonymously access websites that block Tor</h1>
<p>In this tutorial we're going to cover how to get around a website's attempts at blocking Tor traffic by using a VPN. As we discussed <a href="../torthroughvpn/index.html">previously</a>, this relates to the server-side context that determines whether we should combine the use of Tor with the use of a VPN. </p>
<img src="../torthroughvpn/12.png" class="imgRz">
<p><b>Here we are using a VPN to hide from the website owner that we are connecting via Tor.</b> This effectively gives the impression that we are only connecting via a VPN, while in reality Tor is protecting our anonymity at the IP level. We also need to preserve our anonymity when renting and using the VPN, which is why we have to use <a href="../vpn/index.html">MullvadVPN</a>, as they don't care who is using their service (they allow both <a href="../torbrowsing/index.html">Tor connections</a> and <a href="../monero2024/index.html">Monero</a> payments). <b>We are also blending in with their large userbase</b> (which would not be the case if we were using a VPS with OpenVPN on it, where we would be the only user).</p>
<img src="0.png" class="imgRz">
<p><u>DISCLAIMER:</u> Be aware that when doing a (you -> Tor -> VPN -> website) setup, you are getting rid of the stream isolation that is there by default in Whonix, <b>making every application in that Whonix VM go through one circuit, rather than through many circuits.</b> Over time this can lead to traffic use correlation if you start to use this VM for every other Anonymous use.</p>
<img src="300.png" class="imgRz">
<p>So keep in mind that <b>a website blocking Tor traffic is the only scenario in which you need a (you -> Tor -> VPN -> website) setup. The rest of your anonymous activities are to remain in a regular Whonix VM (you -> Tor -> website) setup!</b> </p>
<h2><u>OPSEC Recommendations:</u></h2>
<ol>
<li><p>Hardware : (Personal Computer / Laptop)</p></li>
<li><p>Host OS: <a href="../linux/index.html">Linux</a></p></li>
<li><p>Hypervisor: <a href="../hypervisorsetup/index.html">libvirtd QEMU/KVM</a></p></li>
<li><p>Application: <a href="../index.html">Host-based VPN</a> (if your ISP doesn't allow Tor traffic) </p></li>
<li><p>VM: <a href="../whonixqemuvms/index.html">Whonix VMs</a> (for any regular long-term Anonymous Use)</p></li>
</ol>
<p>I recommend using this setup in one of the above-mentioned VMs, for <a href="../anonymityexplained/index.html">Anonymous use</a>, as per the <a href="../opsec4levels/index.html">4 basic OPSEC levels</a>.</p>
<p><u>Sidenote:</u> If your ISP does not allow Tor traffic, make sure that you <a href="../vpnqemu/index.html">route the QEMU VMs' traffic through a VPN</a>, to hide the Tor traffic from your ISP (You -> VPN -> Tor setup).</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Setting up the second Whonix Workstation VM </b></h2>
<p>The first thing to do is to copy the existing workstation to create a second one, which will be used for the VPN-over-Tor setup later on. Shut down the existing workstation, then copy its .xml and .qcow2 files:</p>
<p>Be aware that you need 100Gb for the Whonix Gateway, 100Gb for the Whonix Workstation, and another 100Gb for the Whonix Workstation with the VPN setup we want to make. <b>So you need a total of 300Gb disk space at least!</b></p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/0 ] [/mnt/veracrypt1]
→ ls
lost+found WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway.qcow2 Whonix-Workstation.qcow2
refreshvms.sh WHONIX_DISCLAIMER Whonix-Gateway.xml Whonix-Workstation.xml
script.sh Whonix-external.xml Whonix-internal.xml
[ nowhere ] [ /dev/pts/0 ] [/mnt/veracrypt1]
→ cp Whonix-Workstation.qcow2 Whonix-Workstation-vpn.qcow2
[ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1]
→ cp Whonix-Workstation.xml Whonix-Workstation-vpn.xml
</code></pre>
<p>Then edit the new xml file to match the new VM name:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1]
→ vim Whonix-Workstation-vpn.xml
[ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1]
→ cat Whonix-Workstation-vpn.xml | grep Workstation-vpn
&lt;name&gt;Whonix-Workstation-vpn&lt;/name&gt;
&lt;source file='/mnt/veracrypt1/Whonix-Workstation-vpn.qcow2'/&gt;
</code></pre>
<p>Then we include it in the script.sh script:</p>
<pre><code class="nim">
[ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1]
→ cat script.sh
#!/bin/bash
if [ $(virsh -c qemu:///system list --all | grep Whonix | wc -l) -ne 0 ];
then
# if the VMs are imported, remove them:
virsh -c qemu:///system destroy Whonix-Gateway
virsh -c qemu:///system destroy Whonix-Workstation
virsh -c qemu:///system destroy Whonix-Workstation-vpn
virsh -c qemu:///system undefine Whonix-Gateway
virsh -c qemu:///system undefine Whonix-Workstation
virsh -c qemu:///system undefine Whonix-Workstation-vpn
virsh -c qemu:///system net-destroy Whonix-External
virsh -c qemu:///system net-destroy Whonix-Internal
virsh -c qemu:///system net-undefine Whonix-External
virsh -c qemu:///system net-undefine Whonix-Internal
else
# if the VMs are not imported, import them:
virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-external.xml
virsh -c qemu:///system net-define /mnt/veracrypt1/Whonix-internal.xml
virsh -c qemu:///system net-autostart Whonix-External
virsh -c qemu:///system net-start Whonix-External
virsh -c qemu:///system net-autostart Whonix-Internal
virsh -c qemu:///system net-start Whonix-Internal
virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Gateway.xml
virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Workstation.xml
virsh -c qemu:///system define /mnt/veracrypt1/Whonix-Workstation-vpn.xml
# then exit because we dont want to run the rest of wipe.sh
exit $?
fi
[ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1]
→ ./script.sh
Network Whonix-External defined from Whonix-external.xml
Network Whonix-Internal defined from Whonix-internal.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml
Domain 'Whonix-Workstation-vpn' defined from Whonix-Workstation-vpn.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml
</code></pre>
<p>Then edit the new workstation VM to have the 10.152.152.12 IP by default (since the other one has the 10.152.152.11 IP):</p>
<img src="11.png" class="imgRz">
<img src="12.png" class="imgRz">
<p>Keep in mind that so far we have not given out any information about ourselves, other than the fact that we've used Tor. We won't stop there: in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN connection itself through Tor. The cherry on top is that we're going to use a widely used VPN service, so we won't be the only user with that public VPN IP. What matters is that we do not give any information about ourselves to the VPN provider. If the VPN provider forces you to provide anything personal (if it blocks Tor connections, or forces you to pay with something other than Monero), then it is not truly a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing.</p>
<img src="104.png" class="imgRz">
<p>Now that's done, we can go find a VPN provider for the second workstation. Let's try out the highly praised Mullvad VPN provider <a href="https://kycnot.me/service/mullvad">here</a>: firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), and also because we won't be the only ones using that service, which means we won't need to change the VPN server when we want to have another identity online. On top of that, Mullvad gives us the ability to connect to a random server of theirs via OpenVPN over TCP on port 443, which is definitely neat because it mimics HTTPS web traffic and isn't blockable by Tor exit node operators (blocking ports is definitely a trend: most of them block ports that are susceptible to abuse, 443 HTTPS being the least likely of them): </p>
<img src="49.png" class="imgRz">
<img src="50.png" class="imgRz">
<p>Now, so that you don't lose your access, make sure to save the credentials in a local KeePass database on the VM.</p>
<img src="51.png" class="imgRz">
<img src="52.png" class="imgRz">
<img src="53.png" class="imgRz">
<p>Now let's add time to our account, and of course we will pay with <a href="https://iv.nowhere.moe/watch?v=YTTac2XjyFY">the only cryptocurrency that's used</a>:</p>
<img src="54.png" class="imgRz">
<img src="56.png" class="imgRz">
<p>To get some Monero you can buy it on localmonero.co; make sure it arrives in your Monero wallet inside the Whonix VM. Never trust centralised exchanges with your assets; always keep them locally.</p>
<img src="55.png" class="imgRz">
<p>Once it finishes installing, create your Monero wallet:</p>
<img src="57.png" class="imgRz">
<p>Then say no to mining and use an onion-based Monero daemon, like the one I'm hosting; you can find a full list of other ones <a href="https://monero.fail/">here</a>:</p>
<img src="58.png" class="imgRz">
<p>Wait for it to finish synchronizing, then get some Monero from a vendor on localmonero.co (by giving them a wallet address you have created): </p>
<img src="59.png" class="imgRz">
<img src="60.png" class="imgRz">
<p>Once you've paid, download the .ovpn file to connect via vpn:</p>
<img src="61.png" class="imgRz">
<p>Then unzip it, and let's now make sure the VPN goes through Tor:</p>
<img src="62.png" class="imgRz">
<img src="63.png" class="imgRz">
<p>To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to specify the entry node, which is the gateway 10.152.152.10:</p>
<img src="66.png" class="imgRz">
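<p>Added example (not part of the original post, and not Mullvad's or Whonix's own tooling): a shell check that lints an OpenVPN client config before launch, confirming it uses TCP and sends the tunnel to the gateway's SOCKS port described above. The function names and the two sample configs are constructed for illustration; the address 10.152.152.10, port 9050, TCP and port 443 are the values from this tutorial.</p>

```shell
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN client config
# before launching it in the Whonix-Workstation-vpn VM. The SOCKS address,
# TCP and port 443 come from the tutorial; function names are hypothetical.
TOR_SOCKS_HOST="10.152.152.10"
TOR_SOCKS_PORT="9050"

# check_vpn_over_tor FILE: print findings; return 0 only if every server is
# reached over TCP and the tunnel is sent to the gateway's SOCKS port.
check_vpn_over_tor() {
    conf="$1"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    awk -v host="$TOR_SOCKS_HOST" -v port="$TOR_SOCKS_PORT" '
        /^[ \t]*[#;]/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "proto" {
            if ($2 ~ /^tcp/) tcp = 1
            else { print "FAIL: proto " $2 " (Tor carries TCP only)"; bad = 1 }
        }
        $1 == "socks-proxy" {
            if ($2 == host && $3 == port) socks = 1
            else { print "FAIL: socks-proxy points at " $2 ":" $3; bad = 1 }
        }
        $1 == "remote" {
            remotes++
            if ($4 == "") inherit++         # falls back to the global proto
            else if ($4 !~ /^tcp/) { print "FAIL: remote " $2 " uses " $4; bad = 1 }
            if ($3 != "443") print "WARN: remote " $2 " uses port " $3 ", not 443"
        }
        END {
            if (inherit && !tcp) { print "FAIL: no \"proto tcp\" line (OpenVPN defaults to UDP)"; bad = 1 }
            if (!socks)   { print "FAIL: no socks-proxy " host " " port " line"; bad = 1 }
            if (!remotes) { print "FAIL: no remote server defined"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$conf"
}

# Constructed sample configs; the hostname is a placeholder, not a real server.
write_samples() {
    printf '%s\n' 'client' 'dev tun' 'proto tcp' \
        'remote vpn.example.invalid 443' \
        'socks-proxy 10.152.152.10 9050' > "$1/good.conf"
    printf '%s\n' 'client' 'dev tun' 'proto udp' \
        'remote vpn.example.invalid 1194' > "$1/bad.conf"
}

# Usage: sh check.sh /path/to/mullvad_nl_ams.conf
if [ "$#" -gt 0 ]; then check_vpn_over_tor "$1"; fi
```

<p>A config that fails this check either cannot connect through the gateway at all or is not being sent to Tor's SOCKS port, so fix it before enabling the VPN.</p>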
<p>Before we launch it, keep this in mind:</p>
<img src="67.png" class="imgRz">
<p>Then launch the VPN, and you can see that you no longer have a Tor exit node IP:</p>
<img src="68.png" class="imgRz">
<img src="69.png" class="imgRz">
<p>Now check your IP from Firefox, not the Tor Browser:</p>
<img src="70.png" class="imgRz">
<p>You can also check if there are any DNS leaks:</p>
<img src="71.png" class="imgRz">
<p>Here we see the test revealed a DNS IP leak, but upon checking (in shodan.io) we see that it's a Tor exit IP address:</p>
<img src="72.png" class="imgRz">
<p>We can also check if there are any WebRTC leaks:</p>
<img src="73.png" class="imgRz">
<p>And there we see that there are no WebRTC leaks either, so it's all good.</p>
<p>To make sure the VPN is started automatically we can make it a systemd service:</p>
<pre><code class="nim">
root@workstation:~# cat /etc/systemd/system/vpn.service
[Unit]
Description=VPN
After=network-online.target
Wants=network-online.target
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
WorkingDirectory=/home/user/Desktop/mullvad_config_linux_nl_ams/
ExecStart=/usr/sbin/openvpn /home/user/Desktop/mullvad_config_linux_nl_ams/mullvad_nl_ams.conf
# systemd does not expand $(...), so signal the main PID it tracks instead
ExecStop=/bin/kill -TERM $MAINPID
Restart=always
root@workstation:~# systemctl daemon-reload ; systemctl enable --now vpn.service ; systemctl restart vpn.service
</code></pre>
<img src="103.png" class="imgRz">
<p>Thanks to that, you can still browse websites anonymously even if they block Tor exit nodes. However, as stated above, make sure that you leave the rest of your Anonymous use in the regular Whonix VM, as there is no stream isolation in the Whonix-Workstation-VPN VM.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>