Wednesday, July 10, 2013

TOR + 2nd VPN: An additional layer of anonymity

Without going into the reasons why one wants remain anonymous (personally I have some good reasons and these are growing every day) I would like to comment how to add an additional layer of anonymity to the Tor network. Basically the idea is to use a second VPN which is tunneled through TOR. This is nothing new, you can read the combinations of Tor +(VPN, SSH, proxys) in Tor Wiki

What do you get with this? Perhaps the most important benefit is to avoid possible exit nodes compromised in addition to get more nodes to jump through. Note that with this configuration an exit-node won't be able to sniff traffic since it will be encrypted by the 2nd VPN (which can be totally under your control). Note also that the connection to the second VPN comes from a Tor node; this way, by using a chain of two differents VPN, the traceability of the connections will be much more complex. Another advantage is that we can use the Tor infrastructure to connect to networks that filter exit nodes.

The image above represents this scenario; however you can play with differents VPNs, proxys, etc.; for instance, you can link a mix cascade from JonDonym with TOR getting a bigger number of nodes to pivot, or use a VPS with your own VPN server, etc.

Here I leave a simple way to configure this. In our case we wil use our host (Debian Wheezy) as a transparent TOR proxy (you can view this settings in detail from torproject)

root@mordor:~# curl -s | grep -i 'sorry\|congratulations'
<img alt="Sorry. You are not using Tor." src="/images/tor-off.png">
<br><h1 style="color: #A00">Sorry. You are not using Tor.<br>
root@mordor:~# tail -4 /etc/tor/torrc
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
root@mordor:~# ps aux | grep ^109
109       1971  0.3  0.6  23976 21196 ?        S    12:30   0:02 /usr/sbin/tor
root@mordor:~# cat /etc/resolv.conf
root@mordor:~# netstat -putan | grep 1:53
udp        0      0  *                           1971/tor        
root@mordor:~# cat
iptables -F
iptables -t nat -F
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
 iptables -t nat -A OUTPUT -d $NET -j RETURN
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR; do
 iptables -A OUTPUT -d $NET -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
root@mordor:~# ./
root@mordor:~# curl -s | grep -i 'sorry\|congratulations'
<img alt="Congratulations. Your browser is configured to use Tor." src="/images/tor-on.png">
Congratulations. Your browser is configured to use Tor.<br>

Once the native machine is configured as a proxy, open the virtual machine from which you willl configure the second VPN (Kali in the example). To get this be sure to configure the network adapter as NAT.

Check that Virtuabox gives you a private IP and that you get a external IP from a exit TOR node.

Finally we create the second VPN connection. Since TOR does not accept UDP traffic you will have to use a VPN server that supports TCP. Some VPN services allow both protocols so be sure to change it in the .conf file.

Now the question is, if I can not manage my own SSH/VPN server what public VPN service could I use? TorrentFreak recently published a post titled "VPN Services That Take Your Anonymity Seriously, 2013 Edition" which supposedly showed the best anonymous VPN services. Personally I do not trust most of them. Take a look at cases like HideMyAss to draw your own conclusions. In addition many of these services does not accept anonymous payment methods so ...
There are easy to find anonymous VPN services that accept Ukash, bitcoins, etc.. and  don't even ask you for an email account, just a username and  password. However, as mentioned before you own VPN server will be the best option.

No comments:

Post a Comment