Combining Tunnels with Tor

From Whonix
Jump to navigation Jump to search

Information on whether Tor gets more or less secure when combining Tor with tunnels such as VPN, SSH, proxies. (User → Tor → proxy/VPN/SSH → Internet) (User → proxy/VPN/SSH → Tor → Internet)

Introduction[edit]

UserTorproxy/VPN/SSHInternet
Userproxy/VPN/SSHTorInternet

It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. See also Whonix vs VPNs. On the balance of the evidence VPNs should be avoided, and these same arguments could be made against other tunnels too.

The improper combination of Tor and another service may actually degrade a user's security and anonymity. These configurations are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix users, using Tor in isolation – without a VPN or proxy – is the correct choice.

Info Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor. In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. [1]

The potential positive or negative effects on anonymityarchive.org are being controversiallyarchive.org debatedarchive.org.

The law of triviality / bikesheddingarchive.org applies to VPNs. While VPNs are frequently discussed, related privacy issues receive much less attention, including: browser fingerprinting, website traffic fingerprinting, TCP Initial Sequence Numbers Randomizationarchive.org (tirdadarchive.org); Keystroke Deanonymization (kloakarchive.org); guard discovery and related traffic analysis attacksarchive.org (vanguards); Time Attacks (sdwdate); and Advanced Deanonymization Attacks. See also: Anonymity Bibliography, Selected Papers in Anonymityarchive.org.

Warnings[edit]

Tunnel Link Risks[edit]

Anonymity can be negatively affected under some circumstances by using an additional tunnel, such as a VPN, proxy or SSH. [2] [3] To mitigate any potential risks refer to the background information below, draw your own conclusions and take preventative steps where necessary.

Table: Tunnel Warnings

Configuration Description
Individual Tunnel Links Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. If this advice is ignored, any anonymous identities associated with the tunnel-link might be tied to the user's ISP-assigned IP address.
Qubes Tunnel Configuration It is not recommended to run the tunnel software from within a Template. This is because the whonix-gateway-17 Template acts more like a workstation since it is behind sys-whonix and is not sys-whonix itself.

If openvpn is used inside Whonix-Gateway (sys-whonix) or Whonix-Workstation (anon-whonix) as per the Whonix documentation, openvpn will not start inside the whonix-gateway-17 or whonix-workstation-17 Template. [4] In Qubes R4 and above, by default the Templates's NetVM is purposely set to nonearchive.org. (They are upgraded through the qrexec-based updates proxy that is running on sys-whonix.)

Tunnel Provider / Configuration Do not use the same tunnel provider / configuration in more than one place at the same time. For example, do not use the same tunnel setup inside Whonix-Gateway as well as inside Whonix-Workstation. Also do not use the same tunnel setup on the host operating system (OS) (outside any virtual machine (VM)) and inside a Whonix-Gateway or Whonix-Workstation at the same time.

Example:

In tunnel-chain 1, the ISP-assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the user's ISP-assigned IP address was previously linked to that same tunnel-link, the "anonymous" identity can now be linked to the user's actual IP address.

  • Tunnel-chain 1: (UserTunnel-link (user's IP address is linked) → TorInternet)
  • Tunnel-chain 2: (UserTorTunnel-link (anonymous activities linked) → Internet)

The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. In this case, all anonymous activities conducted with tunnel-chain 2 would be linked with the user's ISP-assigned IP address.

VPN Tunnel Risks[edit]

As noted in the introduction, whether or not VPNs materially improve security and/or anonymity is a hotly debated topic, and a configuration that is frequently raised in the Whonix forums.

Info Before reviewing the following table VPN risks in combination with Tor, it is recommended to have look at general VPN risks on the Whonix versus VPNs wiki page first.

Table: VPN Risks in Combination with Tor [5] [6]

Domain Description
Anonymity
  • In the UserVPNInternet configuration or UserVPNTorInternet configuration, anonymous payments with Bitcoin, cash and other methods does not improve anonymity because a user is still connecting to the service from their own IP address (which can be logged).
  • In the UserVPNInternet configuration or UserTorVPNInternet configuration the use of shared IP addresses does not confuse modern surveillance systems which have a many additional fingerprinting methods (like user agents) to identify persons of interest.
  • VPN traffic is sensitive to Deep Packet Inspection (DPI)archive.org and Website Traffic Fingerprintingarchive.org, [7] so it is ineffective in hiding use of Whonix and Tor from the ISP or skilled adversaries.
  • Certain variables make it likely Whonix / Tor users can be identified. This includes: the hardened network configuration fingerprint, the list of installed packages and those fetched from repositories, the amount of traffic going to one IP address daily (guard nodes), and examination of dropped (invalid) versus non-dropped packets when the firewall is probed. [8]
  • Apart from a few exceptions (see Use Case Exceptions), VPNs do not provide additional privacy -- it is still possible for adversaries to tap your connection, except at a different point (where traffic leaves the VPN server).
Malware
  • Adversaries who can break Tor Browser to make web requests not travel over Tor are probably also capable of: running arbitrary commands as a non-root user, gaining root privileges, or ultimately performing a VM escape from Whonix. In this case a VPN is useless in providing additional security.
Tor + VPN
  • The UserTorVPNInternet configuration attempts to display an IP address that is not associated with Tor.
  • This throws away many of the anonymity and security benefits associated with Tor and places sole trust in the VPN provider where the traffic exits.
    • Traffic is no longer separated on different browser tabs -- a single circuit is built in the Tor network, and this can break local state separation within Tor Browser.
    • If other things are done over the VPN connection like SSH traffic, IRC traffic, SMTP or OS updates, all of this traffic is sitting right next to each other.
  • Anonymity is affected because the ISP will see connections to the Tor guard (unless trying to hide it with a bridge) and a global adversary is likely capable of performing traffic analysis on the limited number of VPN exit points. Further, the VPN provider is granted greater trust under this configuration.
  • This configuration slows down connection speed because there is a TCP stream (OpenVPN) inside of a TCP stream (Tor). [9]
VPN + Tor
  • It is questionable the UserVPNTorInternet configuration adds any additional protection; see this stackexchange discussionarchive.org.
  • If Tor is blocked for whatever reason it is simpler to configure a bridge with a pluggable transport to try and bypass it. [10]
  • This configuration is unlikely to hide Tor use from a Global Passive Adversary (GPA)archive.org. Since a GPA is capable of watching all traffic enter and exit the Tor network, they are more likely to be capable of watching all traffic enter and exit from a single VPN provider. [11] [12] It has been assessed as difficult beyond practicality to Hide Tor use from the Internet Service Provider with proxies, bridges, VPNs or SSH tunnels.

Challenges in Tunnel-link Provider Selection[edit]

It is essential to consider the following factors when selecting a tunnel-link provider. Anonymity can be materially affected by the chosen network/operator's location, network/operator/IP address commonality with Tor relays, use of shared infrastructure, and other variables.

Table: Provider Selection Considerations

Domain Description
End-to-end Correlation (Confirmation) Attacks
  • Tor avoids using more than one relay belonging to the same operator in the circuits it is building. Legitimate Tor relay operators adhere to Tor's relay operator practices of announcing which relays belong to them by declaring this in the Tor relay family setting. Tor also avoids using Tor relays that are within the same network by not using relays within the same /16 subnet. [13] Tor however does not take into account your real external IP address nor destination IP addresses. [14]
  • In essence, you must avoid using the same network/operator as your first and last Tor relays since this would open up Confirmation Attacks.
Shared IP Addresses
  • Many tunnel providers use shared IP addresses which means that many users share the same external IP address. On the one hand this configuration is beneficial, since it is similar to Tor whereby many users share the same Tor exit relays. On the other hand, in some circumstances this may result in making you, more unique, easier to track because the IP address is known to belong to a VPN provider but only few users are using it.
Operator/Network Shared Infrastructure
  • It is possible to host (run) Tor relays -- including bridges, entry, middle or exit relays -- behind VPNs or tunnel-links. For example, there are VPN providers that support VPN port forwardingarchive.org. This is an interesting way to contribute to Tor while not exposing oneself to too much legal risk. This also means in certain situations a VPN or other tunnel-link could be hosted by the same operator providing support to Tor relays, in the same network or even on the same IP address.
  • In an economy with deep labor division, certain operators are providing a service to host servers (VPS etc.), while others provide VPN and other tunnel-link services and rent such servers. It is therefore not uncommon for diverse customers to run or share the same IP address. This is another situation where a VPN or other tunnel-link could be hosted by the same operator supporting Tor relays, in the same network or even on the same IP address.
Tunnel-link Connection Chain Risk
  • Based on the section immediately above, it follows that adding arbitrary tunnel-links might lead to the same operator/network being used twice in your connection chain. Consider the scenarios below.
  • Scenario 1:
    • A VPN with a fixed IP address is used on the host operating system (OS) (outside any virtual machine (VM)), thereby it acts as the first relay.
    • The same user's Tor client coincidentally selects a Tor exit relay running on the same VPN IP address.
    • The user is now using the same IP address as the first and last proxy, meaning overall anonymity is reduced in this scenario.
  • Scenario 2:
    • A VPN with a fixed IP address is set up inside Whonix-Workstation. This results in the connection scheme UserTorVPNInternet.
    • A Tor entry guard is also hosted on the VPN IP address.
    • The user is now using the same IP address as the first and last proxy, meaning overall anonymity is reduced in this scenario.
Tunnel Provider Criteria
  • Consider the physical location of networks/servers and the legal jurisdiction(s) they are operating in.
  • Perhaps avoid using VPN or SSH providers that support port forwarding.
  • Perhaps only use tunnel-link providers that are assigning private (non-shared), unique IP addresses. However, as noted earlier it is unclear if this does more harm than good.
  • Perhaps use tunnel-link providers that run their own servers rather than relying on shared infrastructure.
  • See also Criteria for Reviewing VPN Providers which equally applies for other tunnel-links.
Tor Relay Selection
  • It might be safer to manually select your Tor relay(s), specifically the Entry Guard(s) or Bridge(s) in operation.
  • Tor documentation generally discourages tampering with Tor's routing algorithm by manually choosing relays. However, if you have decided to extend the length of the Tor chain -- despite the difficulty of this endeavor and potential adverse anonymity impacts -- then it might make sense to pick the entry guard(s) by hand.
  • Using Bridges might be an alternative, but note this warning from experienced Tor developersarchive.org:

    Bridges are less reliable and tend to have lower performance than other entry points. If you live in a uncensored area, they are not necessarily more secure than entry guards.

Comparison Table[edit]

UserProxyTorInternet UserVPN / SSHTorInternet UserTorProxy / VPN / SSHInternet
Modified Configuration Location Whonix-Gateway Whonix-Gateway [or host operating system (OS) (outside any virtual machine (VM)) (FAQ)] Whonix-Workstation
Changes IP that Destination Websites (such as IP check websites) can see No No Yes, if correctly configured.
Evade Website Tor Bans No No Maybe
Evade Network Censor Tor Bans Maybe [15] [16] Maybe [17] No
Hide Tor and Whonix from ISPs Very weak [18] Very weak [19] No
No Loss of Stream Isolation Yes Yes No
Browser Web Fingerprint is not Worsened Yes Yes No
Extra Tunnel Link does not Require Reconfiguration [20] of Pre-configured Software [21] Yes Yes No
No Permanent Exit Relay Unaffected Unaffected No
Tor Onion Services (.onion) Connections Yes Yes No
Hosting Location Hidden Services No No Proxy: No

VPN: If the VPN supports Remote Port Forwarding, yes
SSH: If the SSH supports Remote Port Forwarding, yes

Increased Tunnel Length Yes Yes Yes
Anonymity Effects Disputed [22] Disputed [22] Disputed [22]
Tunnel UDP over Tor No No Proxy: No

VPN: If supported by the VPN, yes
SSH: Undocumented

Connecting to a Tunnel-link (Proxy/VPN/SSH) before Tor[edit]

Table: Pre-Tor Tunnel-link

Domain Description
Connection Scheme Userproxy/VPN/SSHTorInternet
Network Traffic In this case, your Internet traffic will:
  1. pass through the ISP as proxy/VPN/SSH traffic;
  2. exit the proxy/VPN/SSH server as encrypted Tor traffic;
  3. enter the Tor network; and
  4. exit the Tor network at a Tor exit node as normal Internet traffic (encrypted or unencrypted).
Use Cases
  • You must connect to a VPN or proxy to access the Internet.
  • Your ISP blocks Tor and Tor bridges but does not block the tunnel-link.
  • Concerns exist over de-anonymizing attacks against the Tor network and a user believes a VPN or proxy may help protect their identity in such a case.
Warnings [23]
  • A VPN or proxy that knows your identity and/or location may be more willing and able to compromise your privacy than an ISP.
  • If the software configuration does not block all traffic if/when the VPN connection suddenly disconnects, all encrypted Tor traffic will pass through the ISP without warning. This is the default for most VPN configurations and not a Whonix-specific issue. Workarounds are described in the links below.
  • If Tor use is dangerous in your area, VPNs or SSH may provide insufficient protection (due to software misconfiguration or sophisticated packet inspection). Proxies do not provide encryption and should not be used to try and hide Tor.

How to connect to a VPN before Tor (UserVPNTorInternet)

How to connect to a proxy before Tor (UserproxyTorInternet)

How to connect to SSH before Tor (UserSSHTorInternet)

How to connect to Lantern before Tor (UserLanternTorInternet)

Connecting to Tor before a Tunnel-link (Proxy/VPN/SSH)[edit]

Table: Post-Tor Tunnel-link

Domain Description
Connection Scheme UserTorproxy/VPN/SSHInternet
Network Traffic In this case, your Internet traffic will:
  1. pass through the ISP as encrypted Tor traffic;
  2. exit the Tor network at a Tor exit node as proxy/VPN/SSH traffic; and
  3. exit the proxy/VPN/SSH as normal Internet traffic (encrypted or unencrypted).
Use Cases
  • It is necessary to use a VPN or proxy anonymously for a specific reason.
  • It is necessary to connect to an Internet server who bans Tor exit nodes.
  • Concerns exist over de-anonymizing attacks against the Tor network and a user believes a VPN or proxy may help protect their identity in such a case.
Warnings [24]
  • Even though Tor will hide the IP address from the VPN or proxy, you can still be located via payment methods, usage logs, or other identifying information the tunnel-link service holds.
  • This configuration prevents access to Tor onion (.onion) services. [25]
  • Malware on Whonix-Workstation cannot bypass Tor, but it can ignore the VPN or proxy unless a separate Tunnel-Gateway is configured.
  • It is not simple to configure VPNs, SSH or proxies in a foolproof, leak-free manner. However, in the case of Whonix it is impossible for traffic to bypass Tor, even if the VPN or proxy is misconfigured. [26]
  • Most of the pre-installed software on Whonix-Workstation, including Tor Browser, is configured to take advantage of Stream Isolation. As a side effect, this software will ignore the VPN by default. It is necessary to reconfigure this software to disable stream isolation.
  • When connecting to Tor before a tunnel link, the browser tab stream isolation feature of Tor Browser will be lost (or difficult to access). [27] The reason is Tor Browser will not talk to Tor directly anymore, but will connect to the tunnel-link instead.
  • When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: User → (Proxy / VPN / SSH →) TorProxy / VPN / SSHTor BrowserWebsite are unknown. This setup is so specialized that very few people are likely to configure it, reducing the Tor Browser user pool to a far smaller subset. Due to potential fingerprinting harm it is recommended against.
  • If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (like Firefox or Chrome). This would further exacerbate the browser fingerprinting risk. [28]

How to connect to Tor before a VPN (UserTorVPNInternet)

How to connect to Tor before a proxy (UserTorproxyInternet)

How to connect to Tor before SSH (UserTorSSHInternet)

How to connect to Tor before I2P (UserTorI2PInternet)

Terminology for Support Requests[edit]

Phrases such as "over Tor" are ambiguous. Please do not coin idiosyncratic words or phrases, otherwise this leads to confusion. Please use the same terms that are consistently referenced in documentation, such as:

  • Connect to a VPN Before Tor (UserVPNTorInternet).
  • Connect to Tor Before a VPN (UserTorVPNInternet).
  • And so on.

Always refer to the connection scheme when requesting support, such as:

  • UserVPNTorInternet, or
  • UserTorVPNInternet.

See Also[edit]

Footnotes[edit]

  1. Users in China are unlikely to circumvent government censorshiparchive.org with vanilla bridges, as they are uniformly blocked. That said, Anon Connection Wizard configured with the meek-amazon or meek-azure pluggable transport was reported to bypass Chinese censorship in late 2017. In 2019, only meek-azure is available in Anon Connection Wizard.
  2. https://lists.torproject.org/pipermail/tor-talk/2016-July/041757.htmlarchive.org
  3. research / document impact for tunnel users if Tor relays hosted at the same tunnel providerarchive.org
  4. This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.confarchive.org checks the following condition:
    ConditionPathExists=!/var/run/qubes-service/whonix-template
    

    This means if file /var/run/qubes-service/whonix-template exists, which is the case in Whonix Templates, the openvpn@openvpn service will not start.

  5. https://gist.github.com/joepie91/5a9909939e6ce7d09e29archive.org
  6. https://web.archive.org/web/20220609222239/https://matt.traudt.xyz/posts/2016-11-12-vpn-tor-not-net-gain/archive.org
  7. Website traffic fingerprinting is an attack where the adversary attempts to recognize the encrypted traffic patterns of specific web pages without using any other information. In the case of Tor, this attack would take place between the user and the Guard node, or at the Guard node itself.

  8. https://forums.whonix.org/t/hiding-tor-whonix-is-difficult-beyond-practicality/7408archive.org
  9. If any of these streams detect packet loss, then there is backing off of the transmission rates and re-transmitting of packets thought to be lost.
  10. Pluggable transports make Tor traffic look different so it is not fingerprinted, and thus hopefully not blocked.
  11. It is arguably better for a larger Tor user base to form over time and the Tor network to scale up in size to stymie this capability.
  12. It is likely GPAs will also compromise the most popular VPNs as part of their lawless 'Collect It All' philosophy.
  13. https://tor.stackexchange.com/questions/113/how-does-a-tor-client-pick-tor-nodes-for-circuit-creation/114#114archive.org
  14. See Using a Proxy.
  15. This only works against simple IP blocking lists, because connections to proxies are usually not encrypted.
  16. In these situations, VPNs are also often censored. You might be better off using Bridges.
  17. See Using a Proxy.
  18. See Hide Tor and Whonix from your ISP.
  19. Disabling Stream Isolation.
  20. If you did not disable Stream Isolation, then applications still pre-configured for Stream Isolation would only go through Tor and not through the extra tunnel link. You must decide which applications should have Stream Isolation disabled. For example, if for some reason you wanted to use gpg through the extra tunnel link, but not Tor Browser, then only disable stream isolation for gpg.
  21. 22.0 22.1 22.2 See Tor Plus VPN or proxyarchive.org.
  22. These warnings are not specific to Whonix, but are general issues with combining Tor and various tunnel-links.
  23. These warnings are not specific to Whonix, but are general issues with combining Tor and various tunnel-links.
  24. When configuring UserTorproxy/VPN/SSHInternet, it is impossible to connect to Onion Services because the last server is not a Tor relay. The only exception is running another Tor client on top, but this would lead to a Tor over Tor scenario which is discouraged for security reasons.
  25. If setting up a socksifier, proxy settings, transparent proxy with local redirection, SSH tunnel or a VPN in a leak-free manner were easy -- ensuring nothing will bypass the VPN, SSH or proxy -- then it would have been unnecessary to develop Whonix in the first place. The methods described in the tunnel documentation have all been tested to work. In the case of misconfiguration or leak bugs, the protections afforded by Whonix and Tor still apply. This means the leak will still go through Whonix-Gateway and therefore be forced through Tor. The methods in the tunnel documentation are not as safe as a Whonix-Gateway. There were earlier development discussions and some progress (see Dev/Inspiration) towards chaining multiple Gateways (VPNBOX, JonDoBOX, I2PBOX, FreenetBOX and ProxyBOX), but nothing was finished due to the lack of community interest, support and developer input.
  26. Bug #3455: Tor Browser should set SOCKS username for a request based on refererarchive.org
  27. https://forums.whonix.org/t/vpn-after-whonix-inside-workstation-not-work-anymore-with-tbb/2153/5archive.org

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!