
Tunnels/Introduction


Combining Tunnels with Tor

Introduction

User -> Tor -> proxy/VPN/SSH -> Internet
User -> proxy/VPN/SSH -> Tor -> Internet

It is possible to combine Tor with tunnels such as VPNs, proxies and SSH. Your traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically add security, but it does add significant complexity. Possible positive or negative effects on anonymity are the subject of controversial discussion. The Whonix project stays technologically neutral in that discussion. Improper combination of Tor and another service may decrease your security and anonymity. Such a setup is difficult and for advanced users only; for almost all users of Whonix, using Tor alone, without a VPN or proxy, is the right choice.

  • Tor avoids using more than one relay belonging to the same operator in the circuits it builds. Legitimate Tor relay operators adhere to Tor's relay operator practices by announcing which relays belong to them through the Tor relay family setting. Tor also avoids using relays within the same network by never using two relays from the same /16 subnet. [3] Tor, however, does not take your real external IP or your destination IP addresses into account. [4] In essence, you must avoid using the same network/operator as your first and last Tor relays, since this would open up end-to-end correlation attacks.
  • Many tunnel providers use shared IP addresses, which means that many users share the same external IP address. On one hand this is good, since it is similar to Tor, where many users share the same Tor exit relays. On the other hand, in some situations this can actually make you less safe.
  • It is possible to host Tor relays [of any type: bridges, entry, middle or exit] behind VPNs or tunnel-links. For example, there are VPN providers that support VPN port forwarding. This is an interesting way to contribute to Tor without exposing oneself to too much legal risk. Therefore, there can be situations where a VPN or other tunnel-link and a Tor relay are hosted by the same operator, in the same network or even on the same IP.
  • In an economy with a deep division of labor, some provide the service of hosting servers (VPS etc.), while others provide VPN and other tunnel-link services and rent such servers. It is common that diverse customers share the same IP address. This is another situation where a VPN or other tunnel-link and a Tor relay could be hosted by the same operator, in the same network or even on the same IP.
  • By adding arbitrary tunnel-links to your connection chain, you could unknowingly use the same operator/network twice in your connection chain.
    • Scenario 1)
      • a) The user uses VPN IP A on the host, thereby using it as the first relay.
      • b) The user's Tor client happens to pick a Tor exit relay running on VPN IP A.
      • Conditions a and b hold at the same time. The user is now using the same IP as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
    • A different scenario 2)
      • a) The user sets up a VPN inside Whonix-Workstation. This results in user -> Tor -> VPN -> internet, using VPN IP A.
      • b) A Tor entry guard is hosted on VPN IP A.
      • Conditions a and b hold at the same time. The user is now using the same IP as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
  • Choose your tunnel providers wisely.
    • Find out in which physical and legal jurisdiction and network their servers are located.
    • Perhaps avoid using VPN or SSH providers that support port forwarding.
    • Perhaps use only tunnel-link providers that assign private (as in not shared with others), unique IP addresses; however, it is not clear whether this does more harm than good, as noted above.
    • Perhaps use tunnel-link providers that run their own servers rather than relying on shared infrastructure.
  • Perhaps manually pick your Tor relay[s], specifically your entry guard[s] or bridge[s].
    • Tor documentation generally discourages tampering with Tor's routing algorithm by manually choosing your relays, but since you are trying to be more clever by extending your Tor chain despite all information about the difficulty of this endeavor, perhaps it would make sense to pick your entry guard manually.
    • Using Bridges might be an alternative, but note the following quote: "Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards." Source: bridge vs non-bridge users anonymity.
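The two scenarios above can be turned into a concrete check. The following Python script is an added example, not Whonix or Tor code: it first applies Tor's own rules to a three-hop circuit (no two relays in one /16, no two relays in one declared family), then applies the check Tor does not make, namely whether the tunnel endpoint shares a /16 or an operator with the guard (the case that matters for user -> Tor -> tunnel) or the exit (the case that matters for user -> tunnel -> Tor). All addresses, fingerprints and nicknames are constructed sample values, and the `tunnel_family` operator list is a hypothetical input that a provider would have to supply.

```python
"""Check whether a tunnel endpoint (VPN/proxy/SSH) collides with a Tor circuit
in a way Tor itself never checks.  Added example; not Whonix or Tor code.
All IPs, fingerprints and nicknames below are constructed (TEST-NET ranges)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Relay:
    nickname: str
    fingerprint: str                      # 40 hex chars in real consensus data; shortened here
    address: str                          # IPv4 only: the page states Tor's rule as "/16"
    family: frozenset = field(default_factory=frozenset)  # fingerprints declared via MyFamily


def ipv4_slash16(address: str) -> ipaddress.IPv4Network:
    """The /16 containing `address`, the granularity Tor uses to keep two relays
    of one circuit out of the same network."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4:
        raise ValueError("only IPv4 is handled here; the page states the rule as /16")
    return ipaddress.ip_network(f"{address}/16", strict=False)


def same_slash16(a: str, b: str) -> bool:
    return ipv4_slash16(a) == ipv4_slash16(b)


def same_family(x: Relay, y: Relay) -> bool:
    """Treat relays as one family if either side declares the other.  Tor itself
    requires the declaration to be mutual; a one-sided claim is still a reason
    for caution, so this check is deliberately stricter."""
    return y.fingerprint in x.family or x.fingerprint in y.family


def tor_circuit_is_diverse(circuit: list) -> bool:
    """What Tor's path selection already guarantees among the relays of a
    circuit: no two hops in one /16 and no two hops in one declared family."""
    for i, x in enumerate(circuit):
        for y in circuit[i + 1:]:
            if same_slash16(x.address, y.address) or same_family(x, y):
                return False
    return True


def tunnel_conflicts(tunnel_ip: str, circuit: list, tunnel_family: frozenset = frozenset()) -> list:
    """What Tor does NOT check: the tunnel endpoint against the guard and the
    exit.  `tunnel_family` is a hypothetical set of relay fingerprints known to
    be operated by the tunnel provider (constructed input, not consensus data).
    The middle relay is intentionally not compared: it is neither first nor
    last hop, so sharing a network with it does not enable end-to-end
    correlation."""
    guard, exit_relay = circuit[0], circuit[-1]
    findings = []
    for role, relay in (("guard", guard), ("exit", exit_relay)):
        if same_slash16(tunnel_ip, relay.address):
            findings.append(
                f"{role} {relay.nickname} shares /16 {ipv4_slash16(tunnel_ip)} with the tunnel endpoint")
        if relay.fingerprint in tunnel_family:
            findings.append(f"{role} {relay.nickname} is operated by the tunnel provider")
    return findings


# Constructed sample: a three-hop circuit that Tor itself considers fine ...
SAMPLE_CIRCUIT = [
    Relay("guardA", "AAAA1111", "198.51.100.10", frozenset({"DDDD4444"})),
    Relay("middleB", "BBBB2222", "192.0.2.5"),
    Relay("exitC", "CCCC3333", "203.0.113.200"),
]
# ... and a VPN endpoint (constructed) that happens to sit in the exit's /16,
# which is scenario 1 above.
SAMPLE_TUNNEL_IP = "203.0.113.7"

if __name__ == "__main__":
    print("Tor-side diversity ok:", tor_circuit_is_diverse(SAMPLE_CIRCUIT))
    for finding in tunnel_conflicts(SAMPLE_TUNNEL_IP, SAMPLE_CIRCUIT):
        print("WARNING:", finding)
```

With the sample data the script reports one warning for the exit, which is scenario 1; calling `tunnel_conflicts` with an IP in the guard's /16 instead reproduces scenario 2. In real use the circuit data would come from the Tor control port and the provider's relay fingerprints from the provider itself; the script fetches neither.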

Comparison Table

A: user -> proxy -> Tor -> internet
B: user -> VPN/SSH -> Tor -> internet
C: user -> Tor -> proxy/VPN/SSH -> internet

  • configuration modification applied where: A: Whonix-Gateway; B: Whonix-Gateway [or host (FAQ)]; C: Whonix-Workstation
  • evade Tor bans by websites: A: No; B: No; C: possibly
  • evade Tor bans by network censors: A: maybe [6] [7]; B: maybe [8]; C: No
  • Hide Tor and Whonix from your ISP: A: very weak [9]; B: maybe [10]; C: No
  • no loss of Stream Isolation: A: Yes; B: Yes; C: No
  • when using a browser, does not worsen web fingerprint: A: Yes; B: Yes; C: No
  • no reconfiguration [11] of pre-configured software required [12] in order to use the extra tunnel-link: A: Yes; B: Yes; C: No
  • no permanent exit relay: A: unaffected; B: unaffected; C: No
  • can connect to Tor Hidden Services (.onion): A: Yes; B: Yes; C: No
  • Hosting Location Hidden Services: A: No; B: No; C: Proxy: No; VPN: if the VPN supports Remote Port Forwarding, yes; SSH: if the SSH server supports Remote Port Forwarding, yes
  • increased tunnel length: A: Yes; B: Yes; C: Yes
  • effects on anonymity: A: disputed [13]; B: disputed [13]; C: disputed [13]
  • Tunnel UDP over Tor: A: No; B: No; C: Proxy: No; VPN: if supported by the VPN, yes; SSH: undocumented

Connecting to a tunnel-link (proxy/VPN/SSH) before Tor

User -> proxy/VPN/SSH -> Tor -> Internet

In this case, your internet traffic will (1) pass through your ISP as proxy/VPN/SSH traffic; (2) exit your proxy/VPN/SSH server as encrypted Tor traffic; (3) enter the Tor network; (4) exit the Tor network at a Tor exit node as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • You must connect to your VPN or proxy to access the internet.
  • Your ISP blocks Tor and Tor bridges but doesn’t block the tunnel-link.
  • Fear of de-anonymizing attacks against the Tor network; belief that your VPN or proxy is able to protect your identity in such a case.

Warnings:

  • Note: the following warnings are not Whonix-specific issues. They are general issues with combining Tor with tunnel-links.
  • A VPN or proxy that knows your identity and/or location may be more willing and able to compromise your privacy than your ISP.
  • If your software configuration doesn't block all traffic when your connection to your VPN suddenly disconnects, your encrypted Tor traffic will go through your ISP without warning. This is the default behaviour of most VPN configurations and not an issue specific to Whonix. Workarounds are described in the links below.
  • If the use of Tor is dangerous in your area, VPNs or SSH may not provide enough protection (due to software misconfiguration or sophisticated packet inspection). Proxies do not provide encryption and should not be used to hide Tor use.

How to connect to a VPN before Tor (User -> VPN -> Tor -> Internet)

How to connect to a proxy before Tor (User -> proxy -> Tor -> Internet)

How to connect to SSH before Tor (User -> SSH -> Tor -> Internet)

How to connect to JonDonym before Tor (User -> JonDonym -> Tor -> Internet)

How to connect to Lantern before Tor (User -> Lantern -> Tor -> Internet)

Connecting to Tor before a tunnel-link (proxy/VPN/SSH)

User -> Tor -> proxy/VPN/SSH -> Internet

In this case, your internet traffic will (1) pass through your ISP as encrypted Tor traffic; (2) exit the Tor network at a Tor exit node as proxy/VPN/SSH traffic; (3) exit your proxy/VPN/SSH as normal internet traffic (encrypted or unencrypted).

Possible uses:

  • As one part of using a VPN or proxy anonymously for some specific reason.
  • You must use Tor, but need to connect to an internet server that bans Tor exit nodes.
  • Fear of de-anonymizing attacks against the Tor network; belief that your VPN or proxy is able to protect your identity in such a case.

Warnings:

  • Note: the following warnings are not Whonix-specific issues. They are general issues with combining Tor with tunnel-links.
  • Even though Tor will hide your IP address from your VPN or proxy, you can still be located through your payment method, usage logs, or other identifying information the tunnel-link service knows about you.
  • You will not be able to access Tor hidden services (.onion). [14]
  • Malware on Whonix-Workstation can't bypass Tor, but it can ignore your VPN or proxy unless you are using a separate Tunnel-Gateway.
  • It is not simple to configure VPNs, SSH or proxies in a foolproof, leak-free manner. However, in the case of Whonix, it is impossible for traffic to bypass Tor, even if the VPN or proxy is misconfigured. [15]
  • Most of the pre-installed software on Whonix-Workstation, including Tor Browser, is configured to take advantage of Stream Isolation. As a side effect, this software will ignore the VPN by default. You must reconfigure this software to disable stream isolation.
  • When using a browser while connecting to Tor before a tunnel-link, you probably will not be able to make use of the browser tab stream isolation feature of Tor Browser. [16] This is because Tor Browser would no longer talk to Tor directly; it would connect to the tunnel-link instead.
  • When using a browser, this worsens your web fingerprint. It is unknown how anonymous it is to use user -> (proxy/VPN/SSH ->) Tor -> Proxy/VPN/SSH -> Tor Browser -> website. How many people show up with a proxy, VPN or SSH IP while using Tor Browser? This setup is so special that probably only very few people are doing it. For this reason, it is recommended against. On the other hand, due to browser fingerprinting, using any browser other than Tor Browser can't be recommended either. [17]
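Stream isolation, which several of the warnings above refer to, works at the SOCKS layer: Tor keeps streams that present different SOCKS5 username/password pairs on separate circuits, and Tor Browser uses this by sending per-site credentials. The following Python block is an added example, not Tor or Tor Browser code. It builds and parses the RFC 1929 username/password sub-negotiation from both the client and the proxy side, and models the isolating SocksPort with a toy `IsolatingSocksProxy` class. The `isolation_credentials` scheme and the circuit labels are constructed and are not Tor Browser's actual credential format.

```python
"""Toy model of SOCKS5 stream isolation by credentials (RFC 1929
username/password sub-negotiation).  Added example, not Tor or Tor Browser
code; the credential scheme and circuit labels are constructed."""

SOCKS5 = 0x05
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
SUBNEG_VERSION = 0x01
AUTH_SUCCESS = 0x00


def client_greeting() -> bytes:
    """Client -> proxy: VER=5, NMETHODS=1, the single method offered is username/password."""
    return bytes([SOCKS5, 1, METHOD_USERPASS])


def server_method_choice(greeting: bytes) -> bytes:
    """Proxy -> client: select username/password if offered, else 0xFF (no acceptable method)."""
    if len(greeting) < 2 or greeting[0] != SOCKS5:
        raise ValueError("malformed greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods or len(greeting) != 2 + nmethods:
        raise ValueError("method list length mismatch")
    chosen = METHOD_USERPASS if METHOD_USERPASS in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS5, chosen])


def client_auth(username: str, password: str) -> bytes:
    """Client -> proxy, RFC 1929 request: VER=1, ULEN, UNAME, PLEN, PASSWD."""
    u, p = username.encode(), password.encode()
    if not (0 < len(u) < 256 and 0 < len(p) < 256):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([SUBNEG_VERSION, len(u)]) + u + bytes([len(p)]) + p


def parse_auth(msg: bytes) -> tuple:
    """Proxy side: parse the request strictly, rejecting truncated or trailing bytes."""
    if len(msg) < 2 or msg[0] != SUBNEG_VERSION:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    if len(msg) < 2 + ulen + 1:
        raise ValueError("truncated username")
    uname = msg[2:2 + ulen]
    plen = msg[2 + ulen]
    if len(msg) != 3 + ulen + plen:
        raise ValueError("length mismatch")
    passwd = msg[3 + ulen:]
    return uname.decode(), passwd.decode()


def server_auth_response(status: int = AUTH_SUCCESS) -> bytes:
    """Proxy -> client, RFC 1929 response: VER=1, STATUS (0 = success)."""
    return bytes([SUBNEG_VERSION, status])


class IsolatingSocksProxy:
    """Stand-in for a Tor SocksPort with IsolateSOCKSAuth: every distinct
    (username, password) pair is given its own circuit, the same pair reuses
    one.  Circuit labels are constructed; real Tor assigns circuit ids."""

    def __init__(self):
        self._circuits = {}

    def circuit_for(self, auth_request: bytes) -> str:
        key = parse_auth(auth_request)
        if key not in self._circuits:
            self._circuits[key] = f"circuit-{len(self._circuits) + 1}"
        return self._circuits[key]

    def circuit_count(self) -> int:
        return len(self._circuits)


def isolation_credentials(app: str, first_party: str) -> tuple:
    """Constructed credential scheme (not Tor Browser's real format): the
    application name as username, the first-party site as password, so one
    application with two first-party sites yields two credential pairs."""
    return (app, first_party)


if __name__ == "__main__":
    proxy = IsolatingSocksProxy()
    assert server_method_choice(client_greeting()) == bytes([SOCKS5, METHOD_USERPASS])
    for site in ("example.org", "example.net", "example.org"):
        req = client_auth(*isolation_credentials("torbrowser", site))
        print(site, "->", proxy.circuit_for(req), server_auth_response().hex())
```

The point for this section: an application only gets this isolation while it speaks SOCKS to Tor directly and presents its credentials. Once it is reconfigured to send its traffic to a tunnel-link instead, Tor never sees those credentials, so the application's streams end up on shared circuits; this is the loss of tab isolation and of Stream Isolation described in the warnings above.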


How to connect to Tor before a VPN (User -> Tor -> VPN -> Internet)

How to connect to Tor before a proxy (User -> Tor -> proxy -> Internet)

How to connect to Tor before SSH (User -> Tor -> SSH -> Internet)

How to connect to Tor before I2P (User -> Tor -> I2P -> Internet)

How to connect to Tor before JonDonym (User -> Tor -> JonDonym -> Internet)

See Also

Footnotes

  1. https://lists.torproject.org/pipermail/tor-talk/2016-July/041757.html
  2. research / document impact for tunnel users if Tor relays hosted at the same tunnel provider
  3. http://tor.stackexchange.com/a/114/80
  4. https://lists.torproject.org/pipermail/tor-talk/2016-July/041753.html
  5. This is because the file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf checks the following condition:
     ConditionPathExists=!/var/run/qubes-service/whonix-template
     This means that if the file /var/run/qubes-service/whonix-template exists, which is the case in Whonix TemplateVMs, the openvpn@openvpn service will not be started.

  6. See Hide_Tor_and_Whonix_from_your_ISP#Using_a_Proxy.
  7. Works only against simplistic IP blocking lists, because connections to such proxies are usually not encrypted.
  8. In these situations, VPNs are also often censored. You might be better off using Bridges.
  9. See Hide_Tor_and_Whonix_from_your_ISP#Using_a_Proxy.
  10. See Hide_Tor_and_Whonix_from_your_ISP.
  11. Disabling Stream Isolation.
  12. If you did not disable Stream Isolation, then applications still pre-configured for Stream Isolation would go only through Tor and not through the extra tunnel-link. It is up to you for which applications you disable Stream Isolation and for which not. If for some reason, you want for example to use gpg through the extra tunnel link, but Tor Browser not, then just disable stream isolation for gpg, but not for Tor Browser.
  13. See Tor Plus VPN or proxy.
  14. When using User -> Tor -> proxy/VPN/SSH -> Internet, i.e. if the last server is not a Tor relay, you will no longer be able to connect to Hidden Services. (Unless you run another Tor client on top, but this would lead to Tor over Tor, which is discouraged for security reasons.)
  15. If setting up a socksifier, proxy settings, a transparent proxy with local redirection, an SSH tunnel or a VPN in a leak-free manner (that is, while ensuring nothing bypasses the VPN, SSH or proxy) were easy, there would have been no reason to develop Whonix in the first place. The methods described in the tunnel documentation are all tested and should all more or less work. Should there be any misconfiguration or leak bug, you are left with the protections of Whonix and Tor: the leak will still go through Whonix-Gateway and therefore be forced through Tor. The methods in the tunnel documentation are not as safe as a Whonix-Gateway. There were development discussions and some progress (see Dev/Inspiration) about chaining multiple Gateways (VPNBOX, JonDoBOX, I2PBOX, FreenetBOX and ProxyBOX), but nothing was finished due to the lack of community interest, support and developers.
  16. Bug #3455: Tor Browser should set SOCKS username for a request based on referer
  17. https://forums.whonix.org/t/vpn-after-whonix-inside-workstation-not-work-anymore-with-tbb/2153/5?u=patrick
