Combine Tor with VPN/Proxy

Good day
Maybe this is a topic discussed many times, but I have some dubts. A part of risks of VPN/Proxy controlled by an adversary or don’t offer encryption like socks4/http proxy, if I use a chain (Vpn<–Tor) or (Vpn<–Tor<–Vpn/Socks), we are using Qubes but could include also other OS, when I visit a site with both possibilities, do an adversary know that behind Tor exit relay or Vpn/socks, there is a chain?

Thank you

Good day,

Whether or not the owner of a Server you are trying to access can tell that you are using Tor depends entirely on the Position of the VPN/Proxy in your Connection. If the VPN/Proxy is the last part of the Connection, then a Server will not be able to determine that you Access it via Tor. Keep in mind though that under such circumstances, your ISP will know that you use Tor, though not in what way.

Additionally, regarding the encryption part of your question, all web based VPNs (also known as SSL-VPNs) use encrypted Connections by design. Proxies are a Little more complex. There are Socks Proxies with certain protocols which do offer encryption during Transport, though personally I maintain that they aren’t advantageous over VPNs in any Scenario and in our day and age are mainly present as a core component of certain activities.

Have a nice day,

Ego

Ego:

There are Socks Proxies with certain protocols which do offer encryption during Transport

That’s new to me. In the Whonix wiki it’s claimed there are no socks
proxies that support encryption. Got an example handy?

Good day,

Well, a SSH-Socks-Proxy (for example via OpenSSH) would be the implementation I’d thought about primarily. That’s what I was refering to when writing “Socks Proxies with certain protocols”.

Have a nice day,

Ego

Right, then you got an ssh tunnel, and you’re using a unencrypted local
connection to create to the local socks port.

I guess it’s a definition question if that could be considered an
encrypted socks proxy. Imo referring to it as encrypted socks proxy can
be confusing since it’s primarily an encrypted ssh tunnel. Socks is only
the interface.

If that definition is established elsewhere already, I’ll happily take it.

Good day
Maybe I haven’t write well what I want to say. Some time ago, I don’t see more it, in chain topics there is an alert explains if you want to setup a chain i.e. Vpn<–Tor<–Socks, you have to ask how many people use this chain? Usually the answer was few. My question is born from here, if there was this alert then was possible to know how many Vpn/Proxy/Tor was constituted the chain
Do I have a bad memory?

Good day
Nobody?

http://kkkkkkkkkk63ava6.onion/wiki/Tunnels/Introduction

When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint.

The anonymity effects of using the configuration: User → (Proxy / VPN / SSH ->) Tor → Proxy / VPN / SSH → Tor Browser → Website are unknown. How many people are likely to use a proxy, VPN or SSH IP in this manner? This setup is so specialized that probably very few are doing it, reducing the user pool to a small subset. Due to potential fingerprinting harm, it is recommended against. If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (e.g. Firefox, Chrome), due to an even greater browser fingerprinting risk. [17]

If you read that entire section and links, you’ll want to do away with this plan altogether.

1 Like

Then it is relevant just when use VPN/proxy over Tor and not if there is one under

When a person is using a VPN/proxy over Tor in other browsers is possible to understand behind it there is a tor exit relay?

The whole “under” “over” “through” Tor is confusing. Better to say User → Tor → VPN → Internet etc.

The docs and Tor Project seem to say that connecting to a VPN last in the chain before the Internet is bad and chancy.

Ego already said:

If the VPN/Proxy is the last part of the Connection, then a Server will not be able to determine that you Access it via Tor. Keep in mind though that under such circumstances, your ISP will know that you use Tor, though not in what way.

But, do you really trust that the VPN will never fail and be configured correctly to hide Tor use behind it?

Also, The Tor Project notes:

You can also route VPN/SSH services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN/SSH exit nodes, you at least get to choose them. If you’re using VPN/SSHs in this way, you’ll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc).

However, you can’t readily do this without using virtual machines. And you’ll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.

Even if you pay for them anonymously, you’re making a bottleneck where all your traffic goes – the VPN/SSH can build a profile of everything you do, and over time that will probably be really dangerous.

So, why is this bad?:

  • VPN sees everything you’re doing.
  • VPNs can (and do) fail.
  • The setup is hard and “chancy” according to the Tor Project.
  • You don’t evade network censor Tor bans.
  • You don’t hide Tor use from ISPs.
  • You lose stream isolation.
  • Your web fingerprint is worsened.
  • You have a permanent exit relay.
  • You can’t connect to Tor hidden services.
  • The anonymity effects are disputed.

See: http://kkkkkkkkkk63ava6.onion/wiki/Tunnels/Introduction#Comparison_Table

So, just to reinforce that - difficult to set up, costs money (with probable honeypot providers), worsens fingerprint, removes stream isolation, will probably fail and reveal Tor use at some stage, and anonymity effects are disputed.

All in all, a terrible plan just to (maybe) hide Tor use from websites.

Re: “Other Browsers”

Don’t use other browsers with Tor. Fingerprinting will kill you and you’ll be obvious to a network adversary i.e. one of the few using Chrome, Chromium etc over the Tor network.

See here:

http://kkkkkkkkkk63ava6.onion/wiki/Tor_Browser#Anonymity_vs_Pseudonymity

http://kkkkkkkkkk63ava6.onion/wiki/Tor_Browser/Advanced_Users#Tor_Browser_Adversary_Model

Try using Proxy Tor server