combining Tor with a VPN or proxy can make you less anonymous

Originally published at: News - Whonix Forum

Warning
Using a VPN, proxy or SSH can negatively affect anonymity under some circumstances. [1] [2] To explain why that is, some background information is required so you can draw conclusions and take actions to avoid this risk. See below.
  • Tor avoids using more than one relay belonging to the same operator in the circuits it is building. Legitimate Tor relay operators adhere to Tor's relay operator practices of announcing which relays belong to them by declaring this in the Tor relay family setting. Tor also avoids using Tor relays that are within the same network by not using relays within the same /16 subnet. [3] Tor however does not take into account your real external IP nor destination IP addresses. [4] In essence, you must avoid using the same network/operator as your first and last Tor relays since this would open up end-to-end correlation attacks.
  • Many tunnel providers use shared IP addresses which means that many users share the same external IP address. On one hand this is good since that is similar to Tor, where many users share the same Tor exit relays. On the other hand, this can in some situations lead to actually making you less safe.
  • It is possible to host Tor relays [any... bridges, entry, middle or exit] behind VPNs or tunnel-links. For example, there are VPN providers that support VPN port forwarding. This is an interesting way to contribute to Tor while not exposing oneself to too much legal risk. Therefore, there can be a situation where a VPN or other tunnel-link and a Tor relay could be hosted by the same operator, in the same network or even on the same IP.
  • In an economy with a deep labor division, some provide the service of hosting servers (VPS etc.). Others provide VPN and other tunnel-link services and rent such servers. It is common that diverse customers share the same IP address. This is another situation where a VPN or other tunnel-link and a Tor relay could be hosted by the same operator, in the same network or even on the same IP.
  • By adding arbitrary tunnel-links to your connection chain, you could unknowingly use the same operator/network twice in your connection chain.
    • scenario 1)
      • a) User uses VPN IP A on the host, thereby using it as its first relay.
      • b) User's Tor client happens to pick a Tor exit relay running on VPN IP A.
      • Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
    • different scenario 2)
      • a) User sets up a VPN inside Whonix-Workstation. That results in user -> Tor -> VPN -> internet, using VPN IP A.
      • b) A Tor entry guard is being hosted on VPN IP A.
      • Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
        • --> By using the VPN the user did not get more, but less secure.
  • Choose your tunnel providers wisely.
    • Find out in which physical and legal jurisdiction and network their servers are located.
    • Perhaps avoid using VPN or SSH providers that support port forwarding.
    • Perhaps use only tunnel-link providers that are assigning private - as in not shared with others - unique - IP addresses, however it is not clear if this does more harm than gain as noted above.
    • Perhaps use tunnel-link providers that run their own servers rather than relying on shared infrastructure.
  • Perhaps manually pick your Tor relay[s], specifically your entry guard[s] or bridge[s].
    • Tor documentation generally discourages tampering with Tor's routing algorithm by manually choosing your relays, but since you are trying to be more clever by extending your Tor chain despite all information about the difficulty of this endeavor, perhaps it would make sense to pick your entry guard manually.
    • Using Bridges might be an alternative, but note the following quote: "Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards." (Source: bridge vs non-bridge users anonymity.)
This is now documented here: https://www.whonix.org/wiki/Tunnels/Introduction#Introduction
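As an added example, not part of the Whonix post above: a small Python check that applies Tor's own /16 and relay-family rules to the tunnel hop that Tor itself cannot see. The relay list, the FP_* fingerprints and the tunnel IP are constructed placeholders; a real check would be fed from the consensus and the tunnel's actual egress address.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Relay:
    nickname: str
    fingerprint: str                           # constructed placeholder, not a real fingerprint
    address: str
    flags: set = field(default_factory=set)    # e.g. {"Guard"}, {"Exit"}
    family: set = field(default_factory=set)   # fingerprints the operator declares as family

# Constructed relay set using RFC 5737 documentation addresses; not real relays.
SAMPLE_RELAYS = [
    Relay("guardA", "FP_GUARDA", "203.0.113.10", {"Guard"}, {"FP_EXITD"}),
    Relay("exitB",  "FP_EXITB",  "203.0.200.5",  {"Exit"}),
    Relay("midC",   "FP_MIDC",   "198.51.100.7"),
    Relay("exitD",  "FP_EXITD",  "192.0.2.9",    {"Exit"}, {"FP_GUARDA"}),
]

def same_slash16(a: str, b: str) -> bool:
    """Tor never uses two relays from the same /16 in one circuit."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/16", strict=False)
    return net(a) == net(b)

def tunnel_conflicts(tunnel_ip: str, relays, roles=("Guard", "Exit")):
    """Relays Tor could pick as guard or exit that sit on the tunnel's IP or /16.
    Tor cannot apply its /16 rule to a hop it does not know about, so this
    applies that rule on the user's behalf."""
    hits = []
    for r in relays:
        if r.flags & set(roles) and same_slash16(tunnel_ip, r.address):
            reason = "same IP" if r.address == tunnel_ip else "same /16"
            hits.append((r.nickname, reason))
    return hits

def operator_relays(known_fps, relays):
    """Relays with the given fingerprints plus anything declaring family with them.
    Tor only honours mutual family declarations; this reports either direction
    so a one-sided declaration still surfaces."""
    return [r.nickname for r in relays
            if r.fingerprint in known_fps or r.family & set(known_fps)]

if __name__ == "__main__":
    for name, why in tunnel_conflicts("203.0.113.10", SAMPLE_RELAYS):
        print(f"tunnel shares {why} with relay {name}")
    print("relays tied to the tunnel operator:",
          operator_relays({"FP_GUARDA"}, SAMPLE_RELAYS))
```

A hit from tunnel_conflicts is exactly the scenario 1/2 condition in the post: the tunnel and a guard or exit on the same IP or network, which Tor's path selection would never produce on its own.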

Thank you for Whonix, really loving it!

I have a question about the above problem.

I really feel that I can trust my VPN provider more.
They have accepted bitcoin from day one.
Is in a country where the law does not force a VPN provider to log.
And so on…

Yes I know I can not be sure but I choose to trust them more/instead of my ISP.

This problem:

Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.

Wouldn’t that be fixed if
a) the user chooses to always connect to a VPN that is in a specific country and
b) set the following options in torrc
ExcludeNodes {country_code_of_vpn}
StrictNodes 1

ExcludeNodes
A list of identity fingerprints, country codes, and address patterns of nodes to avoid when building a circuit.

StrictNodes
If StrictNodes is set to 1, Tor will treat solely the ExcludeNodes option as a requirement to follow for all the circuits you generate, even if doing so will break functionality for you.

thanks!

Don’t ever trust VPNs and here is why…

1) Not using a VPN or rolling your own is probably best. See here (and avoid the list of dodgy VPNs):

[Most VPN Services are Terrible · GitHub]

Short version: I strongly do not recommend using any of these providers. You are, of course, free to use whatever you like. My TL;DR advice: Roll your own and use Algo or Streisand. For messaging & voice, use Signal. For increasing anonymity, use Tor Browser for desktop, and Onion Browser for mobile.

This mini-rant came on the heels of an interesting twitter discussion: https://twitter.com/kennwhite/status/591074055018582016

Again I strongly do not recommend using any of these providers.

Provider / known “Secret” Key

Astril / way2stars
EarthVPN / earthvpn
GFwVPN / gfwvpn
GoldenFrog / thisisourkey
IBVPN / ibVPNsharedPSK!
IPVanish / ipvanish
NordVPN / nordvpn
PrivateInternetAccess (PIA) / mysafety
PureVPN / 12345678
SlickVPN / gogoVPN
TorGuard / torguard
TigerVPN / tigerVPN
UnblockVPN / xunblock4me
VPNReactor / VPNReactor

Yes, I know. Many/most of these offer OpenVPN, or special clients for IPSec. But for all of the above, they are actively placing a significant portion of their user base (particularly those with older Androids and desktops) at risk by not using per-user PSKs. If your threat model is streaming BBC or helping your cousin geo-shift Hulu, go wild and plug into the Mad Max-esque Thunderdome commons and take your chances. If you’re a dissident in Tehran or Riyadh, be extremely cautious of any of these providers.

2) This is why you shouldn’t trust VPN providers in general and why the VPN bottleneck is asking to be pwned (it is a glorified proxy and simply a money spinner).

Trust in them is misplaced (plus most of them are in “Fourteen Eyes” countries anyway):

[Don't use VPN services. · GitHub]

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn’t log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider’s best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you’re paying for your VPN service doesn’t even pay for the lawyer’s coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I’ll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn’t matter. You’re still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don’t provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don’t provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can’t magically encrypt your traffic - it’s simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn’t a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

…

So why do VPN services exist? Surely they must serve some purpose?

Because it’s easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don’t even have to know what you’re doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it’s just one that benefits the provider, not you.

3) Don’t exclude specific nodes in the Tor network - it goes against Tor Project advice and probably makes you less anonymous. Disregard this advice at your own peril.

http://kkkkkkkkkk63ava6.onion/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios

Users can manually choose an entry or exit point in the Tor network, [8] but the best security relies on leaving the route (path) selection to Tor. Overriding the choice of Tor entry and/or Tor exit relays can degrade anonymity in ways that are not well understood. Therefore, Tor over Tor configurations are strongly discouraged.

See also:

jasdkjsabd:

Wouldn’t that be fixed if
a) the user chooses to always connect to a VPN that is in a specific country and
b) set the following options in torrc
ExcludeNodes {country_code_of_vpn}
StrictNodes 1

I don’t know how well ExcludeNodes works. If it just works if the Tor
relay owner puts its actual country into the config or if Tor somehow
auto detects the country. (Would not be surprising if it does not do the
latter.) Should be asked on the tor-talk mailing list since that is a
general Tor question.

Using ExcludeNodes changes the default Tor routing algorithm to
something else. This is generally discouraged by The Tor Project since
you could stand out.