OK - here's my second attempt awaiting sign-off in the wiki
= Transporting UDP Tunnels over Tor =
According to the Tor Project:<ref>https://blog.torproject.org/blog/moving-tor-datagram-transport</ref>
Tor transports data over encrypted TLS tunnels between nodes, which is in turn carried by TCP.
The current Tor design does not support the transport of [https://trac.torproject.org/projects/tor/ticket/7830 UDP-based protocols] through exit nodes in the network, and this is unlikely to be supported in the near future due to incompatibility with cryptographic protocols in use and those planned.
The consequence is that UDP-based protocols and applications cannot be used to transmit UDP datagrams between guards and exit nodes in the default environment. Example UDP protocols / applications include:<ref>https://en.wikipedia.org/wiki/User_Datagram_Protocol</ref>
- Domain Name System (DNS);
- Simple Network Management Protocol (SNMP);
- Routing Information Protocol (RIP);
- Dynamic Host Configuration Protocol (DHCP); and
- Voice and video traffic.
== Transporting UDP Tunnels over Tor with a VPN ==
A solution to this problem is to use a [https://en.wikipedia.org/wiki/Tunneling_protocol tunneling protocol]. In simple terms, this allows a user to access a foreign protocol or network service that the underlying (Tor) network does not support or provide directly.
The tested and working method in Whonix is to utilize a Virtual Private Network (VPN) with a trusted provider that does not block UDP traffic (User -> Tor -> VPN -> [Other Anonymizing Network] -> Internet). Some VPN protocols such as OpenVPN may use UDP while implementing reliable connections and error checking at the application level.<ref>Other VPN implementations may also be useful, but have not been researched yet.</ref>
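As an added illustration of the transport requirement above (this is not part of the Whonix documentation), the following Python checker parses an OpenVPN client profile and reports settings that cannot work when the VPN connection itself is carried over Tor, which only relays TCP. The two profiles and the host vpn.example.invalid are constructed placeholders.

```python
# Directives OpenVPN accepts only in UDP mode; a profile that carries them
# was written for UDP and is rejected once the transport is switched to TCP.
UDP_ONLY_DIRECTIVES = {"explicit-exit-notify", "fragment"}

def parse_ovpn(text):
    """Yield (directive, args) pairs; '#'/';' comments and <ca>...</ca> blocks are skipped."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside an inline <tag> ... </tag> block
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def check_tor_compat(text):
    """Return the problems that stop this profile from running over Tor."""
    problems = []
    proto = "udp"                         # OpenVPN's default when 'proto' is absent
    for name, args in parse_ovpn(text):
        if name == "proto" and args:
            proto = args[0]
        elif name == "remote" and len(args) >= 3:
            proto = args[2]               # 'remote host port proto' overrides 'proto'
        elif name in UDP_ONLY_DIRECTIVES:
            problems.append(f"'{name}' is UDP-only; remove it for TCP mode")
    if not proto.startswith("tcp"):
        problems.append(f"proto '{proto}' is UDP; Tor cannot carry it, use 'proto tcp-client'")
    return problems

# Constructed sample profiles; vpn.example.invalid is a placeholder host.
UDP_PROFILE = """\
client
proto udp
remote vpn.example.invalid 1194
explicit-exit-notify 3
"""
TOR_PROFILE = """\
client
proto tcp-client
remote vpn.example.invalid 443
<ca>
PLACEHOLDER CERTIFICATE
</ca>
"""
```

Running `check_tor_compat(UDP_PROFILE)` lists both the UDP transport and the UDP-only directive, while the TCP profile passes cleanly.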
Please first read the related VPN documentation and warnings:
- [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN Tor Plus VPN or Proxy];
- [[Whonix:General_disclaimer#Whonix_VPN_disclaimer|Whonix VPN disclaimer]];
- [[Tunnels/Connecting to Tor before a VPN| How to connect to Tor before a VPN (User -> Tor -> VPN -> Internet)]]; and
- [[Tunnels/Introduction#Comparison_Table|Tunneling comparison table]].
Read these before following the instructions to [[Tunnel_UDP_over_Tor|tunnel UDP over Tor]].
The current [http://sec.cs.ucl.ac.uk/users/smurdoch/papers/tor11datagramcomparison.pdf Tor architecture] may cause negative performance impacts on user activities. This arises from high latency due to congestion in the network, queue length on nodes (mixing of traffic across multiple nodes), and TCP mechanisms which attempt to account for lost packets by holding delivery of subsequent packets until the lost one has been retransmitted.<ref>https://guardianproject.info/2012/12/10/voice-over-tor/</ref>
Understand that adding a second connection in the tunneling chain adds significant complexity. This potentially increases the security and anonymity risks to the user due to: misconfiguration, the increased attack surface of secure tunneling software, the difficulty in anonymously paying for VPN services, and potential bottlenecks with VPN providers. Depending on your configuration, you may also increase your fingerprinting risk, lose stream isolation of your activities, and have one permanent destination (the VPN server) for all of your Tor circuits.<ref>Also read the Tor Project warnings here: https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN.</ref>
Whonix recommends the use of [https://en.wikipedia.org/wiki/OpenVPN OpenVPN] as the most secure (SSL/TLS-based) protocol, rather than reliance upon IKE, L2TP/IPsec or PPTP. OpenVPN is considered extremely secure when used with encryption algorithms such as AES.<ref>IKE is being exploited by the NSA to decrypt IPsec traffic. IPsec configured with pre-shared keys is vulnerable to MITM attacks. PPTP is an obsolete method for VPN implementation with a host of security weaknesses. For further reading on intelligence agency capabilities against VPN protocols see: http://www.spiegel.de/media/media-35515.pdf</ref>
A dedicated virtual machine is recommended for this activity, see: [[Multiple Whonix-Workstations]].