Tor + OpenVPN?

Can you connect to Tor and OpenVPN at the same time? Many VPNs support this function. So it should be supported in the firmware.

You can try this:

Set up VPN on the router, then use Tor on your PC. This should be OK.

But if you want to set up Tor on the router then use VPN on your PC, it is meaningless.

Using Tor and VPN together doesn’t make too much sense for both security and anonymity.

If you choose to use TOR over a VPN, the benefits are that you would be again, hiding from your ISP the fact that you are using TOR. Also, your VPN would only be able to see that you are connecting to TOR nodes and that you are sending encrypted data. The VPN would not be able to see what data you are sending over TOR unless they decrypted it, because remember, all information relayed over TOR is encrypted.

https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/combining-tor-with-a-vpn/

That is exactly what I want to say. But you are talking about the wrong scenario.

Router: Tor, PC VPN === use VPN over Tor
doesn’t make sense at all.

Router: VPN, PC Tor === use Tor over VPN
hide your ISP

OK, with that in mind, can the router be set up to use OpenVPN with the Tor firmware installed?

There will be times that maybe I just want to connect the router via tor and sometimes via VPN.

So will I have to reflash the firmware back to get the OPENVPN client?

Why not use Router: VPN, PC: Tor to gain flexibility?

I can do that.

My thought was, why not let the router be the connecting device? If I want to use VPN then I go to it and set it to use VPN. If I only want to use TOR then I go to it as a device and set it to do so. I was also going to use it as a way to make sure an application didn’t fail and leak any information (a gateway device to whatever method I want to use to connect).

My use case for this device was to let it be the gateway. I just pull it out and connect to it instead of utilizing software on my machine to do so. This allows me to use any machine or combination of devices even if they themselves don’t have the functionality to provide Tor or VPN.

Yes, you are right.

The reason we have a separate Tor firmware is that we want to make it totally open source.

But I think we will put it in our default firmware anyway.

Awesome, yes, it would be nice to have in the default firmware. This is also effectively a kill switch: if all your devices connect via this router and no connection exists for it, then you are safe from any info leakage.

So currently this isn’t possible? I just got an AR300M-Lite for this purpose. I want it to connect to a VPN and then provide Tor as well, so every device connected to the router would go DEVICE->ROUTER->VPN->Tor

I don’t think it works with VPN and Tor in the same box. The configuration is so complicated and also it doesn’t make too much sense.

To use Tor in the default firmware, here is a guide. Ar750 device and tor net - #7 by alzhao

Excuse me, but is this scenario meaningless?
PC with VPN
Router with TOR

Are you sure?
Have you ever tried to open an account wherever you want (gmail, facebook, twitter) from a TOR exit node?
But, if those providers see you are coming from a “respectable” VPN service… things change.
And even then it is not easy!

Regards!

It’s meaningless from a security point. You have routed your traffic via Tor, only to use a fixed IP address on the other end, that can trace the traffic back to you. VPN providers are only secure if you can truly trust they don’t have a backdoor or sell info to governments.

Ah, you say that they can trace the traffic back to me if I use a fixed IP address on the other end.

And can you please explain how they can do that?

I am trying to figure out how it can be possible, taking into account that Tor is between me and the VPN.

It is very important for me.

Thank you in advance.

If you use Tor on its own, think of it as a string floating in the wind. The end of the string is constantly changing positions. Every time you connect to a site, it will use a different path. Multiple exit points make it harder and harder to

If you however use a VPN on the other end, now you don’t have a floating string, it is tied on 2 ends. It is possible to match traffic if both ends are monitored.

It would be best if you do it the other way around. You have a VPN on your router, and use Tor Browser on your PC. The connection to Tor will then seem like it started at the VPN.

But as you see you still need to trust that the VPN won’t leak your information to anyone. Ironically you must also trust that the TOR exit node has not been compromised.

But Tor Via VPN is better than VPN via TOR.
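Added illustration, not part of any post in this thread: a small Python sketch of why a path tied at two monitored ends can be matched even though the payload is encrypted. The byte counts are constructed, and `through_tunnel` and `pad_constant` are hypothetical helpers; constant-rate padding is included only for contrast and is not something the thread proposes.

```python
from math import sqrt

def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have equal length >= 2")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:  # a constant-rate link carries no volume signal
        return 0.0
    return cov / sqrt(vx * vy)

def through_tunnel(series, overhead=1.03, header=40):
    """Encryption hides content, not shape: sizes grow a little, timing stays."""
    return [round(b * overhead) + header if b else 0 for b in series]

def pad_constant(series):
    """Constant-rate padding: every interval carries the peak volume."""
    return [max(series)] * len(series)

# Constructed bytes-per-second samples (not real captures).
USER_SIDE = [1200, 0, 0, 5400, 300, 0, 0, 0, 9800, 150, 0, 2100]
UNRELATED = [0, 3100, 800, 0, 0, 4700, 0, 250, 0, 0, 6000, 0]
FAR_SIDE = through_tunnel(USER_SIDE)  # same flow, seen at the fixed far end

def compare():
    """Correlate what each observer would record, per scenario."""
    return {
        "same_flow": pearson(USER_SIDE, FAR_SIDE),
        "unrelated": pearson(USER_SIDE, UNRELATED),
        "padded": pearson(pad_constant(USER_SIDE), FAR_SIDE),
    }

if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:10s} r = {r:+.3f}")
```
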

Ok, I see your point.

I have one Tor entry node, assigned to me for whatever reason, and it will not be changed for the next two/three months.
I have a VPN to connect, with its fixed IP.
In the middle, as you said, a floating string.

Let's imagine “they” know and monitor both points: Tor entry node and VPN IP.
Let's imagine further: they monitor and save all traffic of all nodes of TOR.

They only need to find a match on the traffic.
You mean, connection and disconnection time, amount of bytes, and so on.
Let's say they find the match.
So they have now one entire session of my connection.
And they know my IP.

Two questions:

1. How could I avoid that match? Having an open TOR connection all day long, and have an “every now and then” connection to the VPN?
2. Anyway, even if they know my IP, are they able to decrypt the data I sent if I always use HTTPS?

Thanks in advance.

PS: I don't think about using first VPN and then TOR, because I want to use Facebook, Gmail, Twitter and any resources like that, and when I try to use them coming from TOR… they say “tell me your phone number”.

Yeah you must remember that even though traffic is encrypted, if you send say “FooBar” as a string many times, this pattern can be matched by traffic analysis and behavior analysis. And yes size of packets, amount of data, times online and so on can give away the user as well.

The firewall that China deploys for example is very advanced and can detect such patterns, that is why they can magically block VPN traffic even if you have simple levels of obfuscation on top.

Then you can imagine what tools “they” might have, many many times more advanced. Probably deploying AI for analysis of the data.

My recommendation is you force the TOR network to reset every day or so. You can do it from the command line at dead hours of the night, so you end up with a new circuit, to keep the string moving :)

And yes, use the VPN on top not for all the data, just for the services that nag for phone number and so on.

Phone apps are very dangerous. Apart from GPS location in the background so they know where you really are, if you forget to use the VPN or TOR just 1 time, they can match you from then on; on that phone. And since Facebook is embedded in all sites, they will use that tracking id from the app, and follow you from site to site, regardless of VPN or TOR after that.
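Added example, not from any poster or from the router firmware: one way to script the periodic reset recommended above is to send `SIGNAL NEWNYM` over Tor's control port. It assumes `ControlPort 9051` and `HashedControlPassword` are set in torrc; the environment variable name `TOR_CONTROL_PASSWORD` is made up for this sketch.

```python
import os
import socket

def read_reply(ctl):
    """Read one control-port reply; the final line has a space after the code."""
    while True:
        line = ctl.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("control connection closed")
        if len(line) < 4 or line[3] == " ":
            return line

def quote(value):
    """Quote a string argument for the control protocol."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def request_new_circuits(password, host="127.0.0.1", port=9051, timeout=10.0):
    """Authenticate, then send SIGNAL NEWNYM. Returns True or raises."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rwb") as ctl:
        for command in ("AUTHENTICATE " + quote(password), "SIGNAL NEWNYM"):
            ctl.write(command.encode("ascii") + b"\r\n")
            ctl.flush()
            reply = read_reply(ctl)
            if not reply.startswith("250"):
                # Report only the verb: the full command contains the password.
                raise RuntimeError("Tor refused %s: %s" % (command.split()[0], reply))
        ctl.write(b"QUIT\r\n")
        ctl.flush()
    return True

if __name__ == "__main__":
    # TOR_CONTROL_PASSWORD is a name chosen for this example (assumption).
    request_new_circuits(os.environ["TOR_CONTROL_PASSWORD"])
    print("NEWNYM accepted; new connections will use fresh circuits")
```

NEWNYM applies to new connections only and does not change the entry guard, so a nightly cron run moves the circuits while the first hop stays the same.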