
On Public and Private WiFi, VPNs, Tor, and Virtual Machines

If you require privacy while connected to the internet – and I mean really require it – there is no reason to go only part of the way toward being safe. In the world we live in today, it’s foolish to ever assume you’re completely untraceable. The most we can accomplish is making it as difficult as possible for the tracing to happen. Nearly every tool we use for privacy has been compromised in some way or another; users repeatedly make careless mistakes and the government successfully capitalizes on them. Nobody is secure.

That being said, there are ways to make tracking you down so difficult that only the most well-funded and militantly dedicated entities will pursue you. One instance of this type of set-up, while not as complex as it could be, involves running Tor with multiple VPNs, inside virtual machines. It’s admittedly a major pain in the ass, but it’s one of the most secure ways to access the internet. I’ll be covering the basics of running Tor within a VPN within a virtual machine.

VPNs

VPNs can be very secure – in fact, a good one could be potentially unbreakable. It’s important to make absolutely sure that the VPN you use is trustworthy. DDW has a great comparison chart of some of the top services on the market. I would also recommend r/VPN and r/VPNReviews as starting points. One of the biggest issues we see talked about in regard to VPNs is logging. Many services claim they don’t keep user logs, but are either intentionally misleading or painfully negligent. The comparison chart points out that you want a VPN that respects your privacy, uses encryption, supports OpenVPN, has a no logging policy and prioritizes Bitcoin as payment. This isn’t an article about picking VPNs so finding one that fits your needs and meets the criteria above is up to you.

I’ll start with one of the most common ways to lose your anonymity, even when using an excellent VPN: DNS leaking. Internet service providers assign DNS servers to clients on their network and are able to log every request you send to the assigned server. When you use a VPN, any DNS requests are supposed to be sent to an anonymous server – through the VPN – preventing the ISP from seeing them. The leak happens when your browser effectively forgets that you’re running a VPN and sends the request to the default DNS servers anyway, resulting in exactly the tracking you were trying to avoid. Leaks are a simple fix, but it’s easy to be unaware of one until it’s too late. The easiest way to check for leaks is to use dnsleaktest.com and run the standard test option. It will show a list of DNS servers. You want the location to be somewhere other than the country where you are actually located, and you need to make sure the name in the ISP column is not your actual ISP.

If you are seeing your own location and DNS servers hosted by your ISP, you have a leak, but it’s not a hard problem to solve. By far the easiest way to eliminate a DNS leak is to drop the ISP’s DNS server and replace it with a third-party one. Good examples are Google’s Public DNS server at 8.8.8.8 or the OpenDNS server at 208.67.222.222. You can do your own review of alternate DNS servers, but those two are well-known and generally have several advantages over others.
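A small check to run inside the VM once the tunnel is up, added here as an example and not part of the original article: it reads the resolvers the system is configured to use and flags any that the VPN did not hand out, which is the condition dnsleaktest.com would report. The allowlist and the 10.8.0.1 tunnel resolver are assumptions, and the two resolv.conf samples are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: audit the nameservers a
# Linux VM will actually use and flag any that are not on an explicit
# allowlist. A leak is any resolver the VPN did not hand out, typically the
# ISP or home-router address the OS picked up via DHCP before the tunnel.
set -u

# Allowlist: the two public resolvers named in the article plus the VPN's
# tunnel-side resolver. 10.8.0.1 is an ASSUMED placeholder; use the address
# your provider documents for its in-tunnel DNS.
ALLOWED_RESOLVERS="8.8.8.8 208.67.222.222 10.8.0.1"

# is_allowed ADDR -> exit 0 if ADDR is on the allowlist, 1 otherwise.
is_allowed() {
  local a
  for a in $ALLOWED_RESOLVERS; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# check_resolvers FILE -> prints one line per resolver and returns 0 if every
# 'nameserver' entry in FILE is allowed, 1 if at least one would leak.
# FILE is in resolv.conf format, i.e. /etc/resolv.conf on the VM.
check_resolvers() {
  local file=$1 key addr rest leaks=0
  while read -r key addr rest; do
    [ "$key" = "nameserver" ] || continue   # skip search/options/comments
    if is_allowed "$addr"; then
      printf 'ok    %s\n' "$addr"
    else
      printf 'LEAK  %s (not a VPN or allowlisted resolver)\n' "$addr"
      leaks=$((leaks + 1))
    fi
  done < "$file"
  [ "$leaks" -eq 0 ]
}

# Constructed samples. LEAKY is what a leaking VM often looks like: the
# router address left over from DHCP sits ahead of the tunnel resolver, so
# lookups go to the ISP in the clear. CLEAN uses only tunnel/allowlisted
# resolvers.
LEAKY=$(mktemp); CLEAN=$(mktemp)
trap 'rm -f "$LEAKY" "$CLEAN"' EXIT
printf 'search lan\nnameserver 192.168.1.1\nnameserver 10.8.0.1\n' > "$LEAKY"
printf 'nameserver 10.8.0.1\nnameserver 8.8.8.8\n' > "$CLEAN"

check_resolvers "$LEAKY" || echo "=> leaky: replace 192.168.1.1 before browsing"
check_resolvers "$CLEAN" && echo "=> clean"
```

Run it against the VM’s real /etc/resolv.conf after the VPN connects; any LEAK line means the request path is the one dnsleaktest.com would flag.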

There are also programs that can cause DNS leaks. I am aware of very few, but I believe the main culprit would be Teredo clients. To my knowledge they aren’t on by default in any current operating system, but XP, Vista, and potentially some builds of Windows 7 had Teredo support and clients built in. Run Command Prompt as Administrator and enter the following without quotes: “netsh interface teredo set state disabled”. You may need to reboot. To re-enable it: “netsh interface teredo set state type=default”.

Back to the topic at hand. To get the most safety a VPN can offer, you’re going to need to sign up using an anonymous IP address and a method of payment that can’t be traced back to you in any conceivable way. For those who don’t know, most crypto-currency is good for this. Obviously Bitcoin is at the top of the list. Using a good tumbler is generally a recommended step for obfuscating bitcoin transactions, destinations, and starting points. Otherwise, they are traceable to some degree. The nature of the blockchain allows transactions to be traced, and once your wallet address is known, it’s only a matter of time before all incoming and outgoing bitcoin movements can be tracked. Again, to a degree. Here’s a site that lets you do exactly that: WalletExplorer.com. A good example of coins being traced is when people buy Bitcoins with a service like Coinbase, send the coins directly to their darknet market wallet, and then have Coinbase close the account for illegal activity.

There’s a major downside to using tumblers: losing your money, either accidentally or by using a link to a scam tumbler set up to look like a real one. There is only one bitcoin cleaner I will recommend and that’s Grams’s Helix. I don’t think there has been a single report of missing coins and Grams has repeatedly proven themselves to be trustworthy. There are always arguments on both sides of the fence on bitcoin tumbling, but like I read on Reddit at some point: everyone using the deepweb recommends turning off Javascript. It’s not always essential to being safe, but it’s much safer to have it off than on.

Tor

We’ve learned that blindly running Tor alone isn’t safe either: researchers just found more than 100 snooping Tor relays, and the web is well aware of the FBI’s Tor exploit that they refuse to release. Beyond that, Tor is just like any other program; it has bugs, some of which are major security threats, and it’s possible they won’t be discovered until someone takes advantage of them. Even if you aren’t compromised by the NSA or FBI, having your Tor traffic de-anonymized by a third party could be far worse than having clearnet traffic intercepted.

Just to go into brief detail regarding potential threats on Tor, we’ll take a look at traffic confirmation attacks. The Onion Project, on their blog, has an article titled “One cell is enough to break Tor’s anonymity” that gives a pretty good explanation of how they work. Traffic confirmation attacks are not extremely complicated, and Tor is not designed to stop them, as doing so would take more resources than the network can afford to spend. This kind of attack occurs when an attacker is able to observe the relays at both ends of a Tor circuit. If the first relay is the entry guard (which knows the user’s address) and the last relay knows the destination, matching the two traffic flows can absolutely be used to deanonymize the user.

That being said, for what Tor advertises it does, it does very well. The issues referred to here aren’t some conspiracy theory; The Onion Project discusses them on their own blog, and it fits the concept of this article: making it increasingly difficult to be compromised, not impossible.

“Because we aim to let people browse the web, we can’t afford the extra overhead and hours of additional delay that are used in high-latency mix networks like Mixmaster or Mixminion to slow this attack. That’s why Tor’s security is all about trying to decrease the chances that an adversary will end up in the right positions to see the traffic flows.

The way we generally explain it is that Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can’t protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math. And the math is really effective. There are simple packet counting attacks (Passive Attack Analysis for Connection-Based Anonymity Systems) and moving window averages (Timing Attacks in Low-Latency Mix-Based Systems), but the more recent stuff is downright scary, like Steven Murdoch’s PET 2007 paper about achieving high confidence in a correlation attack despite seeing only 1 in 2000 packets on each side (Sampled Traffic Analysis by Internet-Exchange-Level Adversaries).”

One of the last points worth making about Tor alone is that your ISP will know you’re using Tor unless bridges are used. Therefore the chance that you lose plausible deniability – in the most extreme cases – is always there. The likelihood of a problem like this ever arising is pretty slim, but it’s worth noting. The case of a Harvard student in 2013 is a great example of how the FBI were able to determine that he had called in a bomb threat. He was simply selected as a suspect by being one of a few people who used Tor that morning and, of course, confessed when confronted by agents.

It’s really no surprise that the majority of issues that occur when using Tor seem to be caused by user error and human stupidity, but there are several small issues that, especially when they stack, can render your security useless. This is why I recommend running both a VPN and Tor at the same time. Some will argue that it’s a pointless measure or that it’s more work than it’s worth, but given some of the issues pointed out above, I disagree.

Here’s an infographic /u/SecureThoughts posted on Reddit some time back that demonstrates what running both would look like:

[Infographic: user → VPN → Tor layering, showing the nested encryption at each hop]

There’s an overwhelming amount of “double encryption” in the picture, and for my needs, that’s perfect. Breaking that would require a significant amount of resources and it would certainly discourage people from attempting the task.

VMs

Taking this one step further is terrifyingly complex and is only recommended for those who are absolutely terrified of being spied on or simply enjoy feeling impenetrable. The extra step I am referring to is adding virtual machines. More isolation can be achieved using a chain of VMs with Whonix, but it’s too complex to get into here. The basic concept is that even if someone gets through your VPN and Tor, they won’t know anything about your actual machine. And, although unlikely, if ransomware were ever to make its way down Tor nodes and your machine got infected, you could just purge the VM and be done with it.

If you’re interested in taking the plunge, good VM software will be needed. The market standard is currently VirtualBox. It’s great software and is open source. Free, too. Running a Linux distro is the best option for a whole array of reasons. Arguably, you’d want to run different operating systems on the virtual machines, different from each other and from the host machine. There are plenty of Linux distributions out there, but, for the sake of being brief, I’ll suggest Ubuntu for the user-friendly experience and Arch for the customization and control.

Once you’ve installed VirtualBox and downloaded your Linux distribution’s .iso, (here’s Ubuntu’s) you’re going to want to set it up in a way that will best work for you. I’ll run through what I recommend for first time users. Inside VirtualBox, select ‘New’ and choose your OS. In this case Ubuntu. You won’t need much RAM for a single VM instance, so 1GB will likely do. You can change this in the future. Use defaults for storage; it’s dynamic so space can grow if you end up using more than planned. Then hit ‘Create.’

There’s some extra tweaking that I would recommend doing in both the General/Advanced tab and the USB tab: set ‘Shared Clipboard’ and ‘Drag and Drop’ to disabled, and uncheck ‘Enable USB Controller.’ Under Storage and CD select ‘Choose a virtual CD/DVD disk file’ and find the .iso image you downloaded before. You can now run the VM and go through the OS install. It’s up to you whether or not you want to use encrypted LVM in disk partitioning; I can’t really comment either way.

When you have your system installed, I would immediately turn off networking and then disable WebGL. In Firefox type “about:config” in the URL bar and set “webgl.disabled” to true. You can turn networking back on at this point. Now you’re going to need to set up the system for running a VPN. Since the instructions for other types of VPNs may vary depending on the service, I’ll explain the process for Open-VPN services.

Open Terminal and then type:

  1. sudo apt-get install network-manager-openvpn
  2. sudo restart network-manager

Review the .crt and .key files your VPN gave you and find the VPN server you want to connect to. You will need to use the IP address instead of the hostname. You’ll also need to know the server port number and the connection type, which will be either UDP or TCP. If you’re routing via Tor, use TCP (Tor only carries TCP streams); otherwise UDP. Check the cipher type; if none is specified, leave Network Manager’s default. If your VPN provides a ta.key, you’ll need to know the number at the end of the tls-auth line, which is the key direction.

You’re going to need to copy all your VPN certificates and key files to the OpenVPN directory. Open Terminal again.

  1. cd /home/user/path-to-the-files
  2. sudo cp ca.crt client.crt client.key ta.key /etc/openvpn/

And then you’re going to need to set up the VPN from within Network Manager.

  1. VPN → Add → Create. Enter the IP of your server.
  2. If your VPN provides only a ca.crt:
    1. Password → Enter username and password.
    2. CA Certificate → Places → File System → etc → openvpn → find your ca.crt.
    3. Then Advanced → General → “Use Custom Gateway Port” and enter the port number.
  3. If your VPN provides ca.crt, client.crt and client.key, but not ta.key:
    1. Select Certificates (TLS).
    2. Replicate the steps above for selecting ca.crt, but also for client.crt and client.key.
    3. Then Advanced → General → “Use Custom Gateway Port” and enter the port number.
  4. If your VPN provides ca.crt, client.crt, client.key and ta.key, and requires a password for connection:
    1. Password with Certificates (TLS) → Enter username and password.
    2. Add ca.crt, client.crt and client.key as described above.
    3. Then Advanced → General → “Use Custom Gateway Port” and enter the port number.
    4. TLS Authentication → Use additional TLS authentication → Key File and select your ta.key, with the key direction from the tls-auth line.
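The same profile as a plain OpenVPN client config, added here as an example (not from the article or from any provider): it pulls the tls-auth key direction out of the provider’s .ovpn and writes a client.conf using the server IP, the custom port, the TCP-for-Tor choice, and the four files copied to /etc/openvpn/ above, so every setting can be reviewed in one place. The provider file contents, vpn.example.net and 203.0.113.10 are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or from any VPN provider:
# write the same settings the Network Manager steps above configure as a
# plain OpenVPN client profile, so they can be reviewed in one file.
# Assumed inputs: the provider's original .ovpn (to read the tls-auth key
# direction from) and the IP, port and protocol picked as described above.
set -u

# tls_key_direction PROVIDER_OVPN -> prints the number at the end of the
# provider's 'tls-auth ta.key N' line (or of a 'key-direction N' line);
# prints nothing if the provider does not use tls-auth.
tls_key_direction() {
  awk '$1 == "tls-auth" && NF >= 3 { print $3; exit }
       $1 == "key-direction"       { print $2; exit }' "$1"
}

# write_client_conf IP PORT PROTO KEYDIR OUT -> writes the profile to OUT.
# PROTO must be tcp when the VPN is reached through Tor (Tor carries only
# TCP streams); KEYDIR is "" when the provider gave no ta.key. Certificate
# paths are where the article copies the files (/etc/openvpn/).
write_client_conf() {
  local ip=$1 port=$2 proto=$3 keydir=$4 out=$5
  case "$proto" in
    tcp|udp) ;;
    *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
  esac
  {
    echo "client"
    echo "dev tun"
    echo "remote $ip $port $proto"     # IP address, not hostname, per the text
    echo "nobind"
    echo "persist-key"
    echo "persist-tun"
    echo "ca /etc/openvpn/ca.crt"
    echo "cert /etc/openvpn/client.crt"
    echo "key /etc/openvpn/client.key"
    echo "auth-user-pass"              # prompt for the provider username/password
    echo "remote-cert-tls server"      # refuse a server presenting a client cert
    if [ -n "$keydir" ]; then
      echo "tls-auth /etc/openvpn/ta.key $keydir"
    fi
  } > "$out"
}

# Constructed sample of a provider's .ovpn; vpn.example.net and 203.0.113.10
# are documentation placeholders, not a real service.
PROVIDER=$(mktemp); OUT=$(mktemp)
trap 'rm -f "$PROVIDER" "$OUT"' EXIT
printf 'client\nremote vpn.example.net 1194 udp\ntls-auth ta.key 1\n' > "$PROVIDER"
KEYDIR=$(tls_key_direction "$PROVIDER")   # -> 1
write_client_conf 203.0.113.10 443 tcp "$KEYDIR" "$OUT"   # tcp: going via Tor
cat "$OUT"
```

Start it with `sudo openvpn --config /etc/openvpn/client.conf` after copying the generated file there; the resulting connection should pass the Whatismyipaddress check described next.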

Check Whatismyipaddress to see if the VPN is connecting successfully. If it doesn’t connect, use Google. That’s about all I can cover here without rambling on any more than I already have. I’d recommend using VPN-Firewall to check for VPN leaks. It’s a pretty easy setup. Whonix has some great information on chaining multiple virtual machines as well as documentation about most of this stuff. I’d recommend checking it out.

That’s it for now. Good luck.

12 comments

  1. what about tails?

    • C. Aliens

      Tails is great for the purpose it was built for. The biggest advantage is it’s a live OS that leaves no trace. By default, though, you’re still just running Tor without any other protection. Long story short, without VPNs and socks proxies, you’re not exactly safe from being identified. The absolute safest in my opinion is Qubes OS. It incorporates everything in this article by default. https://www.qubes-os.org/

  2. Tails doesn’t help you when your network is being watched / logged. It is good for 0day “protection” when running on a burned DVD. You could run it in a VM but this would kinda destroy the concept of Tails.

    On the other hand, you could use your neighbor’s WiFi / nearby WiFis to evade the problem listed in the text.

    “He was simply selected as a suspect by being one of a few people who used Tor that morning and, of course, confessed when confronted by agents.”

    • Live system without persistence + public wifi… What could possibly go wrong

      • Casper

        cameras on public wifi places, if you are the only one there sitting with a laptop.

        • Cameras are not everywhere, and besides, the FBI is not able to engage in real-time tracking of Tor. It will take them months to trace an IP with Tor, get a subpoena, and then figure out if there were any cameras around, subpoena those videos, which, by that time, will likely have been overwritten.

          You act like the Feds have unlimited resources. They are not going to spend a million dollars on catching a casual drug user or even a CP viewer.

  3. there are webrtc limiter add-ons for chrome or firefox, to stop dns leaks.
    People can also use bitcoins to buy a server and install a VPN server, which is better than trusting some other VPN. But it is better to purchase many small VPSes and shut them down after use. Don’t use the same VPN server for a million years. And make it public for free: if more people use it, it is harder to track who used it at what time.
    Besides that, many public WiFi networks are monitored and only ports 80 and 443 are allowed.
    I think Debian + VPN + Whonix is the best. But again, it is a question of how much we can trust the Tor developers; we must trust the others who are supposed to review the code.
    the tor project board just added new people: https://blog.torproject.org/blog/tor-project-elects-new-board%C2%A0-directors

  4. However, tell me what VPN I should use?

    • loki

      deepdotweb one time published an article saying that one VPN company didn’t give logs to the cops: privateinternetaccess.com
      I just checked; they accept bitcoin, cashu, ripple, gift cards, etc.

  5. The VPN + TOR is very interesting. Do I first connect to the VPN and then to TOR?

    what is the correct procedure?
