Tor nodes and bridges

Beko
Offline
Joined: 08/31/2019

Could one theoretically make a Tor bridge that is not publicly listed and only for personal use, in, say, an internet-freedom-friendly country, and then connect to it from Iran/China/Russia/Turkey etc., where VPN and Tor are banned? Just brainstorming what attacks could get one caught?
ex: listening on certain ports to try and intercept Tor traffic.
ex: seeing all connections going to the same IP address.

Is it just not worth it? Would just using clearnet be better where internet freedoms are limited?
Due to Covid I am not planning to go anywhere anytime soon, but I do intend to.

Thanks!

centurino
Offline
Joined: 05/11/2020

It all depends on your threat model, really. Are you going to post on sites that your government authorities could easily get access to? If not, a simple VPS is probably enough to hide your Internet traffic from the ISP. Otherwise, I'd recommend chaining two VPSs or connecting to TOR over VPS for additional security. That way, even if they see your IP on the server side, they wouldn't be able to link it to the other VPS and your identity.

Masaru Suzuqi -under review-
Offline
Joined: 06/06/2018

> I'd recommend chaining two VPSs or connecting to TOR over VPS for additional security.

How to do this? I set the URL of the server of Mullvad in "automatic proxy setting" of the "setting of network proxy" of Trisquel. Then use Tor browser. Is it working? I have read that chaosmonk said that Tor over VPN is OK, but VPN over Tor is not OK or something like that.

But in this way of mine, maybe only when I use Tor browser, I am using Tor over VPN? I mean, when I use other apps, they use only VPN? not Tor over VPN?

centurino
Offline
Joined: 05/11/2020

> How to do this? I set the URL of the server of Mullvad in "automatic proxy setting" of the "setting of network proxy" of Trisquel.

I don't know which protocol is used in that case, but the use of the term "proxy" indicates that it might be HTTP or some version of SOCKS, neither of which offers end-to-end encryption. That means that the other server will indeed proxy your queries, but someone eavesdropping on your traffic will be able to tell which servers you connect to just as well. So even assuming that it can configure itself properly using that URL, you shouldn't be using this. Try to check your public IP with and without it; if there is no change, it certainly isn't working:

$ wget https://api.myip.com/ -q -O - && echo

You should see a bit of JSON with your IP and country of origin.

VPS is essentially a VPN service that you configure yourself, i.e. you rent some server space and then use it to set up a VPN for your private use. It is harder for government authorities to block than publicly available VPN services. However, if you are not well-versed in those kinds of things and Mullvad works, you can use it for now instead. They have an app for GNU+Linux on their website and it appears to be free software. It's probably easy to use, so you can start with that. I'd recommend OpenVPN config files otherwise; they are available on their website too. You can start OpenVPN like this:

sudo openvpn --config /path/to/config.ovpn

You'd probably want to automate it somewhat using a systemd service or something similar. I'll tell you how to do that in case the app doesn't work or you don't want to use it. You can check if it's working with the first command I posted too.

> I have read that chaosmonk said that Tor over VPN is OK, but VPN over Tor is not OK or something like that.

Using TOR over VPN could only be harmful if you trusted your ISP more than your VPN provider for some reason. But in that case, why would you use a VPN at all? VPN over TOR exposes you to timing attacks because there are two points (your ISP's routers and the VPN provider's servers) where times can be measured relatively easily by an attacker. It's effectively not much safer than only using the VPN. With TOR over VPN, your ISP knows that you connect to a VPN server, but doesn't know what you use it for and the VPN provider knows that you are using TOR, but doesn't know what for either. It's probably the best setup in terms of privacy.
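
Added example (not part of centurino's post): a small shell script for the "check your public IP with and without it" test described above, comparing the reply captured before the VPN or proxy is enabled with the one captured after. The JSON field name "ip", the function names and the sample replies are assumptions made for this illustration; the sample addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Constructed sample replies, shaped like the "bit of JSON with your IP and
# country" mentioned in the post. Field names are an assumption.
SAMPLE_BEFORE='{"ip":"203.0.113.7","country":"Exampleland","cc":"EX"}'
SAMPLE_AFTER='{"ip":"198.51.100.23","country":"Otherland","cc":"OT"}'

# Print the value of the "ip" field of a flat, single-line JSON object.
# Prints nothing if the field is absent.
extract_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*"ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Compare the reply taken without the tunnel ($1) with the one taken with it ($2).
# Returns 0 if the public IP changed, 1 if it is unchanged, 2 on a parse failure.
tunnel_changes_ip() {
    before=$(extract_ip "$1")
    after=$(extract_ip "$2")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "could not parse an IP from one of the replies" >&2
        return 2
    fi
    if [ "$before" = "$after" ]; then
        echo "public IP unchanged ($before): the tunnel is not in use" >&2
        return 1
    fi
    echo "public IP changed: $before -> $after"
    return 0
}

# Live capture (needs network): the same wget call as in the post.
fetch_ip_json() {
    wget https://api.myip.com/ -q -O -
}

# Offline demonstration with the constructed samples.
tunnel_changes_ip "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

For a live check, save `fetch_ip_json` output once with the VPN down and once with it up, then pass both to `tunnel_changes_ip`. A changed IP only shows where this one wget request exits; applications that ignore the proxy or VPN setting are not covered by the check.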

Masaru Suzuqi -under review-
Offline
Joined: 06/06/2018

Thank you. But I noticed that both of you were talking about another thing. It seems to be a kind of traffic laundering.
I was surprised that I could draw the schematic vaguely in my brain. It would be very hard but I might be able to set that on VPM. However, I am not such a threat so maybe I will just configure the OpenVPN setting for now. I use the Mullvad app on X200, and they do not supply the app for 32 bit machines, so I tried to set the VPN setting on my router but I am not sure if it is working or not. I will start with the OpenVPN config first anyway. Thank you, and sorry for the unintended off-topic.