[tor-talk] Am I successfully using Torsocks, SSH, and a VPS? Please advise, thanks!
Ben Tasker
ben at bentasker.co.uk
Wed Aug 10 10:12:34 UTC 2016
Hi
On Tue, Aug 9, 2016 at 5:58 PM, <blobby at openmailbox.org> wrote:
> Please see below for my response to your helpful comments.
>
> On 2016-08-08 11:18, Ben Tasker wrote:
>
>> If you're using Firefox, one thing you want to consider is DNS leakage.
>>
>> If you go into about:config, see whether network.proxy.socks_remote_dns
>> exists. If not create it and set to True.
>>
>> Without that, DNS won't use the tunnel. As you've got a VPN running it'll
>> likely egress from the VPN endpoint instead.
>>
>>
> Point taken. It did exist and was set to "true".
Cool
>
>
> VPN ---> Torsocks (on 127.0.0.1) ---> SSH (bound to port 33333) ---> VPS
>>>
>> ---> Internet.
>>
>> How do you pay for the VPS? If it's in your name (or can be linked to you)
>> then all you're doing is preventing your local ISP from seeing what you're
>> connecting to (which might, of course, be your aim). You do, in effect,
>> have a fixed exit point though, so it's worth bearing in mind that in some
>> ways it makes you more identifiable from the point of view of services
>> you're connecting to.
>>
>
> Bitcoin is my friend! I appreciate that using a VPS with a static IP does
> provide a fixed exit point.
>
> I'm wondering if you feel, based on your expertise, that my system looks
> secure (see below).
>
>
Wouldn't go so far as to use the word expertise ;)

You're using vanilla Firefox, so if you haven't already, take a close look
at any plugins/addons you've installed. Some are known to ignore proxy
settings (Flash being a primary example).

Conversely, look at whether you're using anything outside of Firefox that
might use Firefox's proxy settings without you realising (at least one of
the FOSS Java runtimes does this - I think it was OpenJDK but don't hold me
to that as I can't remember for sure) - if it's sending traffic out that
can be linked to you then you're now associated with the VPS. I'd be
inclined to set a packet capture running on the VPS, use your system
normally for a while and then review the capture to see whether anything
unexpected has gone out (it's unfinished, but this might help -
https://github.com/bentasker/PCAPAnalyseandReport )

The VPN means you also have a fixed entry point (if you think of it as an
additional hop), one you share with others (so there's a small risk in
getting caught up in a net meant for someone else), so you probably want to
check exactly what's going out over the VPN aside from your Tor traffic -
in part to check there's nothing directly attributable to you (though
you're connecting to the VPN directly, so they have your IP) - but also to
check there's nothing "related" to your Tor browsing (essentially an
extension of the check above).

I'm sure others with more experience will have input, but the network path
you've set up looks OK to me, so long as you're comfortable with the
ramifications of having a fixed exit point. Your biggest risk probably
comes from anything that might ignore the proxy settings, or from software
unexpectedly using the proxy; once you're linked to that VPS there's no
going back.

> Is it possible to use a HTTP(S) (or another type) of proxy to alter
> the IP. The ideal model would be: VPN ---> Torsocks (on 127.0.0.1) ---> SSH
> (bound to port 33333) ---> VPS ---> Proxy (e.g. HTTP(S)) ---> Internet.

Given that your stated aim is to avoid being blocked out of sites by coming
from exit node addresses, adding a proxy at the end might undermine that -
some proxies (at least) are blocked by various sites, and you'd also be
back to being exposed to some of the risks of having your traffic tampered
with by a third party's system.

However, if you really wanted to, one way would be to put Squid onto the
VPS with a transparent redirect, and then tell Squid to pass the traffic
onto whichever proxy (or pool of proxies) you wanted to use.

Ben
--
Ben Tasker
https://www.bentasker.co.uk
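
An added example, not part of the original message and not code from the PCAPAnalyseandReport project: one way to review a capture taken on the VPS, listing outbound flows whose protocol and destination port fall outside what the browsing setup should produce. The function names, the expected-port set and the sample capture (documentation address ranges, with 203.0.113.10 standing in for the VPS) are assumptions; it reads classic little-endian pcap files taken on an Ethernet interface with the SSH session itself excluded from the capture.

```python
import socket
import struct
from collections import Counter

def outbound_flows(pcap, vps_ip):
    """Count (dst_ip, proto, dst_port) for IPv4 TCP/UDP packets sent by vps_ip."""
    magic, linktype = struct.unpack("<I", pcap[:4])[0], struct.unpack("<I", pcap[20:24])[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    flows, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4 or socket.inet_ntoa(frame[26:30]) != vps_ip:
            continue  # not TCP/UDP, truncated, or inbound
        dport = struct.unpack("!H", l4[2:4])[0]
        flows[(socket.inet_ntoa(frame[30:34]), "tcp" if proto == 6 else "udp", dport)] += 1
    return flows

def unexpected(flows, expected):
    """Flows whose (proto, dst_port) is not in the expected set."""
    return sorted(f for f in flows if (f[1], f[2]) not in expected)

def make_frame(src, dst, proto, dport):
    # Constructed packet: blank Ethernet addresses, minimal IPv4 header, 8-byte L4 stub.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

def sample_pcap():
    # Constructed capture: two HTTPS packets, one DNS query, one NTP packet, one inbound reply.
    vps = "203.0.113.10"
    frames = [make_frame(vps, "198.51.100.5", 6, 443), make_frame(vps, "198.51.100.5", 6, 443),
              make_frame(vps, "192.0.2.53", 17, 53), make_frame(vps, "192.0.2.123", 17, 123),
              make_frame("198.51.100.5", vps, 6, 40000)]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

EXPECTED = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # assumed: web browsing plus DNS

if __name__ == "__main__":
    for flow in unexpected(outbound_flows(sample_pcap(), "203.0.113.10"), EXPECTED):
        print("unexpected:", flow)
```

Anything reported here is traffic leaving the VPS that the browser alone would not explain, which is the kind of result the capture review is meant to surface.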