[tor-talk] Tor -> VPN Clarification

Zenaan Harkness zen at freedbms.net
Sun Feb 1 22:17:03 UTC 2015 

On 2/2/15, Joe Btfsplk <joebtfsplk at gmx.com> wrote:
> On 2/1/2015 4:11 AM, Bill Berry wrote:
>> My take (on his take :) ) was that;
>>
>> a) trusting a VPN for security is a bad idea because no VPN operator is
>> going to go to jail for you (see HideMyAss and Sabu etc)
> More details about the reference to HideMyAss & Sabu, Re: them not going
> to jail for users?
>
> This VPN & Tor (or Tor & VPN) subject - and its discussion here has
> become complex.
> Maybe too complex for all but a handful of folks?
>
> Does Tor Project or sources they recommend ("trust") have more down to
> Earth guides to If, when, where, how - of using VPN & Tor?

I agree that the descriptions / ascii arts are probably not up to
scratch at this point.

Let's create some diagrams so we can talk about scenarios (this is
just a rough crack at it, please modify/ fix as needed):

vpn = virtual private network
vps = virtual private server
www = destination website/ public internet service
tor hs = tor hidden service
tbb = tor browser bundle
| = or

**) vpn then tor:
browser
 -> vpn proxy -> VPN -> tor proxy -> TOR
 -> www | tor hs

where:
 TOR = tor entry -> tor mid -> tor exit

and where:
 VPN = vpn client -> local isp -> vps/vpn isp
        -> vps/ mixnet -> vpn server/ exit node

The vpn client could be ssh, and vpn server sshd.
Alternatively the JAP client and JAP's backend, etc.

If you run an ssh vpn, say on a vps, then your "tor proxy" can run on that vps.

This is not recommended.

Although it gives some privacy against your local isp, you would need
to trust your vps isp (assuming you are running your own vps, for your
ssh based vpn) - not recommended since the vps isp will generally have
full root access to your vps (at least to the disk image/ files).

(The terminology here might need to be improved - tor proxy might not
be the right term?)


**) tor through vpn:
browser
 -> tor proxy -> vpn proxy -> VPN -> TOR
 -> www | tor hs

This is better, since tor is running "on top of" or "through" the vpn.
The vps (or vpn mixnet) can still see that you are accessing the tor
network, but at least your local isp cannot (you get some local
privacy, only seeing you running ssh).

(BTW, why is ssh "visible" at all - surely there is a protocol to set
up an encrypted link, in full privacy? - should be a separate thread
though.)


**) vpn through tor:
browser
 -> vpn proxy -> tor proxy -> TOR
 -> VPN -> www

Here your local isp might know that you're running tor, but not what
you are accessing (a vpn).

The vpn isp/provider will know (if they want to) what website you're
accessing, assuming they know it's your vpn account (or your vps).

So the only way this would be useful for much is if you don't need
much in the way of privacy/ anonymity against your vpn provider (in
which case, why bother), or your vpn is anonymous (ie the talk about
paying for your vpn/vps with bitcoin).

Also in this scenario, any Tor HS access would not get to your vpn at
all (if you're lucky :)

Good luck,
Zenaan

More information about the tor-talk mailing list