[tor-talk] Help me secure my setup

Oskar Wendel o.wendel at wp.pl
Sun Jan 10 16:37:02 UTC 2016


My current setup is fairly simple. Let me introduce some consistent naming 
first.

- server - my server (VPS) in the datacentre
- router - a router in my home, it has a private VPN connection to the 
server
- tor PC - a PC on which I browse tor

Currently tor client is running on the server and tor PC accesses its 
socks port through the VPN. All other Internet access from the tor PC 
is blocked on the router, so no leaks are possible. Tor PC has only 
one, internal IP.

Advantage is that in case of a raid, it would be done in the datacentre 
before raiding my home.

Major drawback is that it is possible for the attacker to hack into the 
server (or just seize it invisibly, as it's only virtual) and sniff on the 
localhost between the VPN end and socks port.

I've been recently thinking of different approaches.

1. Maybe I should run a private (unpublished) bridge on the server and a 
tor client on my tor PC, that would be able to connect only to the bridge 
(through a VPN)? This way, all unencrypted traffic would never exit a tor 
PC. This PC is secured enough to assume it's secure from being hacked 
into. It's also encrypted and never left unattended.

Additional question: if a tor client connects through a bridge, does it 
need to access other servers (like directory authorities) directly, or 
it would work if I give it access only to the bridge?

I'm a little scared of bridges, as they don't use guards (yet?) and they 
are less popular than traditional relays, so bugs in them are more likely 
to exist.

2. Maybe I should run a tor client on a separate machine in my home, 
between my tor PC and the router, and route all traffic from it through 
the VPN, so it would look like it originates from the server? This way 
all unencrypted traffic will still be inside my home and I would avoid 
using bridges.

3. Maybe I should modify point 1, but publish the bridge address? I'm 
tight on my bandwidth and I don't want to run a relay, but maybe this way, 
as the outgoing traffic originating from me will blend with outgoing 
traffic originating from others using my bridge, it would be more plausible 
to deny my activities if someone launches a correlation attack? They would 
have to correlate traffic entering and leaving my bridge with traffic on 
the exit node (or rendezvous point, or any node in the path from an exit 
service to it), while in case of a client (or a private bridge), it would 
be sufficient to correlate the traffic on a guard (for client) or a middle 
node (for bridge) with the traffic on an exit node...

I'm much more concerned with anonymity accessing hidden services than with 
anonymity accessing clearnet services through exits, by the way.

-- 
Oskar Wendel, o.wendel at wp.pl.REMOVE.THIS
Pubkey at https://pgp.mit.edu/pks/lookup?search=0x6690CC52318DB84C
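
The current setup and approach 1 from the message above, written out as torrc fragments. This is an added example, not part of the original post; the VPN-side address 10.8.0.1, port 9001 and the fingerprint placeholder are assumptions.

```torrc
# --- Current setup, server side (as described in the post) ---
# The tor client runs on the VPS and the tor PC reaches its SOCKS port
# through the VPN. SOCKS traffic is unencrypted between the VPN endpoint
# and this port, which is the sniffing exposure the post names.
# 10.8.0.1 is a constructed VPN-side address for the server.
SocksPort 10.8.0.1:9050

# --- Approach 1, server side: private (unpublished) bridge ---
BridgeRelay 1
# Listen on the VPN interface only (constructed address and port).
ORPort 10.8.0.1:9001
# Do not upload the bridge descriptor to the bridge authority.
PublishServerDescriptor 0
# The ORPort is not reachable from the public Internet, so skip the
# reachability self-test.
AssumeReachable 1
ExitPolicy reject *:*
# No SOCKS listener on the server any more.
SocksPort 0

# --- Approach 1, tor PC side: client that talks only to that bridge ---
# With UseBridges set, tor fetches each bridge's descriptor from the
# bridge itself and sends its directory requests through the listed
# bridges as well (tor manual, UseBridges).
UseBridges 1
# <BRIDGE-FINGERPRINT> is a placeholder for the bridge's identity
# fingerprint; the field is optional, but pinning it makes the client
# refuse any other relay answering on that address.
Bridge 10.8.0.1:9001 <BRIDGE-FINGERPRINT>
# SOCKS stays on loopback, so cleartext application traffic never
# leaves the tor PC.
SocksPort 127.0.0.1:9050
```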