
Is it necessary to edit the Whonix-Workstation settings?

Kirigaya

Colleagues, could you please answer a question: when implementing vpn1 - whonix - vpn2 chains, how important is it to change the settings in Whonix-Workstation according to the guide on the official Whonix site? The paranoid course says that you can simply connect using openvpn without additional configuration of the whonix firewall and so on. So how important and necessary is it? Are these settings used to prevent the Tor IP address from leaking when the VPN fails, or are there other pitfalls? I'd be interested to hear your opinion.

P.S. I'm talking about these settings. => https://www.whonix.org/wiki/Tunnels...ore_a_VPN#Inside_Whonix-Workstation_.E2.84.A2
 
Whomed said:
If you can trust your VPN, it's not important, but don't trust anybody, EVER)
DON'T do it this way: VPN_1 -> WHONIX -> VPN_2. It renders the whole setup useless as you're exposing your VPN as the first contact point.
This means that if the feds seize the VPN server, they will be able to see who connected to what server; what was sent; what was the packet size; if the connection is insecure, they can see your requests and response; etc.
If you want to maximize your privacy, the network tunnel flow should be the following:
TOR -> VPN -> INTERNET
That way your connection is completely end-to-end encrypted.

CAUTION: remember that when accessing an insecure endpoint, your request will be sent in plaintext from the last node.
For example:

Tor servers could be compromised, so make sure to use at least 3 relays.
Never use a VPN as your entry point, that's the whole point of using the Tor network.
Use a bridge when connecting to the Tor network so nobody knows you are connecting to Tor)

I hope you understood. If you have any questions, feel free to ask.

Thank you for the answer brother. But if I use my own vpn servers, why would anyone try to hack into the first vpn server if I never use it for anything other than connection to TOR network? And how they can find out the address of the first vpn server?
 
Kirigaya said:
Thank you for the answer brother. But if I use my own vpn servers, why would anyone try to hack into the first vpn server if I never use it for anything other than connection to TOR network? And how they can find out the address of the first vpn server?
But if I use my own vpn servers, why would anyone try to hack into the first vpn server if I never use it for anything other than connection to TOR network?
And how they can find out the address of the first vpn server?
Use a bridge when connecting to the Tor network so nobody knows you are connecting to Tor)

As always... It depends.
Imagine you're a criminal that connects to its own VPN to route the connection through Tor (Tor over VPN: YOU -> VPN -> TOR)...

For example, they could try to get into your VPN server to check if there are any kind of logs, residual data, current traffic, unsecured connections, etc.

Remember that Tor doesn't encrypt data, unlike a VPN.
If you're using a secure connection, it will keep on scrambling the data, but if it is insecure, it will just forward that request and respond back with plaintext data.
A decent VPN will always encrypt your data so it's not in plaintext (YOU -> VPN), but when they have to send your insecure request to the server, it will not be encrypted (VPN -> INTERNET).
This means that the response that the server sends out won't be encrypted either (INTERNET -> VPN), but the response you get from the VPN will be (VPN -> YOU).

After this you may be asking yourself "why use Tor instead of a VPN then?"... Because with Tor you will not (shouldn't) rely on a single node/relay, which could be compromised to sniff data.

If they try to compromise Tor nodes/relays and VPN servers, why would they not try to get into yours?

Your ISP can)
That's why I recommended the following:

When you're not using anonymous bridges to connect somewhere, they will know you're trying to route the network traffic over somebody else instead of them, which is weird, because you're not doing something illegal and you have "nothing to hide", right?

When using the TOR -> VPN -> INTERNET (VPN over Tor) flow, even if your VPN server keeps logs, it won't matter, because your IP address will never be revealed to them unless all Tor relays are compromised (that's why I recommend using 3+ Tor relays).

I'm happy to keep helping if you or anybody has any question.
 
Ok, I get it bro, thanks again for your help. I'll review my security mechanisms. How many Tor relays does Whonix use by default?
 
Kirigaya said:
Ok, I get it bro, thanks again for your help. I'll review my security mechanisms. How many Tor relays does Whonix use by default?

Three. It's the same as the Tor Browser (it's hardcoded here). ENTRY_NODE -> MIDDLE_NODE -> EXIT_NODE.
Open up Nyx and execute getinfo circuit-status to see the Tor Circuit.
Remember that you can't see it in Whonix's Tor Browser for security reasons)

When adding another Tor Circuit, make sure that the rest of them are SOCKS5 proxies, otherwise you could be de-anonymized because you could get the same relay more than one time.
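
An added example (not part of the original post, and not code from Nyx or Tor): a small Python parser for the text that `getinfo circuit-status` returns, reporting the hop count of each built circuit and any relay that two built circuits share after the entry guard. The reply below is constructed; the relay nicknames and fingerprints are made up.

```python
import re
from collections import defaultdict

STATUSES = {"LAUNCHED", "BUILT", "GUARD_WAIT", "EXTENDED", "FAILED", "CLOSED"}
HOP = re.compile(r"^\$([0-9A-Fa-f]{40})(?:[~=](\w+))?$")  # $fingerprint~nickname

def _fp(ch):
    """Constructed 40-hex-digit fingerprint; not a real relay."""
    return "$" + ch * 40

# Constructed reply in the control-protocol layout (assumption: default fields only).
SAMPLE_REPLY = "\n".join([
    "250+circuit-status=",
    f"5 BUILT {_fp('A')}~guard1,{_fp('B')}~mid1,{_fp('C')}~exit1 PURPOSE=GENERAL",
    f"6 BUILT {_fp('A')}~guard1,{_fp('D')}~mid2,{_fp('C')}~exit1 PURPOSE=GENERAL",
    f"7 EXTENDED {_fp('A')}~guard1 PURPOSE=GENERAL",
    "8 LAUNCHED PURPOSE=GENERAL",  # the path is absent until the first hop exists
    ".",
    "250 OK",
])

def parse_circuits(reply):
    """Return one dict per circuit line: id, status, path and key=value fields."""
    circuits = []
    for line in reply.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[1] not in STATUSES:
            continue  # protocol framing such as "250 OK" or "."
        circ = {"id": tokens[0], "status": tokens[1], "path": [], "fields": {}}
        for tok in tokens[2:]:
            if tok.startswith("$"):
                circ["path"] = [m.groups() for m in map(HOP.match, tok.split(",")) if m]
            elif "=" in tok:
                key, _, value = tok.partition("=")
                circ["fields"][key] = value
        circuits.append(circ)
    return circuits

def hop_counts(circuits):
    """Hop count of every fully built circuit."""
    return {c["id"]: len(c["path"]) for c in circuits if c["status"] == "BUILT"}

def shared_relays(circuits):
    """Fingerprints seen after the first hop in more than one built circuit.
    The first hop is skipped: Tor keeps the same entry guard on purpose."""
    seen = defaultdict(list)
    for c in circuits:
        if c["status"] == "BUILT":
            for fp, _nick in c["path"][1:]:
                seen[fp].append(c["id"])
    return {fp: ids for fp, ids in seen.items() if len(ids) > 1}
```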
 
Whomed said:
Three. It's the same as the Tor Browser (it's hardcoded here). ENTRY_NODE -> MIDDLE_NODE -> EXIT_NODE.
Open up Nyx and execute getinfo circuit-status to see the Tor Circuit.
Remember that you can't see it in Whonix's Tor Browser for security reasons)

When adding another Tor Circuit, make sure that the rest of them are SOCKS5 proxies, otherwise you could be de-anonymized because you could get the same relay more than one time.

Good day. Sorry I am writing this way). I apologize in advance for my English, it is not my native language. In general, I will be straightforward - you wrote that we would be happy to help our knowledge of people who need it. I would like to ask you how a person more disassembled in this question - what, in your opinion, the most secure bunch for anonymity? Thanks in advance for the answer, I will wait for him as much as it takes.
 
dontknowend said:
Good day. Sorry I am writing this way). I apologize in advance for my English, it is not my native language. In general, I will be straightforward - you wrote that we would be happy to help our knowledge of people who need it. I would like to ask you how a person more disassembled in this question - what, in your opinion, the most secure bunch for anonymity? Thanks in advance for the answer, I will wait for him as much as it takes.

It really depends on your threat model.
What are you planning to do exactly? Be the next DPR; a hacker; cracker; scammer; researcher; etc.?
If you have money, get yourself a VPS using anonymous payments and set it up as a VPN tunnel that saves no logs (Make sure the company is based in a country that has no mandatory data retention laws).
Your network flow will look like this: YOU -> TOR -> VPN_TUNNEL -> ENDPOINT.
As the VPN will be a tunnel, you can forward all your requests and responses through it without leaking your IP address.

If you don't have money, just use a VPN like Mullvad before connecting to TOR, they seem to know what they're doing, though never trust anybody.
ATTENTION: Be careful, you don't want to connect to a VPN before routing your traffic through Tor unless you REALLY trust that VPN. Also, use HTTPS.
 
Thank you very much for the answer and time) There is money, I will study information about VPS. And what about the connection itself? I understand that you should not do everything from my home Internet. Is it worth hacking points Wi-Fi to enter the network with them? Or are there any other ways?
Last edited: 01.04.2021
 
Whomed said:
It really depends on your threat model.
What are you planning to do exactly? Be the next DPR; a hacker; cracker; scammer; researcher; etc.?
If you have money, get yourself a VPS using anonymous payments and set it up as a VPN tunnel that saves no logs (Make sure the company is based in a country that has no mandatory data retention laws).
Your network flow will look like this: YOU -> TOR -> VPN_TUNNEL -> ENDPOINT.
As the VPN will be a tunnel, you can forward all your requests and responses through it without leaking your IP address.

If you don't have money, just use a VPN like Mullvad before connecting to TOR, they seem to know what they're doing, though never trust anybody.
ATTENTION: Be careful, you don't want to connect to a VPN before routing your traffic through Tor unless you REALLY trust that VPN. Also, use HTTPS.

Thank you very much for the answer and time) There is money, I will study information about VPS. And what about the connection itself? I understand that you should not do everything from my home Internet. Is it worth hacking points Wi-Fi to enter the network with them? Or are there any other ways?
 
dontknowend said:
Thank you very much for the answer and time) There is money, I will study information about VPS. And what about the connection itself? I understand that you should not do everything from my home Internet. Is it worth hacking points Wi-Fi to enter the network with them? Or are there any other ways?
And what about the connection itself? I understand that you should not do everything from my home Internet. Is it worth hacking points Wi-Fi to enter the network with them? Or are there any other ways?


What's your threat model? What are you going to do?
Sure, it can benefit you a lot by using a network that isn't yours. Feds will not go directly to you, they will investigate further and will catch you if your OPSEC is poor.

VPS Recommendation: njal.la

If I was of help, likes are appreciated.
 
Whomed said:
What's your threat model? What are you going to do?
Sure, it can benefit you a lot by using a network that isn't yours. Feds will not go directly to you, they will investigate further and will catch you if your OPSEC is poor.

VPS Recommendation: njal.la

If I was of help, likes are appreciated.

Hidden content for users: Whomed.
 
Whomed said:
What's your threat model? What are you going to do?
Sure, it can benefit you a lot by using a network that isn't yours. Feds will not go directly to you, they will investigate further and will catch you if your OPSEC is poor.

VPS Recommendation: njal.la

If I was of help, likes are appreciated.

Hidden content for users: Whomed.
 
Whomed said:
It really depends on your threat model.
What are you planning to do exactly? Be the next DPR; a hacker; cracker; scammer; researcher; etc.?
If you have money, get yourself a VPS using anonymous payments and set it up as a VPN tunnel that saves no logs (Make sure the company is based in a country that has no mandatory data retention laws).
Your network flow will look like this: YOU -> TOR -> VPN_TUNNEL -> ENDPOINT.
As the VPN will be a tunnel, you can forward all your requests and responses through it without leaking your IP address.

If you don't have money, just use a VPN like Mullvad before connecting to TOR, they seem to know what they're doing, though never trust anybody.
ATTENTION: Be careful, you don't want to connect to a VPN before routing your traffic through Tor unless you REALLY trust that VPN. Also, use HTTPS.

Brother but does the rented vps before tor isn't helping if they somehow can figure out whonix chain? Of course vps1 (vpn1) will not be connected with vps2 (vpn2) in any way.
 
dontknowend said:
Hidden content
And how do you feel about connecting via modem?
Kirigaya said:
Brother but does the rented vps before tor isn't helping if they somehow can figure out whonix chain? Of course vps1 (vpn1) will not be connected with vps2 (vpn2) in any way.

Somebody could be pulling off a MITM attack, but if you are using a secure connection between you and another endpoint, you will be fine. If you use a VPN, the VPN will be the MITM.

Sure, you can connect to the internet using the modem alone, but you will not be able to use more devices in your LAN to connect to the internet, as it will not know where to route the traffic to, that's what the router is for.

I'm not following what you're saying.
You don't want to use Tor over VPN (YOU -> VPN -> TOR -> ENDPOINT) unless you trust your VPN provider. If you do, you're risking deanonymization because you will be using the same VPN at all times, which means they can get all logs from the VPN provider.
You can use VPN over Tor (YOU -> TOR -> VPN_TUNNEL -> ENDPOINT) for more privacy, because unless everything is compromised, your IP address will not be exposed.
 
Whomed said:
If you want to maximize your privacy, the network tunnel flow should be the following:
TOR -> VPN -> INTERNET
Whomed said:
Remember that Tor doesn't encrypt data, unlike a VPN.

This is a bad idea which makes a lot of unique TOR features useless. As explained in this beautiful article from the Whonix wiki, by default TOR builds different circuits for different destination addresses, so that you appear as many different persons on different sites/forums. But this is not the case if you use TOR->VPN. Now in TOR's perspective all your traffic goes to the same destination point (VPN), which means the same circuit will be used for all connections, and you will appear as the same person everywhere. Furthermore, VPN becomes your static exit node, which makes the problem even worse. Thus, instead of maximizing your privacy, you are decreasing it drastically when connecting to a VPN after TOR. All your activities from different places can be associated with the same person in that case, even if your real IP is unknown.

What???
Last edited: 27.01.2022
 