VM, VPN, Proxychains and Maybe VPS

[S3V3N]

Ok, so here is what I want to accomplish...

- Run Debian Linux in a VM, routing 100% of traffic (TCP/UDP/DNS) through Proxychains/VPN1

- Run Ubuntu Linux as the Host routing 100% of traffic (VM Traffic + All TCP/UDP/DNS) through VPN2

- If required to increase Anonymity, hop through anonymous VPS running proxychains as well

So, it will look like this;

VM (Proxychains thru VPN1) --> HOST (VPN2) --> (possible Anon VPS)

Please explain how to set this up, and how to test it is working correctly.. ;)

Thanks!!

[digininja]

What is it you are trying to achieve? Why do you want to run things over three VPNs?

To test it works correctly, just put a sniffer between you and the next hop and look for any traffic not going to the final VPN.

[S3V3N]

To be honest, I know Tor has been cracked, and I know that not all VPN's can be trusted not to keep logs.

I could also use a multi-hop VPN instead of using two, but I don't know of any "Free" reliable VPNs. And Proxychains is a given. Buy I haven't been able to figure out how to run 100% of the traffic from the VM (TCP/UDP and DNS) to the HOST VPN regardless of what connection I might be using (Wifi, 3G/4G or hardwire).

Any suggestions?? Obviously this needs to be as transparent as possible. Automatic if possible

[S3V3N]

as for the VPS, I have heard of ppl setting up free anon VPS as proxychains hop spots and VPN'ing to these boxes randomly. Any thoughts??

[S3V3N]

I have also read of some ppl using Tails or the like, but most of them use Tor, which I would prefer not to if possible.

[digininja]

Using multiple VPNs will still result in all the traffic coming out of one of them at the end, if you trust that enough to use it as your end point then just use that one, routing through another in the middle isn't going to add anything as all the traffic will still get decrypted and sent out to the world from the final host.

[S3V3N]

The point for me using a VPN, is mainly to hide what I am doing from my ISP. Proxychains is for not allowing my location to be discovered. (Yes I realize that certain Socks5 proxies are needed) but I want a way to make 100% of the traffic route out of the VM through the VPN (so I suppose running the VPN on the VM would not leave any traces of what I am doing on the host PC)

[S3V3N]

My thoughts on using multi-VPN's is because I have heard rumors of certain agencies piercing VPN's

[digininja]

So use the same VPN set up on both machines, either use the same provider or different but don't worry about putting VPNs in VPNs.

The simplest way that I know to do this on Linux is to use a VPN provider that supports OpenVPN then just set it up to send all traffic over that, forget proxychains and stuff, just let basic routing handle everything for you. I use Astrill and they have an option to download an OpenVPN config file that you can litteraly just use with

openvpn -c config.conf

or something similar.

[digininja]

My thoughts on using multi-VPN's is because I have heard rumors of certain agencies piercing VPN's

But which one do you trust? You have to have the most inside one as the one you trust and from the exit point of the outer VPN its is going to be exposed and running naked on to its end point. If it has been compromised then there is nothing you can do about it.

And as an aside, are you doing anything that you really need to worry about "certain agencies" monitoring?

[S3V3N]

I have a decent VPN I use to block my ISP, but if I want no traces of what I am doing tracing back to me, then a VPN won't really be enough, as VPN's can be theoretically hacked by the agencies hence the proxychains in countries that don't work with other countries. I don't want anyone with out having to spend many many many hours and lots of money.. Being able to trace back to me. (I know this makes me seem either really paranoid or up to no good)

[S3V3N]

I am not doing these "types" of things, but if I were, I wouldn't want to get caught. But truly it is for my education only. I want to know more about being untraceable (as possible) online regardless of who might be looking.

[digininja]

Are you talking about the linux proxychains app? If so then that just lets you run apps through a single proxy.

I think what you are trying to set up is something where you send traffic to one server then have that terminate it, put it into a second channel then send it on to another and so on, is that right? That is a different thing to what you are talking about in the first mail.

[digininja]

I am not doing these "types" of things, but if I were, I wouldn't want to get caught. But truly it is for my education only. I want to know more about being untraceable (as possible) online regardless of who might be looking.

You can't be untraceable, check out Dread Pirate Roberts, the guy had a lot of money and a lot invested in being untraceable, he failed.

Same for the Anon/Lulzsec guys. It is a nice ideal to work to but in reality if you are thinking about protecting yourself against government level adversaries then you don't have a chance of winning.

[S3V3N]

I will look into Dread Pirate Roberts, I guess I am a noobie as I can't recall hearing that one. But as to lulz/Anonymous, they got sloppy and left meta data in their video posts, which was a big surprise to me that they overlooked that. But regardless.

As to the proxychains Linux app, you can chain multiple proxies together, and your data hops from proxy to proxy. The biggest advantage is obviously to the agencies with endless funds or no budgets limits at all. I can concede this as a fact, if they want you, they will "probably" get you but I wouldn't want to make it easy on them. :) there's no money involved here, so no trails there, no partners, so no leaks there... Just trying to cover my basis and know what I am doing, and how to make it all work.

[S3V3N]

Ok, I have heard of the Dread Pirate Roberts, but he was caught basically because he relied entirely (from what I have read) on Tor to keep his anonymity, but one of the agencies found an exploit in the exit parameters from the Tor node from what I recall.

[digininja]

A few points from this...

DPR thought he had done enough, he was wrong. Do you think you can do enough and get it right?

Sabu was caught because he once logged into an IRC server without bringing up all his defenses, that one leak of an IP got him caught. If you are going to do this you have to be 100% accurate, no slips. You also have to give up all your existing online identities, gmail, facebook, anything which will have a server log tied to your identitiy before you start this anonymisation run. You must also make sure that you never access any of your new life through anything other than your new set up, if you create a new gmail account you can't then tie it to your phone. Are you prepared to go this far?

For proxychains, all it does is allow you to run an app on your machine through a proxy, if you want to chain stuff together then you have to have something waiting on the far end to receive it, proxychains on your machine doesn't set that up.

What I think you want is this

PC ----- Intermediate 1 ----- intermediate 2 ----- destination

If this is right then proxychains will only help you make PC to intermediate 1, you will then need something on 1 to bounce to 2 and something on 2 to spit it out to the destination. You also here introduce extra points of failure, you have three connections rather than a single one that you would have just using a VPN. You also have an extra intermediate step that needs to be secured.

Conclusions:

Getting all this right is hard, People with much more to lose that you have got it wrong

It isn't just about hiding your IP, it is hiding your identity. If you log into gmail through all this then your identity is blown. If you have any tracking cookies on your machine, you are blown

The more steps you introduce the more potential weak points you create

If you want to know more about trying to do this properly look up works from the Grugq, he is an expert in opsec and talks a lot of sense.

For most people, think about who you are really trying to hide from and what you are trying to hide, this is often:

Surfing porn

Pirating stuff

Pirating porn

and they are trying to hide from:

ISP

parents

siblings

room mate

For all of these the solutions are much different than trying to hide from "the man"

[S3V3N]

Good points, Good points. I will look up grugq, I am always interested in learning more. I am not hiding from anything, just on a journey to educate myself in the proper ways of making this happen and putting it to proper use. Personally, if I were to go to these extremes, I would have a dedicated PC to isolate everything with. I also found another post that takes this all to the extreme.

https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-1

Interesting reading..

s3v3n