Changes between Version 48 and Version 49 of doc/TorBOX/OtherAnonymizingNetworks

Sep 27, 2012, 11:46:38 PM



  • doc/TorBOX/OtherAnonymizingNetworks

    v48 v49  
    1 [[TOC(noheading, depth=1)]]
    2 [ TorBOX Homepage]
     1TorBOX has been renamed to Whonix.
    4 = Introduction =
    5 TorBOX can work together with any other suited Anonymizing Networks, either in addition, this means the other network will be tunneled through Tor. Also Tor can be completely exchanged with any other suited anonymizing network.
     3This page has been moved. The History of this page might still be interesting.
    7 '''Note that all networks differ in their thread model and security! Research before you start using them.
    9 = Rudimentary TorBOX Support for Other Anonymizing Networks =
    10 Although the project's name TorBOX does not implicate it, TorBOX is agnostic about which Anonymizing Network is being used. The project name has historical reasons. TorBOX started with Tor as anonymizing network. The idea, that also other anonymizing network could be used, came much later. Can you think of, any better name to describe TorBOX? And even any better name to describe the anonymizing network agnostic?
    12 At the moment TorBOX's support for Other Anonymizing Networks is only rudimentary and not as good as supported like the Tor network. Of course TorBOX developers respect other anonymizing networks, their developers and their users. They are simply more accustomed to the Tor network, which is also a personal preference. It's also very hard to be equally interested, educated and to stay up to date with all other anonymizing networks at the same time.
    14 As soon as a new developer, who actively supports the other anonymizing network, joins the TorBOX project, this particular anonymizing network can be equally supported like the Tor network. For example, there is not much point in separate a 'JonDoBOX', if most of the knowledge and code is shared. Almost anything, even the project name, could be revised.
    16 = i2p anonymizing network =
    17 Unfortunately it is not possible to reliably replace the Tor network with the [ i2p network]. The i2p network is mainly designed to host all services inside the i2p network. We have to update the TorBOX-Workstation's operating system and software packages. That is not possible with i2p. Outproxies exist (http, https and socks), but too few of them. And they are not suited for use with TorBOX. They are too unreliable (too often offline). At the moment (March 2012) there are no working https or socks outproxies, which we could use for apt-get. I2p can be used as an addition to TorBOX.
    19 If you simply want to browse eepsites, see [ Browsing eepsites using i2p inproxies on TorBOX-Workstation], otherwise you can also install i2p directly inside TorBOX-Workstation or directly on the TorBOX-Gateway.
    21 == Browsing eepsites using i2p inproxies on TorBOX-Workstation ==
    22 There are several i2p inproxies, those are similar to [ tor2web]. Simply use your [ Tor Browser]. Note that you will loose the end-to-end encryption to the eepsites, which i2p would provide, if you would install it directly inside TorBOX-Workstation or if you would use it the ordinary way. Depending on if the inproxy uses http (unencrypted), http'''s''' (or is reachable through a hidden service), also [ Exit Nodes Eavesdropping] applies. In any case, the i2p inproxy admin can see, all your traffic into the i2p network and there is no way to prevent that. [[BR]]
    23 i2p inproxies:
    24  * [ awxcnx]
    25  * [http://6dyi4t72u7y6g763.onion/ 6dyi4t72u7y6g763.onion]
    26  * or simply add '.to' after '.i2p'. For example, instant of 'http://forum.i2p' you can use ''.
    28 == Installing i2p inside TorBOX-Workstation (i2p over Tor) ==
    29 It is possible to run i2p inside the TorBOX-Workstation. [[BR]]
    30 Advantages: [[BR]]
    31  * Anonymity is provided by Tor.
    32  * I2p webinterface works normal inside Tor Browser. No need to install a graphical user interface on the TorBOX-Gateway.
    33  * Eepsites (.i2p) can be reached directly from Tor Browser.
    34  * I2p's end-to-end encryption will be used like usual.
    35 Disadvantages: [[BR]]
    36  * Adds load to Tor.
    37  * Adds load to i2p.
    38  * It's slower than i2p directly on TorBOX-Gateway or the ordinary usage.
    39  * Incoming connections are not possible, because [ TorBOX's Tor Workstation is firewalled]. ^1^ [[BR]]
    40  ,,^1^ If you know to use a hidden service, please add this information.
    41  * No contribution (leaching) to the i2p network. ^2^ [[BR]]
    42  ,,^2^ Sounds worse than it is. Only very little people are expected to use i2p over Tor. I2p offers those options itself. It's not like a leeching mod.
    44 Recommend settings:
    45  * Tor Browser
    46    * Use a [ second instance of the Tor Browser].
    47    * Add http proxy IP: port: 4444 in Tor Browser's TorButton.
    48  * Network
    49    * IP configuration: hidden mode (do not publish IP) (There is no need to publish the exit node's IP address.)
    50    * UDP-Port: completely disable (Not supported by Tor.)
    51    * TCP: disable inbound (Firewalled) (Only outgoing TCP supported by TorBOX.)
    52  * Tunnels
    53    * length (all tunnels): inbound and outbound: 0 (It's faster and less connection interrupts. Anonymity is already provided by Tor. No need to leech from Tor/i2p.)
    55 == Installing i2p on TorBOX-Gateway [i2pBOX] ==
    56 Development stalled due to lack of interest from TorBOX developers and ip2 community. Development thread: [ Support for i2p [WAIT for contributors/more mature upstream]]; [ i2p thread]. Anyone feel free it take it.
    58 = JonDonym =
    59 Be aware, that the [ JonDonym network] is much smaller than the Tor network. However, JonDonym might be faster. In some aspects JonDonym is more/less secure than Tor. Depends on your thread model. Read the [ network comparison]. Also note [ law enforcement].
    61 == proper's JonDonym opinion ==
    62 Tunneling JonDonym over Tor makes sense in some cases. I wouldn't do it for a longer amount of time, as it adds a permanent exit server. (See [ TorPlusProxy] for background.) Tor suffers from a few [ bad relays], as the servers are run by volunteers and a few of them are evil. There is [ Exit Nodes Eavesdropping] (applies only to unencrypted traffic). Even worse, exit nodes may try to defeat SSL using sslstrip (google it, read, watch some demonstration videos) (or other tools). And/or they inject malware into the data stream. Conclusion: if you want to download something, which you can not download over SSL (and if there are also no hash sums or signatures), the JonDo exit is more trustable than a random Tor exit. Alternatively you can also use .exit, to force the use of a specific Tor exit node, which you trust more than a random one.
    64 == JonDonym over Tor inside TorBOX-Workstation ==
    65 You can tunnel JonDonym over Tor. This could be useful, to circumvent Tor bans. But note [ Tor Plus Proxy] (it adds a permanent exit node, like explained and the article). Not many changes are required. [ download] and install it as usual. You need 'JonDo – the IP changer', either as the gui or console version. You can decide, if you prefer to use JonDoFox or the [ Tor Browser]. If you want to use the Tor Browser, see their [ help section] on how to point Firefox to JonDo.
    67 == JonDonym as Tor replacement [JonDoBOX] ==
    68 Not finished yet.
    70 The sources might contain additional helpful information. The [ TorBOX dev thread about JonDonym]; the [ thread in the JonDonym forum]; [ JonDonym transocks_ev]; [ JonDoDaemon for Debian].
    72 Depending on your [ thread model], [ JonDonym] can be potentially used as a replacement for Tor. Prefer the [ console version] of 'JonDo – the IP changer', otherwise you would have to install a desktop environment, which needs a lot more RAM, CPU and disc space (not possible on most embedded devices).
    74 Free users can [ only only use port 80 (http) and 443 (https)]. Socks is [ only available for paying premium users]. Therefore free users can only reach services listening on remote port 80 or 443. Normal browsing will work, other stuff, for example IRC on port 6667 will not work. Paying premium users can use all services.
    76 In comparison to Tor, JonDo does not offer a TransPort or DnsPort. For that reason, transocks_ev [ (download here)] is needed. Note that you can not use the firewall rules provided [ under transocks_ev]. You need to adjust the [ TorBOX firewall] (/etc/ or alternatively adjust [ TorBOX-Gateway].
    78 = RetroShare =
    79 In fact [ RetroShare] is not an [ anonymizing network], it is a [ friend-to-friend] (F2F) network, or optionally a [ darknet]. It has a very different audience and thread model. RetroShare does not support using an outproxy yet, for this reason, it can not replace Tor on the TorBOX-Gateway. It can be used inside the TorBOX-Gateway. This enables you, to do things, which are normally potentially dangerous, such as adding random people (from a forum), while staying anonymous. (For example, to join a RetroShare forum.)
    81 == RetroShare over Tor ==
    82 After adding tons of random "friends" from a public forum, I could connect to a very few people over TCP. Approximately only 5% were online. Although I can probable see only a very small portion of the network, the content of the network looks pretty interesting.
    84 RetroShare reports Right click -> DHT Details: [[BR]]
    87 Chance of working better (untested): [ Tunneling UDP over Tor]. Note, that [ Other Anonymizing Networks over Tor UDP Tunnel] applies.
    89 = Freenet =
    90 == Using a gateway (inproxy) inside your TorBOX-Workstation ==
    91 A [ freenet gateway]. Still working? How to use?
    93 == Freenet inside the TorBOX-Workstation (Freenet over Tor) ==
    94 In "classical sense" (directly and only over Tor) this is impossible. This is tested, freenet installs normally, but even with lowest security settings, connection will never be established. The problem is, that Tor does not support UDP. (There has been a [ discussion] about this topic. Although it's from 2008, it doesn't look like, the situation has changed or will change.)
    96 Workaround: [ Tunneling UDP over Tor]. Note, that [ Other Anonymizing Networks over Tor UDP Tunnel] applies.
    98 Another workaround: Buy, administrate and connect the SSH server anonymously though your TorBOX-Workstation. Install freenet on the remote location and connect from your TorBOX-Workstation (SSL or SSH tunnel). See the freenet wiki for more information.
    100 == Freenet on the TorBOX-Gateway [FreenetBOX] ==
    101 Can be also potentially only be used parallel to Tor. It's impossible to tunnel Freenet through Tor (see above). Also replacing Tor with Freenet is impossible, as freenet is a separated network, not designed to exit the network. Apt-get couldn't work.
    103 Not written yet.
    105 = VPN =
    106 Not finished yet. UNTESTED! [ dev thread]
    108 TorBOX developers do not review or rate VPN services. That's beyond the TorBOX project. See [ A Free example VPN working with TorBOX for testing purposes] for more information.
    110 == VPN's in addition to Tor ==
    111 It is already possible to [ Tunnel Tor through proxy, '''VPN''' or SSH] or to [ Tunnel Proxy/SSH/'''VPN''' through Tor], or a combination of both methods.
    113 == VPN's as a Tor replacement [VPNBOX] ==
    114 Not finished yet. UNTESTED! [ dev thread]
    116 In this chapter we explain, how you can replace Tor with a VPN. Regarding security see 'Introduction' on this page at the top. It's your responsibility to find a (non-logging, safe) free/paid VPN provider or to stick with Tor.
    118 [ source], Windows related but the routing stuff is valid for Linux as well.
    120 First we have to ensure, that the VPN-Gateway will only connect trough the VPN service and nothing else. There are some weak alternative ways to do this. Some "VPN-Monitor" check every, let's say 500 ms, if the VPN IP is still valid, if not, kill a list of applications. This is not very secure, it's a game if that time period is sufficient to stop a leak and if killing the applications is fast enough. Another more serious option would be to use iptables rules, allow only traffic to the VPN server and to no other targets. This maybe additionally implemented later. However, using iptables for this scenario isn't the most secure option. When the IP of the VPN service gets assigned to another server, you could end up connecting to a malicious server. The most secure option is to modify the routing table.
    122 1. Test if your host internet connection is working.
    124 2. Test if your tor internet connection is working.
    126 3. Store your routing table before starting the VPN and before modifying anything. Type in console:
    127 {{{
    128 route
    129 }}}
    131 4. Start VPN.
    132 {{{
    133 sudo openvpn /etc/openvpn/client.conf
    134 }}}
    136 5. Test if your ISP IP gets replaced with the VPN IP.
    138 6. Store the modified routing table. Type in console:
    139 {{{
    140 route
    141 }}}
    143 7. Delete your default route and set your new default route to the virtual VPN network adapter.
    144 {{{
    145 sudo route del default
    146 sudo route add default dev tun0
    147 }}}
    149 8. Test if your VPN IP is still valid.
    151 9. Store the modified routing table. Type in console:
    152 {{{
    153 route
    154 }}}
    156 10. For testing purposes, kill your OpenVPN connection.
    157 {{{
    158 sudo killall openvpn
    159 }}}
    161 11. Test if you can NOT connect to anything anymore. That's the whole point to prevent any leaks in the clear.
    163 TODO: [[BR]]
    164 - Testing. [[BR]]
    165 - Autostart everything. [[BR]]
    166 - Use up in /etc/network/interfaces. [[BR]]
    167 - Final step: forwarding traffic from the Workstation to the Gateway.
    168 - extra: VPNchains (two or more independent VPN providers in a chain)
    170 Not finished yet. UNTESTED!
    172 = Proxy =
    173 Required reading: [[BR]]
    174 [ proxy] [[BR]]
    175 [ Tor + VPN or Proxy] [[BR]]
    177 == Proxies in addition to Tor ==
    178 See [ Advantages of TorBOX], "It is possible to use TorBOX setup in conjunction with VPNs, ssh and other proxies....".
    180 == Proxies as a Tor replacement [ProxyBOX] ==
    181 Not finished.
    183 [ dev thread]
    185 It is possible to replace Tor with local or remote proxies. Note that anonymity is sufficiently lower with (single hop) proxies. The difficulty is, that most proxies lack a TransPort and DnsPort.
    187 It also depends, what kind of proxy you want to use.
    189 See also [ TorBOX/OptionalConfigurations#TransparentProxying] (Describes Transparent Proxying inside TorBOX-Workstation to an extra proxy, i.e. TorBOX-Workstation -> Tor -> Proxy.)
    191 There are two options available. 1. Transparent Proxying Method or 2. The Proxy Settings Method.
    193 === Depending on Proxy type ===
    194 http proxies are not suited, because we would not be able to connect to https protected websites. The setup for https, socks4(a)/5 proxies should be very similar.
    196 === Transparent Proxying Method ===
    197 Not finished.
    199 Transparent Proxying (like TorBOX with Tor's TransPort) is, due to technical limitations, not fully supported by proxies. Proxies do not offer a DnsPort and also do not act as a DNS server. While it's possible to relay TCP and UDP traffic through the proxy on the IP level (using iptables), you would still always require known (you know the IP) DNS server. (i.e. public DNS server such as OpenDNS, Google, httpsdnsd) DNS resolution would look like: Proxy-Workstation -> Proxy-Gateway -> Proxy -> DNS server. It's technically not possible to let the proxy transparently (!) do the DNS resolution (no tools available) - at least not that we know after extended research know of. This is because proxies offer hostname resolution, but not DNS. (Sources: Leonid Evdokimov (author of [ redsocks]) on mailing list, [ Transparent Proxy, DNS, without public DNS server]; [ Bernd Holzmüller] (author of [ transocks_ev]) by e-mail) This technical limitation may be lifted if redsocks [ Feature Request: fake DNS resolver] gets implemented.
    201 Due to the DNS issue, you can't completely hide behind the proxy (using it transparently). You always would have to reveal, that you are using a public (or private) extra DNS resolver. Of course, you would also not only have to trust the proxy, but also the extra DNS server, which can see, log and correlate all your DNS queries.
    203 For TCP and UDP: Proxy-Workstation -> Proxy-Gateway -> network layer -> redsocks -> proxy [[BR]]
    204 For DNS: Proxy-Workstation -> Proxy-Gateway -> network layer -> redsocks -> proxy -> public DNS server [[BR]]
    206 === Proxy Settings Method ===
    207 Not finished.
    209 Design: The Proxy-Workstation is on an isolated internal LAN (similar to TorBOX's TorBOX-Workstation design) and can't connect to the internet directly. (Iptables rules on the Proxy-Gateway forbid that.) All applications installed inside the Proxy-Workstation have to use the correct [ proxy settings] or a [ wrapper].
    211 For TCP, UDP and DNS: Proxy-Workstation -> Proxy-Gateway -> proxy
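Review bot: the v49 replacement text ("This page has been moved.", new line 3) names no destination, so a reader who lands here has no way to reach the migrated content; add a link to the page's new location next to "TorBOX has been renamed to Whonix." (the old "[ TorBOX Homepage]" link at v48 line 2 could simply be repointed at the Whonix page), and turn "The History of this page might still be interesting" into an actual link to the wiki history view rather than leaving the reader to find it. The removed text carries security caveats that readers may still rely on until the migrated page exists (the v48 line 7 note that the networks differ in their threat model, the line 22 statement that the i2p inproxy admin can see all traffic into the i2p network, and the leak test at step 11 of the VPN section), so the move should not leave a window where neither location documents them. Minor: the old text consistently writes "thread model" for "threat model" (lines 7, 59, 72, 79) and "loose" for "lose" (line 22); fix these when the content is migrated rather than carrying them over.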