Changes between Version 48 and Version 49 of doc/TorBOX/OtherAnonymizingNetworks


Timestamp:
Sep 27, 2012, 11:46:38 PM (7 years ago)
Author:
proper
Comment:

--

  • doc/TorBOX/OtherAnonymizingNetworks

    v48 v49  
    1 [[TOC(noheading, depth=1)]]
    2 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX TorBOX Homepage]
     1TorBOX has been renamed to Whonix.
    32
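Review bot: the replacement at new line 1 drops the only link the page had to the TorBOX homepage (old line 2) and introduces the new name "Whonix" without linking it anywhere; since the rest of the page uses the Trac `[url text]` link form, consider making the rename notice a link to the new location, for example `[https://sourceforge.net/p/whonix/wiki/OtherAnonymizingNetworks/ TorBOX has been renamed to Whonix.]`, so a reader who stops at the first line still finds the project.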
    4 = Introduction =
    5 TorBOX can work together with any other suited Anonymizing Networks, either in addition, this means the other network will be tunneled through Tor. Also Tor can be completely exchanged with any other suited anonymizing network.
     3This page has been moved. The History of this page might still be interesting.
    64
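Review bot: new line 3 says the page has moved but not where; the destination only appears as a bare URL at new line 5, two lines further down, with nothing tying the two together, so the notice and the URL should be one sentence ("This page has moved to [https://sourceforge.net/p/whonix/wiki/OtherAnonymizingNetworks/ the Whonix wiki]."). The stray capital in "The History of this page" should also be lowercased, and "might still be interesting" would be clearer as a statement of what the history holds: the old introduction removed here (old lines 4-5) explained that other networks can either be tunneled through Tor or replace it, which is the information a reader following the history link is looking for.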
    7 '''Note that all networks differ in their thread model and security! Research before you start using them.
    8 
    9 = Rudimentary TorBOX Support for Other Anonymizing Networks =
    10 Although the project's name TorBOX does not implicate it, TorBOX is agnostic about which Anonymizing Network is being used. The project name has historical reasons. TorBOX started with Tor as anonymizing network. The idea, that also other anonymizing network could be used, came much later. Can you think of, any better name to describe TorBOX? And even any better name to describe the anonymizing network agnostic?
    11 
    12 At the moment TorBOX's support for Other Anonymizing Networks is only rudimentary and not as good as supported like the Tor network. Of course TorBOX developers respect other anonymizing networks, their developers and their users. They are simply more accustomed to the Tor network, which is also a personal preference. It's also very hard to be equally interested, educated and to stay up to date with all other anonymizing networks at the same time.
    13 
    14 As soon as a new developer, who actively supports the other anonymizing network, joins the TorBOX project, this particular anonymizing network can be equally supported like the Tor network. For example, there is not much point in separate a 'JonDoBOX', if most of the knowledge and code is shared. Almost anything, even the project name, could be revised.
    15 
    16 = i2p anonymizing network =
    17 Unfortunately it is not possible to reliably replace the Tor network with the [http://www.i2p2.de i2p network]. The i2p network is mainly designed to host all services inside the i2p network. We have to update the TorBOX-Workstation's operating system and software packages. That is not possible with i2p. Outproxies exist (http, https and socks), but too few of them. And they are not suited for use with TorBOX. They are too unreliable (too often offline). At the moment (March 2012) there are no working https or socks outproxies, which we could use for apt-get. I2p can be used as an addition to TorBOX.
    18 
    19 If you simply want to browse eepsites, see [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OtherAnonymizingNetworks#Browsingeepsitesusingi2pinproxiesonTorBOX-Workstation Browsing eepsites using i2p inproxies on TorBOX-Workstation], otherwise you can also install i2p directly inside TorBOX-Workstation or directly on the TorBOX-Gateway.
    20 
    21 == Browsing eepsites using i2p inproxies on TorBOX-Workstation ==
    22 There are several i2p inproxies, those are similar to [https://trac.torproject.org/projects/tor/wiki/doc/tor2web tor2web]. Simply use your [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers#newadviceMarch2012 Tor Browser]. Note that you will loose the end-to-end encryption to the eepsites, which i2p would provide, if you would install it directly inside TorBOX-Workstation or if you would use it the ordinary way. Depending on if the inproxy uses http (unencrypted), http'''s''' (or is reachable through a hidden service), also [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ExitNodesEavesdropping Exit Nodes Eavesdropping] applies. In any case, the i2p inproxy admin can see, all your traffic into the i2p network and there is no way to prevent that. [[BR]]
    23 i2p inproxies:
    24  * [https://www.awxcnx.de/tor-i2p-proxy2-en.htm awxcnx]
    25  * [http://6dyi4t72u7y6g763.onion/ 6dyi4t72u7y6g763.onion]
    26  * or simply add '.to' after '.i2p'. For example, instant of 'http://forum.i2p' you can use 'http://forum.i2p.to'.
    27 
    28 == Installing i2p inside TorBOX-Workstation (i2p over Tor) ==
    29 It is possible to run i2p inside the TorBOX-Workstation. [[BR]]
    30 Advantages: [[BR]]
    31  * Anonymity is provided by Tor.
    32  * I2p webinterface works normal inside Tor Browser. No need to install a graphical user interface on the TorBOX-Gateway.
    33  * Eepsites (.i2p) can be reached directly from Tor Browser.
    34  * I2p's end-to-end encryption will be used like usual.
    35 Disadvantages: [[BR]]
    36  * Adds load to Tor.
    37  * Adds load to i2p.
    38  * It's slower than i2p directly on TorBOX-Gateway or the ordinary usage.
    39  * Incoming connections are not possible, because [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#TorBOXsTorBOX-Workstationisfirewalled TorBOX's Tor Workstation is firewalled]. ^1^ [[BR]]
    40  ,,^1^ If you know to use a hidden service, please add this information.
    41  * No contribution (leaching) to the i2p network. ^2^ [[BR]]
    42  ,,^2^ Sounds worse than it is. Only very little people are expected to use i2p over Tor. I2p offers those options itself. It's not like a leeching mod.
    43 
    44 Recommend settings:
    45  * Tor Browser
    46    * Use a [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers#UsetheTorBrowser second instance of the Tor Browser].
    47    * Add http proxy IP: 127.0.0.1 port: 4444 in Tor Browser's TorButton.
    48  * Network
    49    * IP configuration: hidden mode (do not publish IP) (There is no need to publish the exit node's IP address.)
    50    * UDP-Port: completely disable (Not supported by Tor.)
    51    * TCP: disable inbound (Firewalled) (Only outgoing TCP supported by TorBOX.)
    52  * Tunnels
    53    * length (all tunnels): inbound and outbound: 0 (It's faster and less connection interrupts. Anonymity is already provided by Tor. No need to leech from Tor/i2p.)
    54 
    55 == Installing i2p on TorBOX-Gateway [i2pBOX] ==
    56 Development stalled due to lack of interest from TorBOX developers and ip2 community. Development thread: [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#Supportfori2pWAITforcontributorsmorematureupstream Support for i2p [WAIT for contributors/more mature upstream]]; [http://forum.i2p2.de/viewtopic.php?t=7037 i2p thread]. Anyone feel free it take it.
    57 
    58 = JonDonym =
    59 Be aware, that the [https://anonymous-proxy-servers.net JonDonym network] is much smaller than the Tor network. However, JonDonym might be faster. In some aspects JonDonym is more/less secure than Tor. Depends on your thread model. Read the [https://anonymous-proxy-servers.net/en/help/jondonym.html network comparison]. Also note [http://anonymous-proxy-servers.net/en/law_enforcement.html law enforcement].
    60 
    61 == proper's JonDonym opinion ==
    62 Tunneling JonDonym over Tor makes sense in some cases. I wouldn't do it for a longer amount of time, as it adds a permanent exit server. (See [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN TorPlusProxy] for background.) Tor suffers from a few [https://trac.torproject.org/projects/tor/wiki/doc/badRelays bad relays], as the servers are run by volunteers and a few of them are evil. There is [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ExitNodesEavesdropping Exit Nodes Eavesdropping] (applies only to unencrypted traffic). Even worse, exit nodes may try to defeat SSL using sslstrip (google it, read, watch some demonstration videos) (or other tools). And/or they inject malware into the data stream. Conclusion: if you want to download something, which you can not download over SSL (and if there are also no hash sums or signatures), the JonDo exit is more trustable than a random Tor exit. Alternatively you can also use .exit, to force the use of a specific Tor exit node, which you trust more than a random one.
    63 
    64 == JonDonym over Tor inside TorBOX-Workstation ==
    65 You can tunnel JonDonym over Tor. This could be useful, to circumvent Tor bans. But note [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN Tor Plus Proxy] (it adds a permanent exit node, like explained and the article). Not many changes are required. [https://anonymous-proxy-servers.net/en/software.html download] and install it as usual. You need 'JonDo – the IP changer', either as the gui or console version. You can decide, if you prefer to use JonDoFox or the [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers#newadviceMarch2012 Tor Browser]. If you want to use the Tor Browser, see their [http://anonymous-proxy-servers.net/en/get-help.html help section] on how to point Firefox to JonDo.
    66 
    67 == JonDonym as Tor replacement [JonDoBOX] ==
    68 Not finished yet.
    69 
    70 The sources might contain additional helpful information. The [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SupportforJonDo TorBOX dev thread about JonDonym]; the [https://anonymous-proxy-servers.net/forum/viewtopic.php?f=10&t=6680&sid=24b1980990c5ae69e021bc998c878370 thread in the JonDonym forum]; [https://anonymous-proxy-servers.net/en/help/transocks.html JonDonym transocks_ev]; [https://anonymous-proxy-servers.net/wiki/index.php/JonDoDaemon_for_Debian JonDoDaemon for Debian].
    71 
    72 Depending on your [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening thread model], [https://anonymous-proxy-servers.net/ JonDonym] can be potentially used as a replacement for Tor. Prefer the [https://anonymous-proxy-servers.net/wiki/index.php/JonDoDaemon_for_Debian console version] of 'JonDo – the IP changer', otherwise you would have to install a desktop environment, which needs a lot more RAM, CPU and disc space (not possible on most embedded devices).
    73 
    74 Free users can [https://shop.anonymous-proxy-servers.net/bin/payment?lang=en#vorteile only only use port 80 (http) and 443 (https)]. Socks is [https://anonymous-proxy-servers.net/en/help/about.html only available for paying premium users]. Therefore free users can only reach services listening on remote port 80 or 443. Normal browsing will work, other stuff, for example IRC on port 6667 will not work. Paying premium users can use all services.
    75 
    76 In comparison to Tor, JonDo does not offer a TransPort or DnsPort. For that reason, transocks_ev [https://anonymous-proxy-servers.net/en/help/transocks.html (download here)] is needed. Note that you can not use the firewall rules provided [https://anonymous-proxy-servers.net/en/help/transocks.html under transocks_ev]. You need to adjust the [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#TorBOXsTorBOX-Workstationisfirewalled TorBOX firewall] (/etc/torboxfirewall.sh) or alternatively adjust [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/TGScript TorBOX-Gateway].
    77 
    78 = RetroShare =
    79 In fact [http://retroshare.sourceforge.net RetroShare] is not an [https://en.wikipedia.org/wiki/Anonymizer anonymizing network], it is a [https://en.wikipedia.org/wiki/Friend-to-friend friend-to-friend] (F2F) network, or optionally a [https://en.wikipedia.org/wiki/Darknet_(file_sharing) darknet]. It has a very different audience and thread model. RetroShare does not support using an outproxy yet, for this reason, it can not replace Tor on the TorBOX-Gateway. It can be used inside the TorBOX-Gateway. This enables you, to do things, which are normally potentially dangerous, such as adding random people (from a forum), while staying anonymous. (For example, to join a RetroShare forum.)
    80 
    81 == RetroShare over Tor ==
    82 After adding tons of random "friends" from a public forum, I could connect to a very few people over TCP. Approximately only 5% were online. Although I can probable see only a very small portion of the network, the content of the network looks pretty interesting.
    83 
    84 RetroShare reports Right click -> DHT Details: [[BR]]
    85 NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD
    86 
    87 Chance of working better (untested): [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelingUDPoverTor Tunneling UDP over Tor]. Note, that [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#OtherAnonymizingNetworksoverTorUDPTunnel Other Anonymizing Networks over Tor UDP Tunnel] applies.
    88 
    89 = Freenet =
    90 == Using a gateway (inproxy) inside your TorBOX-Workstation ==
    91 A [http://www.student.nada.kth.se/~md98-osa/gateway.html freenet gateway]. Still working? How to use?
    92 
    93 == Freenet inside the TorBOX-Workstation (Freenet over Tor) ==
    94 In "classical sense" (directly and only over Tor) this is impossible. This is tested, freenet installs normally, but even with lowest security settings, connection will never be established. The problem is, that Tor does not support UDP. (There has been a [http://comments.gmane.org/gmane.network.freenet.support/8211 discussion] about this topic. Although it's from 2008, it doesn't look like, the situation has changed or will change.)
    95 
    96 Workaround: [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelingUDPoverTor Tunneling UDP over Tor]. Note, that [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#OtherAnonymizingNetworksoverTorUDPTunnel Other Anonymizing Networks over Tor UDP Tunnel] applies.
    97 
    98 Another workaround: Buy, administrate and connect the SSH server anonymously though your TorBOX-Workstation. Install freenet on the remote location and connect from your TorBOX-Workstation (SSL or SSH tunnel). See the freenet wiki for more information.
    99 
    100 == Freenet on the TorBOX-Gateway [FreenetBOX] ==
    101 Can be also potentially only be used parallel to Tor. It's impossible to tunnel Freenet through Tor (see above). Also replacing Tor with Freenet is impossible, as freenet is a separated network, not designed to exit the network. Apt-get couldn't work.
    102 
    103 Not written yet.
    104 
    105 = VPN =
    106 Not finished yet. UNTESTED! [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SupportforVPNsasTorreplacementOPTIONALFEATURE dev thread]
    107 
    108 TorBOX developers do not review or rate VPN services. That's beyond the TorBOX project. See [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#AFreeexampleVPNworkingwithTorBOXfortestingpurposes A Free example VPN working with TorBOX for testing purposes] for more information.
    109 
    110 == VPN's in addition to Tor ==
    111 It is already possible to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelingTorthroughproxyVPNorSSH Tunnel Tor through proxy, '''VPN''' or SSH] or to [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TunnelingProxySSHVPNthroughTor Tunnel Proxy/SSH/'''VPN''' through Tor], or a combination of both methods.
    112 
    113 == VPN's as a Tor replacement [VPNBOX] ==
    114 Not finished yet. UNTESTED! [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SupportforVPNsasTorreplacementOPTIONALFEATURE dev thread]
    115 
    116 In this chapter we explain, how you can replace Tor with a VPN. Regarding security see 'Introduction' on this page at the top. It's your responsibility to find a (non-logging, safe) free/paid VPN provider or to stick with Tor.
    117 
    118 [http://cranthetrader.blogspot.de/2011/10/dont-allow-non-vpn-traffic.html source], Windows related but the routing stuff is valid for Linux as well.
    119 
    120 First we have to ensure, that the VPN-Gateway will only connect trough the VPN service and nothing else. There are some weak alternative ways to do this. Some "VPN-Monitor" check every, let's say 500 ms, if the VPN IP is still valid, if not, kill a list of applications. This is not very secure, it's a game if that time period is sufficient to stop a leak and if killing the applications is fast enough. Another more serious option would be to use iptables rules, allow only traffic to the VPN server and to no other targets. This maybe additionally implemented later. However, using iptables for this scenario isn't the most secure option. When the IP of the VPN service gets assigned to another server, you could end up connecting to a malicious server. The most secure option is to modify the routing table.
    121 
    122 1. Test if your host internet connection is working.
    123 
    124 2. Test if your tor internet connection is working.
    125 
    126 3. Store your routing table before starting the VPN and before modifying anything. Type in console:
    127 {{{
    128 route
    129 }}}
    130 
    131 4. Start VPN.
    132 {{{
    133 sudo openvpn /etc/openvpn/client.conf
    134 }}}
    135 
    136 5. Test if your ISP IP gets replaced with the VPN IP.
    137 
    138 6. Store the modified routing table. Type in console:
    139 {{{
    140 route
    141 }}}
    142 
    143 7. Delete your default route and set your new default route to the virtual VPN network adapter.
    144 {{{
    145 sudo route del default
    146 sudo route add default dev tun0
    147 }}}
    148 
    149 8. Test if your VPN IP is still valid.
    150 
    151 9. Store the modified routing table. Type in console:
    152 {{{
    153 route
    154 }}}
    155 
    156 10. For testing purposes, kill your OpenVPN connection.
    157 {{{
    158 sudo killall openvpn
    159 }}}
    160 
    161 11. Test if you can NOT connect to anything anymore. That's the whole point to prevent any leaks in the clear.
    162 
    163 TODO: [[BR]]
    164 - Testing. [[BR]]
    165 - Autostart everything. [[BR]]
    166 - Use up in /etc/network/interfaces. [[BR]]
    167 - Final step: forwarding traffic from the Workstation to the Gateway.
    168 - extra: VPNchains (two or more independent VPN providers in a chain)
    169 
    170 Not finished yet. UNTESTED!
    171 
    172 = Proxy =
    173 Required reading: [[BR]]
    174 [https://trac.torproject.org/projects/tor/wiki/doc/proxy proxy] [[BR]]
    175 [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN#VPNSSHversusProxy Tor + VPN or Proxy] [[BR]]
    176 
    177 == Proxies in addition to Tor ==
    178 See [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX#AdvantagesofTorBOX Advantages of TorBOX], "It is possible to use TorBOX setup in conjunction with VPNs, ssh and other proxies....".
    179 
    180 == Proxies as a Tor replacement [ProxyBOX] ==
    181 Not finished.
    182 
    183 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SupportforproxiesasTorreplacementOPTIONALFEATURE dev thread]
    184 
    185 It is possible to replace Tor with local or remote proxies. Note that anonymity is sufficiently lower with (single hop) proxies. The difficulty is, that most proxies lack a TransPort and DnsPort.
    186 
    187 It also depends, what kind of proxy you want to use.
    188 
    189 See also [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/OptionalConfigurations#TransparentProxying TorBOX/OptionalConfigurations#TransparentProxying] (Describes Transparent Proxying inside TorBOX-Workstation to an extra proxy, i.e. TorBOX-Workstation -> Tor -> Proxy.)
    190 
    191 There are two options available. 1. Transparent Proxying Method or 2. The Proxy Settings Method.
    192 
    193 === Depending on Proxy type ===
    194 http proxies are not suited, because we would not be able to connect to https protected websites. The setup for https, socks4(a)/5 proxies should be very similar.
    195 
    196 === Transparent Proxying Method ===
    197 Not finished.
    198 
    199 Transparent Proxying (like TorBOX with Tor's TransPort) is, due to technical limitations, not fully supported by proxies. Proxies do not offer a DnsPort and also do not act as a DNS server. While it's possible to relay TCP and UDP traffic through the proxy on the IP level (using iptables), you would still always require known (you know the IP) DNS server. (i.e. public DNS server such as OpenDNS, Google, httpsdnsd) DNS resolution would look like: Proxy-Workstation -> Proxy-Gateway -> Proxy -> DNS server. It's technically not possible to let the proxy transparently (!) do the DNS resolution (no tools available) - at least not that we know after extended research know of. This is because proxies offer hostname resolution, but not DNS. (Sources: Leonid Evdokimov (author of [https://github.com/darkk/redsocks/issues/new redsocks]) on mailing list, [http://librelist.com/browser//redsocks/2012/5/15/transparent-proxy-dns-without-public-dns-server/#e8cb0f54932856f1c0cc9259e24cb089 Transparent Proxy, DNS, without public DNS server]; [http://tiggerswelt.net/Ueber%20uns/impressum/ Bernd Holzmüller] (author of [http://oss.tiggerswelt.net/transocks_ev/ transocks_ev]) by e-mail) This technical limitation may be lifted if redsocks [https://github.com/darkk/redsocks/issues/23 Feature Request: fake DNS resolver] gets implemented.
    200 
    201 Due to the DNS issue, you can't completely hide behind the proxy (using it transparently). You always would have to reveal, that you are using a public (or private) extra DNS resolver. Of course, you would also not only have to trust the proxy, but also the extra DNS server, which can see, log and correlate all your DNS queries.
    202 
    203 For TCP and UDP: Proxy-Workstation -> Proxy-Gateway -> network layer -> redsocks -> proxy [[BR]]
    204 For DNS: Proxy-Workstation -> Proxy-Gateway -> network layer -> redsocks -> proxy -> public DNS server [[BR]]
    205 
    206 === Proxy Settings Method ===
    207 Not finished.
    208 
    209 Design: The Proxy-Workstation is on an isolated internal LAN (similar to TorBOX's TorBOX-Workstation design) and can't connect to the internet directly. (Iptables rules on the Proxy-Gateway forbid that.) All applications installed inside the Proxy-Workstation have to use the correct [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#classicalcommonway:usetheapplicationsproxysettings proxy settings] or a [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#notsocommon:useawrapper:forcetheapplicationtouseaproxytorsocksusewithtor wrapper].
    210 
    211 For TCP, UDP and DNS: Proxy-Workstation -> Proxy-Gateway -> proxy
     5https://sourceforge.net/p/whonix/wiki/OtherAnonymizingNetworks/
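Review bot: deleting old lines 7-211 removes every section heading on the page, so the in-page anchors that other wiki pages link to now dangle (old line 19 itself links to `#Browsingeepsitesusingi2pinproxiesonTorBOX-Workstation` on this page, and old lines 39 and 76 link into anchors on sibling TorBOX pages that presumably link back); a redirect notice that keeps the old headings as stubs, or at least lists them, would preserve those anchors. The replacement at new line 5 is a bare URL rather than the `[url text]` form used throughout the removed text, and it is not rendered as a link in Trac unless wrapped that way. Two points for whoever carries the content to the destination: the removed text consistently writes "thread model" where "threat model" is meant (old lines 7, 59, 72 and 79), and the VPN routing procedure at old lines 120-170 is marked "UNTESTED!" three times, so if new line 3 is meant to steer readers into the history, the moved page should correct the typo and keep the untested warning rather than present that procedure as verified.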