wiki:doc/TorBOX/OtherAnonymizingNetworks

Version 33 (modified by proper, 7 years ago) (diff)

Introduction

TorBOX can work together with any other suitable anonymizing network, either in addition to Tor, which means the other network is tunneled through Tor, or as a complete replacement for Tor.

Note that all of these networks differ in their threat model and security! Do your research before you start using them.

Rudimentary TorBOX Support for Other Anonymizing Networks

Although the project's name TorBOX does not imply it, TorBOX is agnostic about which anonymizing network is used. The project name has historical reasons: TorBOX started with Tor as its anonymizing network, and the idea that other anonymizing networks could also be used came much later. Can you think of a better name to describe TorBOX, or a better term to describe being agnostic about the anonymizing network?

At the moment TorBOX's support for other anonymizing networks is only rudimentary and not as good as its support for the Tor network. Of course the TorBOX developers respect other anonymizing networks, their developers and their users. They are simply more accustomed to the Tor network, which is also a personal preference. It is also very hard to be equally interested in, educated about and up to date with all other anonymizing networks at the same time.

As soon as a new developer who actively supports another anonymizing network joins the TorBOX project, that network can be supported as well as the Tor network is. For example, there is not much point in a separate 'JonDoBOX' if most of the knowledge and code is shared. Almost anything, even the project name, could be revised.

i2p anonymizing network

Unfortunately it is not possible to reliably replace the Tor network with the i2p network. The i2p network is mainly designed to host all services inside the i2p network, whereas we have to update the Tor-Workstation's operating system and software packages from the clearnet, which is not possible with i2p alone. Outproxies exist (http, https and socks), but there are too few of them, and they are not suited for use with TorBOX because they are too unreliable (too often offline). At the moment (March 2012) there are no working https or socks outproxies which we could use for apt-get. I2p can, however, be used as an addition to TorBOX.

If you simply want to browse eepsites, see 'Browsing eepsites using i2p inproxies on Tor-Workstation' below; otherwise you can also install i2p directly inside Tor-Workstation or directly on the Tor-Gateway.

Browsing eepsites using i2p inproxies on Tor-Workstation

There are several i2p inproxies; they are similar to tor2web. Simply use your Tor Browser. Note that you will lose the end-to-end encryption to the eepsites which i2p would provide if you installed it directly inside Tor-Workstation or used it the ordinary way. Depending on whether the inproxy uses http (unencrypted) or https (or is reachable through a hidden service), Exit Nodes Eavesdropping also applies. In any case, the i2p inproxy admin can see all your traffic into the i2p network, and there is no way to prevent that.
i2p inproxies:

Installing i2p inside Tor-Workstation

It is possible to run i2p inside the Tor-Workstation.
Advantages:

  • Anonymity is provided by Tor.
  • The i2p web interface works normally inside Tor Browser. No need to install a graphical user interface on the Tor-Gateway.
  • Eepsites (.i2p) can be reached directly from Tor Browser.
  • I2p's end-to-end encryption will be used like usual.

Disadvantages:

  • Adds load to Tor.
  • Adds load to i2p.
  • It's slower than i2p directly on the Tor-Gateway or the ordinary usage.
  • Incoming connections are not possible, because TorBOX's Tor-Workstation is firewalled. 1
    1 If you know how to use a hidden service for this, please add this information.
  • No contribution (leeching) to the i2p network. 2
    2 Sounds worse than it is. Only very few people are expected to use i2p over Tor, and i2p offers these options itself. It's not like a leeching mod.

Recommended settings:

  • Tor Browser
  • Network
    • IP configuration: hidden mode (do not publish IP) (There is no need to publish the exit node's IP address.)
    • UDP-Port: completely disable (Not supported by Tor.)
    • TCP: disable inbound (Firewalled) (Only outgoing TCP supported by TorBOX.)
  • Tunnels
    • length (all tunnels): inbound and outbound: 0 (It's faster, with fewer connection interruptions. Anonymity is already provided by Tor, so there is no need to add hops from i2p on top of Tor.)

Installing i2p on Tor-Gateway

Development stalled due to lack of interest from TorBOX developers and the i2p community. Development thread: Support for i2p [WAIT for contributors/more mature upstream]; i2p thread. Anyone should feel free to take it over.

JonDonym

Be aware that the JonDonym network is much smaller than the Tor network. However, JonDonym might be faster. In some aspects JonDonym is more secure than Tor, in others less; it depends on your threat model. Read the network comparison. Also note law enforcement.

proper's JonDonym opinion

Tunneling JonDonym over Tor makes sense in some cases. I wouldn't do it for a longer amount of time, as it adds a permanent exit server. (See TorPlusProxy for background.) Tor suffers from a few bad relays, as the servers are run by volunteers and a few of them are evil. There is Exit Nodes Eavesdropping (applies only to unencrypted traffic). Even worse, exit nodes may try to defeat SSL using sslstrip (google it, read, watch some demonstration videos) (or other tools). And/or they inject malware into the data stream. Conclusion: if you want to download something which you cannot download over SSL (and if there are also no hash sums or signatures), the JonDo exit is more trustworthy than a random Tor exit. Alternatively you can also use .exit to force the use of a specific Tor exit node which you trust more than a random one.

JonDonym over Tor inside Tor-Workstation

You can tunnel JonDonym over Tor. This could be useful to circumvent Tor bans, but note Tor Plus Proxy (it adds a permanent exit node, as explained in that article). Not many changes are required: download and install it as usual. You need 'JonDo – the IP changer', either the GUI or the console version. You can decide whether you prefer to use JonDoFox or the Tor Browser. If you want to use the Tor Browser, see their help section on how to point Firefox to JonDo.

JonDonym as anonymizing network on Tor-Gateway (as Tor replacement)

Not finished yet.

The sources might contain additional helpful information. The TorBOX dev thread about JonDonym; the thread in the JonDonym forum; JonDonym transocks_ev; JonDoDaemon for Debian.

Depending on your threat model, JonDonym can potentially be used as a replacement for Tor. Prefer the console version of 'JonDo – the IP changer'; otherwise you would have to install a desktop environment, which needs a lot more RAM, CPU and disk space (not possible on most embedded devices).

Free users can only use port 80 (http) and 443 (https). Socks is only available for paying premium users. Therefore free users can only reach services listening on remote port 80 or 443. Normal browsing will work; other things, for example IRC on port 6667, will not work. Paying premium users can use all services.

In comparison to Tor, JonDo does not offer a TransPort or DnsPort. For that reason transocks_ev (download here) is needed. Note that you cannot use the firewall rules provided under transocks_ev as they are. You need to adjust the TorBOX firewall (/etc/torboxfirewall.sh) or alternatively adjust tor-gateway.sh.

RetroShare

In fact RetroShare is not an anonymizing network; it is a friend-to-friend (F2F) network, or optionally a darknet. It has a very different audience and threat model. RetroShare does not support using an outproxy yet, so it cannot replace Tor on the Tor-Gateway. It may be used inside the Tor-Gateway. This would enable you to do things which are normally potentially dangerous, such as adding random people (from a forum) while staying anonymous. (For example, to join a RetroShare forum.)

At the moment it is not possible to connect to the RetroShare network over Tor. RetroShare relies on UDP, which is not supported by Tor, and RetroShare also has no proxy support yet. torsocks does not help either. When proxy support gets implemented, it might be possible. Update:

After adding tons of random "friends" from a public forum, I could connect to very few people over TCP. Approximately only 5% were online. I don't know why it's working. Although I can probably see only a very small portion of the network, the content of the network looks pretty interesting.

RetroShare reports (Right click -> DHT Details): NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD

Chance of working better (untested): tunneling UDP over Tor. Note that 'Other Anonymizing Networks over Tor UDP Tunnel' applies.

Freenet

Using a gateway (inproxy) inside your Tor-Workstation

A freenet gateway. Still working? How to use?

Inside the Tor-Workstation

In the "classical sense" (directly and only over Tor) this is impossible. (Tested: Freenet installs normally, but even with the lowest security settings a connection is never established.) The problem is that Tor does not support UDP. (There has been a discussion about this topic. Although it's from 2008, it doesn't look like the situation has changed or will change.)

Workaround (not tested yet, but should work): tunneling UDP over Tor. Note that 'Other Anonymizing Networks over Tor UDP Tunnel' applies.

Another workaround: rent, administer and connect to an SSH server anonymously through your Tor-Workstation. Install Freenet on the remote machine and connect to it from your Tor-Workstation (SSL or SSH tunnel). See the Freenet wiki for more information.

On the Tor-Gateway

Freenet can potentially only be used in parallel to Tor. It's impossible to tunnel Freenet through Tor (see above). Replacing Tor with Freenet is also impossible, as Freenet is a separate network not designed to exit to the clearnet; apt-get could not work.

Not written yet.

VPN

Not finished yet. UNTESTED! dev thread

TorBOX developers do not review or rate VPN services. That's beyond the TorBOX project. See A Free example VPN working with TorBOX for testing purposes for more information.

VPNs in addition to Tor

It is already possible to tunnel Tor through a proxy, VPN or SSH, or to tunnel a proxy/SSH/VPN through Tor, or a combination of both methods.

VPNs as a Tor replacement on Tor-Gateway

Not finished yet. UNTESTED! dev thread

In this chapter we explain how you can replace Tor with a VPN. Regarding security, see the 'Introduction' at the top of this page. It's your responsibility to find a (non-logging, safe) free or paid VPN provider, or to stick with Tor.

Source: Windows related, but the routing part is valid for Linux as well.

First we have to ensure that the VPN-Gateway will only connect through the VPN service and nothing else. There are some weak alternative ways to do this. Some "VPN monitors" check every, let's say, 500 ms whether the VPN IP is still valid and, if not, kill a list of applications. This is not very secure: it's a gamble whether that time period is short enough to stop a leak and whether killing the applications is fast enough. Another, more serious option would be iptables rules that allow only traffic to the VPN server and to no other targets. This may additionally be implemented later. However, using iptables for this scenario isn't the most secure option either: when the IP of the VPN service gets assigned to another server, you could end up connecting to a malicious server. The most secure option is to modify the routing table, so that without the VPN there is no default route at all.

  1. Test if your host internet connection is working.
  2. Test if your Tor internet connection is working.
  3. Store your routing table before starting the VPN and before modifying anything. Type in console:
    route
    
  4. Start the VPN.
    sudo openvpn /etc/openvpn/client.conf
    
  5. Test if your ISP IP gets replaced with the VPN IP.
  6. Store the modified routing table. Type in console:
    route
    
  7. Delete your default route and set your new default route to the virtual VPN network adapter.
    sudo route del default
    sudo route add default dev tun0
    
  8. Test if your VPN IP is still valid.
  9. Store the modified routing table. Type in console:
    route
    
  10. For testing purposes, kill your OpenVPN connection.
    sudo killall openvpn
    
  11. Test that you can NOT connect to anything anymore. That is the whole point: preventing any leaks in the clear.
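The routing-table steps above are checked by eye ("store the routing table", "test that you can NOT connect"). As an added example, not part of this wiki page or the TorBOX scripts, the following POSIX shell script turns that check into something repeatable: it parses `route -n` output (net-tools format, as used on the page) and reports which interface carries the default route. It assumes tun0 as the VPN interface, matching the `route add default dev tun0` step; the three sample routing tables are constructed for illustration and use documentation addresses.

```shell
#!/bin/sh
# Added example (not from the TorBOX wiki): verify the VPN-Gateway's default
# route goes through the VPN tunnel interface, and that no default route is
# left once OpenVPN is gone. Reads `route -n` style output on stdin.

# Print the interface of the default route (destination 0.0.0.0, genmask
# 0.0.0.0). Prints nothing when there is no default route at all, which is
# the state step 11 above expects after OpenVPN has been killed.
default_route_dev() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# Return 0 when the default route uses the expected VPN interface
# (tun0 unless another name is passed as $1), otherwise 1.
default_route_is_vpn() {
    dev=$(default_route_dev)
    [ -n "$dev" ] && [ "$dev" = "${1:-tun0}" ]
}

# Constructed sample: OpenVPN is up (step 4) but the default route was not
# moved yet. Traffic still leaves via eth0 in the clear; 203.0.113.10 stands
# in for the VPN server address.
SAMPLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0'

# Constructed sample: after `route del default` and `route add default dev tun0`
# (step 7). Only the host route to the VPN server still uses eth0.
SAMPLE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0'

# Constructed sample: after `killall openvpn` (step 10). tun0 and its routes
# are gone and, crucially, no default route via eth0 came back.
SAMPLE_KILLED='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0'

# Live mode (CHECK_LIVE=1): inspect the real table of this machine.
# Exit status 1 means the default route is not on the VPN interface.
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    if route -n | default_route_is_vpn "${VPN_DEV:-tun0}"; then
        echo "OK: default route is via ${VPN_DEV:-tun0}"
    else
        echo "LEAK RISK: default route is via '$(route -n | default_route_dev)'" >&2
        exit 1
    fi
fi
```

Run `CHECK_LIVE=1 sh vpnroute.sh` on the VPN-Gateway after step 7 and again after step 10: the first run should print OK, the second should report an empty default route, which is the "cannot connect to anything" state the procedure aims for. A non-empty interface other than tun0 in the second run means a default route in the clear survived.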

TODO:

  • Testing.
  • Autostart everything.
  • Use an 'up' line in /etc/network/interfaces.
  • Final step: forwarding traffic from the Workstation to the Gateway.
  • extra: VPNchains (two or more independent VPN providers in a chain)

Not finished yet. UNTESTED!

Proxy

Not finished.

Proxies in addition to Tor

See Advantages of TorBOX, "It is possible to use TorBOX setup in conjunction with VPNs, ssh and other proxies....".

Proxies as a Tor replacement

It is possible to replace Tor with local or remote proxies. Note that anonymity is considerably lower with (single hop) proxies. The difficulty is that most proxies lack a TransPort and DnsPort.

It also depends on what kind of proxy you want to use.

CGI

CGIProxies (proxy web interface) are not supported as we don't know any trans2cgi redirectors.

HTTP

Not finished.

Http proxies may be usable. The difficult part is translating the network layer to the http proxy. There are two ways this might work:
1) network layer -> tranSOCKS_ev -> socks2http -> http proxy
2) network layer -> trans2http -> http proxy
What we don't know yet is whether any (open source) socks2http or trans2http redirectors exist for Linux. We might document that as soon as we have the socks proxy support ready.

SOCKS

Not finished.

Socks proxies can be utilized more easily: tranSOCKS_ev can translate the network layer to a socks proxy.
JonDonym with premium cascades supports socks. They provide instructions on how to transparently proxy through their socks proxy. This is not a copy-and-paste solution: you have to exchange their proxy IPs and ports with your settings. The same goes for the firewall rules, which also have to be adapted from local redirection for a specific user to the anonymizing middlebox setup.