Hi On Tue, Aug 9, 2016 at 5:58 PM, <blo...@openmailbox.org> wrote:
> Please see below for my response to your helpful comments. > > On 2016-08-08 11:18, Ben Tasker wrote: > >> If you're using Firefox, one thing you want to consider is DNS leakage. >> >> If you go into about:config, see whether network.proxy.socks_remote_dns >> exists. If not create it and set to True. >> >> Without that, DNS won't use the tunnel. As you've got a VPN running it'll >> likely egress from the VPN endpoint instead. >> >> > Point taken. It did exist and was set to "true". Cool > > > VPN ---> Torsocks (on 127.0.0.1) ---> SSH (bound to port 33333) ---> VPS >>> >> ---> Internet. >> >> How do you pay for the VPS? If it's in your name (or can be linked to you) >> then all you're doing is preventing your local ISP from seeing what you're >> connecting to (which might, of course, be your aim). You do, in effect, >> have a fixed exit point though, so it's worth bearing in mind that in some >> ways it makes you more identifiable from the point of view of services >> you're connecting to. >> > > Bitcoin is my friend! I appreciate that using a VPS with a static IP does > provide a fixed exit point. > > I'm wondering if you feel, based on your expertise, that my system looks > secure (see below). > > Wouldn't go so far as to use the word expertise ;) You're using vanilla firefox, so if you haven't already, take a close look at any plugins/addon's you've installed. Some are known to ignore Proxy settings (flash being a primary example). Conversely, look at whether you're using anything outside of Firefox that might use Firefox's proxy settings without you realising (at least one of the FOSS Java runtimes does this - I think it was OpenJDK but don't hold me to that as I can't remember for sure) - if it's sending traffic out that can be linked to you then you're now associated with the VPS. I'd be inclined to set a packet capture running on the VPS, use your system normally for a while and then review the capture to see whether anything unexpected has gone out (it's unfinished, but this might help - https://github.com/bentasker/PCAPAnalyseandReport ) The VPN means you also have a fixed entry point (if you think of it as an additional hop), one you share with others (so there's a small risk in getting caught up in a net meant for someone else), so you probably want to check exactly what's going out over the VPN aside from your Tor traffic - in part to check there's nothing directly attributable to you (though you're connecting to the VPN directly, so they have your IP) - but also to check there's nothing "related" to your Tor browsing (essentially an extension of the check above). I'm sure others with more experience will have input, but the network path you've set up looks OK to me, so long as you're comfortable with the ramifications of having a fixed exit point. Your biggest risk probably comes from anything that might ignore the proxy settings, or from software unexpectedly using the proxy, once you're linked to that VPS there's no going back. > Is it possible to use a HTTP(S) (or another type) of proxy to alter the IP. The ideal model would be: VPN –-> Torsocks (on 127.0.0.1) –-> SSH (bound to port 33333) –-> VPS –-> Proxy (e.g. HTTP(S)) –-> Internet. Given that your stated aim is to avoid being blocked out of sites by coming from exit node addresses, adding a proxy at the end might undermine that - some proxies (at least) are blocked by various sites, and you'd also be back to being exposed to some of the risks of having your traffic tampered with by a third parties system. However, if you really wanted to, one way would be to put Squid onto the VPS with a transparent redirect, and then tell Squid to pass the traffic onto whichever proxy (or pool of proxies) you wanted to use. Ben -- Ben Tasker https://www.bentasker.co.uk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk