Openvpn question
root
2023-03-31 16:38:42 UTC
This is directed to anyone having knowledge about the inner
workings of openvpn software: how difficult would it be
to add an integer parameter to the invocation of openvpn
which would instruct the network of the number of times
to bounce packets around the network before going out
to the world?

This would allow any vpn server to act as tor.

TIA
Henrik Carlqvist
2023-03-31 17:12:01 UTC
Post by root
This is directed to anyone having knowledge about the inner workings of
openvpn software: how difficult would it be to add an integer parameter
to the invocation of openvpn which would instruct the network of the
number of times to bounce packets around the network before going out
to the world?
This would allow any vpn server to act as tor.
I fear that this question comes from a confusion about how the term "VPN"
is used and misused.

VPN stands for "Virtual Private Network"; it sets up an encrypted
connection between two points and somehow emulates some kind of network
device at each end. This allows you to route network traffic between the
two points, and even though the original connection between the two points
is considered unsafe, as others might use tools like tcpdump or wireshark
to listen on the network traffic, the VPN software will encrypt the
traffic on a more or less public network to give you a "Virtual Private
Network".

A proxy server is a completely different thing. A proxy server allows you
to connect to it, telling it which server you really wanted to connect
to. The proxy server will then connect to the server you asked for and
there might be different reasons for using different kinds of proxy
servers.

One reason to use a proxy server might be that it somehow "cleans" the
network traffic. The proxy server might block ads or stop you from
accessing known "bad" sites. Another reason to use a proxy server might
be anonymity, the server that you connect to will not see your IP address
but instead some IP address that belongs to your proxy server.

The confusion between these two different things comes from the fact that
many more or less commercial services providing proxy servers provide a
VPN to connect to their proxy server. For some odd reason these service
providers often call their service a "VPN" even though the primary use
for their service is a proxy server.

Tor is a proxy service in multiple steps; this is so the end point doesn't
know where the traffic came from and the middle points don't know if
the previous point was the traffic origin. There are tragic examples of
people who have mistaken tor for a way to encrypt the traffic to the
server that they wanted to connect to but the hard way found out that
traffic between the tor end point and server was unencrypted. Here is an
old article about that subject:

https://web.archive.org/web/20150705184539/https:/chloe.re/2015/06/20/a-month-with-badonions/

OpenVPN is not intended to be something like tor, it is simply VPN
software in the true meaning of VPN, to encrypt network traffic between a
VPN server and one or more VPN clients.

Would it be possible to make OpenVPN behave like tor? Yes, with
opensource software like OpenVPN anything is possible, but you would be
required to make major modifications of those "configuration" files named
*.c .

regards Henrik
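The multi-step proxying described in the post above, as an added example that is not part of the original post and not Tor's code: a toy three-relay circuit in which each relay peels one layer and records what it is able to observe. The relay names, keys, destination and request are constructed, and the SHA-256 keystream is only a stand-in for real cryptography.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not Tor's cryptography."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload):
    """Client: add one layer per relay; each layer names only the next hop."""
    next_hops = path[1:] + [destination]
    cell = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        header = nxt.encode()
        cell = keystream_xor(keys[relay], bytes([len(header)]) + header + cell)
    return cell

def run_circuit(client, path, keys, cell):
    """Each relay peels its own layer; record what that relay can observe."""
    seen, prev = {}, client
    for relay in path:
        plain = keystream_xor(keys[relay], cell)
        n = plain[0]
        nxt, cell = plain[1:1 + n].decode(), plain[1 + n:]
        seen[relay] = {"from": prev, "to": nxt, "forwards": cell}
        prev = relay
    return seen, cell  # cell is now exactly what the destination receives

# Constructed sample data: relay names, keys, destination and request are made up.
PATH = ["guard", "middle", "exit"]
KEYS = {r: hashlib.sha256(b"demo-key-" + r.encode()).digest() for r in PATH}
REQUEST = b"GET /inbox HTTP/1.1\r\nCookie: session=constructed\r\n\r\n"  # plain HTTP, no TLS

def demo():
    return run_circuit("client", PATH, KEYS, wrap(PATH, KEYS, "example.org:80", REQUEST))

if __name__ == "__main__":
    seen, delivered = demo()
    for relay, view in seen.items():
        print(relay, "sees", view["from"], "->", view["to"], "|", view["forwards"][:24])
```

The first relay knows the client but not the destination, while the last relay knows the destination and, because the sample request is plain HTTP, reads it in full.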
Lew Pitcher
2023-03-31 18:34:27 UTC
Hi, Henrik
Post by Henrik Carlqvist
This is directed to anyone having knowledge about the inner workings of
openvpn software: how difficult would it be to add an integer parameter
to the invocation of openvpn which would instruct the network of the
number of times to bounce packets around the network before going out
to the world?
This would allow any vpn server to act as tor.
I fear that this question comes from a confusion about how the term "VPN"
is used and misused.
[snip]
Post by Henrik Carlqvist
Would it be possible to make OpenVPN behave like tor? Yes, with
opensource software like OpenVPN anything is possible, but you would be
required to make major modifications of those "configuration" files named
*.c .
This was the best analysis I've read on the differences between proxy servers,
VPNs, and commercial "VPN Services".

Thanks for the great synopsis.
--
Lew Pitcher
"In Skills We Trust"
root
2023-04-01 03:45:37 UTC
Post by Henrik Carlqvist
A proxy server is a completely different thing. A proxy server allows you
to connect to it, telling it which server you really wanted to connect
to. The proxy server will then connect to the server you asked for and
there might be different reasons for using different kinds of proxy
servers.
Thanks for responding Henrik.

For the purpose of my question the difference between vpn and
proxy does not matter. Your description informs me that I
get the use of a proxy server for about $3/month, but it is
called NORD vpn.
Post by Henrik Carlqvist
OpenVPN is not intended to be something like tor, it is simply VPN
software in the true meaning of VPN, to encrypt network traffic between a
VPN server and one or more VPN clients.
I understand that the openvpn doesn't have what I want, but it does
take my traffic and send it, via the intermediary, to where I want.
If, instead, it were to route the traffic among other instances
of the proxy it would, like TOR, be more difficult to work backward
from the destination to me.
Post by Henrik Carlqvist
Would it be possible to make OpenVPN behave like tor? Yes, with
opensource software like OpenVPN anything is possible, but you would be
required to make major modifications of those "configuration" files named
*.c .
The configuration files I use all are .ovpn. I suppose you are not referring
to those.
Post by Henrik Carlqvist
regards Henrik
Henrik Carlqvist
2023-04-01 09:13:14 UTC
Post by root
For the purpose of my question the difference between vpn and proxy does
not matter. Your description informs me that I get the use of a proxy
server for about $3/month, but it is called NORD vpn.
Yes, that was my point and that is why the difference between a VPN and a
proxy server matters.
Post by Henrik Carlqvist
OpenVPN is not intended to be something like tor, it is simply VPN
software in the true meaning of VPN, to encrypt network traffic between
a VPN server and one or more VPN clients.
Post by root
I understand that the openvpn doesn't have what I want, but it does take
my traffic and send it, via the intermediary, to where I want.
For OpenVPN to be useful you will need to run OpenVPN at both ends. You
cannot solve any problem (VPN or proxy related) by only running OpenVPN
at your end.
Post by root
If, instead, it were to route the traffic among other instances of the
proxy it would, like TOR, be more difficult to work backward from the
destination to me.
If you want tor, use tor. You will be able to use tor because all the
nodes involved with tor are running tor.
Post by Henrik Carlqvist
Would it be possible to make OpenVPN behave like tor? Yes, with
opensource software like OpenVPN anything is possible, but you would be
required to make major modifications of those "configuration" files
named *.c .
Post by root
The configuration files I use all are .ovpn. I suppose you are not
referring to those.
No, I am not referring to those configuration files, I am referring to a
complete rewrite of the software.

But instead of adding tor functionality to OpenVPN you might be able to
use OpenVPN on top of tor. If an OpenVPN client is configured to connect
by a tor proxy on localhost the OpenVPN server will not be able to see
the IP address of the client. However, I don't see any point in doing so.
A VPN server usually doesn't allow any random client to connect to the VPN.
Usually some kind of credentials are used to connect to a VPN and those
credentials are used to identify the client regardless of IP address used
by the client.

regards Henrik
noel
2023-04-01 22:15:16 UTC
Post by Henrik Carlqvist
Another reason to use a proxy server might
be anonymity, the server that you connect to will not see your IP
address but instead some IP address that belongs to your proxy server.
close....

Many proxy servers send X-forwarded-for and will still see your IP, this
is however more typical configuration of ISP/ASP/Enterprise and even more
so on their web servers.

Granted the likes of TOR should *not* send that, but exit nodes have been
known to leak before and no doubt will again.

proxy or VPN (and for VPN I'd be looking at wireguard over anything
else), your anonymity is only as good as the VPN/proxy operator and its
technical staff.
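What a destination server can read from proxy-added headers, as an added example that is not part of the post above: a small Python check that extracts client addresses from `X-Forwarded-For`, `X-Real-IP` and the RFC 7239 `Forwarded` header. The function name is hypothetical and the header samples are constructed.

```python
import ipaddress
import re

# Headers a forwarding proxy may add that carry the original client address.
DISCLOSING = ("x-forwarded-for", "x-real-ip", "forwarded")

def disclosed_addresses(headers: dict) -> list:
    """Return the client IP addresses that proxy-added headers reveal to the destination."""
    found = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in DISCLOSING:
            continue
        if lname == "forwarded":
            # RFC 7239 syntax, e.g. for=192.0.2.60;proto=http, for="[2001:db8::1]:4711"
            candidates = re.findall(r'for="?\[?([^\]";,\s]+)', value, flags=re.I)
        else:
            candidates = [v.strip() for v in value.split(",")]
        for c in candidates:
            if c.count(":") == 1:  # IPv4 address with a port appended
                c = c.split(":")[0]
            try:
                found.append(str(ipaddress.ip_address(c)))
            except ValueError:
                pass  # obfuscated identifier such as "_hidden" or "unknown"
    return found

# Constructed samples: the same request as seen by the destination via two kinds of proxy.
FORWARDING = {"Host": "example.org", "Via": "1.1 proxy.example",
              "X-Forwarded-For": "203.0.113.7"}
ANONYMIZING = {"Host": "example.org"}

if __name__ == "__main__":
    print("forwarding proxy discloses:", disclosed_addresses(FORWARDING))
    print("anonymizing proxy discloses:", disclosed_addresses(ANONYMIZING))
```

Pointing a browser at an endpoint that echoes request headers and feeding the result to this function shows whether a given proxy passes the client address along.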
slash
2023-04-03 10:51:33 UTC
Post by root
This is directed to anyone having knowledge about the inner
workings of openvpn software: how difficult would it be
to add an integer parameter to the invocation of openvpn
which would instruct the network of the number of times
to bounce packets around the network before going out
to the world?
This would allow any vpn server to act as tor.
TIA
What exactly is your purpose?
Do you want to hide from your ISP the fact that you are connecting to a
Tor node? Or does your ISP prevent you from doing so?
--
/
root
2023-04-04 00:21:51 UTC
Post by slash
Post by root
This would allow any vpn server to act as tor.
TIA
What exactly is your purpose?
Do you want to hide from your ISP the fact that you are connecting to a
Tor node? Or does your ISP prevent you from doing so?
Thanks for responding. My post was prompted by an article I read in
the New York Times which talked about VPNs, but really meant Proxy
Servers. The article questioned how secure (meaning private) my
internet activity was with most VPNs. I will continue to use
VPN to mean these things with apology to Henrik.

The substance of the NYT article is that, say, a court order
could force a VPN to reveal what traffic goes through the
VPN to me. Regardless of whether such traffic is legal or
illegal, I don't want the "government" to have any knowledge
of the traffic. I have tried in the past to implement tor and
was put off by one thing or another. Finally when I managed to
get a browser (Brave I think) to work, the speed penalty was
horrible. Since my concept of what the Proxy is doing, is
to make my IP seem to be that of the Proxy and if that
isn't sufficient to prevent eavesdropping, I thought
that, like tor, if my traffic went through several proxies
in sequence it would be much more difficult to backtrace.
I imagined that by just a few hops the speed penalty would
be tolerable, but the "security" would be greatly increased.

BTW, when I first started using a "VPN" I chose Trust-Zone.
After some time I switched to PIA and saw a huge increase
in speed. Most recently I have been using NORD with an
even greater speed increase. The VPNs recommended by
NYT were several times the monthly cost of NORD.
slash
2023-04-04 20:59:11 UTC
Post by root
...a court order
could force a VPN to reveal what traffic goes through the
VPN to me.
That's why you need Tor. A court could order the exit node to reveal
your identity, but the node couldn't comply. You need to trust the vpn
operator. Even if it's run by holy monks, it still needs to comply with
its country's law. You don't need to trust the Tor nodes, because they
couldn't betray you if they wanted to. At worst, they can be shut down,
but you will still be safe. Obviously, if you don't do anything stupid.
https://support.torproject.org/
Post by root
I have tried in the past to implement tor and
was put off by one thing or another.
Try Tails. You boot from a usb key, and it's all set.
https://tails.boum.org/
--
/
Henrik Carlqvist
2023-04-05 05:37:06 UTC
Post by root
I have tried in the past to implement tor and was put off by one thing
or another. Finally when I managed to get a browser (Brave I think) to
work, the speed penalty was horrible.
Most browsers have some setting for a proxy server which you can alter to
make them use tor.

But yes, a solution like tor does affect the speed. "Speed" is about two
things, bandwidth and latency. With tor you will suffer from the
bandwidth of the slowest node that you happen to jump by and your latency
will increase with a factor that roughly equals the number of nodes that
you pass by.

regards Henrik
