
Tor->VPN in TAILS to bypass tor-blocking

This post will describe how to route outgoing traffic in a python script running on TAILS first through Tor, then through a SOCKS proxy created with an ssh tunnel. This is helpful when you want to use the anonymizing capabilities of tor, but you need to access a website that explicitly blocks tor exit nodes (common with sites running CloudFlare on default settings).

The Original Script

In my last post, I looked at writing a python script that passed all pycurl calls through tor without leaking DNS lookup calls. Before you can use the script below, you need to make sure you have pycurl >=v7.19.5.1. If you don't, see my previous post on how to install it in TAILS.

amnesia@amnesia: ~$ cat checkTor.py
#!/usr/bin/env python
import pycurl

curl = pycurl.Curl()
curl.setopt( pycurl.URL, 'https://check.torproject.org/' )
curl.setopt( pycurl.PROXY, '127.0.0.1' )
curl.setopt( pycurl.PROXYPORT, 9050 )
curl.setopt( pycurl.PROXYTYPE, pycurl.PROXYTYPE_SOCKS5_HOSTNAME )

curl.perform()
amnesia@amnesia: ~$ ./checkTor.py
<!doctype html>
...
Congratulations. This browser is configured to use Tor.
...

In the above script, we query check.torproject.org in python using pycurl. As we can see from the output, it confirms that we're using Tor. Our goal for this post is to pass Tor through an SSH tunnel SOCKS proxy so that (a) the proxy provider only sees our tor exit node (not us) and then the proxy passes the connection on to the destination (check.torproject.org), who (b) only sees the IP address of the SOCKS proxy (not us, nor a tor exit node). Thus, we'll achieve relative anonymity (see precautions at the end of this post), and the final endpoint won't know who we are or be able to detect that we're using tor.
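Why the script sets PROXYTYPE_SOCKS5_HOSTNAME rather than plain SOCKS5: with the former, libcurl hands the hostname to the proxy; with the latter, it resolves the name locally first and sends only an IP. The sketch below is an added example, not code from the original post. It builds and inspects the SOCKS5 CONNECT request (RFC 1928) for both cases; the function names are hypothetical and 192.0.2.10 is a constructed documentation address standing in for a locally resolved result.

```python
import ipaddress
import struct

VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def build_connect_request(host, port):
    """Build the SOCKS5 CONNECT request (RFC 1928, section 4) for host:port.

    A name is sent as-is (proxy resolves it); an IP literal is sent packed.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_connect_request(data):
    """Return (kind, destination, port); kind is 'hostname' or 'ip'."""
    if len(data) < 5 or data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_DOMAIN:
        n = body[0]
        kind, addr, rest = "hostname", body[1:1 + n].decode("ascii"), body[1 + n:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        kind, addr, rest = "ip", str(ipaddress.ip_address(body[:n])), body[n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return kind, addr, struct.unpack("!H", rest)[0]

def leaks_dns(url_host, request):
    """True if the URL held a name but the proxy was handed a resolved IP."""
    try:
        ipaddress.ip_address(url_host)
        return False  # URL already held an IP literal: nothing to resolve
    except ValueError:
        return parse_connect_request(request)[0] == "ip"

if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not a real lookup.
    for target in ("check.torproject.org", "192.0.2.10"):
        req = build_connect_request(target, 443)
        print(target, req.hex(), leaks_dns("check.torproject.org", req))
```

A request whose address type byte is 0x03 carries the name to the proxy; 0x01 or 0x04 for a URL that held a name means the lookup already happened on the local machine.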

SSH SOCKS proxy

First, let's initiate an ssh tunnel with a local SOCKS proxy on port 9350. Just replace <vpn-user> and <vpn-hostname> with the SSH user/hostname provided by your VPN/SSH service. Note: This command was tested to work on TAILS v1.4. For more information on how to torify ssh, see the TorifyHOWTO guide on the torproject wiki.

ssh -o "ProxyCommand connect-socks -S 127.0.0.1:9050 %h %p" -ND 127.0.0.1:9350 <vpn-user>@<vpn-hostname>

Once you've authenticated successfully, you're set. Don't worry if the window doesn't print anything; this is normal. Just leave this window open. If you want to verify that the SOCKS proxy is open, open another terminal and verify with netstat:

amnesia@amnesia:/$ netstat -ln | grep 9350
tcp        0      0 127.0.0.1:9350          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:9350                :::*                    LISTEN
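The netstat check can also confirm that the proxy is bound to loopback only, which matters because the SOCKS listener that ssh -D opens has no authentication of its own. This is an added example, not part of the original post: it parses `netstat -ln` output and reports any listener on the port that is not a loopback address. The function names are hypothetical, and the wildcard line in EXPOSED_OUTPUT is constructed to show the failing case.

```python
import ipaddress

# The two lines shown in the post for `netstat -ln | grep 9350`.
PAGE_OUTPUT = """\
tcp        0      0 127.0.0.1:9350          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:9350                :::*                    LISTEN
"""
# Constructed: the same output plus a wildcard bind, as a bad example.
EXPOSED_OUTPUT = PAGE_OUTPUT + (
    "tcp        0      0 0.0.0.0:9350            0.0.0.0:*               LISTEN\n"
)


def listeners(netstat_text, port):
    """Return the local addresses listening on TCP `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[-1] != "LISTEN":
            continue
        # Split on the last colon so IPv6 forms like "::1:9350" parse.
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            found.append(addr)
    return found


def exposed_listeners(netstat_text, port):
    """Return listener addresses on `port` that are not loopback-only."""
    exposed = []
    for addr in listeners(netstat_text, port):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # unparseable address: treat as exposed
        if not loopback:
            exposed.append(addr)
    return exposed


if __name__ == "__main__":
    print("page output exposed:", exposed_listeners(PAGE_OUTPUT, 9350))
    print("constructed output exposed:", exposed_listeners(EXPOSED_OUTPUT, 9350))
```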

iptables

Run the following command to permit traffic to flow out of the box on our new SOCKS proxy at port 9350.

iptables -I OUTPUT 1 -d 127.0.0.1/32 -p tcp -m tcp --dport 9350 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 1000 -j ACCEPT

The New script

Now update the script as seen below: point it at our new tor->SSH/SOCKS proxy on port 9350 (as opposed to just the tor SOCKS proxy), add the bit to drop our privileges to the 'amnesia' user (uid=1000) so that we meet the new iptables rule requirements, and give it a run as root.

amnesia@amnesia: ~$ cat checkTor.py
#!/usr/bin/env python
import pycurl, os

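# Drop to the 'amnesia' user (uid=1000) so that our traffic matches
# the --uid-owner 1000 condition in the iptables rule above
os.setuid( 1000 )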

curl = pycurl.Curl()
curl.setopt( pycurl.URL, 'https://check.torproject.org/' )
curl.setopt( pycurl.PROXY, '127.0.0.1' )
curl.setopt( pycurl.PROXYPORT, 9350 )
curl.setopt( pycurl.PROXYTYPE, pycurl.PROXYTYPE_SOCKS5_HOSTNAME )

curl.perform()
amnesia@amnesia: ~$ ./checkTor.py
<!doctype html>
...
      Sorry. You are not using Tor.
    
  </h1>
  <p>Your IP address appears to be:  <strong>WW.XX.YYY.ZZZ</strong></p>
...

Success! torproject.org doesn't see that we've gone through a tor exit node to hide our identity.

A quick verification of my SSH server's /var/log/secure log file shows that it saw an authentication from a tor exit node--not my real IP address. And a quick check of WW.XX.YYY.ZZZ as returned from check.torproject.org shows that it sees our SSH server's IP address, not our real IP address. Mission Accomplished!

Warnings

This section provides important warnings to the user who wants to use a Tor->VPN configuration while maintaining anonymity.

Reduced Anonymity

If you use this solution, please be aware that it can easily leave you with less anonymity than just using tor alone. For more information on these potential risks, please see what the Tor project and the TAILS team have to say about using Tor in combination with a VPN. Obviously, if you're accessing multiple different sites using the same internet-facing VPN IP Address, it's trivial to correlate all of your activity together. By default, tor changes circuits every 10 minutes and TAILS utilizes stream isolation to reduce correlation attacks when using different software and accessing different websites in TAILS. When all of your traffic appears to come from the same VPN IP, you lose all of these benefits from tor.

Torify

To "torify" an application is often not trivial. Many applications will ignore your proxy settings, leak valuable information outside the tor circuit, or publish private PII or uniquely-identifiable fingerprint information without your knowledge through tor. This is a complex topic, and I cannot possibly compile all of the catches here. Instead, check out this great TorifyHOWTO article on torproject's wiki for more information. In general, it's best to run your torified application in an environment that forces all traffic through tor, such as in TAILS or Whonix.

Isolating Proxy

This post describes using transparent proxy chaining with iptables, where the tor proxy is running on the same machine as the application using tor. Whenever possible, you can further reduce the risk of leaking valuable personal information to the clearnet by compartmentalizing the two components (tor and the application) onto two distinct machines. One example of such a leak is the linux kernel bug that sent FIN ACK or RST ACK packets on the clearnet, bypassing your transparent torification proxy and sending your real IP to the destination. For more information, see the IsolatingProxy documentation on the torproject.org wiki.

3 comments to Tor->VPN in TAILS to bypass tor-blocking

  • JoeDCC

    Thank you for this post, this helped me a lot.

    Isn't this method too vulnerable to a Man-in-the-middle attack after the Tor exit node?

    Would you recommend a particular vpn/ssh provider?

    Thanks

    • Michael Altfield

      @Joe If you expect privacy when sending your traffic through a proxy service that you don't own, always ensure that traffic is end-to-end encrypted.

  • Henry Boggins

    Brilliant scripting, thank you. Any thoughts on tails 2.0 connect the ssh?
