Advanced Privacy and Anonymity Using VMs, VPNs, Tor – Part 1

by mirimir (gpg key 0x17C2E43E)

Introduction

If you’re here, you may be using (or considering) a VPN service to provide online privacy and anonymity, and perhaps to circumvent Internet censorship. This series of guides goes far beyond that. It explains how to obtain vastly greater freedom, privacy and anonymity through compartmentalization (aka compartmentation) and isolation, by using multiple virtual machines (VMs) with Internet access through nested chains of VPNs and Tor.

These are advanced guides, and the full setup will require at least a few days of focused work. Before choosing which aspects to implement, it’s best to consider your threat model. Start by reading “An Introduction to Privacy & Anonymity” and “Applying Risk Management to Privacy”. What are you protecting? Who are you protecting it from? What might happen if you were compromised?

Note: I wrote this series in 2013, well over six years ago. Although I’ve updated stuff a few times since, it’s been a while. I’ll be doing a total rewrite soon, but that will take some time. So for now, I just have a few comments. First, pfSense has changed considerably since my last update. The basic approach still works, and I still use it. But much of Part 6 needs to be revised. Second, privacy in meatspace is basically dead, given increasingly pervasive surveillance. So there’s a lot in Part 7 to be revised. Using giftcards, mailing cash, etc. are far more risky. Also, Electrum is now the best Bitcoin wallet in Linux. And I have updated recommendations for Bitcoin mixers.

The key threats, and corresponding defenses, are:

| Threat | Defense |
| --- | --- |
| Tracking and profiling | Compartmentalize and isolate activity using multiple pseudonyms, workspace VMs, VPN services and Tor. Block WebGL to prevent VM graphics fingerprinting. Diversify VMs, choosing OS with different video drivers. |
| Leaks and exploits that circumvent VPNs or Tor | Compartmentalize and isolate workspace and networking in separate VMs. |
| VPN compromise via traffic analysis or provider collusion | Compartmentalize Internet access and distribute trust using nested chains of VPNs and Tor. |
| Heightened surveillance of Tor users | Connect to Tor network through VPN(s). |
| Heightened surveillance of VPN users | Connect to VPN server(s) via secure, private proxies (not yet included in these guides). |
| Unauthorized local access | Use full disk encryption (FDE) on host machines (and VMs). |
| Forensic detection of encrypted data | Use hidden Truecrypt volumes for plausible deniability (not included in these guides). |

For example, if you just want to circumvent Internet censorship and data retention by your ISP, you don’t need more than a good VPN service (unless consequences of getting caught are serious). If you just want to circumvent commercial tracking and behavioral marketing, you don’t need the full setup described here. However, if you want better privacy and anonymity than browser extensions can provide, you might consider a basic setup (covered in Part 2) to compartmentalize your activities using VMs and VPN services.

Conversely, if you’re a political dissident who might suffer serious consequences if compromised, using the full setup (covered in Parts 3-8) would be prudent. The approaches described there would probably protect against non-targeted surveillance by national-scale government agencies. Against such agencies with limited resources, they might even protect against targeted surveillance.

Although it appears that global-scale intelligence agencies intercept virtually all Internet traffic, the approaches described here might protect against routine non-targeted surveillance, given the need to correlate traffic through multiple VPN tunnels and Tor. While there’s no way to be sure of that, it’s clear that nothing less would suffice.

However, it’s unlikely that even the full setup described here would protect against directed surveillance by global-scale intelligence agencies. That would require far more resources and expertise than most nations (let alone individuals) possess.

Using Tor

As I write this, the Tor network is under extreme stress. Since August 20, the number of Tor clients has increased from about 0.5 million to over 4.0 million. Based on reports from Fox-IT and TrendLabs, it appears that the approximately 3.5 million new Tor clients are part of a Mevade botnet. So far, these Mevade bots are not sending much traffic, and are stressing Tor primarily by querying its directory servers. See this Tor Project blog post for more.

At this point, this has probably not reduced the level of anonymity that Tor can provide. It’s just made Tor slower and less reliable. However, if more than a few thousand of these bots were to become relays, there would be cause for concern, because they could collude to deanonymize other Tor users. A recent paper by Tor researchers, Johnson et al. (2013), “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries”, analyzes the network’s vulnerability to potential adversaries. I recommend periodically checking the Tor Project blog for status updates, and also checking Tor client and relay counts.

Summary

Acknowledgement

These guides reflect my participation at Wilders Security Forums for the past few years. I acknowledge the administrators and moderators for the venue, and for their care and guidance. But mostly I acknowledge the Wilders’ user community (especially fellow privacy lovers) for great answers, tough questions, and lively discussions.

I also acknowledge IVPN for invaluable support and encouragement.

Finally, I acknowledge the global open source community, without which none of this would have been possible.