Advanced Privacy and Anonymity Using VMs, VPNs, Tor – Part 1
If you’re here, you may be using (or considering) a VPN service to provide online privacy and anonymity, and perhaps to circumvent Internet censorship. This series of guides goes far beyond that. It explains how to obtain vastly greater freedom, privacy and anonymity through compartmentalization (aka compartmentation) and isolation, by using multiple virtual machines (VMs) with Internet access through nested chains of VPNs and Tor.
These are advanced guides, and the full setup will require at least a few days of focused work. Before choosing which aspects to implement, it’s best to consider your threat model. Start by reading An Introduction to Privacy & Anonymity and Applying Risk Management to Privacy. What are you protecting? Who are you protecting it from? What might happen if you were compromised?
Note: I wrote this series in 2013, well over six years ago. Although I’ve updated stuff a few times since, it’s been a while. I’ll be doing a total rewrite soon, but that will take some time.
So for now, I just have a few comments. First, pfSense has changed considerably since my last update. The basic approach still works, and I still use it. But much of Part 6 needs to be revised. Second, privacy in meatspace is basically dead, given increasingly pervasive surveillance. So there’s a lot in Part 7 to be revised. Using gift cards, mailing cash, etc. are far more risky. Also, Electrum is now the best Bitcoin wallet in Linux. And I have updated recommendations for Bitcoin mixers.
The key threats, and corresponding defenses, are:
| Threat | Defense |
|---|---|
| Tracking and profiling | Compartmentalize and isolate activity using multiple pseudonyms, workspace VMs, VPN services and Tor. Block WebGL to prevent VM graphics fingerprinting. Diversify VMs, choosing OS with different video drivers. |
| Leaks and exploits that circumvent VPNs or Tor | Compartmentalize and isolate workspace and networking in separate VMs. |
| VPN compromise via traffic analysis or provider collusion | Compartmentalize Internet access and distribute trust using nested chains of VPNs and Tor. |
| Heightened surveillance of Tor users | Connect to Tor network through VPN(s). |
| Heightened surveillance of VPN users | Connect to VPN server(s) via secure, private proxies (not yet included in these guides). |
| Unauthorized local access | Use full disk encryption (FDE) on host machines (and VMs). |
| Forensic detection of encrypted data | Use hidden TrueCrypt volumes for plausible deniability (not included in these guides). |
For example, if you just want to circumvent Internet censorship and data retention by your ISP, you don’t need more than a good VPN service (unless consequences of getting caught are serious). If you just want to circumvent commercial tracking and behavioral marketing, you don’t need the full setup described here. However, if you want better privacy and anonymity than browser extensions can provide, you might consider a basic setup (covered in Part 2) to compartmentalize your activities using VMs and VPN services.
Conversely, if you’re a political dissident who might suffer serious consequences if compromised, using the full setup (covered in Parts 3-8) would be prudent. The approaches described there would probably protect against non-targeted surveillance by national-scale government agencies. Where such agencies have limited resources, these approaches might even protect against targeted surveillance.
Although it appears that global-scale intelligence agencies intercept virtually all Internet traffic, the approaches described here might protect against routine non-targeted surveillance, given the need to correlate traffic through multiple VPN tunnels and Tor. While there’s no way to be sure of that, it’s clear that nothing less would suffice.
However, it’s unlikely that even the full setup described here would protect against directed surveillance by global-scale intelligence agencies. That would require far more resources and expertise than most nations (let alone individuals) possess.
As I write this, the Tor network is under extreme stress. Since August 20, the number of Tor clients has increased from about 0.5 million to over 4.0 million. Based on reports from Fox-IT and TrendLabs, it appears that the approximately 3.5 million new Tor clients are part of a Mevade botnet. So far, these Mevade bots are not sending much traffic, and are stressing Tor primarily by querying its directory servers. See this Tor Project blog post for more.
At this point, this has probably not reduced the level of anonymity that Tor can provide. It’s just made Tor slower and less reliable. However, if more than a few thousand of these bots were to become relays, there would be cause for concern, because they could collude to deanonymize other Tor users. A recent paper by Tor researchers, Johnson et al. (2013), “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries”, analyzes the network’s vulnerability to potential adversaries. I recommend periodically checking the Tor Project blog for status updates, and also checking Tor client and relay counts.
| Guide | Summary |
|---|---|
| Part 2 - Basic Setup Using VMs, VPNs and Tor | This guide covers a basic setup to protect online privacy and anonymity. There are multiple workspace VMs to compartmentalize and isolate activity. Each VM has its own Internet connectivity, and firewall rules to prevent leaks. It uses simple nested chains of VPNs and Tor to mitigate risks of tracking and profiling, and to distribute trust among multiple providers. But it does not isolate workspace and networking in separate VMs, so it does not protect against exploits that circumvent VPNs, Tor and/or firewall rules. Using diverse OS for workspace VMs, with different video drivers, is crucial to prevent association through WebGL fingerprinting. |
| Part 3 - Planning Advanced VM and VPN Setup | This guide presents relevant considerations for planning an advanced setup to protect online privacy and anonymity. As in the basic setup, there are multiple workspace VMs to compartmentalize and isolate activity, and each VM has its own Internet connectivity. The nested chains of VPNs and Tor are more complex, to better mitigate risks of tracking and profiling, and to distribute trust among more providers. The setup isolates workspace and networking in separate VMs to defeat exploits that circumvent VPNs, Tor and/or firewall rules. |
| Part 4 - Setting Up Secure Host Machines | This guide explains how to set up Linux host machines for securely running numerous VMs. Linux distributions are open-source and free, so there's less risk of backdoors, and no money trail to one's true name. With clean installations, there's little (if any) risk from prior compromise. RAID arrays provide faster disk I/O, greater capacity and better reliability. Using full disk encryption (FDE) prevents forensic analysis, unless the host is accessed while in use. |
| Part 5 - Installing VirtualBox and Creating Linux VMs | This guide covers installing VirtualBox, and creating Linux workstation VMs and read-only LiveCD VMs. Using diverse OS for workspace VMs, with different video drivers, is crucial to prevent association through WebGL fingerprinting. |
| Part 6 - Creating pfSense VMs as VPN Clients | This guide covers creating pfSense router/firewall VMs, and configuring them as secure VPN clients, with routing and firewall rules to prevent leaks. It also explains how to test for leaks using Wireshark. |
| Part 7 - Paying Anonymously with Cash and Bitcoins | This guide explains how to anonymously buy VPN services using cash by mail and anonymized Bitcoins. It also covers how to buy Bitcoins, and how to anonymize them using Multibit clients and mixing services, with all connections via Tor. |
| Part 8 - Creating Nested Chains of VPNs and Tor | This tutorial explains how to create arbitrarily complex nested chains of VPNs and Tor through virtual networking, with pfSense VPN-client VMs and Tor-client VMs. |
These guides reflect my participation at Wilders Security Forums for the past few years. I acknowledge the administrators and moderators for the venue, and for their care and guidance. But mostly I acknowledge the Wilders’ user community (especially fellow privacy lovers) for great answers, tough questions, and lively discussions.
I also acknowledge IVPN for invaluable support and encouragement.
Finally, I acknowledge the global open source community, without which none of this would have been possible.