5

At the moment there are a number of online services (Hide my ass or PIA) that offer some type of security through an VPN connection. This of course can work, but the big problem (for me at least) would be that no matter what if they want to look at the data they can.

There are a couple of threads on the internet with people trying to make a VPN connection through a proxy server. I tried to find some more information on the internet on how exactly an proxy server works (like what it does to the packets exactly, not what it does in genaral, which is clear to me), but if I understand it correctly it looks at the packet headers and replaces the ip address for its own and forwards them (of course, there is more, but just the basics).

If you would make a VPN connection through an proxy server would be the ultimate option. The VPN endpoint is seeing the data, BUT it can only see where it comes from, the proxy server. The proxy server on the other hand can see the real ip address, but can't see the actual data.

What I would like to know is if the above concept is really true or am I missing something (or completely forgetting something)? Could this work? Any deep inside on what an proxy server exactly does with the packages is really helpful.

P.S. I am NOT asking for any companies which could offer this type of server, I only want to know the concepts and try to catch the whole thing.

UPDATE:

With "secure" I mean anonymity. So currently when connecting to an VPN services they can see your IP address and can see your data. I want to tackle that and make them see some sort of "placeholder" or proxy, which was something I thought that could work

dudebrobro
  • 673
  • 3
  • 7
  • 2
    "I mean anonymity", please understand one thing... there is no such thing as anonymity on the internet. TOR-like services are the nearest you'll get, but even then, you have to use those services with such an extravagant level of paranoia for them to be even half effective that most mere mortal humans end up being caught out because, well, they have the average human faults (which become more apparent when worried about being tracked !) – Little Code Jun 13 '16 at 13:44

2 Answers2

2

Proxy vs. VPN

If you would make a VPN connection through an proxy server would be the ultimate option.

Not necessarily.

The VPN endpoint is seeing the data, BUT it can only see where it comes from, the proxy server. The proxy server on the other hand can see the real ip address, but can't see the actual data.

Did you know that VPN servers are essentially proxy servers, but with encryption? :-) Proxy servers in general don't encrypt their traffic to/fro, so this is not a good idea at all. It shows you connecting to the proxy, the data you're sending to the proxy in real time, the data that's being sent to the VPN. That means you're completely unsecured.

Tracking you is still possible either way

And even if your proxy encrypted the information to/fro, there are a lot of ways to track you, even if you're hidden behind a dozen VPNs and proxies! :-o

There's too much information leakage on the main operating system, and this goes for Windows, Linux, etc. You really need to do something such as:

  1. VPN such as Private Internet Access which is set to kill your main connection on failed connection.
  2. Virtual Machine which has it's own VPN/proxy, and which isn't Windows.
  3. Completely change your browsing habits.

And you have to be really careful. It simply isn't worth the effort unless you're a criminal scum, or a paranoid schizophrenic who thinks they are onto you for some unknown reason that makes zero sense. And even then, you can't really 100% hide anyway.

Community
  • 1
Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
  • It doesn't matter if the proxy server encrypts its traffic or not. Take the scenario `User ⇾ Socks Proxy ⇾ VPN ⇾ Internet`, here the proxy will see nothing but encrypted traffic going to the VPN. [See here](http://askubuntu.com/a/339090/253733) for an example with OpenVPN. – SilverlightFox Feb 15 '16 at 10:55
  • 2
    @SilverlightFox Encryption doesn't protect against meta data/connection state, which is what I'm going on about here. Connection details will still lead back to you in time. – Mark Buffalo Feb 15 '16 at 12:08
  • How do you mean? Which data are you saying is available in the clear to the proxy? – SilverlightFox Feb 15 '16 at 12:10
  • No, when you connect to an IP address, your connection to that address is logged at a specific time. Even if the VPN provider doesn't log these connections, it's logged between *every single hop* in and out of that VPN address. When your VPN connects to an IP address, *you* are connected to the VPN around that time, and you're sending data to the VPN. With Metadata, you can unravel someone behind over a dozen proxies in a very short time. The connection pattern will reveal itself. – Mark Buffalo Feb 15 '16 at 12:15
  • Also, your data going *to* the proxy is unencrypted, so that makes it even easier to tell what you're doing, even if the proxy encrypts to/fro the VPN. – Mark Buffalo Feb 15 '16 at 12:43
  • That's my point. It _is_ encrypted in my SOCKS proxy scenario above - it is a tunnel between the user machine and the VPN, passing via the proxy. – SilverlightFox Feb 15 '16 at 12:45
  • And metadata will still get you, and help those with the appropriate technology unmask your entire chain. There are so many ways to narrow it down. – Mark Buffalo Feb 15 '16 at 12:48
  • 1
    @SilverlightFox Before your traffic can pass through to the VPN or any proxy servers, it must pass through your modem and then to your ISP servers which then direct you via DNS to the VPN servers, and then from the VPN servers to your target ip address or web server. The largest tracking machine is your own ISP. As well as the ISP of public hotspots. The metadata that Mark is describing will eventually lead to you no matter what unless you use a different machine, different web connection, different network card/interface, different OS, etc, each time you connect to the web. – Yokai Aug 12 '16 at 09:09
  • 1
    The packet contents, itself, may be hidden from prying eyes. But that doesn't matter in the least when metadata can pinpoint to you very easily in as little as 6 months time monitoring. Much less time than that if your ISP is instructed to monitor connections from your assigned modem. – Yokai Aug 12 '16 at 09:10
  • @Yokai Thanks for the response. This has been a hard concept to convey for me, but I think I explained it better [here](http://security.stackexchange.com/a/121738/87119). Now with more makeshift flowcharts! :-P – Mark Buffalo Aug 12 '16 at 15:05
-3

The approach I have found to be most effective is to leverage the animosity of one country against another. I.e. Pakistan hates India, China hates Taiwan, Israel hates Iraq, etc... you bounce from a proxy in one country and then to another, and THEN fire up a VPN through that proxy chain, and you'll find that the political paperwork required to extradite anyone through such a connection is ridiculous, if not utterly impossible.

You have to use a proxy chain, and a VPN that is SOCKS5 aware... if you do that, you're golden.

C.J. Steele
  • 415
  • 2
  • 5
  • Proxies are unencrypted generally, so that part is not a good idea. An encrypted VPN is okay, but still... the NSA is apparently able to tap into *all* hops worldwide, so you still cant hide in that context *unless* you're in one of those countries. – Mark Buffalo Feb 14 '16 at 13:30
  • 1
    @C.J.Steele "The approach I have found to be most effective is..." Tell you what CJ, why don't you come back and tell us how that plan worked out for you once you are wanted by a nation state for some crime serious enough to make them want to track you down and bring you to justice. ;-) – Little Code Jun 13 '16 at 13:38
  • 1
    To add to Mark's comment, proxies are only used to spoof your ip address. Nothing is done to your traffic/packets whatsoever. A VPN may encrypt traffic inside a tunnelling protocol but that is a single wrapper that can be peeled off by the VPN hosting company. Most VPNs do not permit any illegal activity whether national or international. So logs are kept for this reason. And then SOCKS5.. Tor users are easily identified based on entry and exit tor nodes. There are MANY, MANY foxacid tor relay nodes and many of them are exit nodes. From exit node to target address, there is no tor encryption.. – Yokai Aug 12 '16 at 09:15