1

How should I configure a VPN in order to access blocked websites and to hide my identity?

Usually I use SSH tunneling to protect my privacy and to escape censorship. I know nothing else about VPNs but I would like to know how to use it correctly.

(I'm on Mac OS X)

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Chiron
  • 121
  • 6
  • I have edited the question to make it a little clearer - please let me know if I have changed your meaning. – Rory Alsop Nov 25 '11 at 08:41

3 Answers3

5

I'm afraid your question is rather vague, but I'll provide some quick answers for various possible interpretations :

You should try out the Tor Browser Bundle because Tor has grown incredibly user friendly under Mac OS X and usually offers better 'privacy' than VPNs, especially now that Aurora uses HTTPS Everywhere by default. There are always bandwidth considerations with Tor that might make it unsuitable. You cannot realistically use bittorrent over Tor in particular, but you indicated web browsing.

If you aren't concerned about privacy, but reside in a country that blocks some website, then you could probably bypass their blocking by using a DNS provider outside you country. I used this for bypassing Turkey's youtube ban in 2009 for example.

If you are only visiting such a country, your employer or university abroad might offer a free VPN service which could be used to bypass their filtering, even if they go beyond DNS filtering. You'd enjoy some privacy from the local authorities by doing this, but not from your employer or university.

If you are a resident of a country who's filtering goes beyond DNS, there are various public service VPNs offered by humanitarian organizations like Telecomix (starting point). There are also various commercial VPN providers if you aren't eligible for humanitarian ones (previously).

There is a delicate question about exactly when any VPN solutions offer enough privacy, but again HTTPS Everywhere improves that situation significantly. In fact, you should also check if HTTPS Everywhere solves your problem completely all by itself.

Jeff Burdges
  • 837
  • 5
  • 9
  • 3
    As for privacy, it depends on 1. whether the VPN keeps any kind of logs (including just a permanent encryption key) and 2. whether whoever you are actually trying to protect you privacy from can get the VPN to handle such logs and other personally identifiable information. – ewanm89 Nov 25 '11 at 01:25
  • 4
    One also has to be careful of data leakage, aka an application sending GPS coordinates, cause you may be using an anonymous IP address but we know those coordinates (think location in data embedded in a photograph). – ewanm89 Nov 25 '11 at 01:27
  • Agreed, I've edited the comment to reflect privacy considerations, more firmly recommend Tor, and suggesting HTTPS Everywhere over VPN. We should mention that HideMyAss VPN ratted out LulzSec in particular. – Jeff Burdges Nov 25 '11 at 02:25
4

VPN means Virtual Private Network. It is a very generic name which covers any kind of technology aiming at emulating the security benefits of having "your own wires" while doing it over the wires which are already there.

A VPN can help for privacy issues only in a specific context: namely, whoever wants to spy on you controls a specific part of "the Internet" through which your packets must go; e.g. the envisioned enemy is the government of the country in which you live, and you assume that this government has complete control of the national telecommunications infrastructure. To thwart them, you establish a VPN between your home machine and an external system (outside of the reach of your enemy) to which you forward all your communications. The attacker will be able to know that you have some network activity with the World at large; he may even have a relatively precise notion of how much data you exchange. But he will not be able to discover what data you send and to whom (ultimately -- you send everything to the external system, which then forwards it to the intended recipient).

There are various technologies to implement such a VPN, and SSH tunneling is one of them. Therefore, you already have a VPN !

In such a setup, the external system is "trusted". This is the technical term which means that it is in the ideal position to backstab you. To avoid the potential problem of having a single trustee, you can cascade them:

  • You encrypt data and send it to External System 1.
  • ES1 decrypts the data, and discovers that the data is itself encrypted with another key, and is advertised destination is External System 2. ES1 forwards the data to ES2.
  • ES2 decrypts the data, and obtains the actual plaintext data and destination.

So that's double-encryption (the plaintext and intended final destination -- the Web site you want to browse -- are first encrypted with ES2's public keys, and the result, along with ES2's name, is encrypted again with ES1's public key). This can be viewed as two VPN, one nested within the other. Your privacy is secure as long as either ES1 or ES2 remains honest; both would have to betray you in order to uncover your Web traffic.

Tor is a tool designed to do this double-VPN trick -- actually, with possibly more than two nested VPN, and with automatic randomization of the external systems to use. It is a good match with your expressed requirements (as I understand them).

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • The problem is that the big brother has blocked the port 22, so I'm not able to SSH tunneling any more. – Chiron Nov 25 '11 at 16:41
  • 2
    SSH can be run over any port, provided that both client and server agree. See the `Port` option in `sshd_config` (on the server), and the `-p` command-line flag on the client. – Tom Leek Nov 25 '11 at 18:33
1

There are good directions available for configuring ssh's ProxyCommand option to use corkscrew, proxytunnel or prtunnel.

Jeff Burdges
  • 837
  • 5
  • 9