A tutorial for manually "chaining" desktop VPNs

Postby Pattern_Juggled » Fri Jan 11, 2013 1:57 pm

How to Chain VPNs for Complete Anonymity


Big name individual hackers and hacker groups everywhere in the news are getting caught and thrown in jail. Every time I see something like this happen, I won’t lie, I get a little sad. Then I wonder, how are these guys getting caught? If a group like LulzSec, with all the fame and “1337-ness” can get caught, I think my hacker comrades are doing something wrong.

When members of LulzSec started getting captured, it was because proxy and VPN services complied with federal requests and handed over the private information of their users. I think this is wrong for a number of reasons—foremost, people should be able to have their own privacy respected. Today’s Null Byte will be demonstrating one of the methods around this: Chaining VPNs.

A VPN allows you to connect to a remote network, and over all ports, encrypt and forward your traffic. This also changes your IP address. Chaining VPNs is a tricky task, though there is a simple and uncommon method I know of. Using multiple VPNs together has the huge perk of being completely anonymous.


How Does Chaining VPNs Work?

First, a person would connect to the VPN. Then, when connected to the first VPN, you chain to the second, and since a bunch of people share the same IP, the second VPN has no way of knowing who tunnelled to it. An even better scenario is where you use an eastern VPN as your first, because our country has no jurisdiction to retrieve the logs from them, thus increasing your security.

However, to chain VPNs, the second VPN would need to know how the first VPN’s traffic was encrypted. This flaw makes it impossible to chain them in this method, unless you own both VPNs (not very likely).

So, how can we chain VPNs then? I’ll show you how by using a virtual machine!


Requirements

    Windows, Mac or Linux OS
    Admin/root privileges
    OpenVPN
    VirtualBox
    2 VPNs (there are tons of free ones that you can find with a Google search)



Step 1 Install OpenVPN & a VirtualBox Computer

First, we need to install the VPN client for Linux users. Windows users can download the program here and here, and run the installer normally. Mac users can use this GUI for OpenVPN for Mac.

  1. Change to the Downloads directory.
  2. Configure the installation.

    ./configure

  3. Compile and install.

    make && sudo make install

  4. Now we need to install VirtualBox. This will allow us to have a virtual operating system running from within our computer. Download VirtualBox: Windows, Mac, Linux.
  5. Install a virtual machine of your choice for Windows or Linux and Mac, then install OpenVPN to it.


Step 2 Chain the VPNs

Start up your virtual machine, and configure them both.

  1. For Windows users using the default VPN client, use this guide to connect to a VPN. Linux and Mac users, go here.
  2. Connect to VPN A with your host OS.
  3. Start up your virtual machine of choice, and connect to VPN B with it.
  4. Operate from within your virtual machine, and you will be safe from prying eyes. If you need to delete the virtual machine, make sure you securely delete it, and your information will be safe.


Source: Cyberguerilla.org
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉


Re: A tutorial for manually "chaining" desktop VPNs

Postby marzametal » Tue Aug 13, 2013 12:32 pm

I am interested in giving this a shot. I am just waiting for my payment for CC to clear before I can use CC as my VPN #1. I am currently looking at which VPN providers really take anonymity seriously to figure out which will be my VPN #2.

I have some questions...
1) Which VPN do I connect to first? (eg: CC VPN to the VPN I choose from the list, or vice-versa)
2) Is it possible to connect to a CC VPN twice? (eg: purchasing two accounts)
3) Do any users here prefer a specific VPN that is in the top part of that website list, and if so, why?

Thanks in advance for any feedback!

EDIT: I have been reading the following thread - Manually preventing VPN DNS leakage in Windows, and would like to ask another question in relation to using a VPN within a VPN...
4) Will the "dnsfixsetup.exe" program run the 3 scripts for each connected VPN?
I might be misunderstanding this aspect. Start up PC. Connect to VPN 1. The scripts will be run. Load VM and connect to VPN 2. The scripts will run again? Maybe the scripts won't do anything when the 2nd VPN connects since everything has been set up when the 1st VPN connected...

Once again, thanks in advance for any feedback!


chaining, encapsulating, wrapping, multi-hop, Leakblock, etc

Postby Pattern_Juggled » Tue Aug 13, 2013 7:30 pm

marzametal wrote:I am interested in giving this a shot. I am just waiting for my payment for CC to clear before I can use CC as my VPN #1. I am currently looking at which VPN providers really take anonymity seriously to figure out which will be my VPN #2.


That list is interesting. Here's the backstory, short version:

Years ago, the idea of doing a "no log" VPN service was heretical. When Cryptocloud was founded in early 2008, the founders decided to take a very public "no logging" stance. Nobody had done that previously, in the VPN market or as far as we know anywhere else in the network world. We took a great deal of heat for that (using the "we" here because Baneki was one of the founding members of the Cryptocloud project, and it fell specifically onto our team's shoulders to draft the first Terms of Service from scratch).

Since then, "no logging" has become an empty marketing buzzword. There's dozens of VPN companies out there spouting off about "no logging," but if you look in their Terms of Service they specifically state that they retain information and turn it over to LEO if requested - no subpoena required, nothing official, just a friendly "request" and these "no logging" VPN companies are dropping the dime on paying customers.

We're aware of one high-profile VPN company, who regularly gets on those "no logging" lists by spouting all the right words, but in a private conversation with a colleague stated flat-out that they log... and that they regularly turn over information to the FBI, secretly, upon request. Including logs. And, yes, including initiating realtime surveillance - #snitchware - on targets, if requested. No subpoena needed, no notification to the customer. No refund, either: they charge their customers money even as they're betraying them!

Anyhow, take those "no logging" marketing blurbs with a healthy handful of salt. It's very, very easy to copy and paste "no logging!!!!" into your website's html but much harder to actually turn off logging in all systems, across a network, without error, and keep it turned off. Harder yet to resist pressure from LEO to "accidentally" turn logging back on, if requested, secretly.

Basically, you can tell the VPN companies that are "serious about privacy" because they're the ones that get targeted for extra-legal harassment by the U.S. Feds. Conversely, if a so-called privacy company has avoided involvement in any sort of public controversy, press smears against them, or outright conflict with law enforcement at some level or another... then there's a piece of the story that's not being told. Sorry, that's the way it works in the real world.

You look at lists like that, and ask yourself this: which of those companies would commit "Privacy Seppuku" rather than betray their customers? Which has made any such commitment, publicly? None of them, sadly. They spout great words about how much "privacy" matters to them... but read their Terms of Service, ffs! They say it right there, in black and white: we'll stab you in the back, dear customer, at the merest whiff of inconvenience to ourselves. And don't buy that "oh it's just legalese" crap - nobody writes that stuff into their website if they don't intend to use it to justify their customer betrayals in the future: "well, our Terms of Service say quite clearly that..."

Ahem. Apologies for the rant. We've just seen those lists turn into empty hype. The real privacy companies, the ones out on the front lines confronting the surveillance monstrosity on the battlefield, are often too damned busy to fuss around with TorrentFreak's beauty contests. It's a question of priorities. Ever wonder why Hide My Ass has so effectively Googlebombed the results for "VPN" via Pagerank? Hint: it's not because they're investing their time and effort in building exceptional security technologies. We'd hire them for dirty SEO, sure - they kick ass at that. Protecting customers? Ahaha, that's dark satire, surely...

1) Which VPN do I connect to first? (eg: CC VPN to the VPN I choose from the list, or vice-versa)
2) Is it possible to connect to a CC VPN twice? (eg: purchasing two accounts)


Topologically, using 2 accounts from the same provider (assuming at least one is paid for anonymously) works just as well as having separate providers. Yes, yes... there's a theoretical timing-based traffic analysis attack that a "rogue" VPN company could do in such a case, imputing via an incredibly tedious, manual procedure that those two VPN sessions are linked temporally... but not only has such an attack never happened, it's also far-fetched in terms of a host of practical considerations (if servers desynch time, even by a few hundred ms, then this timing attack becomes exponentially more complex until it's essentially an NP Complete task to solve with high confidence).

Years ago, our crew played around with "VPN over VPN" setups, as part of testing Sun's crypto acceleration hardware cards. It actually works, which is scary: if you know the tech fairly well, envision the amount of packet shuffling and crypto overhead that's taking place in a TCP-over-TCP wrapped session. <shivers> ...and then think of the error-checking, and the session-level stuff like packet ordering. Drop a packet and it's amazing the whole universe doesn't collapse in on itself. But it doesn't - it works.

That's what this stuff is, really: VPN over VPN. Wrap one VPN service inside another VPN service, so that the tunnelled sessions embody a holarchic relationship with each other. That's distinct from "chaining" which is a serial configuration - and is, unfortunately, associated with a number of snake-oil hucksters in the "VPN industry" who have pimped it for years as a solution to nonexistent problems... or just as outright honeypots for carders. So, fair warning there...

EDIT: I have been reading the following thread - Manually preventing VPN DNS leakage in Windows, and would like to ask another question in relation to using a VPN within a VPN...
4) Will the "dnsfixsetup.exe" program run the 3 scripts for each connected VPN?
I might be misunderstanding this aspect. Start up PC. Connect to VPN 1. The scripts will be run. Load VM and connect to VPN 2. The scripts will run again? Maybe the scripts won't do anything when the 2nd VPN connects since everything has been set up when the 1st VPN connected...


All those tutorials for manually fiddling with Windows routing entries and/or metrics are, in my quite humble opinion, trouble on the hoof: they're complex enough to require fairly heavy networking expertise to do right, without error (at least CCNA level, basically) - and even so errors could happen and "fail open" with no way to be warned they're taking place.

Mostly, those "guides" have been collected here as a foundation on which the Leakblock project is based. Basically, all the existing "solutions" for preventing Windows leaks are dodgy, or complex, or incomplete... or all three. There's no good solution right now - but Leakblock addresses the issue in a way I think is structurally ideal.

Objects in mirror may appear larger than they are; your mileage may vary, etc.

Cheers,

Re: A tutorial for manually "chaining" desktop VPNs

Postby marzametal » Wed Aug 14, 2013 12:19 pm

Hi Pt_jD...

Thanks for the reply.

Also, thanks for the "rant" and all additional feedback. You may consider it to be a rant, but to someone like myself, who sorta' knew that wherever I go electronically is being monitored but didn't really give it much thought till recently... it's quite some nice advice to be provided with. After I read some posts on the CC forum, and then coming across that VPN list, a small corner in my mind was telling me it was all bollocks... say one thing but do another sorta' thing. It could also be compared to malware and virus protection; all those companies claiming they provide high 90%'s and even 100% protection but falling on their lying swords when 0-day or 0-hour evil arrives at their front door.

You certainly have given me much to think about, from the VPN over VPN layout, to the Micro$oft Windows DNS leaks (and the lack of knowing my IP and packet information is being leaked till it is too late).

Wrap one VPN service inside another VPN service, so that the tunnelled sessions embody a holarchic relationship with each other.

I know I am jumping the gun here. I am yet to even receive my first CC VPN, and here I am contemplating running another CC VPN within the first one! Having said that, my curiosity is still peaking. Running a VPN within a VPN - how would Port Forwarding (PF) and P2P applications be affected? From what I have read on this forum and seen in the Client Area, a VPN is assigned a PF port and that is entered into each P2P application. I am not sure if it also has to be entered into the Router. Now, if the internal VPN is being used for all online stuff, and the external VPN is acting as a "shell", how would the corresponding PF ports link up? Orrrrrr do they even need to, since the external VPN is not being used on-the-fly by the user, but the internal VPN is? Hmmmm, I think if I try to explain this scenario further I will give the both of us a Bill Gates BSOD. I hope the above makes some sense.

There's no good solution right now - but Leakblock addresses the issue in a way I think is structurally ideal.

Eventually, when I get my CC VPN up and running, I would like to put my hand up to help with the alpha-testing of Leakblock. I know I am not as knowledgeable as the other testers when it comes to networking and traffic etc... but I would rather spend time online participating in a cause that means something to me, rather than wasting whatever IQ I have on "crap".

Thanks for taking the time to read and hopefully reply, Pt_jD!


Re: A tutorial for manually "chaining" desktop VPNs

Postby Guest » Sat Oct 19, 2013 3:42 pm

Pattern_Juggled wrote:How to Chain VPNs for Complete Anonymity
How Does Chaining VPNs Work?

First, a person would connect to the VPN. Then, when connected to the first VPN, you chain to the second, and since a bunch of people share the same IP, the second VPN has no way of knowing who tunnelled to it. An even better scenario is where you use an eastern VPN as your first, because our country has no jurisdiction to retrieve the logs from them, thus increasing your security.

However, to chain VPNs, the second VPN would need to know how the first VPN’s traffic was encrypted. This flaw makes it impossible to chain them in this method, unless you own both VPNs (not very likely).

So, how can we chain VPNs then? I’ll show you how by using a virtual machine!


Is it just me or does the text I highlighted not make *any* sense? My concept of VPN chaining is like proxy chaining, that is a VPN tunnel over a VPN tunnel. I've seen another concept of chaining like: C1 -> S1 -> C2 -> S2, where the vpn data is routed through two servers by an intermediary client. I can't even think of a case where the second VPN would need to know how the first VPN's traffic was encrypted.

Anyway, it is most certainly possible to create a VPN chain (with openvpn no less) without paying for the extra overhead of a virtual machine. On Linux this is super easy if the servers are configured correctly (might be harder on a Windows box). All you do is run the first openvpn, which sets up all traffic to be routed out through the first VPN. Then you run the second openvpn, which will set up all traffic to be routed out through the second VPN.

Yes, it will seem like magic, but it's not. <insert Arthur C. Clarke quote>
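
Added example, not part of the guest's post above and not cryptostorm code: a check of whether two tunnels started one after the other on a Linux host are really nested, done by longest-prefix match over `ip route show` output. The routing tables, the interface names (`eth0`, `tun0`, `tun1`) and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed `ip route show` output: VPN A on tun0, VPN B on tun1.
# The host route for VPN B's endpoint (192.0.2.20) points into tun0.
NESTED = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
0.0.0.0/1 via 10.8.0.1 dev tun0 metric 50
128.0.0.0/1 via 10.8.0.1 dev tun0 metric 50
192.0.2.20 via 10.8.0.1 dev tun0
10.9.0.0/24 dev tun1 proto kernel scope link src 10.9.0.2
0.0.0.0/1 via 10.9.0.1 dev tun1
128.0.0.0/1 via 10.9.0.1 dev tun1
"""

# Same table, but VPN B's endpoint is pinned to the physical gateway, so
# both tunnels leave the host directly and the ISP sees both endpoints.
SIDE_BY_SIDE = NESTED.replace("192.0.2.20 via 10.8.0.1 dev tun0",
                              "192.0.2.20 via 192.168.1.1 dev eth0")


def parse_routes(text):
    """Parse `ip route show` lines into network / device / metric records."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append({
            "net": ipaddress.ip_network(dest, strict=False),
            "dev": tok[tok.index("dev") + 1],
            "metric": metric,
        })
    return routes


def egress(routes, addr):
    """Interface chosen for addr: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))["dev"]


def audit_chain(route_text, server_a, server_b, outer, inner,
                probe="203.0.113.80"):
    """Return a list of findings; an empty list means B is nested inside A."""
    routes = parse_routes(route_text)
    findings = []
    if egress(routes, server_a) in (outer, inner):
        findings.append("VPN A endpoint is routed into a tunnel (routing loop)")
    if egress(routes, server_b) != outer:
        findings.append("VPN B endpoint does not leave via %s: "
                        "tunnels are side by side, not nested" % outer)
    if egress(routes, probe) != inner:
        findings.append("general traffic does not leave via %s" % inner)
    return findings


if __name__ == "__main__":
    for name, table in (("nested", NESTED), ("side by side", SIDE_BY_SIDE)):
        result = audit_chain(table, "198.51.100.10", "192.0.2.20",
                             "tun0", "tun1")
        print(name, "->", result or "OK")
```

Running the same audit after the inner tunnel has dropped reports that general traffic no longer leaves via `tun1`, which is the silent fail-open condition discussed earlier in the thread.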


Re: A tutorial for manually "chaining" desktop VPNs

Postby Guest » Sat Oct 26, 2013 4:49 am

Guest wrote:
Pattern_Juggled wrote:How to Chain VPNs for Complete Anonymity
How Does Chaining VPNs Work?

First, a person would connect to the VPN. Then, when connected to the first VPN, you chain to the second, and since a bunch of people share the same IP, the second VPN has no way of knowing who tunnelled to it. An even better scenario is where you use an eastern VPN as your first, because our country has no jurisdiction to retrieve the logs from them, thus increasing your security.

However, to chain VPNs, the second VPN would need to know how the first VPN’s traffic was encrypted. This flaw makes it impossible to chain them in this method, unless you own both VPNs (not very likely).

So, how can we chain VPNs then? I’ll show you how by using a virtual machine!


Is it just me or does the text I highlighted not make *any* sense? My concept of VPN chaining is like proxy chaining, that is a VPN tunnel over a VPN tunnel. I've seen another concept of chaining like: C1 -> S1 -> C2 -> S2, where the vpn data is routed through two servers by an intermediary client. I can't even think of a case where the second VPN would need to know how the first VPN's traffic was encrypted.

Anyway, it is most certainly possible to create a VPN chain (with openvpn no less) without paying for the extra overhead of a virtual machine. On Linux this is super easy if the servers are configured correctly (might be harder on a Windows box). All you do is run the first openvpn, which sets up all traffic to be routed out through the first VPN. Then you run the second openvpn, which will set up all traffic to be routed out through the second VPN.

Yes, it will seem like magic, but it's not. <insert Arthur C. Clarke quote>



I cascade VPNs all the time. Very easy in windoz.

The statement " the second VPN would need to know how the first VPN’s traffic was encrypted " is incorrect.


Re: A tutorial for manually "chaining" desktop VPNs

Postby Guest » Sat Oct 26, 2013 8:29 am

Oh goodie, my post about cascading vpns got thru.

I’m an old-skool dos guy. I like running batch (bat) files.
I set up a bunch of bat files to initiate automated vpn cascading on my crappy win7 junk’r PC.
I’ve got a vpn account from a friendly Moldovan that I use to ‘enter’ the net (beyond my ISP).
I use SSTP to a NL server (shared VPN) as my first hop.
From there, I then connect using (non-secure) PPTP to VPNReactor’s free (30-min) trial account.
VPNReactor’s shared PPTP exits are notoriously ‘dirty’ on scaneye (pobralem.pl) and I like that.

The (cycling) bat commands reconnect the PPTP every 30-minutes. Also does a CCleaner every 30-min.
My SSTP connection never (usually) goes down and I’m also picky about DNS settings for each adapter.
I use temp 24-char passwords generated from random.org and signup to VPNR using disposable emails.
There’s a bit more to it and I can elaborate if anyone is interested.

Of course PPTP is broken. I only run it as my second hop so that my first hop doesn’t see plaintext exiting. It’s fun to play with vpn cascading and see the effect on latency and speed testing.

Interesting, there seems to be priority, SSTP -> L2TP -> PPTP. This works fine and is still pretty fast.
Then, if you want, launch OpenVPN to your final exit point.

Don’t get me wrong, MSCHAPv2 sucks balls. But for ‘hopping’ purposes it can have its uses.
A hop a day keeps six strikes away!
:lol:


approving guest posts

Postby Baneki » Sat Oct 26, 2013 9:24 am

Guest wrote:Oh goodie, my post about cascading vpns got thru.


We really appreciate the post, and apologise for the occasional delays in approving guest posts.

Just to be clear: all guest posts get approved, without editing of any kind (unless the poster requests an edit be made, such as a typo, in which case we can make the adjustment - but we'll always put a note in the post specifying the edit, and confirming it was requested by the poster herself). The only reason we "approve" them is to hold down the spambots.

In fact, because the only CAPTCHAs that we've found able to foil spambots also foil human beings (some sort of bizarre inversion of the Turing test), we've disabled all CAPTCHAs for guest posting right now. This does bring a relative flood of spambot submissions, but it also allows guest posters to avoid annoying CAPTCHA drama.

The one negative consequence is that one of our forum moderators has to sift through the spam submissions every few hours to "approve" the (apparently ;-) ) human ones. We do our best to make those cycles routinely, but occasionally they fall through the cracks when one mod thinks another's on-duty at a given time, and so forth. Varying timezones of the mod team make things interesting, too.

Anyhow, we appreciate any and all (human) input and every guest post is approved. There's no "editorial judgement" being exercised, beyond filtering out spam.

Cheers,

    ~ Baneki


Re: A tutorial for manually "chaining" desktop VPNs

Postby Guest » Sat Oct 26, 2013 9:47 am

No worries at all. I like this new forum a lot. The 'apple pie' smell of home.

The recent cryptostorm posts on TorrentFreak were awesome and are greatly appreciated. I feel I helped contribute by asking ... "And now for the bad news?" Ohhh boy, the response was brutally refreshing!

http://torrentfreak.com/vpn-provider-sh ... 1093830346

I wish you success with your VPN offering and creating this new (Aug2013) forum (brilliant). But I also hope that true leadership can emerge in the VPN provider collective. Cascading vpns has such a great potential. If VPN providers could all just get along and provide a unified front, the world would be a better place (and way faster than Tor).

