Network OpSec Routes/Methods

Hi everyone,

I’m interested in discussing the latest best practices for network routing to ensure the highest level of privacy and security within Qubes OS. As we all know, network security and OPSEC are critical for maintaining privacy, and there are various configurations that people are using to achieve the most hardened setups. I’m hoping to gather some insights into what the Qubes community considers the most effective methods, especially regarding multi-layered VPN and Tor setups.

What I’ve seen so far:

  1. VPN → Tor (VPN over Tor)
  2. Tor → VPN (Tor over VPN)
  3. Multiple VPNs (VPN1 → VPN2)
  4. Whonix + VPN Configuration (Whonix → VPN)
  5. Using Config Files for VPNs (OpenVPN, WireGuard, etc.)
  6. Firewall + Virtual Machines (VM) Isolation

Key Considerations:

  • Multi-layering: Multi-layer VPN setups (VPN1 → VPN2), or VPN + Tor
  • Whonix integration: Using Whonix as a Gateway in combination with other privacy tools like VPNs
  • DNS & Kill Switches: I see a large amount of discussion debating a setup for this issue, notably the possibility of the VPN leaking upon a kill-switch error
1 Like

You can use sys-pihole

See http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Chaining_Anonymizing_Gateways#Other_Considerations

Some have everything go out through a VPN first. Mullvad is one of the VPN providers most widely believed to be trustworthy. One of the nicest things out there is having fresh residential IPs close to the thing you want to talk to. Or even not close but just residential.

I have always been skeptical of quantum computers but quantum seems to be something to be appropriately concerned about. Google reportedly has a 53-qubit quantum computer. Microsoft has announced their Majorana quantum computer. There are “quantum resistant” cipher options for TLS. Why the Tor Project hasn’t made sure that all Tor circuits use asymmetric ciphers for the quantum era in addition to existing elliptical ciphers I don’t know.

One of the important things with VPNs or proxies is to make sure that only the VPN or proxy can send out. With iptables, having iptables -P OUTPUT DROP ; iptables -P FORWARD DROP with something like iptables -I OUTPUT -m owner --gid-owner $gid_of_vpngroup -j ACCEPT and something else for the FORWARD part, then a command sg vpngroup openvpn --config $config_file is useful for not having leaks.

Most VPN providers support Wireguard now and nftables has replaced iptables. Wireguard and nftables would be the modern thing. If the relevant commands/configs for these aren’t easy to find I could get them up and post them.

The major thing to watch out for is “linking”. You may want to run multiple copies of Whonix Workstation. Be mindful of what time you are online. If there are websites you check almost daily, consider having some scrapers that run remotely fetch those pages and downloading them in batches. Delayed gratification goes a very long way.

Corridor might be interesting to you.

1 Like
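The egress lock described above (policy DROP on OUTPUT and FORWARD, with only the VPN client's group allowed out), written as the nftables equivalent the later reply alludes to. This is an added example, not code from the thread or from any VPN provider or Qubes component. Every name in it is an assumption: the group `vpngroup`, the interfaces `tun0`/`wg0` and `eth0`, and the peer endpoint `198.51.100.7:51820`. It also covers a case the post does not spell out: kernel WireGuard emits its UDP packets without an owning socket, so an owner (skgid) match never sees them, and the rule has to pin the peer endpoint instead.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables "only the VPN
# may leave" ruleset in the spirit of the iptables OUTPUT/FORWARD DROP +
# --gid-owner scheme described above. All names below are assumptions:
#   VPN_GROUP   group the userspace VPN client (OpenVPN) is started under
#   TUN         tunnel interface (tun0 for OpenVPN, wg0 for WireGuard)
#   UPLINK      interface on which the VPN server is reached
#   WG_ENDPOINT "ip:port" of the WireGuard peer, if kernel WireGuard is used
# Two modes because kernel WireGuard sends its UDP packets without an owning
# socket, so an owner (skgid) match never sees them; for that case only the
# configured peer endpoint is allowed out on the uplink instead.

VPN_GROUP="${VPN_GROUP:-vpngroup}"
TUN="${TUN:-tun0}"
UPLINK="${UPLINK:-eth0}"
WG_ENDPOINT="${WG_ENDPOINT:-}"   # empty selects owner-match (OpenVPN) mode

# The single rule that lets VPN traffic reach the server on the uplink.
uplink_rule() {
    if [ -n "$WG_ENDPOINT" ]; then
        peer_ip="${WG_ENDPOINT%:*}"
        peer_port="${WG_ENDPOINT##*:}"
        printf '        oifname "%s" ip daddr %s udp dport %s accept\n' \
            "$UPLINK" "$peer_ip" "$peer_port"
    else
        printf '        oifname "%s" meta skgid "%s" accept\n' \
            "$UPLINK" "$VPN_GROUP"
    fi
}

# Print the ruleset. A separate table is used so the qube's own firewall
# tables stay untouched; a drop verdict in any table is final, so the
# default-drop policy here still applies to every packet.
vpn_ruleset() {
    cat <<EOF
table inet vpnlock
delete table inet vpnlock
table inet vpnlock {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # DHCP on the uplink is the only other cleartext traffic permitted
        oifname "$UPLINK" udp sport 68 udp dport 67 accept
$(uplink_rule)
        # everything else must leave through the tunnel or is dropped
        oifname "$TUN" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # downstream qubes are only ever forwarded into the tunnel
        oifname "$TUN" accept
        iifname "$TUN" ct state established,related accept
    }
}
EOF
}

# Load the ruleset, then start OpenVPN inside the permitted group
# (the `sg vpngroup openvpn --config ...` step from the post).
apply_and_start_openvpn() {
    vpn_ruleset | nft -f - || return 1
    sg "$VPN_GROUP" -c "openvpn --config $1"
}

case "${1:-}" in
    print) vpn_ruleset ;;
    start) apply_and_start_openvpn "$2" ;;
esac
```

`sh vpnlock.sh print` shows the ruleset for review; `sh vpnlock.sh start client.ovpn` (as root) loads it and starts OpenVPN under the group. For WireGuard, export `TUN=wg0` and `WG_ENDPOINT=ip:port` before `print`, then bring the interface up normally. Pulling the tunnel down on purpose and watching for any packet other than DHCP on the uplink is the quickest way to confirm nothing else can leak.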

Also see https://forum.qubes-os.org/t/staying-anonymous-fingerprinting-and-attacks/33021

It’s difficult, particularly against sophisticated adversaries like the NSA or GCHQ. The core challenge is that Tor has been found to be vulnerable at times and most ISPs routinely collect NetFlow logs.
A typical setup like ISP→VPN→Tor (Guard, Middle, Exit) is potentially vulnerable, as the ISP can still identify you through the VPN’s IP address, which the Guard node also knows.

Even using multiple VPN servers (multi-hop) doesn’t fully solve the problem. If the initial VPN and the Tor circuit both observe the same traffic patterns, they can potentially collaborate to identify users.
ISP→VPN #1→VPN #2→Tor
If 100MB is sent to VPN #1 and the website receives 100MB in traffic, this data may be enough to identify you. This technique involves creating a suspect list and then implementing real-time packet-level logging. The adversary would analyze the timing of each packet exchanged between the website and the ISP, searching for correlations that link to a specific customer.

Currently, the most robust setup I’ve found is using a VM with the Mullvad App and DAITA, multi-hop, lockdown mode, and a quantum-resistant tunnel enabled. Then restrict outgoing connections through VM firewall settings. Be warned, this setup requires trust in Mullvad, the effectiveness of DAITA and the inability for an adversary to track packets across data centers.

It’s important to note that standard Wireguard and OpenVPN configurations don’t support DAITA or hide the use of multi-hop. Mullvad’s lockdown mode should be sufficient in itself, VPN after Tor reduces anonymity, and DNS is managed by Mullvad and then the Tor exit node.

The effectiveness of tools like DAITA and other traffic analysis prevention techniques is still being evaluated, so you can use your own custom tool in addition to DAITA.

Choosing server locations is also important. Ideally, you’d want a VPN provider with servers in a non-14 Eyes country and a server that the provider physically owns, to minimize the risk of interception.

For maximum anonymity, you’d need perfect uptime, consistently generating random traffic that can’t be filtered out, and only using your chosen identity for brief periods. This level of control is difficult to achieve in practice.

In short, use multiple VPN servers before Tor, generating constant, random traffic 24/7. Regularly monitor your sys-whonix and sys-net traffic to identify any connections between them.

1 Like

DARPA made a neat thing called RACE. I don’t yet know much about it but others may find it interesting too.

Why Quantum Cryptanalysis is Bollocks: A Lesson from History (Peter Gutmann) – https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf

I really like your mullvad setup but one problem with all VPNs including Mullvad with DAITA and multi hop and everything is it doesn’t do anything at all if the VPN provider is spying on you. I mean Mullvad won’t know what happens after Tor but Mullvad can share info about everything leading up to the guard node. I trust Mullvad, they keep proving themselves and doing great things, but if they are legally forced to spy on a user then the VPN does nothing for anonymity.

And the problem is that it’s so easy for authorities to legally force companies into this. There are more laws than you can imagine. Everyone is breaking at least some law that you didn’t even know existed. And there are so many laws that can be interpreted very conveniently on a case-by-case basis. And you have probably heard about the popular threat the FBI and CIA can make: “we will find something if you don’t do what we say”. Everything is corrupt and the people working in the CIA and FBI are rogue corrupt extremists. If you say that about UK authorities it’s enough to become a target of surveillance by them. No freedom of speech exists.

My guess is that almost all people who have learned to protect their privacy enough to make mass surveillance difficult will enter a list for targeted surveillance. They can just use any random excuse for such surveillance.

You could do something like Mullvad→IVPN→Proton VPN→Tor
Mullvad with DAITA enabled
IVPN torrenting/downloading random files
Then run noisy or PartyLoud after Proton VPN or Tor itself

This way at minimum they would need IVPN and Proton VPN to both log, a cooperating ISP, and multiple malicious Tor circuits before they have a connection to your real identity. Even then, you could replace the last two VPN providers and reset sys-whonix to force them to restart the entire process.

For legality, Mullvad claims there aren’t any laws applicable to them that would force any spying of their users.

The issue with this setup is that it’s expensive and it’s not clear as to whether a VPN provider is safe to use at any given time.

1 Like

Look into multi-party VPNs like Obscura; SethOnPrivacy has a great interview with the CEO.
http://ngmmbxlzfpptluh4tbdt57prk3zxmq4ztew7l2whmg7hkqaof2nzf7id.onion/
http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion/en/blog/mullvad-partnered-with-obscura-vpn

Only a matter of time before these solutions expand to platforms like Linux solving TCP meltdown or similar problematic situations that can arise when home-brewing such setups.

1 Like

Interesting posts, I will spend time to look more into what you’ve both said.

Another important thing we should talk about is the more recently discovered vulnerability or attack vector introduced with VPNs. It’s called Port Shadow Attacks and allows hijacking connections, deanonymizing users, or redirecting traffic. The vulnerability stems from the shared nature of ports in VPN servers.

Another big problem is tunnel link connection chain risk. It’s possible that the same operator/network could be used twice in my connection chain. This results in the same IP address as the first and last proxy. To reduce this risk, look for a VPN provider who does not support port forwarding. The VPN provider should also run their own servers rather than relying on shared infrastructure. This means the VPN provider has to own or rent the building which the computers/servers are in, and the VPN provider also has to own those servers, and they should not be used for anything other than the VPN servers. I haven’t checked yet which VPN providers do this because the Whonix docs made me lose a lot of interest in VPNs and because I’ve been so busy with other tasks I need to complete first. But your posts make me want to do more research into this asap.

Maybe we need to define the word ‘spying’. What I was thinking of is the VPN provider, in this example Mullvad, can log for authorities the IP I’m connecting from and at which time, and which hops I make and which Tor guard node I connect to or which other VPN provider’s server I connect to. That’s all they need so that’s what I was thinking about with spying (targeted spying, not mass surveillance spying). Is this legally not possible to do for Mullvad, based in Sweden, so I guess the Swedish laws protect them from both Swedish authorities and all the other countries’ authorities? I’m surprised if that’s really true. I will have to look more into this but legal questions are usually difficult to find good trustworthy answers to without hiring a lawyer who you can ask.

I believe the VPN providers I mentioned are immune to these attacks, and at least IVPN and Mullvad also let you use servers that they physically own.

1 Like