Advice on setting up TOR over VPN server
I've currently got several VPN servers set up using OpenVPN and WireGuard. However, I'm wanting to enable the option to connect to my VPN server and have it route the traffic from that connection to the TOR network. I know this is possible because Proton VPN, among others, offers it. Although I'm experienced in Linux Server Admin and Network Admin, I'm not sure of the best/most secure way to do this. I've searched online and found a few suggestions but nothing that really helped. I'm hoping someone in this community can point me in the right direction.
Thanks!

Comments
I don't see the advantage of adding a fourth hop to an already slow connection. Wouldn't it make more sense to use a client such as https://github.com/Und3rf10w/kali-anonsurf or use the official SOCKS Proxy?
Since I'm lazy here is GPT4 answer to your post:
Connecting a VPN server to the TOR network involves a few steps:
Configure your OpenVPN or Wireguard server: You need to ensure your VPN server is correctly configured and working. From the information given, it sounds like you already have this part handled.
Install and configure a TOR proxy on your VPN server: The TOR network works by bouncing your requests around a distributed network of servers called onion routers. To connect to this network, you need to install a TOR proxy on your VPN server. This proxy will route all traffic from your VPN to the TOR network.
Here's an example of how you can install and configure TOR on a Ubuntu server:
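```
sudo apt update
sudo apt install tor
```
After installing TOR, you need to configure it to allow your VPN server to connect to it. Open the TOR configuration file with a text editor:
```
sudo nano /etc/tor/torrc
```
Then, add the following lines to the file:
```
SocksPort 0
SocksPolicy accept *
# REDIRECT in PREROUTING rewrites the destination to the VPN interface's own
# address, so the listeners must bind there, not only on 127.0.0.1 (the default).
# <vpn-interface-ip> is a placeholder for the server's tun0 address.
DNSPort <vpn-interface-ip>:53
TransPort <vpn-interface-ip>:9040
```
These lines configure TOR to accept connections from your VPN server and route them to the TOR network.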
Configure your VPN server to route all traffic through the TOR proxy: After setting up the TOR proxy, you need to change your VPN server configuration to route all traffic through the TOR proxy. This can be done by modifying the 'iptables' of your server to redirect all traffic to the TOR proxy.
Here's an example of how you can do this:
```
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A PREROUTING -i tun0 -p udp --dport 53 -j REDIRECT --to-ports 53
```
These commands redirect all TCP traffic and DNS requests from your VPN (assumed to be 'tun0') to the TOR proxy.
Please note that the above are just examples and the exact commands might vary depending on your server setup and VPN configuration.
In terms of security, this setup is reasonably secure as it combines the encryption of a VPN with the anonymity of the TOR network. However, it's worth noting that while this setup provides a high degree of privacy, it can significantly reduce your internet speed due to the additional hops in the TOR network. Also, some websites block traffic from the TOR network due to its association with illicit activities.
Regarding ProtonVPN and other VPN providers offering TOR over VPN, it's important to note that they likely use their client applications to manage this setup, as indicated by responses from NordVPN and ProtonVPN https://restoreprivacy.com/vpn/wireguard/. Implementing this on your own server means you'll have to manage the configurations yourself.
End of quote.
Try it and if you're still having problems please narrow your question to a specific step.
From my experience, the only thing that you're limited by would be your bandwidth.
Edit: I need to learn how to read...
Oh shit. Lmgtfy will be replaced with lmgpttfy.
Is it advisable and/or required to run the TOR Proxy on the same VPN server, or set up a separate instance of Ubuntu to act just as a Tor proxy?
Since we started with it I'll give GPT4 the honor to answer your follow up question (just ignore that "Both VPN and TOR can be resource-intensive" paragraph which is irrelevant to today's average servers).
GPT4:
Running the TOR proxy on the same server as the VPN server is perfectly fine and is a common setup. It simplifies the process as you don't have to manage multiple servers and deal with inter-server communication.
However, there are a few reasons why you might want to consider running the TOR proxy on a separate server:
Security: If someone manages to compromise your VPN server, they could potentially gain access to your TOR proxy as well if they're on the same machine. By keeping them separate, you add an additional layer of security.
Performance: Both VPN and TOR can be resource-intensive. If your server doesn't have sufficient resources, running both on the same machine could degrade performance. In such a case, separating them onto different servers could help.
Maintenance and scalability: Having them on separate servers allows you to maintain and scale each service independently. For example, you could upgrade or restart the TOR server without affecting the VPN server and vice versa.
Here's a general guide on how to set up a separate TOR proxy server:
Install Ubuntu on a new server instance.
Install and configure the TOR service as described in the previous answer.
Update the iptables rules on your VPN server to redirect traffic to the TOR proxy server instead of localhost. You'd need to replace 127.0.0.1 with the IP address of your TOR server:
```
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --syn -j DNAT --to-destination <tor-server-ip>:9040
sudo iptables -t nat -A PREROUTING -i tun0 -p udp --dport 53 -j DNAT --to-destination <tor-server-ip>:53
```
Remember to replace tor-server-ip with the actual IP address of your TOR server.
In conclusion, whether to run the TOR proxy on the same server as the VPN or on a separate server depends on your specific needs and constraints. Both options have their pros and cons, and you'll need to consider factors such as security, performance, and maintenance when making your decision.
End of quote.
BTW in previous gpt answer it forgot to add about running 'service tor start' command before TOR service can work (almost sure you know that but just in case).
I'm working in this but I only have massive miss success...
Routing traffic from a VPN to the Tor network is a powerful way to enhance privacy and anonymity. This setup is often referred to as a "VPN-to-Tor" or "VPN over Tor" configuration. Here's a step-by-step guide to help you implement this setup securely:
1. Understand the Basics
Tor-to-VPN: Your traffic goes through the Tor network first, then exits through the VPN. This setup is not as common but can protect against malicious Tor exit nodes.
You’re aiming for the VPN-to-Tor setup.
2. Set Up Tor on Your VPN Server
```bash
sudo apt-get update
sudo apt-get install tor
```
/etc/tor/torrc) to set up a transparent proxy:
```bash
sudo nano /etc/tor/torrc
```
```bash
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 5353
# PREROUTING REDIRECT delivers client traffic to the VPN interface's own address,
# so also listen there (<vpn-interface-ip> is a placeholder for the tun0 address).
TransPort <vpn-interface-ip>:9040
DNSPort <vpn-interface-ip>:5353
```
```bash
sudo systemctl restart tor
```
3. Configure IPTables for Traffic Routing
You need to route all traffic from your VPN clients through Tor using IPTables.
```bash
sudo sysctl -w net.ipv4.ip_forward=1
sudo nano /etc/sysctl.conf
```
Add or uncomment the following line:
```bash
net.ipv4.ip_forward=1
```
eth0 with the name of your server's network interface and tun0 with your VPN interface.
```bash
sudo iptables -t nat -A PREROUTING -i tun0 -p udp --dport 53 -j REDIRECT --to-ports 5353
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
sudo iptables -t nat -A OUTPUT -d 127.0.0.1/32 -j RETURN
sudo iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353
sudo iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
4. Persist the IPTables Rules
Save your IPTables rules to ensure they persist across reboots:
```bash
sudo sh -c "iptables-save > /etc/iptables.rules"
sudo nano /etc/network/interfaces
```
Add the following line to the interface you want the rules applied on (usually eth0 or tun0):
```bash
pre-up iptables-restore < /etc/iptables.rules
```
5. Test Your Configuration
check.torproject.org to see if your IP address is recognized as a Tor exit node.
curl or wget with the --interface option set to tun0 and see if it shows a Tor IP.
6. Additional Security Considerations
7. Client Configuration
No special configuration is needed on the client side, as the VPN server is transparently routing all traffic through Tor.
This setup should give you a robust and secure VPN-to-Tor connection. Regularly update both your VPN and Tor services to ensure you're protected against the latest vulnerabilities.
GPT's answer
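Added example, not part of any post in this thread: the redirect rules quoted above only catch TCP SYN packets and UDP port 53 arriving on tun0, so with ip_forward enabled and a MASQUERADE rule, any other client traffic (other UDP, ICMP) can be routed out directly instead of through Tor. The script is a heuristic check over `iptables-save` output; the sample rulesets are constructed and the function and finding names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: heuristic audit of `iptables-save`
# output for a VPN-to-Tor gateway. tun0 and port 9040 are the thread's values.

# Constructed sample: the thread's rules roughly as iptables-save prints them.
LEAKY_RULES='*nat
-A PREROUTING -i tun0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i tun0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample: the same rules plus a fail-closed FORWARD rule for tun0.
HARDENED_RULES=$(printf '%s\n' "$LEAKY_RULES" | sed '/^:FORWARD /a\
-A FORWARD -i tun0 -j DROP')

# audit_tor_gateway [vpn_if] [trans_port]: reads iptables-save text on stdin,
# prints one finding per line, returns 0 only when there are no findings.
audit_tor_gateway() {
    vpn_if=${1:-tun0}; trans_port=${2:-9040}
    rules=$(cat); findings=''
    has() { printf '%s\n' "$rules" | grep -Eq "$1"; }
    note() { findings="${findings}$1
"; }
    # Client TCP must be handed to Tor's TransPort.
    has "^-A PREROUTING -i $vpn_if -p tcp .*(--to-ports |--to-destination [0-9.]+:)${trans_port}( |\$)" ||
        note "NO_TCP_REDIRECT: TCP from $vpn_if is not sent to port $trans_port"
    # Client DNS must be handed to Tor's DNSPort, not resolved in the clear.
    has "^-A PREROUTING -i $vpn_if -p udp .*--dport 53 .*-j (REDIRECT|DNAT)" ||
        note "NO_DNS_REDIRECT: UDP/53 from $vpn_if is not redirected"
    # Everything else (other UDP, ICMP) reaches FORWARD and must be dropped there.
    has "^-A FORWARD -i $vpn_if -j (DROP|REJECT)" || has '^:FORWARD DROP' ||
        note "FORWARD_OPEN: non-TCP, non-DNS traffic from $vpn_if can be routed out directly"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Demo on the constructed leaky sample; prints the FORWARD_OPEN finding.
printf '%s\n' "$LEAKY_RULES" | audit_tor_gateway tun0 9040 || true
```

On a live gateway the equivalent call is `sudo iptables-save | audit_tor_gateway tun0 9040`; IPv6 rules (`ip6tables-save`) need a separate check.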
You should try xtls/xray-core 3x-ui.