Software full of Performance

Different needs and different threat models lead to misunderstandings between people. Let’s say you want to leave the most anonymous comment possible on a social network. What do you need for it? A VPN? Tor? An SSH tunnel? Well, it is enough to buy any SIM card and a used phone in the nearest store, then go a considerable distance from where you live, insert one into the other, post your message and sink the phone. You have accomplished your mission 100%.

But what if you don’t want to just leave a single comment or hide your IP address from some site? What if you want such an advanced level of anonymity that it will create the most intricate puzzle leaving no room for any tricks at any level? And also hide the very fact of using anonymity tools along the way? This is what I am going to talk about in this article.

Perfect anonymity is above all a dream, like everything perfect. But that doesn’t mean you can’t get pretty close. Even if you are being identified by system fingerprints and other means, you can still remain indistinguishable from the mass of general Web users. In this article I will explain how to achieve this.

This is not a call to action, and the author in no way calls for any illegal action or violation of the laws of any state. Consider it just an “if I were a spy” fantasy.

Basic protection level

The basic level of protection and anonymity looks something like this: client → VPN/TOR/SSH tunnel → destination.

Actually, this is just a slightly more advanced version of a proxy that allows you to substitute your IP. You won’t achieve any real or quality anonymity this way. Just one wrong or default setting in the notorious WebRTC, and your real IP is revealed. This type of protection is also vulnerable to node compromise, fingerprinting, and even simple log analysis by your provider and data center.

By the way, there is a common opinion that a private VPN is better than a public one, since the user trusts his own system settings. Consider for a moment that someone knows your external IP. Then they also know your data center, and the data center knows the server to which this IP belongs. And now imagine how difficult it is to determine which real IP connected to the server. What if you are the only customer there? And if there are many customers, for example 100, it becomes much more difficult.

And this is not to mention that few people will bother to encrypt their drives and protect them from physical deletion, so they will hardly notice their servers being rebooted to boot level 1 and VPN logs being turned on under the excuse of “minor technical difficulties in the data center.” Moreover, there is no need even for things like this, because all incoming and outgoing server addresses are already known.

Speaking of Tor, first, its use in itself can raise suspicion. Second, there are only around 1000 outgoing nodes, many of them are on block lists, and they are no-nos for many sites. For example, Cloudflare features the ability to enable or disable Tor connections through a firewall: use T1 as the country. Also, Tor is much slower than a VPN (currently Tor network speeds are less than 10 Mbit/s and often 1-3 Mbit/s).

Summary: If all you need is to avoid showing your passport to everyone, bypass simple site blocks, have a fast connection, and route all traffic through another node, choose a VPN, preferably a paid service. For the same money, you will get dozens of countries and hundreds or even thousands of outgoing IP addresses instead of a VPS with only one country that you will have to configure painfully.

In this case, there is little point in using Tor, although in some cases Tor will be a decent solution, especially if you have an extra layer of security like VPN or an SSH tunnel. More on this below.

Medium protection level

A medium level of protection looks like an advanced version of the basic: client → VPN → Tor and variations. This is an optimal working tool for anyone who is afraid of IP spoofing. This is a case of synergy when one technology strengthens the other. But make no mistake. While it is really hard to get your real address, you are still vulnerable to all of the attacks described above. Your weak link is your workplace: your work computer.

High level of protection

Client → VPN → Remote Workplace (via RDP/VNC) → VPN.

Your work computer should not be yours, but a remote machine with, say, Windows 8, Firefox, a couple of plugins like Flash, a couple of codecs, and no unique fonts and other plugins. A boring and simple machine indistinguishable from millions of others. In the event of a leak or compromise, you will still be covered by another VPN.

It was previously believed that Tor/VPN/SSH/Socks allowed a high level of anonymity, but today I would recommend adding a remote workplace to this setup.


Client → Double VPN (in different data centers, but close to each other) → Remote workplace + Virtual machine → VPN.

The proposed scheme consists of a primary VPN connection and a secondary VPN connection (in case the first VPN is compromised due to some leak). It is used to hide traffic from the ISP in order to conceal your real ISP address in the data center with the remote workplace. Then comes a virtual machine installed on the server. I suppose you understand why a virtual machine is so vital: to fall back to the most standard and banal system with a standard set of plugins after each download. And this should be done at a remote workplace instead of a local one, because people who used a virtual machine locally in conjunction with TripleVPN once opened an IP check site and were very surprised to see their actual, real IP address in the “WebRTC” field. I don’t know and I don’t want to know what software some developer will develop tomorrow and install in your browser without your concern. So just don’t think about it and don’t store anything locally. Kevin Mitnick found this out 30 years ago.
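Both WebRTC remarks above (the default setting in the basic scheme and the “WebRTC” field on the IP check site) come down to which addresses the browser places in its ICE candidates. The following is an added example, not code from the original article: a self-audit that parses candidate lines and flags any address that is neither the expected VPN exit nor masked. The function names and the sample lines (documentation address ranges) are constructed for illustration; in a browser the lines would come from `RTCPeerConnection` `icecandidate` events.

```javascript
// Added example: audit ICE candidate lines for addresses that bypass the tunnel.
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./];

function parseCandidate(line) {
  // candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const rel = /\braddr (\S+)/.exec(m[8]); // base address behind srflx/relay candidates
  return { address: m[5], port: Number(m[6]), type: m[7], relatedAddress: rel ? rel[1] : null };
}

function classifyAddress(addr, expectedExitIp) {
  if (addr.endsWith('.local')) return 'mdns-obfuscated'; // browser hid the host address
  if (addr === '0.0.0.0' || addr === '::') return 'masked';
  if (addr === expectedExitIp) return 'tunnel-exit';
  const privateV6 = /^f[cd]/i.test(addr) || /^fe80:/i.test(addr);
  if (privateV6 || PRIVATE_V4.some((re) => re.test(addr))) return 'private-lan';
  return 'public-other'; // a public address that is not the tunnel exit
}

function auditCandidates(lines, expectedExitIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    for (const [field, addr] of [['address', c.address], ['raddr', c.relatedAddress]]) {
      if (!addr) continue;
      const kind = classifyAddress(addr, expectedExitIp);
      if (kind === 'public-other' || kind === 'private-lan') {
        findings.push({ type: c.type, field, addr, kind });
      }
    }
  }
  // A public address other than the exit means traffic left outside the VPN.
  return { leak: findings.some((f) => f.kind === 'public-other'), findings };
}

// Constructed sample: the last line is what a leaking setup would emit.
const EXPECTED_EXIT_IP = '203.0.113.10';
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2113937151 3f2a9c1e-7b1d-4c7e-9a55-0d6e2b8f4c11.local 54321 typ host',
  'candidate:2 1 udp 1677729535 203.0.113.10 40000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:3 1 udp 1677729535 198.51.100.77 40001 typ srflx raddr 192.168.1.23 rport 54321',
];

console.log(auditCandidates(SAMPLE_CANDIDATES, EXPECTED_EXIT_IP));
```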

We have tested this setup: the delays are significant even if you set everything up correctly in terms of geography, but they are tolerable. We assume that the user will not place the servers on different continents. For example, if you physically reside in New York, place your first VPN in New York as well, your second in Mexico, etc., your remote workplace in Canada, and the final VPN, for example, in Venezuela. Don’t put different servers in the Eurozone as those governments cooperate closely, but on the other hand, don’t spread them too far apart. Neighboring countries that hate each other would be the best solution for your chain 😉

You can also add automatic website visiting in the background from your real machine, thus mimicking web browsing. With this, you dispel suspicions that you use some anonymization tools because your traffic always goes to only one IP address and through one port. You can add Whonix/Tails and go online via public Wi-Fi in a cafe, but only after changing your network adapter settings, which could also lead to your de-anonymization. You could even change your appearance so as not to be visually identified in the same cafe. You can be identified by various means, from your coordinates on a photo captured by your phone to your writing style. Just remember that.

On the other hand, for most people an anonymizer is perfectly suitable, but even our anonymizer, after all our efforts to make it useful, still falls short in browsing experience. Yes, a regular VPN is a normal and adequate solution to bypass simple blocks with decent speed. Need more anonymity and ready to sacrifice some speed? Add Tor to the mix. Want something more? Do as mentioned.

Fingerprinting, such as efforts to detect VPN usage, is very difficult to circumvent due to the time it takes to send packets from the user to the website and from the website to the user’s IP address (not accounting for blocking of specific incoming requests). You can cheat on a check or two, but you can’t be sure that a new “nightmare” won’t appear overnight. This is why you need both a remote workplace and a clean virtual machine. So it’s the best advice you can get right now. The cost of such a solution starts from just $40 per month. But keep in mind that you have to pay with Bitcoin only.
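The packet-timing check described at the start of the paragraph above, seen from the website’s side, as an added example that is not from the original article. It assumes the site has two sets of round-trip times for one session: one measured to the visitor’s visible IP address (for example from the TCP handshake) and one measured end to end through the browser (for example a WebSocket echo). The function names, thresholds and sample values are constructed for illustration.

```javascript
// Added example: compare RTT to the visible IP with RTT to the actual browser.
function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Median absolute deviation: a jitter estimate that ignores single outliers.
function mad(xs) {
  const m = median(xs);
  return median(xs.map((x) => Math.abs(x - m)));
}

function assessTunnel(ipRttMs, appRttMs, opts = {}) {
  const { minSamples = 5, floorMs = 20 } = opts; // assumed tuning values
  if (ipRttMs.length < minSamples || appRttMs.length < minSamples) {
    return { verdict: 'insufficient-data', gapMs: null, thresholdMs: null };
  }
  // Extra latency between the visible IP and the real endpoint shows up as a gap.
  const gapMs = median(appRttMs) - median(ipRttMs);
  // The gap must exceed a fixed floor and three times the combined jitter.
  const thresholdMs = Math.max(floorMs, 3 * (mad(ipRttMs) + mad(appRttMs)));
  return { verdict: gapMs > thresholdMs ? 'likely-tunnelled' : 'consistent', gapMs, thresholdMs };
}

// Constructed samples (milliseconds).
const DIRECT = { ip: [24, 25, 26, 25, 24], app: [27, 29, 28, 30, 28] };
const VIA_VPN = { ip: [12, 13, 12, 14, 13], app: [95, 102, 98, 110, 97] };

console.log(assessTunnel(DIRECT.ip, DIRECT.app));
console.log(assessTunnel(VIA_VPN.ip, VIA_VPN.app));
```

A remote workplace collapses this gap because the browser really does run at the visible IP address, which is why the article pairs it with the final VPN.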

And a little epilogue. The main and most important factor in your success in achieving true anonymity is separating personal and secret data. All intricate tunnels and schemes will be absolutely useless if you log in, for example, to your personal Google account.

Be anonymous!
