源自网络上对tor和vpn的英文介绍,个人翻译成中文。
如题tor和vpn
(突然想说vpn全称是什么? )
TorPlusVPN
TOC(depth=1)
Introduction–介绍
| original text |
译文 |
| There are many discussions on the Tor Mailing list and spread over many forums about combining Tor with a VPN, SSH and/or a proxy in different variations. X in this article stands for, “either a VPN, SSH or proxy”. All different ways to combine Tor with X have different pros and cons. |
有许多关于把Tor与vpn、ssh或者是proxy通过不同方式结合的讨论,出现在Tor的邮箱列表和在很多论坛中。要说明的是,在这篇文章中,不管是vpn,还是ssh,亦或是proxy,将用x指代。将Tor与x结合起来的所有的方法,优缺点共存。 |
Anonymity and Privacy–匿名和隐私
| original text |
译文 |
| You can very well decrease your anonymity by using VPN/SSH in addition to Tor. (Proxies are covered in an extra chapter below.) If you know what you are doing you can increase anonymity, security and privacy. |
在使用Tor时额外使用vpn、ssh会很大程度影响匿名性。(proxy作为之后一章单独讲述)如果你想知道做些什么能够提高匿名性、安全性,保护隐私。 |
| Most VPN/SSH provider log, there is a money trail, if you can’t pay really anonymously. (An adversary is always going to probe the weakest link first…). A VPN/SSH acts either as a permanent entry or as a permanent exit node. This can introduce new risks while solving others. |
大多数vpn、ssh提供商标明写着,不完全的匿名支付让金钱流动的痕迹无所遁形。(对手总是会先去侦测你最弱的连结)。vpn、ssh会是一个永久的进出节点。这可以在解决其他风险的同时引入新的风险。 |
| Who’s your adversary? Against a global adversary with unlimited resources more hops make passive attacks (slightly) harder but active attacks easier as you are providingmore attack surface and send out more data that can be used. Against colluding Tor nodes you are safer, against blackhat hackers who target Tor client code you are safer (especially if Tor and VPN run on two different systems). If the VPN/SSH server is adversary controlled you weaken the protection provided by Tor. If the server is trustworthy you can increase the anonymity and/or privacy (depending on set up) provided by Tor. |
谁是你的对手?what is the meaning of internet hop? 在面对一个拥有无限资源的全球对手时,虽然更多的跳数使被动攻击变得略微困难,但主动攻击更容易,因为你提供了更多的攻击面,并发送更多可以使用的数据。在面对可以互联的Tor节点时,你会更安全,面对目标是Tor客户端密钥的黑帽黑客目,你会更安全(特别是如果Tor和VPN运行在两个不同的系统)。如果VPN/SSH服务器被对手控制,你就会削弱了Tor所提供的保护。如果服务器是值得信赖的,你可以增加Tor提供的匿名性和/或隐私(取决于设置)。 |
| VPN/SSH can also be used to circumvent Tor censorship (on your end by the ISP or on the service end by blocking known tor exits). |
VPN/SSH也可以用来规避Tor审查制度(由ISP在你的终端规避或通过在服务终端阻止已知的Tor出口)。 |
VPN/SSH versus Proxy
| original text |
译文 |
| The connection between you and the VPN/SSH is (in most cases, not all) encrypted. On the other hand the connection between you and an OpenProxy is unencrypted. An ‘SSL proxy’ is in most cases only a http proxy which supports the connect method. The connect method was originally designed to allow you to use to connect using SSL to webservers but other fancy things such as connecting to IRC, SSH, etc. are possible as well. Another disadvantage of http(s) proxies is, that some of them, depending on your network setup, even leak your IP through the ‘http forwarded for’ header. (Such proxies are also so called ‘non-anonymous proxies’. While the word anonymous has to be understood with care anyway, a single OpenProxy is much worse than Tor). |
你和VPN/SSH之间的连接是(在大多数情况下,并非全部)加密的。另一方面,你和OpenProxy之间的连接是不加密的。proxy/SSL代理 “在大多数情况下只是一个支持连接方法的http代理。连接方法最初是为了让你使用SSL连接到网络服务器,但其他花哨的东西,如连接到IRC、SSH等,也是可能的。http(s)代理的另一个缺点是,其中一些代理,根据你的网络设置,甚至通过 “http转发的 “头来泄露你的IP。(这种代理也被称为 “非匿名代理”。虽然匿名这个词必须谨慎理解,但单一的OpenProxy比Tor要糟糕得多)。) |
| Also read Aren’t 10 proxies (proxychains) better than Tor with only 3 hops? - proxychains vs Tor. |
|
VPN versus SSH or Proxy
| original text |
译文 |
| VPN operates on network level. A SSH tunnel can offer a socks5 proxy. Proxies operate on application level. These technical details introduce their own challenges when combining them with Tor. The problematic thing with many VPN users is, the complicated setup. They connect to the VPN on a machine, which has direct access to the internet. |
VPN运行在网络层。一个SSH隧道可以提供一个socks5代理。代理运行在应用层。这些技术细节在与Tor结合时引入了它自己的挑战。许多VPN用户的问题是,复杂的设置。他们在一台可以直接访问互联网的机器上连接到VPN机器,该机器可以直接访问互联网。 |
| the VPN user may forget to connect to the VPN first without special precautions, when a VPN connection breaks down (VPN server reboot, network problems, VPN process crash, etc.), direct connections without VPN will be made. |
VPN用户可能会忘记首先连接到VPN在没有特别预防措施的情况下,当VPN连接中断(VPN服务器重启、网络问题、VPN进程崩溃等),就会产生没有VPN的直接连接。 |
| To fix this issue you can try something like VPN-Firewall. |
为了解决这个问题,你可以尝试像VPN-Firewall |
| When operating on the application level (using SSH tunnel socks5 or proxies), the problem is that many applications do not honor the proxy settings. Have a look into the Torify HOWTO to get an idea. |
当在应用层面的操作(使用SSH隧道sock5或代理),问题是许多应用程序不尊重代理设置。请看一下Torify HOWTO来了解一下。 |
| The most secure solution to mitigate those issues is to use transparent proxying, which is possible for VPN, SSH and proxies. |
缓解这些问题的最安全的办法是使用透明的代理,这对VPN、SSH和代理都是可行的。 |
You -> X -> Tor
| original text |
译文 |
| Some people under some circumstances (country, provider) are forced to use a VPN or a proxy to connect to the internet. Other people want to do that for other reasons, which we will also discuss. |
有些人在某些情况下(国家、供应商)被迫使用VPN或代理来连接到互联网。另一些人由于其他原因想这样做,我们也将讨论这些原因。 |
You->VPN/SSH->Tor
| original text |
译文 |
| You can route Tor through VPN/SSH services. That might prevent your ISP etc from seeing that you’re using Tor VPN/SSH Fingerprinting below). On one hand, VPNs are more popular than Tor, so you won’t stand out as much, on the other hand, in some countries replacing an encrypted Tor connection with an encrypted VPN or SSH connection, will be suspicious as well. SSH tunnels are not so popular. |
你可以通过VPN/SSH服务路由Tor。这可能 防止你的ISP等看到你在使用Tor 下面的VPN/SSH指纹识别一方面,VPN比Tor更受欢迎,所以你不会那么引人注目。另一方面,在一些国家,用加密的VPN或SSH来取代加密的Tor,也会被人怀疑。SSH隧道不那么受欢迎。 |
| Once the VPN client has connected, the VPN tunnel will be the machine’s default Internet connection, and TBB (Tor Browser Bundle) (or Tor client) will route through it. |
一旦VPN客户端已经连接后,VPN隧道将成为机器的默认互联网连接。连接,而TBB(Tor浏览器捆绑)(或Tor客户端)将通过它路由通过它。 |
| This can be a fine idea, assuming your VPN/SSH provider’s network is in fact sufficiently safer than your own network. |
假设你的VPN/SSH供应商的网络事实上比你自己的网络足够安全,这可能是一个好主意。 |
| Another advantage here is that it prevents Tor from seeing who you are behind the VPN/SSH. So if somebody does manage to break Tor and learn the IP address your traffic is coming from, but your VPN/SSH was actually following through on their promises (they won’t watch, they won’t remember, and they will somehow magically make it so nobody else is watching either), then you’ll be better off. |
这里的另一个好处是它可以防止Tor看到你在VPN/SSH背后的身份。因此,如果有人设法打破Tor,并了解你的流量的IP地址是来自,但你的VPN/SSH实际上是通过他们的承诺(他们不会看,他们不会记得,而且他们会以某种方式神奇地让其他人也不看),那么你就会更好。 |
You -> Proxy -> Tor
| original text |
译文 |
| This does not prevent your ISP etc from seeing that you’re using Tor because the connection between your and the proxy is not encrypted. |
这并不妨碍你的ISP等看到你在使用Tor,因为你和代理之间的连接是不加密的。你和代理之间的连接是不加密的。 |
| Sometimes this prevents Tor from seeing who you are depending on the configuration on the side of the proxy server. So if somebody does manage to break Tor and learn the IP address your traffic is coming from, but your proxy does not log an the attacker didn’t see the unencrypted connection between your and the proxy, then you’ll be better off. |
有时这可以防止Tor从看到你是谁,取决于配置的一方代理服务器。因此,如果有人设法打破Tor和学习的你的流量来自的IP地址,但你的代理并没有记录在案。攻击者没有看到你和代理服务器之间未加密的连接。代理,那么你会更好。 |
You -> Tor -> X
| original text |
译文 |
| This is generally a really poor plan.Some people do this to evade Tor bans in many places. (When Tor exit nodes are blacklisted by the remote server.)(Read first for understanding: How often does Tor change its paths?.Normally Tor switches frequently its path through the network. When you choose a permanent destination X, you give away this advantage, which may have serious repercussions for your anonymity. |
这通常是一个非常糟糕的计划。有些人这样做是为了逃避许多地方的Tor禁令。(当Tor的出口节点被远程服务器列入黑名单时)。先阅读理解。Tor多久会改变它的路径?。通常情况下,Tor在网络中切换频繁地切换它在网络中的路径。当你选择一个永久的目的地X,你就放弃了这个优势,这可能会对你的匿名性产生严重的影响。对你的匿名性产生严重影响。 |
You -> Tor -> VPN/SSH
| original text |
译文 |
| You can also route VPN/SSH services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN/SSH exit nodes, you at least get to choose them. If you’re using VPN/SSHs in this way, you’ll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc).However, you can’t readily do this without using virtual machines. And you’ll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking. Even if you pay for them anonymously, you’re making a bottleneck where all your traffic goes the VPN/SSH can build a profile of everything you do, and over time that will probably be really dangerous. |
你可以将VPN/SSH服务,通过Tor。这可以隐藏你的互联网活动,并保证其安全性。Tor退出节点。虽然你会被暴露在VPN/SSH出口节点下,但你至少可以选择它们。至少可以选择它们。如果你以这种方式使用VPN/SSH,你会希望以匿名的方式付款(邮寄现金[注意你的指纹和打印机指纹]、Liberty Reserve、资金充裕的比特币,等等)。)然而,如果不使用虚拟机,你就不能轻易做到但是,如果不使用虚拟机,你不能轻易做到这一点。而且你需要使用TCP模式VPN(通过Tor路由)。根据我们的经验,通过Tor建立VPN连接是不可靠的,需要进行很多调整。即使你为它们付费匿名的,你也会产生一个瓶颈,你所有的流量都会进入VPN/SSH可以建立一个你所做的一切的档案,而随着时间的推移,这可能会非常危险。这可能是非常危险的。 |
You -> Tor -> Proxy
| original text |
译文 |
| You can also route proxy connections through Tor. That does not hide and secure your Internet activity from Tor exit nodes because the connection between the exit node to the proxy is not encrypted, not one, but two parties may log and manipulate your clear traffic now. If you’re using proxies in this way, you’ll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc) or use free proxies. One way to do that is proxychains. Another way would be to use a Transparent Proxy and then either proxify (set proxy settings) or socksify (use helper applications to force your application to use a proxy) the programs you want to chain inside your Transparent Proxy client machine. |
你也可以通过Tor路由代理通过Tor连接。这并不能隐藏和保护你的互联网从Tor出口节点的活动,因为出口节点与代理之间的连接节点与代理之间的连接是不加密的,不是一个,而是两方可能记录和操纵你现在的清晰流量。如果你以这种方式使用代理机构。你会希望以匿名方式支付他们的费用(现金邮寄[小心你的指纹和打印机指纹])。你的指纹和打印机的指纹],自由储备。完善的比特币,等等)或使用免费的代理。一种方法是代理链。另一种方法是使用透明代理,然后使用proxify(设置代理设置)或socksify(使用辅助程序来强制你的应用程序使用代理)。你想在你的透明代理客户机内连锁的程序。 |
You -> X -> Tor -> X
| original text |
译文 |
| No research whether this is technically possible. Remember that this is likely a very poor plan because [#You-Tor-X you -> Tor -> X] is already a really poor plan. |
没有研究这是否是技术上是否可行。请记住,这可能是一个非常糟糕的计划因为[#你-Tor-X你->Tor->X]已经是一个非常糟糕的计划。 |
You -> your own (local) VPN server -> Tor
| original text |
译文 |
| This is different from above. You do not have to pay a VPN provider here as you host your own local VPN server. This won’t protect you from your ISP of seeing you connect to Tor and this also won’t protect you from spying Tor exit servers.This is done to enforce, that all your traffic routes through Tor without any leaks. Further read: TorVPN. If you want this, it may unnecessary to use VPN, a simple Tor-Gateway may be easier, for example Whonix. |
这与上述不同。在这里,你不必向VPN供应商支付费用,因为你托管自己的本地VPN服务器。这不会保护你免受你的ISP看到你连接到到Tor,这也不会保护你免受被监控Tor出口服务器。这样做是为了执行,你所有的流量都通过Tor,没有任何泄漏。进一步阅读。TorVPN。如果你想这样,可能没有必要使用VPN,一个简单的Tor网关可能更容易,例如Whonix。 |
VPN/SSH Fingerprinting
| original text |
译文 |
| Using a VPN or SSH does not provide strong guarantees of hiding your the fact you are using Tor from your ISP. VPN’s and SSH’s are vulnerable to an attack called Website traffic fingerprinting |
使用VPN或SSH并不能提供强有力的保证,从你的ISP那里隐藏你正在使用Tor的事实。你的ISP。VPN和SSH很容易受到一种叫做网站流量指纹 |
| ^1^. Very briefly, it’s a passive eavesdropping attack, although the adversary only watches encrypted traffic from the VPN or SSH, the adversary can still guess what website is being visited, because all websites have specific traffic patterns. The content of the transmission is still hidden, but to which website one connects to isn’t secret anymore. There are multiple research papers on that topic. |
^1^攻击。很简单,这是一种被动的窃听攻击,虽然对手只观察来自VPN或SSH的加密流量,但对手却能从VPN或SSH,仍然可以猜到正在访问的网站。因为所有网站都有特定的流量模式。传输的内容传输的内容仍然被隐藏,但一个人连接到哪个网站不再是秘密。关于这个话题有多篇研究论文。 |
| ^2^ Once the premise is accepted, that VPN’s and SSH’s can leak which website one is visiting with a high accuracy, it’s not difficult to imagine, that also encrypted Tor traffic hidden by a VPN’s or SSH’s could be classified. There are no research papers on that topic. |
^2^ 一旦接受了这个前提,即VPN和SSH可以高度准确地泄露一个人正在访问的网站。一个人正在访问的网站有很高的准确性,这不难想象不难想象,由VPN或SSH隐藏的加密Tor流量也会被分类。可以被列为机密。目前还没有关于这个主题的研究论文。 |
| What about Proxy Fingerprinting? It has been said above already, that connections to proxies are not encrypted, therefore this attack isn’t even required against proxies, since proxies can not hide the fact, you’re using Tor anyway. |
那代理指纹呢?上面已经说过。到代理服务器的连接是不加密的,因此这种攻击甚至不需要针对代理服务器,因为代理服务器无法隐藏事实上,你正在使用Tor。 |
| ^1^ See Tor Browser Design for a general definition and introduction into Website traffic fingerprinting. |
^1^ 参见Tor浏览器设计,了解网站流量指纹的一般定义和介绍。 |
| ^2^ See slides for Touching from a Distance: Website Fingerprinting Attacks and Defenses. There is also a research paper from those authors. Unfortunately, it’s not free. However, you can find free ones using search engines. Good search terms include “Website Fingerprinting VPN”. You’ll find multiple research papers on that topic. |
^2^ 见远距离触摸:网站指纹攻击和防御的幻灯片。也有一篇研究论文来自这些作者。不幸的是,它不是免费的。然而,你可以通过搜索引擎找到免费的,使用搜索引擎。好的搜索词包括 “网站指纹VPN”。你会发现关于这个主题的多篇研究论文。 |
See also
Practical
- If you still want to combine Tor with a proxy, all combinations are possible using Whonix (anonymous general purpose operating system). Whonix’s optional configurations document this.
References
