Deep dive into VPN & Proxies: How to stay safe online
In my last post, I wrote about DNS, VPN & Proxies. While that one focused on simple explanations, this one is going to be more comprehensive & technical.
As usual, you are requested to do your due diligence before using any service providers. I won’t talk much about DNS, so please visit my last post, DNS, VPN & Proxies in layman’s terms, to see its breakdown.
So, starting off, I first want to clarify three terms, i.e., Privacy, Security & Anonymity.
Privacy- Privacy is a concept where people can only see what you want them to see. E.g., maybe you don’t want everyone to know where you live; the same could apply to your phone number, DOB, etc.
Security- Security is the implementation of certain practices which help you stay safe. E.g., you use locks to keep your home safe; the same could apply to using passwords to secure online accounts.
Anonymity- Anonymity is the concept where your online identity stays private & cannot be deduced easily. E.g., a journalist would want to keep their identity hidden in order to avoid being tracked by criminal organizations.
Sad to say, most people don’t even know the differences, let alone practice them to full avail. It is also worth mentioning that privacy & anonymity are often used interchangeably; however, they differ in more ways than one.
Towards the end of this article, I’ll share some techniques to protect your online identity. You are requested to read that portion thoroughly in order to reap maximum benefits.
VPN (Virtual Private Network)
VPN or Virtual Private Network is a technology that creates a private tunnel between a client & the Internet by routing traffic through a private network. This essentially enhances the privacy & security of traffic while also shielding it from the prying eyes of any MiTM (Man in The Middle).
To better understand the workings of a VPN, let’s first see what actually happens behind the scenes without it:-
Fig: Client → ISP → Internet → Different Servers
The client opens the browser & types a domain name.
A DNS request is sent to the ISP over UDP (port 53) to fetch the corresponding IP address.
The ISP sends back the IP after receiving it from the authoritative nameserver.
The browser sends a connection request to that IP using the selected protocol, i.e., HTTP/HTTPS. This request travels over the ISP network.
The website sends back a reply, which also travels over the ISP network.
A few important points,
i. The ISP can see all lookups made using DNS & can even see HTTP traffic unless it’s encrypted.
ii. In the case of HTTPS, even if they can’t figure out the exact transaction, ISPs can pretty much put it together using correlation analysis.
iii. Websites will see the IP allocated by the ISP, which will be unique to a single device at a given time. With just a few search queries, the location of the user can be figured out easily.
iv. The same applies to data transfers by mobile apps & underlying OSs. So if you use an app that doesn’t implement HTTPS, your data is pretty much visible to the ISP. Simply put, this is a privacy nightmare.
v. This could mean the ISP can use this data to track you across the Internet, build your profile, show you ads or even sell your data.
vi. Now replace the ISP with a malicious MiTM (Man in The Middle); depending on their access level they could commit identity theft, perform social engineering, infect your system with malware or, even worse, frame you for crimes they commit.
vii. In case you live in a restrictive regime, your government could impose censorship on selective content (websites, social media platforms, and search engines, to name a few). Since your ISP has to follow government orders, you won’t be able to see these sites without either a VPN or a Proxy.
Now let’s see how & where VPN comes into play:-
Fig: Client → ISP → VPN Server → Internet → Different Servers
The client installs VPN software, selects a protocol (more on this below) & clicks connect.
The client’s request travels to the VPN provider’s private network over the ISP network. There the VPN provider performs a key exchange & allocates an IP to the client.
Now the connection between the client & VPN provider is encrypted and will appear as garbage to any onlooker. The client can now browse privately without worrying about the ISP or malicious actors snooping on the connection.
The client opens the browser & searches for a website.
The DNS request is processed by the VPN provider (unless different DNS servers are configured at the OS/network level).
The rest of the process is the same as with the ISP, with the exception of the private tunnel.
A few important points,
i. The connection is only encrypted between the client & VPN provider by default. If you visit an insecure website (non-HTTPS), your traffic between the VPN & the website is up for grabs.
ii. The VPN provider essentially becomes your new ISP; unless they are trusted, they pose the same threats.
iii. A single VPN IP is allocated to multiple clients, instead of the isolated IP in the case of an ISP. This makes it harder to pinpoint the actual location of a user. It also makes it easier to browse the internet over public networks without revealing unnecessary data.
iv. A VPN at its core provides privacy & security; however, achieving anonymity using only a VPN is a false claim. Using TOR in conjunction with a VPN (more on this in a later section below) is good practice to achieve this.
v. Services like WebRTC & WebGL could reveal the original IP address even over a VPN. Disabling such services enhances privacy.
vi. A VPN cannot protect you from browser fingerprinting, which could be utilized to identify a user across the internet. There are also techniques like traffic analysis, search pattern recognition, and behavior analysis, among others, which could reveal the identity of a user. This is why I said earlier that any VPN which claims you will be anonymous is making misleading claims.
vii. Since VPN traffic can be correlated, I’d recommend changing your servers every once in a while according to your use case. As VPN IPs act like static ones, if you keep using one it becomes easier to pinpoint you among the other users sharing the same IP, due to browsing & connection patterns. One more thing to mention is that device time can also be used to track someone across the internet. I won’t go into specifics; however, this is something to keep in mind while surfing the internet.
As we already know that a VPN creates a private tunnel between the client & server, let’s see how this is implemented. VPNs use specialized tunneling protocols which help them create this private & secure tunnel. It is also worth mentioning that a VPN connection is only as strong as the protocol it uses.
Each protocol is usually divided into 2 components, i.e.,
(i) The control channel, which looks after the key exchange, assigning the IP, DNS & routes, and authenticating the client to the VPN server.
(ii) The data channel, which transports the actual encapsulated data from client to server & vice versa.
Working in absolute harmony, these channels play an important role in keeping communication secure.
Now that we know the basics of protocols, let’s discuss some of the most common ones in use. There are 5 widely popular protocols, namely PPTP, L2TP, IKEv2, OpenVPN & WireGuard. Please note that each of these protocols uses either TCP or UDP; only OpenVPN is known to use both.
Recently I came to know that ProtonVPN is also working on developing a new protocol that will be more effective in bypassing firewalls & evading censorship.
Now let’s find out more about these protocols:-
PPTP- PPTP or Point-to-Point Tunneling Protocol uses Enhanced GRE (Generic Routing Encapsulation) to establish a connection over TCP port 1723. Originally introduced in 1999, it is an enhanced implementation of PPP (Point-to-Point Protocol). I want to point out that PPTP doesn’t do any encryption by itself & relies on PPP to do so. Please beware that PPP uses the RC4 algorithm (up to 128 bits), which is known to have several vulnerabilities. For the love of your data, please don’t ever use this protocol.
L2TP- L2TP or Layer 2 Tunneling Protocol uses IPSec (Internet Protocol Security) along with UDP ports 500, 5500 & 1701 to function. Designed as a replacement for PPTP, it uses the AES algorithm to enforce encryption. As we discussed channels earlier, the control part is handled by IPSec while the data part is handled by L2TP. Please note that according to some leaked reports, the NSA had allegedly broken L2TP back in 2016, so it’s wise to look into more secure ones.
IKEv2- IKEv2 or Internet Key Exchange version 2 also uses IPSec, with UDP ports 500 & 4500, in order to function. While L2TP implements IPSec, IKEv2 is practically built on top of it. It uses a unique feature known as security associations while leveraging key strengths of up to 256 bits with encryption algorithms like AES, Blowfish, ChaCha20, and Camellia. Please note this is a fast & secure protocol compared to the previous two and is widely used in the industry.
OpenVPN- OpenVPN is likely the most used VPN protocol in the world, with robust security features. It uses SSL/TLS in place of IPSec & offers service over both UDP & TCP, which makes it suitable for multiple use cases. It also leverages hardware acceleration, something which most VPN protocols tend not to use. One of the most liked things about it is that it uses the OpenSSL library & PFS (Perfect Forward Secrecy) to provide the best possible connection security. One downside of this security mechanism is that OpenVPN requires high computing power in order to deliver. Do keep in mind that while UDP mode provides fast speeds, it cannot bypass censorship due to its very nature; this is where TCP mode comes into play.
WireGuard- The latest addition to the protocol family, WireGuard is the fastest VPN protocol to date. Running over UDP, it relies on algorithms like ChaCha20, Curve25519, Poly1305, and BLAKE2s in order to offer lightning-fast speeds which are second to none. However, due to the fact that UDP is used, censorship bypass is still not possible at the moment. Do note that while WireGuard doesn’t offer robust security like OpenVPN, it still packs a punch. With proper configuration, it offers the fastest connection speeds with reasonable security controls.
Now that we know about VPN, let’s dive into Proxies next.
Proxy
A proxy is a special type of server that acts as an intermediary between a client & outside networks (like the internet). It listens for a request and then either forwards it or drops it as per its configuration. Please note that while proxies work in a similar manner to VPNs, they have different use cases.
Proxy servers operate at two implementation levels, as follows:-
I. Forward Proxy (when implemented on the client side)
Fig: Client → Forward Proxy Server → ISP → Internet → Different Servers
The client gets the IP of a forward proxy server & configures their system to use it while browsing.
The client opens the browser & searches for “medium.com”.
This query goes to the forward proxy server, which makes the request on the client’s behalf.
Once “medium.com” sends a response to the forward proxy server, it then forwards it back to the client. It is a pretty effective method since, in an ideal scenario, the website won’t know who actually requested the resources.
II. Reverse Proxy (when implemented on the server side)
Fig: Client → ISP → Internet → Reverse Proxy Server → Different Servers
The client opens the browser & searches for “medium.com”.
This query travels to the internet over the ISP’s network.
The reverse proxy server receives the request & checks its configuration to decide on an action. If the action is allowed, the request is sent to the respective server for processing.
Once the web server has processed the request, it is sent back to the reverse proxy server, which then forwards it to the client via the internet. This technique of putting reverse proxy servers in front helps defend the actual servers from malicious attacks like DoS/DDoS.
Now a few important points,
i. Proxy servers in most cases don’t encrypt traffic by default. In the cases where they do, more often than not it’s HTTPS. Make sure to check these things before using any proxy server. This is where VPNs shine with their unique encryption algorithms.
ii. Proxy servers can store browsing logs and use them as per the owner’s policies. It’s always worth paying for a good proxy service rather than using free ones.
iii. One more danger is that most free (and sometimes paid) proxies are deployed by a few organizations who then infect them with malware in order to infect users & thus create an army of bots. These bots are then sold to cybercriminals to do as they please, i.e., launching DoS/DDoS attacks and using these computers to breach organizations, among other nefarious things.
iv. Proxy servers can share the origin IP in headers like X-Forwarded-For, which could unmask the client. They can also easily modify the requests/responses without the client knowing.
v. It’s a good idea to use multiple proxy servers from different providers in a chain. This will provide better security, with the downside of slower connection speed. One of the most used examples of this type of configuration is the Tor Network (more on this towards the end of this article).
vi. Two of the most famous forward proxy servers in the security community are Burp Suite & OWASP ZAP. Both of these are used to intercept web requests & then perform several operations on them in order to find vulnerabilities & other sensitive information, which could help in protecting the intended source & destination.
Now let’s see the different types of proxy protocols we can use:-
I. SOCKS- SOCKS, aka Secure Sockets, is a protocol that sends your data as is. That means your data is transferred without any attempt to read it. SOCKS-based proxy servers are used simply for forwarding & receiving data. SOCKS currently has two versions, i.e., v4 & v5, of which v5 is the latest & more robust than the former.
II. HTTP- HTTP or Hyper Text Transfer Protocol enabled proxy servers are used as content filters. That means they can see all your data & then either forward or drop it based on their configuration. When these servers use SSL/TLS they are known as HTTPS proxy servers.
Now that we know of some common proxy protocols, let’s see their different types:
I. Transparent proxy- These proxies are also known as level 1 proxies. They don’t provide anonymity to their users & almost always share the origin IP in headers like X-Forwarded-For & announce to servers that they are proxies. Their main use case is to cache web content & store it for a pre-determined time period in order to save bandwidth & other resources.
II. Anonymous proxy- These proxies are also known as level 2 proxies. While they tend not to share the origin IP, they do announce that they are acting as a proxy for a client. These proxies can be used in the scenario where you don’t want to reveal the origin IP but have no qualms about sharing that a proxy server is in use.
III. Elite proxy- These proxies are also known as level 3 proxies. They act as an independent client & don’t give away any indicators which could classify them as a proxy server. They are ideal for the scenario where a client doesn’t want to disclose that they are using a proxy server.
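As an added self-check for the three proxy levels above (and the X-Forwarded-For leak mentioned under point iv), this script is not from the original post or any product: it assumes you know your own origin IP and can read the headers that arrived at an endpoint you control, and the sample requests are constructed.

```python
# Classify a proxy as transparent / anonymous / elite from what a server actually receives.
# Added illustration, not the page's code. Header names are the common de-facto ones
# (X-Forwarded-For, Via, Forwarded, ...); the sample requests below are constructed.

# Headers whose mere presence announces "a proxy handled this request".
PROXY_HINT_HEADERS = ("via", "forwarded", "x-forwarded-for", "x-proxy-id", "proxy-connection")

def classify_proxy(arrived_headers: dict, origin_ip: str, connecting_ip: str) -> str:
    """Return 'direct', 'transparent' (level 1), 'anonymous' (level 2) or 'elite' (level 3).

    arrived_headers: headers the server saw; origin_ip: the tester's real address;
    connecting_ip: the TCP peer address the server saw.
    """
    headers = {k.lower(): v for k, v in arrived_headers.items()}
    if connecting_ip == origin_ip:
        return "direct"                        # no proxy in the path at all
    leak_fields = " ".join(headers.get(n, "") for n in ("x-forwarded-for", "forwarded"))
    if origin_ip in leak_fields:
        return "transparent"                   # origin IP handed to the server in headers
    if any(name in headers for name in PROXY_HINT_HEADERS):
        return "anonymous"                     # origin hidden, but the proxy announces itself
    return "elite"                             # indistinguishable from an ordinary client

# Constructed samples: 203.0.113.7 is "our" origin IP, 198.51.100.x are proxy addresses
# (documentation ranges, not real hosts). Each entry is (connecting_ip, arrived_headers).
ORIGIN = "203.0.113.7"
SAMPLES = {
    "no_proxy": ("203.0.113.7", {"Host": "example.test", "User-Agent": "curl/8.0"}),
    "transparent": ("198.51.100.10", {"Host": "example.test",
                                      "X-Forwarded-For": "203.0.113.7", "Via": "1.1 cache1"}),
    "anonymous": ("198.51.100.11", {"Host": "example.test", "Via": "1.1 proxy2"}),
    "elite": ("198.51.100.12", {"Host": "example.test", "User-Agent": "curl/8.0"}),
}

def check_samples() -> dict:
    """Run the classifier over every constructed sample; returns {sample_name: level}."""
    return {name: classify_proxy(hdrs, ORIGIN, ip) for name, (ip, hdrs) in SAMPLES.items()}

if __name__ == "__main__":
    for name, level in check_samples().items():
        print(f"{name:12s} -> {level}")
```

The check is only as good as the header list: a proxy that leaks the origin through some other channel (WebRTC, a custom header, DNS) will still come out as "elite" here, so treat that result as "nothing found", not as proof of anonymity.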
TOR (The Onion Router)
Now that we have knocked off some basic concepts about VPNs & Proxies, let me tell you some ways of protecting your online identity.
In both the VPN & Proxy sections, I have mentioned the term TOR (The Onion Router), which is an advanced open-source implementation of proxy servers in order to provide anonymity to internet users.
Let’s see how TOR works:-
Client → TOR entry node → TOR middle node → TOR exit node → Internet → Different servers
The client downloads the TOR software bundle & opens the TOR browser.
The TOR browser starts the connection process, which involves finding routes & opening a local port (usually 9050).
After routes are set, the client searches for “medium.com”.
This request is first sent to the TOR entry node, which intercepts it & forwards it to the middle node.
The middle node intercepts the request & forwards it to the exit node.
The exit node intercepts the request & then forwards it to the web server for “medium.com”.
When the web server sends data back, the same process is repeated in reverse order.
A few important points,
i. In the TOR network, one node only knows the address of the next node. This compartmentalization helps secure the identity of all nodes engaged in a communication.
ii. TOR is used for evading surveillance & protecting online identity. It is one of the most important tools in the arsenal of privacy advocates, journalists, spies & other privacy-minded people.
iii. The TOR network operates like the layers of an onion, hence the name The Onion Router. Traffic is forwarded to the next node without sharing the whole route, which makes it difficult to track someone in the TOR network.
iv. TOR makes all users look identical in order to resist browser fingerprinting; in case you use additional add-ons, it could render TOR ineffective.
v. TOR traffic can also be decrypted if users follow poor internet hygiene, which includes browsing HTTP sites, downloading shady files, logging in to social media/tracking sites, and following a browsing pattern. It could also happen if an attacker has access to your network traffic along with control over the entry & exit nodes.
vi. ISPs can see when someone uses TOR; for this reason the use of a VPN is necessary. However, using this technique could risk the integrity of TOR traffic if the VPN is compromised or you made a misconfiguration. Unless you know exactly what you are doing, please don’t use them together.
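To make points i and iii concrete, here is an added toy simulation of onion layering (not code from the original post, and not Tor’s real protocol): the client wraps the request in one layer per hop, and each node can peel only its own layer, so it learns the next hop and nothing else. The “cipher” is a throwaway SHA-256 keystream XOR so the script runs with only the standard library; real Tor circuits negotiate per-hop keys and use AES.

```python
# Toy onion routing: one encryption layer per hop, peeled in order entry -> middle -> exit.
# Added illustration only; the XOR-with-SHA256 stream below is NOT a real cipher and has no
# authentication. Tor's actual circuits use negotiated per-hop keys and AES.
import hashlib
import os

NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (toy construction for the demo)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def open_layer(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_onion(hops, destination: str, payload: bytes) -> bytes:
    """hops: [(node_name, key_shared_with_that_node), ...] from entry to exit.
    Wrap innermost (exit) first. Each layer = 1-byte length + next-hop name + inner blob."""
    next_hop, blob = destination, payload
    for name, key in reversed(hops):
        frame = len(next_hop).to_bytes(1, "big") + next_hop.encode() + blob
        blob = seal(key, frame)
        next_hop = name           # the previous hop must be told to forward to this node
    return blob

def route(hops, onion: bytes):
    """Simulate the path: each node peels one layer and forwards the rest.
    Returns ({node: the only address it learned}, payload delivered by the exit node)."""
    learned, blob = {}, onion
    for name, key in hops:
        frame = open_layer(key, blob)
        n = frame[0]
        learned[name] = frame[1:1 + n].decode()   # next hop is all this node can see
        blob = frame[1 + n:]                        # still-wrapped inner layers go onward
    return learned, blob

def demo():
    # Constructed circuit: three nodes with random per-hop keys and a sample HTTP request.
    hops = [("entry", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    request = b"GET / HTTP/1.1\r\nHost: medium.com\r\n\r\n"
    onion = build_onion(hops, "medium.com", request)
    learned, delivered = route(hops, onion)
    return learned, delivered == request, b"medium.com" not in onion

if __name__ == "__main__":
    print(demo())
```

Note what the simulation does not model: the entry node still sees the client’s real IP, and the exit node sees the plaintext request, which is exactly why points v and vi above matter.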
Now let’s see how we can use a VPN in conjunction with TOR to gain maximum anonymity. Please note that while I’m sharing this to give you an overview, making proper configurations is your responsibility.
[ Disclaimer: The first three scenarios are bad operational security in my perception & I only recommend the fourth with a good provider. ]
I. Client → ISP → TOR- In this scenario, the client connects to TOR over the default ISP network. Here the ISP can see that the client connected to the TOR network as well as the IP of the entry node. However, they cannot see any traffic that is exchanged, nor the destination.
II. Client → Proxy → ISP → TOR- In this scenario, the client first connects to a proxy server, then connects to the TOR network. While this does sound more secure than the previous scenario, it’s not. Here, in addition to the ISP, the proxy server can also see the origin IP & entry node. This scenario, TBH, doesn’t make sense in my mind & I strongly recommend against using it.
III. Client → TOR → Proxy- In this scenario, the client first connects to the TOR network, then uses it to connect to a proxy service. I don’t even know why someone would attempt to do this, as it undermines the whole concept of TOR. I strongly recommend against using this setup unless you have some exceptional use case for it. Even in that scenario, please note it could be used to decipher your online identity as well as your traffic.
IV. Client → VPN → TOR- In this scenario, the client first connects to a VPN and tunnels their traffic through its servers, then connects to the TOR network using its software suite. This does two things, i.e., it prevents the ISP from knowing you are using TOR & also prevents TOR from seeing your origin IP. It goes without saying that the VPN provider should be trusted & situated in a country where they couldn’t be forced to hand over their logs / spy on their users. This is a setup which could be used by most users to stay anonymous over the internet while enjoying the best of both worlds, i.e., VPN & Proxy.
Kudos, you finally made it to the end of this article. Please accept my humble gratitude for reading; I hope you liked it. I’m dropping some TOR implementations here, please do your research & see if they match your particular use case: Whonix, TAILS, Orbot, QubesOS.
Please provide your feedback/suggestions in order for me to improve my writing as well as provide better content.
Until we meet again.