You can setup an OpenVPN server on a VPS that's only reachable as a Tor onion service. You lease the VPS through Tor, as anonymously as possible. You pay with Bitcoin that's been mixed at least twice through Tor. See http://dbshmc5frbchaum2.onion/OpenVPN-Onion-VPS.html (using Tor, or a tor2web proxy).

Alternatively, or in addition, you can use nested chains of multiple VPN services. See https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano...

I guess in a way they're somewhat of the same thing, right? How much traffic do you think EC2, DigitalOcean, etc push out each day? Probably harder to tap that entire pipe.

I'm guessing that Amazon knows who you are. And I'm sure that they keep logs, for accounting and debugging. So being "one of a million EC2 nodes" doesn't hide you, in any way. That EC2 node has an IP address. While you're using it, it's your IP address.

When you "share a single egress point with hundreds of thousands of other people", determining whether some activity at some time was yours takes substantive analysis of logs. And often, those logs will be long-gone by the time anyone wants to crunch them.

But it depends on your goals, really. If you want security from local threats for doing real-name stuff (business, banking, etc) then you're better off with a private VPN. If you want a little casual anonymity, for torrenting or social media or whatever, then a VPN service is better. And if you want stronger anonymity, use Tor through VPN(s).

I'm not as concerned with law enforcement as I am with hackers and surveillance.

> And if you want stronger anonymity, use Tor through VPN(s).

Tor is basically a honey-trap for law enforcement and others. It's trivial to get your own exit node and sniff or modify traffic (proven in practice!), hidden services are a hack that don't adequately protect your privacy, and it's trivial to identify tor users from non-tor users. I like tor the technology, I don't like tor the network.

As with my guidance on VPNs, if you want to use tor right then setup your own network of routing nodes. Don't use the horribly insecure public one.

Saying that Tor is just a LEA honey-trap is just plain FUD.

Evil exit nodes are a risk. And websites are increasingly blocking Tor IPs. So run a VPN server as an onion service. You look like a simple VPS. And the VPN protects your traffic from evil exit nodes. And you're hitting that VPN server through seven-relay circuits.

Explain why the FBI has been able to unmask nearly every high profile hidden service operator they go after then? Each time it's a different strategy, and they have all been incredibly effective. Some relied on bugs in Tor, others on broken tools used to access it, others on poor UX that encourages operational security failures. Russian intelligence ran their own set of exit nodes for a period and replaced all executable downloads with malware! You are objectively less safe using the public Tor network.

I don't think the concept of "crowding" is a recognized security property of a system. At least, I've never seen it used before. The way that single-hop commercial VPN services "crowd" people together creates a massive liability. The way that Tor allows anyone on their public network creates a free-for-all where you're exposed to more surveillance and more malicious code (entry/exit node manipulation). Each of these offer straightforward targets for a slow, lumbering, resourced attacker to eventually completely compromise with users none the wiser.

Maybe successfully defending against the weaker adversaries is useful to many people, although it raises a serious challenge of how to clearly disclose the risks and limitations, which I see as a very important challenge for Tor on both the browser and hidden service sides.

(Hidden services might have categorically worse problems so that there's almost no realistic threat model in which their current design is safe; maybe that's what you're getting at?)

Like everything else in cryptography, users don't care if things are insecure: things must be secure, because users want them to be! Ignore the Tor users getting zorched by governments; they're all outliers!

This is a point that I wish more people were familiar with. Tor has been oversold as the privacy project to protect from everything. The Snowden docs leaked out and privacy activists ruffled around their pockets asking, "what do we have to rally behind?" They found Tor and stuck with it, despite it certainly not being built for that task.

Almost always failure to follow the grugq's advice about compartmentalization and opsec. CMU attack was an isolated incident.

Like, this won't save you if you're engaging in evil shenanigans. It will make you much harder to surveil.

I'm freaked by the idea of using third-party generated PKI, I must admit. But that's arguably no worse than trusting third-party VPN providers.

And then there's the absence of crowding. Unless users share their VPNs.

We just provide a nifty UI so you don't have to :)

Maybe add ta.key?

You need to determine who your adversary is (at least the category of adversary they're in).

If your adversary is The NSA, you're probably fucked already - get off the internet.

If your adversary is your local drug or anti-terror law enforcement, they're probably getting "hints" from the NSA and likely parallel reconstructing evidence against you based on that.

If your adversary is closer to local cops, MPAA/RIAA, your boss, your parents, your ex-wife's lawyer, or your ISP - this list provides a great deal of useful information.

Browser/cookie hygiene is orthogonal to VPN/network hygiene.

I’m happy to pay somebody 5/mo to handle that + patching etc. etc.

The steps are: 1) Make a DigitalOcean or Rackspace account. 2) Make an API key by clicking <link> and hitting the button. 3) Insert it in this box. 4) Hit go.

That's it. Then you download/install the client (like you would with any other VPN service) and you're done. You don't need to know anything about the droplet size, or anything else.

Quite literally, my mom has done this, and she sells clothing for a living and is not technically adept.

I will likely use Libreswan for both L2TP/IPsec and IKEv2, and give the user a choice between those options at installation. L2TP/IPsec support is still a little more ubiquitous, but IKEv2 will be set up by default. It's a much better protocol with significantly less legacy baggage.

Your comments on Tor are thought-provoking too. I can look into making that optional as well, either through a prompt or command-line flag.

Thanks for the feedback! Let me know if you have any other suggestions.

Sidenote: Ubuntu's security posture appears slightly better than Debian's, but I'm a little vague on the details. Historically, Ubuntu has had people like Kees Cook working on security of their distro and relentless pursued AppArmor policies, adoption of exploit mitigations, and reducing the footprint of the default install. Any way you can make it more distro-agnostic so I could run the installers on Ubuntu instead would be appreciated!

Btw, I didn't notice that portable OpenIKED was deprecated :-(.

Good news! Your Ubuntu dreams are already a reality. The playbooks are currently designed for Ubuntu 14.04. I was using Debian 7 at launch (which might be what you saw previously) but I switched the base distribution late last year. Ubuntu 16.04 is the frontrunner for the next upgrade. The playbooks and roles are complicated enough that it's not terribly practical to target multiple distros, especially given the wide support that Ubuntu enjoys.

I'm 90% done, just need motivation to spend another 90% to finish up the last %10.

What might be effective would be an app that created multiple instances, with multiple providers, and then shared them with other users. So you were all using multihop VPNs, with the hops changing frequently. The https://www.softether.org/ project allows users to share their VPN servers. You'd just take that to the next level.