
Trust and VPNs

Rules


Be considerate or be yeeted. This does not need to degenerate into the last PIA post. I wanted this one to be productive. Plus you can learn a tad bit about PKI if you scroll down to the video. ;)

Mentioning Israel or their intelligence directives has NOTHING to do with being Jewish, nor is it meant to call anybody out from that region. Please, nobody start sharing opinions related to them in a manner meant to hurt or insult one another.


The Concern

So as we all know Kape Tech has bought all the big VPN names.

These were previously outside United States CIA jurisdiction due to being within the United States (if you believe they follow those rules). (Most people considered this a good reason to actually have a VPN from within the US. Others are in the Panama and Swiss camp, so to each their own.)

Now they are in Israel's hands, who has a security cooperative with the United States. CIA and Mossad talk. Higher executives within the company are former Unit 8200. Unit 8200, for those not up to date on the military intelligence side of things, is a secret intelligence directive run under the guise of support activity operations for the Israeli Defense Force. They are about as badass as they get and far more capable than the NSA in some regards because they don't have to worry about getting caught. That said, they usually avoid doing so and that's why you haven't heard of them.

Well, one of their people that used to be really good at system exploiting is now the CEO of Kape Tech.

Let this sink in: why is the top exploiter from Mossad suddenly in charge of all these companies, and who gains to win? Not to mention all his former buddies are in the CTO and chief engineer positions etc.

I know, now you're thinking who's this nut job who's talking about this, why would I care.


So this spawns a conversation about trust. Not just the chain of trust in a PKI but trust overall. People put a lot of faith in services they can run on the cheap. This is fine from an obfuscation standpoint. Can we trust any major VPN provider? No, and you never should have. Most of us people who knew this have anyway because we don't need to be an invisible man but more or less one amongst a crowd.

So why the need to make a post if we already shouldn't have trusted them? The problem is people use them as a trustworthy place to pipe their network traffic through. It's totally chill to use to bypass ISP restrictions.


How to eliminate VPN trust issues and still use it?

Unfortunately this means you're going to break out the onion router within the VPN. You can't trust the VPN endpoint, so to add obfuscation and trust your traffic being safe it's best to set up TOR within the VPN.

If you don't feel like sacrificing your connection speed for this you can always make your own VPN. You can get a VPS of config 2 vCPU and 2 GB of RAM, which should be more than plenty for this, or alternatively the 1 vCPU as cheap as you can. Anyways, what matters here is not the specification. If you want to be an invisible man or woman you have to decide how you're going to run this even if you do not want to be invisible.

Invisible: (this would have a special purpose)

  • Buy it with cryptocurrency (preferably Monero turned into Bitcoin)
  • Do not tie it to any email that can be traced back to you
  • Do not connect it to known locations you stay like home and work
  • Do not surf any personal traffic that can be tied to specifically you on it.
  • There's a lot more you shouldn't do but we won't get into that. Educate yourself :wink:

Just a trusted VPN server:

  • Well, buy it with a normal credit card. Who cares if it's tied to you. It's just an endpoint like a SOCKS proxy would be.

So we have a choice of VPNs. @sgtawesomesauce is a fan of WireGuard and I completely understand why. His reasons for loving it he can reply about.

I'm going to talk about the things that make me like it, particularly on the cipher end.

WireGuard has what most consider to be a bleeding edge set of protocols.

It has a lot less overhead and a very minimal code base. In comparison, WireGuard has about 4300 lines of code where OpenVPN has over 500000. This alleviates my concern of it not yet fully being audited as a security protocol. The less code, the less chance you have for a bug or security flaw. It also makes the code far easier for the average programmer to audit. For those unfamiliar, auditing is us trying to find a vulnerability and close it up. Not to mention the lack of so much overhead means way better performance. Anyways, let's talk about one commercial option and also the setup guide to each on a personal VPS. The cons I have with it is that it's in heavy development, so things change too often.

Trustworthy Commercial Wireguard VPN

Can confirm their logs are all sent to /dev/null and you can pay with Monero :wink:

OpenVPN Setup

Let’s assume you have EasyRSA installed and OpenVPN on your choice of distro or OS (FreeBSD, Debian 10, CentOS).

This differs on every distribution so I don't want to get distribution specific. What you need to do first is find your EasyRSA vars file (normally located in its installation folder).

set_var EASYRSA_REQ_COUNTRY    "Panama"
set_var EASYRSA_REQ_PROVINCE   "Panama"
set_var EASYRSA_REQ_CITY       "Panama City"
set_var EASYRSA_REQ_ORG        "Self Hosted VPN"
set_var EASYRSA_REQ_EMAIL      "<EMAIL>"
set_var EASYRSA_REQ_OU         "Obscufate"

These variables are to each their own. Let's get tough with the crypto digests. Find and change to 512:
# remove the leading '#' from the line in vars so the setting takes effect
set_var EASYRSA_DIGEST "sha512"

Decide on the key you want, either RSA or curve, and find the following lines for either and change them to the key length you want respectively

# remove the leading '#' from these lines in vars so they take effect
set_var EASYRSA_ALGO		rsa
set_var EASYRSA_KEY_SIZE	4096
or
set_var EASYRSA_ALGO		ec
# Let's use the secp521r1 curve (NIST P-521)
set_var EASYRSA_CURVE		secp521r1

Set those variables to whatever you wish. It will be part of the certificate and key creation. RSA is trusty and strong but EC is new and rather fast but there are rumors it can't be trusted.

Run the initial PKI (aka build your CA and everything you need for the Private Key Infrastructure). Here's a link to understand how PKI works:

Let's build the PKI infra:
# run these from the EasyRSA installation directory (where the easyrsa script and vars live)
cd "$EASYRSA_DIR"

# generate a directory to store all files
./easyrsa init-pki

# generate cert authority
./easyrsa build-ca nopass

# gen server key and req
./easyrsa gen-req server nopass

# sign the server request to produce server.crt
./easyrsa sign-req server server

# gen client key and req
./easyrsa gen-req client nopass

# sign the client request to produce client.crt
./easyrsa sign-req client client

You can choose to leave this all in this directory or you can clean up the directory structure to your liking. Either way I won't tell you what to do here.

Now on your VPS set up the firewall correctly to handle both SSH and port 443. Do not skip this step. (This is shorthand.) Using iptables is pretty easy. Assuming it's installed you can find IPv4 rules here: /etc/iptables/rules.v4. You can use ANY other firewall, just configure it properly.

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward the VPN traffic to <INTERFACE>
-A POSTROUTING -s 10.8.31.0/24 -o <INTERFACE> -j MASQUERADE
COMMIT

Setup loop back so you can get a functional internet connection between the VPS Ethernet connection and the VPN endpoint broadcast.

*filter

# Allow all loopback (lo) traffic and reject anything otherwise
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow SSH.
-A INPUT -i <INTERFACE> -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o <INTERFACE> -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

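# Allow TCP traffic to the VPN port. (Or you can use UDP.)
-A INPUT -i <INTERFACE> -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
-A OUTPUT -o <INTERFACE> -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT

# Allow DNS resolution and limited HTTP/S on <INTERFACE> for updating etc
-A INPUT -i <INTERFACE> -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o <INTERFACE> -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i <INTERFACE> -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A INPUT -i <INTERFACE> -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -o <INTERFACE> -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -o <INTERFACE> -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT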

# TUNNEL Traffic
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# Else reject
-A INPUT -j REJECT
-A OUTPUT -j REJECT

COMMIT

Disable IPv6 in sysctl

net.ipv4.ip_forward = 1

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

Commit this with sudo sysctl -p and also remove any IP6 lines in your hosts config or anywhere that would otherwise resolve IP6. We want to disable it because IP6 is very unique and pinpointable as it's usually not behind NAT and everyone gets a unique address that's nowhere else since it supports so many addresses. Furthermore, block this in /etc/iptables/rules.v6 for simple iptables:

*filter

-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT 

Now we get to the nitty gritty. A good secure configuration

Server.conf:

#/$DIR$/openvpn/server.conf
local <IP>
dev tun
# you can also isolate here
topology subnet
proto tcp
port 443
server 10.8.31.0 255.255.255.0
tls-server

ca /etc/openvpn/server/certificates/ca.crt
# crl-verify /etc/openvpn/server/certificates/crl.pem
cert /etc/openvpn/server/certificates/server.crt
key /etc/openvpn/server/certificates/server.key
tls-crypt /etc/openvpn/server/certificates/tls_crypt.key

dh none
# named curve for the ECDH key exchange (the same curve as EASYRSA_CURVE above)
ecdh-curve secp521r1
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
# specify min (can be 1.3)
tls-version-min 1.2
persist-tun
# obviously; with no algorithm argument only the compression framing is enabled
compress
persist-key
keepalive 10 120
user ovpn
group ovpn
status /var/log/openvpn-status.log
log /var/log/openvpn.log
push "redirect-gateway"
push "dhcp-option DNS 10.8.31.1"
push "dhcp-option WINS 10.8.31.1"
push "route-ipv6 2000::/3" 

Client.conf:

# /$DIR$/openvpn/client.conf
client
dev tun
remote <IP> 443
proto tcp
resolv-retry infinite
compress
nobind
verify-x509-name "COMMON_NAME_OF_THE_SERVER_CERTIFICATE" name
remote-cert-tls server
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
auth-nocache
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
ca /etc/openvpn/client/certificates/ca.crt
cert /etc/openvpn/client/certificates/client.crt
key /etc/openvpn/client/certificates/client.key
tls-crypt /etc/openvpn/client/certificates/tls_crypt.key

So what are we doing that hardens it? ONE we are moving away from UDP to TCP to avoid firewall limiting. We do this by specifying that protocol. We are also configuring it to the singular most open port of 443.

So Logjam exploits do affect the Hellman key exchange, so to mitigate it we are using an EC based Diffie-Hellman (change your configs up earlier to reflect it please).

We have replaced TLS-Auth with TLS-Crypt since its now recommended by most security gurus. Now we can gen the secret

 openvpn --genkey --secret /$DIR$/openvpn/server/certificates/tls_crypt.key
cp /$DIR$/openvpn/server/certificates/tls_crypt.key /tmp/openvpn/client/certificates/tls_crypt.key 

persist-tun and persist-key prevent leakage and key reading until the VPN is reestablished if we lose connection to the tunnel.

On your VPS harden the openvpn user

adduser --system --shell /usr/sbin/nologin --no-create-home ovpn
groupadd ovpn
usermod -a -G ovpn ovpn 

Let’s talk about the algorithm of choice. You can use CBC but it has a vulnerability. GCM is much more versatile in my opinion and GCM is also parallelizable (if that's a word). Also if you're using TLS 1.3 you must use GCM. To my understanding it's more secure. Read here: https://crypto.stackexchange.com/questions/202/should-we-mac-then-encrypt-or-encrypt-then-mac

I chose to use SHA512 to remove any chance of digest attacks and I don't cache the digest. This does make it slower because keys are not cached in memory. I also pushed IP6 though it's blocked on the VPS to force a redirect to a dead endpoint. (Now you know how PIA blocks IPv6.)

I'm sure there's more optimization to both protocols but enjoy. I hope you can see how OpenVPN is configured and understand those choices you're making in the frontend software of most VPNs.

Wireguard Setup

Set it up on your VPS and make sure you've loaded the kernel modules (modprobe wireguard).

We need to generate keys and fortunately this is a much more simple setup than wireguard:

cd /etc/wireguard
umask 077
wg genkey | sudo tee privatekey | wg pubkey | sudo tee publickey

If you want some vanity to make public keys that have an identifier as to who is connected, look up: https://github.com/warner/wireguard-vanity-address

Using your favorite way to edit a text file, open /etc/wireguard/wg0.conf and enter what you need to in here:

[Interface]
PrivateKey = <your server private key here>
Address = 10.8.31.1/24
Address = fd86:ea04:1111::1/64
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o <INTERFACE> -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o <INTERFACE> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o <INTERFACE> -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o <INTERFACE> -j MASQUERADE
ListenPort = 443

Again changing the port to the single most allowed port in firewalls, and throw this at the end of your sysctl. It's important we allow the forwarding:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

and commit it by executing sysctl -p. Now we can bring the interface up and test it

wg-quick up wg0

by executing the command wg and seeing the interface information. Of course enable whatever firewall rules you need to do this so that you can get an internet connection working. See the OpenVPN instructions for some ideas.

For WireGuard clients you will need to create peers on the device itself.
On the client you go ahead and set up WireGuard like you did on your server and then modify wg0.conf just as above.

This is what it should reflect

[Interface]
Address = 10.8.31.2/32
Address = fd86:ea04:1111::2/128
SaveConfig = true
PrivateKey = <your client private key here>
DNS = 1.1.1.1

[Peer]
PublicKey = <your server public key here>
Endpoint = <your server public ip>:443
AllowedIPs = 0.0.0.0/0, ::/0

CHMOD the configuration and connect to the server

chmod 600 /etc/wireguard/wg0.conf

Verify this was added properly

wg set wg0 peer <client-public-key> allowed-ips 10.8.31.2/32,fd86:ea04:1111::2/128

wg

If the output is correct you have all of what you need to run WireGuard, so go ahead and wg-quick up wg0 to reap the benefits, and as per any good piece of software there is a way to automate it on boot. If you get no connection or a firewall blocks it, allow it through:

iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 443 -j ACCEPT
sudo systemctl enable wg-quick@wg0

For the paranoid please use TOR within either setup :wink:


Alright, depending on the one you chose you now have a VPN server all to your own. I'd love to see throughput comparisons of both technologies. I'm going to gather WireGuard will win.

At the end of the day

“Praise the God of all, drink the wine, and let the world be the world.”

1 Like
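Added example, not part of the original post or of OpenVPN itself: a small linter that checks an OpenVPN config for the hardening choices the post walks through (tls-crypt, GCM cipher, ECDHE-only tls-cipher, TLS 1.2 minimum, `dh none`, privilege drop, client-side server verification). The function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post). Sample configs below are constructed.
# audit_ovpn [FILE]: print one line per finding; no output means all checks pass.
audit_ovpn() {
    awk '
    { sub(/[#;].*/, "") }               # strip comments
    NF == 0 { next }
    { have[$1] = 1; arg[$1] = $2 }      # directive and its first argument
    END {
        if (!("tls-crypt" in have))
            print "tls-crypt: missing, handshake packets are not wrapped with a pre-shared key"
        if (arg["cipher"] !~ /-GCM$/)
            print "cipher: \"" arg["cipher"] "\" is not an AEAD (GCM) cipher"
        if (arg["tls-version-min"] + 0 < 1.2)
            print "tls-version-min: not set to 1.2 or higher"
        n = split(arg["tls-cipher"], suite, ":")
        if (n == 0) print "tls-cipher: not pinned to an ECDHE suite"
        for (i = 1; i <= n; i++)
            if (suite[i] !~ /^TLS-ECDHE-/)
                print "tls-cipher: " suite[i] " does not use an ECDHE key exchange"
        if ("client" in have) {
            if (arg["remote-cert-tls"] != "server")
                print "remote-cert-tls: server certificate usage is not checked"
            if (!("verify-x509-name" in have))
                print "verify-x509-name: server certificate name is not pinned"
        } else {
            if (arg["dh"] != "none")
                print "dh: expected \"dh none\" so that only ECDH is used"
            if (toupper(arg["ecdh-curve"]) == "ED25519")
                print "ecdh-curve: Ed25519 is a signature scheme, not an ECDH curve"
            if (!("user" in have) || !("group" in have))
                print "user/group: daemon does not drop root privileges"
        }
    }' "$@"
}

weak_conf() {      # constructed server config with legacy settings
cat <<'EOF'
server 10.8.31.0 255.255.255.0
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.0   # legacy clients
EOF
}

hardened_conf() {  # constructed server config following the post
cat <<'EOF'
server 10.8.31.0 255.255.255.0
tls-crypt /etc/openvpn/server/certificates/tls_crypt.key
dh none
ecdh-curve secp521r1
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
user ovpn
group ovpn
EOF
}

echo "weak:";     weak_conf | audit_ovpn
echo "hardened:"; hardened_conf | audit_ovpn
```

Run it against a real file with `audit_ovpn /etc/openvpn/server.conf`; a config containing the `client` directive gets the client-side checks instead of the server-side ones.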

OK, I’m Jewish, so assume what I post here is a Mossad plot too. However, I wouldn’t trust any third-party’s VPN, Mossad or no Mossad involvement. If you aren’t capable of rolling your own, someone made an Ansible script to do it for you. Assuming you’re not doing something so illegal that your VPS or your own server will be seized, this will do:

1 Like

I'm really going to have to go up and preface that Mossad has nothing to do with being Jewish. Oops lol. This is not meant to call out anybody, just shady practices by companies.

You can direct all the logs of your VPS to /dev/null but then you have DO logs etc. that you can't really erase, yes.

1 Like

Most VPN companies are a lot more shady (even before alleged Mossad purchase) than merely logs sitting on your own or a cloud server.

See, I wouldn't be surprised if it was them. 1 they are badass, 2 they do work closely with us, 3 they don't even care if they get caught, though admittedly every country's INT DIRECs are very shady and very clandestine as they should be and probably have done a lot of bad things. Nobody is innocent lol.

See, up until this point I think PIA was the one to prove how not shady they are. There's a lot of evidence showing this proof. I'll probably be fine if they continue doing so but IDK if that's the MO of their new parent organization.

I used to use mullvad before I rolled my own, who owns them? Not that I recommend any of those VPN companies, btw.

1 Like

Actually, assuming I wasn’t doing something that would upset a western intelligence agency, I’d rather, given a choice, have a VPN owned by them than by a criminal syndicate or the like, who do own some other VPN companies. A good western intelligence agency doesn’t want to tip their hand by selling their info to the highest bidder in order to get money or the like.

1 Like

100 percent, unless you really want to get crazy and have a data center in Cyprus. I think we both know how that little island is still doing so well.

It's not that they want to. It's that people inside who defect eventually end up spilling the deets all over the dark web lol.

1 Like

Why these places? Urban legend on how these places are somehow magically less under the influence of the CIA / NSA? This is a myth, and these locations do not significantly increase the level of security. Such an urban myth because they are not in a group of five eyes.

1 Like

How did you come to this conclusion?

The CIA has an almost global reach. The same as the NSA and the US in general, both officially and unofficially. Once again, I would like to remind everyone about secret CIA prisons in Europe, which were created in cooperation with local agencies against the law … If anyone thinks that a VPN company that is located outside of the US makes it somehow more resistant to CIA / NSA activities, he is wrong.

The first mistake in the reasoning process is to create a specific scenario of a distrust threat. River theme … Nothing is completely safe. TOR does not guarantee 100% the same as no commercial VPN or own VPN servers because everything comes to the question of what model of distrust we will use and against whom we hide. Your own VPN server in some DC does not completely eliminate the threat vector, it only changes its shape. In addition, this whole reasoning process has many flaws and holes and is strongly mismatched to the average internet user.

Glad you asked. These articles can send you down that rabbit hole.

https://news.ycombinator.com/item?id=21679682

In some parts of the world there is a saying that every Jew is a Mossad agent. Once, a similar saying was made about the Russians and the KGB. :wink:

1 Like

LMAO this couldn't be farther from the truth. Mossad agents are much much more capable than the average IDF soldier or even their commandos. I won't get into it too deep, but I caught your joke.

Ok what’s a U.K. based company got to do with the Israeli government?

Or are you trying to suggest that the fact that a Jewish person has a significant stake in a U.K. based company then there must be something going on? Because otherwise I’ve no idea what you think the Israeli government has to do with this.

It's the fact that the executives and the company it was previously are slightly shady. The connections happen. With so many “former” people at the head of various positions of the company it seems extremely suspicious. Admittedly everyone’s speculation that there is something shady going on remains to be seen, but I would be wary of it just as I would be wary of any large influx of former spooks being in charge of high positions in a company. How familiar are you with the clandestine part of the world? I flag this as a concern, not an absolute OMG ditch the company run away lose your nuts off in paranoia type deal.

Also what better place to run such an operation than the UK? Without getting too deep into the dirty messed up nature of past politics, do you see where I'm going?

Even if it's a UK company that doesn't generally mean anything nowadays. Look at US big tech. Doesn't mean much where it is. It's still owned and operated by people that definitely can't be trusted. The point of the post is trust. Also helping people understand the infrastructure they are using.

That’s good…

Ok got it. Jewish boss = Mossad operation.

2 Likes

It's not so much Jewish, like I said before I don't care if he's Jewish. It's his previous work. That said, yeah it sounds ridiculous, I understand your troll, but it's not something they have not done before. There's a lot of history one can look back at and understandably be worried over it. I hope to everyone’s god the speculation is wrong :wine_glass: .

By everyone I'm talking about places that can't be posted here because they are only accessed from TOR. Seems some of it got on the clearnet though.

Google has an awful lot of former NSA agents, in fact, it's the NSA’s biggest destination after leaving that agency. Experience in gathering a lot of data on people has use in the private sector. That does not mean the NSA is spying on you via Google employees though.