VPN Vs Proxy Vs TOR: the only guide you need to see

What is proxy server (it is just a forwarder, forward data)

The forwarder receives the requests from client and forwarded it to the destination.

Proxy just use the concept of tunnel without encryption.

Proxy server retrieves data on the Internet on behalf of a user. the proxy server act like a middleman. it means every time you request something in the internet with your real IP your request will go through the proxy server so the proxy server will provide you the resource you requested using the proxy server's IP so your IP address will not be left there it means you are anonymous.

Proxy server advantages:

1. Privacy: because it allows you to surf the internet anonymously. It hides the identity of the clients by masking their IP addresses.
2. speed: For example, if a company uses a proxy server and whenever a user wants to retrieve a webpage, the proxy server will retrieve the webpage from the internet on behalf of the user and then it'll store that web page into a centralized cache database. So if another user on a different computer goes to a webpage that has been stored in the proxy database, the proxy server doesn't have to go out on the internet to retrieve the web page. It can simply retrieve it from its database and then send it to the user. So this makes webpage retrieval much faster.
3. saves bandwidth: because a proxy server reduces the need to go out on the internet to retrieve data because it already has that data stored in its database.
4. ?activity logging: Now a lot of companies will use a proxy to keep track of what websites their employees are looking at. So when a company's employees are surfing the internet, the proxy will keep a record of what websites they're visiting and how long they were on those websites. And in addition, a company can also configure the proxy to block certain websites to keep their employees from visiting them.

So we have two disadvantages of proxy server:

1. The first is that the proxy server can't encrypt data as you surf the internet. So this is where a VPN comes in.
2. The second is there is a chance that the server owner might leak your real IP address and then your anonymity is gone so to overcome this issue the proxy chains are introduced

What is proxy chains

Proxy Chains are a tool that forces any TCP connection made by any given application to go through proxies like socks4, socks5, or http proxies it means the proxy chain is a combination of different proxy servers.

if you use proxy chains instead of a single proxy server there is a very little chance in the leakage of your real IP it is possible but very much difficult to discover you so without wasting time let's start.

so we will now be installing the proxy chains in our Kali Linux machine:

so open your terminal then type sudo apt install the proxy chains and hit enter:

sudo apt install proxy chains        

once it installs we need to check its configuration file and have to change some basic things as for our needs so type:

sudo nano(or vim) /etc/proxychains.conf        

here you can configure all these network settings as for your requirements like:

1. choosing a chain type:

?Which type of chain you want to use among the dynamic, random, the round robin chain and the strict let me tell you the definitions of these chains.

there are four types of proxy chains:

1. Strict chain: in this chaining all proxies of the list will be used so you can chain for example 10 proxies if you want to make yourself really hard to track and they will be chained in an ordered way but if there any dead proxy in your list, then your connection is gone.
2. ?The dynamic chain: which is almost similar to the strict chain - it will try to connect to all the proxies on your list - but if there is any dead proxy in your list it will be excluded and skipped to the next proxy this will not guarantee any privacies because most of your proxies could be dead if you just have one working proxy it will connect and you will not notice the difference.
3. ?The round robin chain: so you do a list of proxies and then each connection go through a different proxy so each time you're on a different location on earth.
4. Random chain: is also pretty good but it will be really hard to make an https request using random chain

To activate the chain you want remove the hash # before it and also add a hash # before the one you don't.

1. determine chain length:

you can set the chain length over here

chain_len = the number of proxies you want to chain

You can set it to any number you want but because we use free proxies we will leave it to 1 because they do not offer a good amount of bandwidth so you maybe going to keep it to just one proxy to limit the speed degradation. but if you use paid proxies put the number of proxies you want.

you can make longer chains if you want you can add more chains the more proxies you add the longer your chain is the more speed degradation you're going to see.

1. making the list of proxies:

We're going to find some working proxies rank them by speed and chain those proxies together to completely hide your identity.

Now to get some proxies you'll have to go to some websites that offer free proxy list like:

SPYS.ONE and then once you're here i want you to click over the socks proxy list why only socks well the http proxies will only forward http traffic so we cannot make any secure connection over those proxies once you click on this socks proxy list you can see them ranked over here by speed we want the least latency that we can get.

What is VPN

One of the most important goals of a VPN is to connect two devices that are far from each other, each one possibly in another country, possibly in another place, but by using a VPN, they connect to each other as if they were present with each other, as if they were in the same place, meaning as if they were next to each other, not in two different places.

However, there is a big difference between VPN and proxy. In our proxy section above, we just explain the proxy as it is?a forwarder that forward the content inside of TCP. Which introduces the concept of tunnels. But Real VPN protocols use a bit more magic. When you fall for those VPN Ads and get yourself a VPN, you intend to use it like?a proxy but the purpose of a VPN is very?different. VPN technologies are usually?intended to provide you access to a VIRTUAL PRIVATE NETWORK. A WHOLE NETWORK. That’s?what corporate or company VPNs are for. Because real VPN client and servers do?not just forward requests like a basic proxy,?but it actually packages up the entire packet.

So some other functions of VPNs that we don't encounter too much:

encapsulate protocols that are not supported by the Internet.

For instance, a higher-layer protocol is not the only thing that can be encapsulated in the IP protocol. For example, we can also encapsulate protocols that are not supported by the Internet and for some reason need to be transported over the Internet such as Novell's IPX protocol (IPX over IP). Even an actual IP datagram can be encapsulated over the IP protocol. At first sight, encapsulation of IP over IP can seem like a waste of time. However, if we want to transmit data between two parts of a private network over the Internet with an address 10.0.0.0/8 range, then this type of encapsulation becomes necessary. Moreover, it is also possible to secure intra-IP datagrams with encoding and a simple Virtual Private Network (VPN) can thus be created.

If we need to transport IP protocol version 6 datagrams over a network that only supports IP protocol version 4, then again we have no choice but to encapsulate IPv6 over IPv4.

How the VPN actually work??

VPN Actually Using Two Concepts Mainly:

• Tunneling
• Encryption

What is tunneling?

In the physical world, tunneling is a way to cross terrain or boundaries that could not normally be crossed. Similarly, in networking, tunnels are a method for transporting data across a network using protocols that are not supported by that network. Tunneling works by encapsulating packets: wrapping packets inside of other packets.

How does packet encapsulation work?

Data traveling over a network is divided into packets. A typical packet has two parts: the header, which indicates the packet's destination and which protocol it uses, and the payload, which is the packet's actual contents.

An encapsulated packet is essentially a packet inside another packet. In an encapsulated packet, the header and payload of the first packet goes inside the payload section of the surrounding packet. The original packet itself becomes the payload.

So The tunnel could be used to forward unencrypted traffic over the Internet but in this case we don't put any layer of security we just forward the data through different networks so we need to put a layer of security and we doing that by using Encryption, the Encryption adds the security features to the data that flows over the tunnel.

Someone will thing if we need to make secure connection we need just the encryption to encrypt the packet and we don't need the tunneling, here's the point.

Encryption is the process of scrambling data in such a way that it can only be unscrambled using a secret encryption key; the process of undoing encryption is called decryption. If a packet is completely encrypted, including the header, then network routers will not be able to forward the packet to its destination since they do not have the key and cannot see its header. But By wrapping the encrypted packet inside another unencrypted packet, the packet can travel across networks like normal and here appears the need to tunneling.

So Encrypting the packet without using the tunneling is impossible because the routers can't route the packet since it's header encrypted.

?So simply, the original packet gets encrypted and wrapped in another IP header (tunnel the whole IP and TCP packet using a tunneling protocol) with the IP of VPN server as the destination. And using it's own IP address as the source. When the packet reach the VPN server The server will unwrap the packet and forward it through its own ISP, using its own IP address as the source. And the destination IP is the IP of the thing I want (wither its website, ….). Devices sitting before the VPN server can see your source IP, but not the destination. Devices sitting after can see the destination but not the source. The zones of visibility in the network path are now partitioned.

Tunneling protocols: which basically adds another IP header to the existing one.

What are some other tunneling protocols?

In addition to GRE, IPsec, IP-in-IP, and SSH, other tunneling protocols include:

• Point-to-Point Tunneling Protocol (PPTP)
• Secure Socket Tunneling Protocol (SSTP)
• Layer 2 Tunneling Protocol (L2TP)
• Virtual Extensible Local Area Network (VXLAN)

?Reasons you might want to hide your IP address

• To keep your physical address private
• To avoid geographic restrictions
• To stop companies from tracking your online activities
• To stop your ISP from tracking you
• Keep your searches private
• to watch Netflix

Commercial VPNs

The secret that most VPNs don’t want?you to know is that despite all the marketing,?a VPN is not really a privacy tool. It does?hide your IP address and it does encrypt your?data so that your internet service provider (ISP) can’t see what websites you’re visiting and what you're doing online., There can be very good reasons to hide those.?but at the end of the day, all you’re really?doing is replacing your distrust in your ISP (Internet Service Provider)?with a blind trust in a VPN company that is likely?very vague about who they are. And of course, I’m referring specifically to commercial?VPNs targeted at individual users like you and me.

So all you're doing is changing who can see that metadata. Your ISP can't any more, but the VPN company can because at their end of the tunnel, they have to look at that metadata to work out where to send your traffic to.

Not just that also there is a lot of claims that VPN companies said they are not doing and actually they are liars in most of cases and some of this claims are:

• no DNS leaks (proof leaks)
• no logs (no record of your activities)

What is a DNS leak?

When you use a proxy or VPN, your connections are routed through a proxy server or a VPN server. Consequently, to the target host (web site or service), they look as though they came from the proxy's or VPN server's IP address. This prevents the target host from knowing your true IP address.

To make connections, your computer needs to know the IP addresses of the target hosts. This is where DNS comes into play. From a security standpoint, DNS requests (usually UDP packets on port 53) should go only through the same VPN or proxy connection. If DNS requests go through other routes, a DNS leak happens. This effectively means that your true location is revealed.

A DNS leak is also a security threat because the leaked DNS data are not secured by the VPN or the proxy. In public networks, it can be intercepted and analyzed.

A DNS leak is the act of monitoring, storing and filtering your DNS traffic at ISP level by inspecting the public DNS servers you use to resolve internet hostnames into IP addresses.

?If you are using a VPN service, there are several ways to run a DNS leak test. Use an online DNS leak test app:

• dnsleaktest.com
• dnsleak.com
• ipleak.net

These online tests usually yield quick results, but be aware that some of the most popular VPN companies are the same ones who developed these DNS leak testing tools. Know that they could manipulate results to reflect their own interests, to sell you their own VPN services.

?Run a DNS leak test by using the command line

Another way to test your provider against DNS leaks is by querying Akamai. Simply run:

nslookup whoami.akamai.net        

This should return the IP address of your VPN provider, and not your local ISP allocated IP. And while this means you’re browsing the Internet and responding from the VPN-assigned IP, the question remains: can you really trust your VPN provider?

?No logs policy:

in 2017 PureVPN helped FBI arrest Ryan Lin on charges of cyber stalking

in case it wasn't obvious:

I do not condone cyberstalking or defend Ryan Lin. However, this case sheds some light on the "no log" VPN companies and lack of transparency in their claims.

the FBI managed to obtain logs from PureVPN which confirmed that the gmail account he used to send threats was accessed from the PureVPN IP which was in turn linked to his home IP address.

let's take a look at PureVPN log policy at the time:

"We do not keep any logs that can identify or help in monitoring users activity you are invisible even we cannot see what you do online we do not monitor user activity nor do we keep any logs we therefore have no record of your activities such as which software you used which websites you visited what content you downloaded which apps you used, etc. after you connected to any of our servers."

And sure there are some VPNs that were asked by the authorities to hand over the logs and didn't do it such as ExpressVPN

or PIA (Private Internet Access)

But almost every mainstream VPN provider has a skeleton in the closet.

So at the end no matter how secure and trustworthy your VPN service seems to you if they tell you that they have undergone security audits that they have no logs policy then it's up to you if you want to use their VPN or not

So…..what should I use instead???????

If you don’t feel you can trust any VPN provider, and you want better and more private ways to browse the web in my opinion there are only two options TOR and self-hosted VPNs

TOR (multiple VPNs chained together)

Now let's talk about onion networks this is a cool idea to provide confidentiality of the data and anonymity to make it very difficult to determine who the sender and receiver are while the data is in transit

here's how onion networks work:

The sender will predetermine a series of nodes (also called relays) that a packet is going to pass through on its way to the destination the sender will then encrypt the entire packet multiple times each layer of encryption will use the encryption key of a specific node and thus when the sender sends the packet the first node will decrypt the outermost layer of encryption which will reveal the next node to send the packet to the next node receives the packet strips off the next layer encryption which again reveals the next node to send the packet to and so on until the packet finally reaches the destination which will finally decrypt the data stored within the packet the big advantage here is that each node along the way only knows which node the packet came from and the next node but not the ultimate source and destination and each node has zero access to the encrypted data within the innermost layer a perfect example of an onion network is TOR The Onion Router the big downside of course is performance.

installing the TOR service in our Kali Linux machine:

so open your terminal then type sudo apt install TOR and hit enter

sudo apt install TOR        

Now start the TOR service by

sudo service TOR start        

Now if you check your IP let's search what is my IP click on this first link you can see it should absolutely be different from your real IP of your host machine

Again if you want to change your IP simply run

sudo service TOR restart        

And if you refresh this page you will see the IP address is changed so every time you need a different IP restart your TOR service

so you have successfully been anonymous

the downside of TOR

TOR was indeed developed on behalf of the us intelligence community and that raises some uncomfortable questions to say the least but guess what TOR is also completely free and open source so if you do have any doubts about how secure and private it is you're always free to examine the call yourself speaking of the US intelligence the NSA is definitely not happy about TOR the NSA deemed TOR on its own as a major threat to its mission and even ranked it as catastrophic leading to a total loss lack of insight into target's communications

However, the TOR network has been under attack for a while many threat actors are trying to control the exit notes of TOR so they can see what you're accessing if they also have control over the entry node then they can know who you are know what you're browsing on the internet.

So that brings me to my next point another thing you can do is set up your own dedicated or Cloud VPS box (self-hosted VPN) located in an offshore country, where ISPs are not leaking (as much) information as your current ISP, and install your own VPN service with software like OpenVPN.

you might wonder and think how can you write your own?VPN. How can you grab a whole TCP/IP packet,?to wrap it, send it to another server?

It is of course very complex to do that.?There is a reason why people use existing?protocols and implementations like OpenVPN,?tinc or wireguard. But essentially they use?a feature called TUN or TAP (All VPNs are based on a feature called TUN/TAP). This is like a?virtual or emulated or faked network card.

So due to the complexity of this topic and we don't want to make this Article too long so we will not explain it here but if you want to go a bit deeper on a technical level, I really can recommend?to you this excellent blog post TUN/TAP interface tutorial

So our solution will be to use Existing protocols and not making our own protocol

Make your own?VPN

1. Choosing a VPS provider:

if you want to host your own VPN we need to find where we want to host it there are a lot of VPS providers:

• Microsoft Azure
• AWS
• GCP
• Linode
• Digital ocean
• Hostinger
• GoDaddy

And a lot more

but there are a few things that you need to consider before choosing the VPS provider:

the first one is virtualization technology and in this case most of VPS providers these days use KVM or XEN and those two technologies are good what you want to avoid is OPENVZ this is a container based virtualization technology and virtual machines that run it use a very old version of Linux kernel

location it's pretty self-explanatory but still you want to choose it according to your needs according to how you're going to use a VPN so for example:

• if you want to watch American Netflix you have to choose American location
• if you want to use it as a seed box don't choose Germany, Austria or Switzerland since those countries have very strict anti-piracy laws
• if you want to use your VPN for online gaming keep in mind that the further the server is from you physically the bigger your latency is going to be
• if you're really serious about privacy make sure to pick a VPS location that is outside the 14 Eyes

1. Creating an account in the VPS provider website

You have to sign in

1. Creating A VPS:

• next thing we need to do is add a server there is a lot of distros to choose from.
• you will also want to choose the location.
• you can choose the root password and upload the SSH key
• lastly click the create button and there we go our server is now created.

?4. Generating SSH Keys:

now you should see the control panel of your server and while the server is starting let's generate the SSH keys for it using a clear text password to log into your server is never a good idea since the password is not encrypted in transit and can be exposed on a hostile network by creating an SSH key we're going to make it so that you can only log into your server if you have the key file and the password and at the same time the password will be encrypted

if you're using linux you probably already know how to open a terminal

on windows you'll need to open the powershell with administrator privileges and install SSH using this command:

PS C:\> Add-WindowsCapability -Online -Name OpenSSH.Client*        

This is the command that will generate our ssh keys. the RSA algorithm with 4096 key size is what I'd personally recommend, since it's sufficiently secure and widely supported.

ssh-keygen -t rsa -b 4096        

?just press enter when asked the key location to save it to the default one and then enter your password of choice by now our server has started up and we're ready to log in

1. Logging in to the server

copy the ip address from the server control panel go back to the terminal and type in:

SSH root@ipaddress        

type yes enter the root password that you specified in the first step and that's it we're in

?6. Updating The Packages:

First and foremost, let's update our operating system and software type in:

apt-get update && apt-get upgrade        

?7. Creating A Non-Root User:

As much as it's convenient to not have to enter root password every time you have to do something i personally prefer to create a user account that isn't root exposing root login on an SSH server is probably not a good idea even if you have multi-factor authentication call me paranoid but I think having to enter root passwords sometimes is the price that i'm personally willing to pay for some sense of security type:

useradd –G sudo –m [your username of choice] –s /bin/bash        

That's going to create a user, set bash as default shell for him and permit sudo usage.

Afterwards we'll need to create a password for our user using:

passwd username        

Enter your password twice and we're good to go

1. ?Configuring SSH(Copying SSH key from host to the server):

Now that we've created our user it's a good time to copy the public ssh key to the server open a second terminal window for your local terminal and enter

Linux or mac

ssh-copy-id username@ipaddress        

windows

type $env:USERPROFILE\.ssh\id_rsa.pub | ssh ip-address "cat >> .ssh/authorized_keys"        

you'll be prompted to enter your password and once you do go back to the terminal window with your server don't close the other window yet now that we've copied the SSH keys to the server we have to restrict authentication to the public key only

1. Restricting SSH to key authentication

let's edit the sshd configuration file:

vim(nano) /etc/ssh/sshd_config        

First of all, let's change the default port. This won't do much for security, but it will help with those obnoxious SSH scanners that try to log in with default credentials. Not much, but the security logs will definitely get easier to read. You can use any port that's not taken by other services, but I prefer to use 69. Nice

# Port 22
Port 69        

Next, we need to disable password authentication so that you're only able to log in using a public key.

PasswordAuthentication no        

Last but not least, let's also disable root login

PermitRootLogin no        

Now save the file and restart the sshd service using:

sudo systemctl restart sshd        

Now without closing the window let's go back to our local machine and try to log in with our key:

ssh –I ~/.ssh/id_rsa username@ipaddress –p [port number]        

If you see the prompt to enter your key password, that means we're good to go. It's also a good idea to verify that we can't log in with our password anymore

1. Creating a server alias

you might have noticed that the command that we used to log into our server is kind of long and annoying to type so let's fix that create a file in the .SSH folder in your home directory called "config" and edit it using your favourite text editor:

vim or (nano) ~/.ssh/config        

?here we're going to create an alias for our VPS:

Host ....... # choose a name for your server?
        User ....... # the username of the user that we created?
        Port 69
        IdentityFile ~/.ssh/id_rsa? # that's the location of our key file
        HostName ip_address?? # that's the IP address of our server        

Save and close, and now we can login to our server by simply typing:

ssh [host]        

1. ?Installing And Configuring OpenVPN:

So normally setting up an OpenVPN server takes some time since you need to:

• install the packages
• generate the keys
• set up IP tables
• write the configuration files for the server and the client

thankfully we won't do any of that in this Article and instead we'll use the OpenVpn road warrior script from a Github user called nyr

This script will do all the hard work for us and all we have to do is answer a few simple questions and download the config file at the end.

click raw and copy the link from your browser. Log in to your server and install wget if you haven't already. Sometimes it comes with your OS image already, but sometimes it doesn't.

sudo apt install wget        

Next, type wget, press Space and paste the link that you copied earlier. Press Enter

wget link        

Now let's launch the script:

sudo bash openvpn-install.sh        

?The script will ask you some questions and in most cases you'll want to pick the default answer

For the port you can either choose a default port 1194 but i prefer to choose 443 since 1194 is known as the OpenVPN port and in some cases it can be blocked on your network 443 is the same port that is used for https but whereas https uses TCP OpenVPN in this configuration uses UDP so they won't conflict with each other.

you're also going to be asked which DNS you want to use feel free to choose whatever you like if you have any preferences but i normally choose 1.1.1.1.

As for the client name choose whatever you like now that the configuration is done press any key and the installation process is going to start it's fully automated and at the end you're only going to get a configuration file which will download to our local machine later on the problem is that the script places the file in the root directory by default and in order to download it later we need to move it to our user home directory and give ourselves the correct privileges.

sudo mv /root/thinkpad.ovpn
sudo chown [username] thinkpad.ovpn        

With that out of the way there's only one thing left to be done on the server's side and that is to disable the logs let's edit the configuration file here:

sudo vim /etc/openvpn/server/server.conf        

?And change verb 3 to verb 0

Now restart the OpenVPN service:

sudo systemctl restart [email protected]        

And there we go a VPN that actually doesn't keep logs Amazing!

Now if you want to use this VPN for all your traffic you can download

• tunnelblick on mac
• OpenVPN connect on windows
• or load it into the network manager on Linux

Now after we talked about proxies and ProxyChains then we understand how the VPN works and how we can make our self-hosted VPN and then we saw how TOR works and how I will make it run in our kali Linux distro so after we see all these technologies and how cool they are now we're going to hop between VPNs, TOR network and proxies to make sure our traces are very hard to track so we can now direct the traffic through our VPN server and then instead of access the internet directly from VPN server we will direct our traffic to the TOR network then we will forward it through a set of proxies if you just make the steps above all in the same time that's mean you apply all these technologies together.

?

Note: remember that all the methods that we've shown today will only make it harder to track you anyone who can basically listen to all those proxies or to the entry and exit nodes on TOR network can actually know who you are and can see your traffic but since we're using VPN they will be redirected to our VPN exit point which adds an extra layer of security on all ends this will help keep your privacy and prevent trackers from tracking you as much as possible.?

WARNING

this Article is for educational purposes only do not apply the techniques that you see over here to harm or perform any hacking action for which you do not have explicit permissions from the owners of the services.