explicitClick to confirm you are 18+

VPNs, how to use them properly and stay anonymous (part 5)

Dmitry DvoinikovOct 4, 2019, 4:36:07 PM
thumb_up10thumb_down

This article has five parts. The fifth and final part presents a practical plan of connecting to the Internet anonymously.

Contents of part 5:

22. Identity isolation
23. Hardware preparation
24. Getting on the Internet
25. Bootstrapping the VPN
26. Connecting to the VPN
27. Chaining VPNs
28. Working anonymously
29. Paying anonymously
30. VPNs and Tor
31. Conclusion

•  •  •

22. Identity isolation

Create a virtual identity. It doesn't have to be a real person with passport and bank account, enough is to have a nickname, by which you refer to it internally. Have it sealed in your mind, separate it from yourself. Switch back and forth, when you need to, never be both at the same time. If possible, don't let them physically appear in the same places. The whole point of it is that it's not you.

I will only say it once - never use anything related to your real life, be it your name (duh !), hardware, VPN, cell-phone, e-mail address or any other artifact for anything from the anonymous side, and vice versa.

It is only natural for humans to stick to familiar environments, repeat steps that worked before and keep good habits, but in this case you'd better develop a separate set of those.

23. Hardware preparation

Buy a laptop. It doesn't have to be the cheapest one, because if it's slow, you'll start looking for shortcuts and it will end badly.

First thing out of the box, disable any connectivity it might have. Install some Linux or BSD variant. Follow a security hardening manual. I will only be briefly mentioning network and firewall related points.

Configure firewall so that it lets nothing through.

For every wireless device that you will have, starting with the built-in Wi-Fi network card, check to see which of its hardware addresses can be changed. At the very least configure network cards MAC address randomization. Don't overdo it, make it look like a random iPhone or something. MAC address of some baroque mainframe network card is likely to draw attention.

Chances are, during the entire setup process, you will have to use another computer to search for information on how to set anything up. Be careful what you search. Use DuckDuckGo instead of your everyday search engine.

24. Getting on the Internet

The next step is to decide how you are going to get online. You have three options there - public Wi-Fi, cellular connection or Internet cafes. It's better to choose one upfront and optimize for it. Gives you less headaches later on.

Option №1: Public Wi-Fi

If you've got a good public Wi-Fi coverage where you live, it's the easiest option. Post offices, public libraries, airports, terminals, subway stations and other transportation hubs are typically covered.

A separate family of public Wi-Fi is set up by various private businesses, such as malls, hotels, restaurants or co-workings. One of those could be a better choice than an airport controlled by the government.

The downside of this approach is that Wi-Fi covered areas are also typically covered with video surveillance. You may want to buy an external Wi-Fi device with a long range antenna to stay farther away from the spot, around the corner, in a place down the street, separated by a wall. Or you can choose to hide in plain sight and blend with a crowd of other users.

Option №2: Cellular connection

Unless your laptop already has a built-in cellular modem, buy an external USB device, preferably 4G/LTE, it will make it easier to work on the move. Make sure to compare coverage of different cellular operators. For instance, here, in Berlin, only O2 covers U-Bahn (the German subway), which can be an important consideration.

If your country uses SIM cards, buy a prepaid anonymous SIM card (otherwise you'll need a prepaid anonymous modem or a smartphone with tethering capability, all the same caveats apply). Getting one is trickier every day, and the possibilities vary from one country to another. Basically, there are countries where you can have one at every gas station, and countries, where you can't have one legally at all.

With "Roam Like Home" law currently in effect in Europe, having a SIM card from another European country would not cost you a lot, but you would have to be topping up the credit periodically, and many providers accept only payments from within their countries. Also watch out for the activation procedure that some providers may require. Even when it does not require identification, it may only be possible from within the country of origin. 

See this site for plethora of information.

Having a cellular link is better than Wi-Fi in many aspects. You can work from anywhere and never appear on cameras. Having you traced would require shakedown of a telecom provider, and even then all they get is an approximate position in the middle of nowhere and a phone number registered to nobody.

Option №3: Internet cafes

Having to appear in person in a shabby place, likely video monitored, and pay money to temporarily use a computer which is most definitely compromised. How good an advise is that ?

These I mention mostly for completeness, and they can be one possible answer to the question raised in the next section.

25. Bootstrapping the VPN

Now it's time to pick the VPN provider you are going to use.

An ideal VPN provider should be registered outside of major jurisdictions, have a fleet of servers all over the world, be cheap, accept anonymous payments (more on that later) and not require any information at registration.

Unfortunately, I don't know such a winner.

The VPN provider closest to ideal, that I encountered so far, is Mullvad. It checks every mark except being registered in Sweden, a European jurisdiction. With that exception, it makes a perfect initial VPN provider.

(No association, and by all means, feel free to check out the other providers, may be one of them works better for you).

You see, the problem with signing up with most VPN providers is that you have to do a lot of things upfront. At the very least - create a fake e-mail address, register the VPN account, and then, most inconveniently - pay for the service. That last step will give you the most trouble, because you don't have any anonymous payment instrument yet. You will be leaving traces all over the place. And to reiterate - you don't want the VPN provider to know who you are.

Suddenly you have a chicken and egg problem. You want to sign up for a VPN, but for doing so you need an anonymous Internet connection. Therefore, this one time you will be exposing yourself, the only question is to what degree.

For the purpose of registering a VPN you could buy another disposable piece of hardware, cheapest smartphone for example, and throw it away immediately afterwards. Or use a demonstration sample in an electronics shop. Or you can walk into an Internet cafe. Anyway, for a short period of time you will need access to yet another computer unrelated to you.

And then, Mullvad registration is perfectly elegant and takes literally 10 seconds of online time. Open a browser, go to the site, click the button and get a random number on the screen. Write it down or take a screenshot with your smartphone, close the browser and walk away. You can hardly ask for less exposure than that.

But what really saves the day is that Mullvad requires no online payment. Instead, it takes your money in the most anonymous way imaginable - by cash. You put the number that you got and a banknote in an envelope and send it to Sweden. A few days later you can start using your VPN.

No matter which VPN provider you chose, now you have a laptop, which has never seen the light of the Internet, and a VPN account ready to be used.

26. Connecting to the VPN

There are two principles in setting up a personal VPN for anonymity.

First, all of your traffic must go through it. If you split it in any way, you make it possible for the local Internet provider to intercept and correlate, and you don't want that. Especially important is to configure DNS queries to also go through the VPN tunnel and specifically use DNS servers run by the VPN provider.

Second, all traffic must be reduced to the absolute minimum. Ideally, your firewall must only allow such connections that are absolutely necessary for what you are doing anonymously. For example, outgoing HTTPS connections from your browser, and nothing else. That will break everything else, like software updates and OS online detection feature, but you will be leaving less traces.

Configure the firewall accordingly. Easy to say, right ?

Essentially, it goes like this: allow outgoing connections to VPN provider on the external interface. Allow outgoing connections initiated by the browser on the VPN interface. Deny everything else.

Configure your browser not to be telling on you. At a minimum, switch it to "incognito by default", save no cookies or history, do not install any uncommon extensions. Follow some browser hardening manual.

Now you can get online for the first time. Establish the VPN connection, and open the VPN provider's web site. There is typically a section there to check whether your browser is properly protected. If it comes up green, you can breathe out.

27. Chaining VPNs

So far, the information that you are giving out is limited to your approximate physical location. That's unavoidable and is good enough for many uses already, but there is still a couple of unresolved problems.

Problem №1: The VPN provider that knew too much

First problem, your VPN provider knows where you are and also sees all your activity. That's too much knowledge to be in one hands.

To solve this problem, you should get a second VPN from a different provider and chain them. The traffic will thus go through the first VPN server to the second VPN server and only from there to its destination.

This way the first VPN provider will know where you are, and the second will see all your traffic.

Registering the second VPN is way easier than the first, because by now you have anonymous Internet access. For maximum effect, have the second VPN provider from a different jurisdiction.

Some VPN providers sell "server chaining" as their own feature. This is not the same, you need a separate provider.

Firewall configuration would now look like this: allow outgoing connections to the first VPN provider on the external interface. Allow outgoing connections to the second VPN provider on the first VPN interface. Allow outgoing connections initiated by the browser on the second VPN interface. Deny everything else.

You could chain more that two VPNs that way. Whether it provides much additional utility, I'm not sure.

Problem №2: Insecure workstation

Second problem, if you make a stupid mistake working as root, your laptop decides that it positively needs to call somewhere despite the firewall, or is hacked and compromised, you are exposed.

Chaining helps here too. Let your laptop connect to the VPN as before, but don't do any actual work on it. All the anonymous activity is to be done on yet another separate machine. That machine would establish the second VPN connection through the laptop. The chances of both machines being compromised are significantly lower.

For ideal isolation, you need a separate device for each of the chained VPNs. It is of course unreasonable to have two laptops connected with a cable, but I can easily see a laptop and a small pocket router hooked together that way. 

Another practical solution is to run a virtual machine inside your laptop, install a separate OS there, and configure it to be using the second VPN through the first one provided by the laptop OS. Then that virtual machine becomes the anonymous workstation. This option provides no hardware separation, but has better anonymity value, because a virtual machine is exactly a "generic" computer, could give out no identifying details even if it wanted, and can be disposed of in a snap.

28. Working anonymously

Thus, we have finally covered the topic of connecting to the Internet anonymously. Working anonymously on the Internet is another problem, as you would find out the first thing you try to register a social network account.

Although it is beyond the scope of this article, one thing I will repeat - you could only stay anonymous by maintaining the identity separation. For the most obvious example, you'll need to receive that one-time SMS confirmation - never use your own phone. Buy a separate one-time phone and SIM card for that.

29. Paying anonymously

Since I'm recommending to buy this and that, I would have to say a few more words about how to do so anonymously.

Never use a credit card or bank account which is in any way associated with you. Never use PayPal or any other online payment system, which is related to you in any way. Never use Western Union or any other payment system which requires identification.

Only pay cash.

Avoid withdrawing cash from ATMs in exact amount, in immediate vicinity and immediately before the payment you are going to make, because correlation.

Always buy cash over counter. Always buy one article at a time and pick it randomly from the pile. Don't buy stuff locally, prefer large crowded outlets. The shops should better have no cameras, or be packed with customers, ideally both.

Never order anything by mail, at least not to your name or address in any way associated with you. In any case, picking up mail is not anonymous at all.

The problem with cash is that you cannot pay with it on the Internet, and the list of options for anonymous Internet payments is ever shrinking.

There is a ton of "payment systems", such as AliPay, WeChat or WebMoney, which offer quick and easy ways to pay on the Internet. But the real problem is not how to pay with a currency-like token once you already have it, the problem is how to actually buy some of it without exposing your credit card or bank account.

If Bitcoin entered your mind, it is not by itself an answer and not even the preferred option. First, you still need to buy it somehow. Second, it is a public ledger, therefore all the transactions are visible to anyone without any legal authority. And if you are using the same wallet for more than one transaction, they are trivially correlated. By using the same wallet for any prolonged period of time, you are effectively publishing the entire history of your payments to the world. Students today write harvesters to scan ledgers and train their machine learning to find patterns.

As I have mentioned already, some Internet services do accept cash by form of "cash in the mail", whereby you put cash in an envelope and send it to such and such address. This option has the absolute best anonymity value. If there is ever this option, go for it. Obviously, there is no need to write your real return address.

The next convenient and efficient anonymous payment instrument is a prepaid bank debit card. It was possible to buy a generic VISA card at a gas station, no id required, and have a balance of exactly X euro that you paid for it. Then this card would have worked just like any other, and you could have paid with it freely. If this option is still available where you live, go for it. Yes, all the payments made from one card had also been correlated, but not without bank intervention, and the nature of its limited balance made the card disposable anyway.

The next option, which is usable today, is gift cards. You could buy a plastic gift card such as Amazon or Apple in any drugstore, scratch it, and use the code as a one-time payment instrument in the amount of the card's value. Some services accept it directly, which is very nice of them. And for everything else there is Bitcoin, for which you first trade the card at a crypto exchange. This method has exorbitant commissions, you could expect to get about 50 cents worth of goods per euro spent on gift card, but it is most likely to work. Gift cards are in the big corporations' interest, and since this entire venture is shady anyway, some form of it is likely to be around.

Similar to gift cards function payment cards (one example is PaySafe). They attempt to capture the market of exactly universal online currency, but are not very successful in doing so and have only a narrow regional acceptance. From anonymity standpoint, it is also a good choice, if the seller accepts it directly or you can trade it for Bitcoin.

Needless to say, all financial exchange and trading on the Internet must be done anonymously. It takes a bit of experimentation to find the sites that would actually allow you to work anonymously.

Reportedly, there are Bitcoin ATMs with cash-in function in the USA and Europe and select banks would exchange your money for Bitcoin. That sounds nice in theory, but I would imagine such novelty is happening under video surveillance.

There is a "meeting in person" option, where you hand over cash and presumably get Bitcoin in return, but that's very scam welcoming, and you are seen in person.

30. VPNs and Tor

No anonymity discussion would be complete without mentioning of Tor. Although Tor is more than just an IP hiding service, in this context you could think of it as of a crowdsourced VPN, where you connect to a random server, your traffic travels through a chain of unrelated servers and exits at some unpredictable place. Think a twisted spaghetti-like pipe structure with forks and junctions. And there is no central authority that maintains it exclusively, anybody could spin up a server and let it be used by Tor.

The idea sounds nice, and the implementation could be technically perfect, but what prevents Tor from becoming the ultimate privacy solution is its size. There is just about 6000 servers at this moment (about the size of a single large commercial VPN provider), and most of them are just pipe junctions, not the actual exit nodes.

Hosting a Tor exit node (a server which connects Tor cloud to the open Internet and through which all the suspicious traffic flows) is a problem in itself. It became the Internet's proverbial hot potato, very few hosting providers would allow using their servers for Tor exit nodes. Likewise, any company or individual that sets up an exit node, must be prepared to face at least an inquiry from the law enforcement.

There is about a thousand exit nodes, they are all known and thus routinely blacklisted. There is no way to hide an exit node, that's why a lot of them have honest DNS names like tor.exit.node.com. Many sites will outright deny access if you come from a Tor exit node. I would assume that most if not all exit nodes are under surveillance, be it authorities or simply the curious server owner.

Tor would be much more usable if it was a hundred times larger. If you want to support Internet privacy, rent a server and make it a Tor node, preferably an exit. It is trivial to set up and costs upwards from 50 euro a year.

Tor client package you can download, install and use for free, and it is actually two things in one. The first is a VPN client that connects to the cloud, and the second is a browser preconfigured to connect through that VPN. So the presumed usage of Tor is exactly for anonymous browsing.

Tor browser is perfectly usable and is hardened for anonymity by experts, but I would recommend using it by itself on your everyday computer only in an "emergency, break glass" kind of situation, when you need a dose of anonymity right now, and don't have time to set everything up as described above.

But it is absolutely possible to use Tor through a VPN.

And then, having chained several VPNs and using Tor browser on top of that is, I believe, the most untraceable Internet connection practically possible.

31. Conclusion

I do hope that upon reading this article you have better understanding of how VPNs work, what problems they solve, and how and to what extent Internet can be accessed anonymously.

As a final note, whatever you do, responsibility stays with you. You can throw away the laptop but not the consequences of your actions. It's better overall not to do things, that you could not admit openly. Please give it a good thought before seeking anonymity.

That's all I had to say, and thank you again for reading !

About the author:

My name is Dmitry Dvoinikov, I work as a programmer for more than 20 years so far. My interest in networks and security goes back to mid-90s. Back then I wrote a utility for tunneling TCP through HTTP, similar in nature to VPN. Couple of years later I wrote a real VPN daemon which I still find pretty functional. It's unique in its capability of establishing a VPN tunnel through a uni-directional stream of ICMP pings (something that I then needed to get through a very restrictive firewall). Later I spent about a decade working in banking industry, specifically online banking, cryptography and digital signatures.