Show HN: Lahana – my VPN to Tor gateway script for EC2 Free-tier users (dreamcats.org)
43 points by iuguy on June 2, 2013 | 19 comments

Some of you may have read or taken part in the discussion about what's going on in Turkey right now. This is my side project to help people build VPNs using Tor with the free tier. I hope it's helpful not just to Turks but to other people. I could really do with help setting up connectivity guides and also with people translating guides into Turkish, Kurdish and any other regional languages used by people in affected areas.

Any help you can offer would be gratefully appreciated.

Why not just set up tor bridges/relays? Is the advantage of this that it can be easily used with an iPhone? It seems like this is rather unsafe since the Turkish government can just set up lahana nodes, sniff the traffic before it goes to tor, while knowing who exactly is sending it.

It's not perfect, it's meant to be easily shareable which precludes using certificates.

Lahana nodes don't talk to each other and people should set stronger passwords and secrets (although I think I'll set a more secure default).

Part of the advantage is that this will work with pretty much any VPN client and doesn't need Tor installing locally. It's also incredibly easy for an end user to connect to. The problem at the moment isn't that people are being identified in Turkey, the problem is that some people are seeing things blocked. This has actually gone on for a while with stupid things like YouTube being blocked.

Lahana doesn't give you secrecy, it just (in theory) makes it harder to track back from the far end (by using tor), provides direct access to tor without needing to install anything and (hopefully) lets you bypass filtering.

I would not recommend Lahana for anyone where being identified could cause serious harm. But I do welcome any ideas/help on trying to make Lahana better.

In any case, since you mentioned that tracking from the destination is a concern, if one is going to be using lahana, I think also using torbutton is a good idea, since you will otherwise be vulnerable to browser fingerprinting (see https://blog.torproject.org/blog/effs-panopticlick-and-torbu...). Since Torbutton assumes you will be using tor in the recommended manner, one using lahana would have to:

1. Click on Torbutton
2. Go to "preferences"
3. Select "Transparent Torification (requires custom transproxy or Tor router)"
4. Press Ok

I think browser fingerprinting might be more of a theoretical threat, and don't know if it has ever been successfully used so it may not be worth your concern.

Keep in mind that using Torbutton (and HTTPS Everywhere as you recommended) is currently possible only on the desktop version of Firefox.

I haven't been following Turkey news related to tor but if you look at https://metrics.torproject.org/users.html?graph=direct-users... it doesn't seem like Tor is being blocked

Anyways good luck with this

Thanks for that. I'll take a look into that tomorrow. I'm shattered right now. Trying to just get some nodes up. If I can at least provide the same level of security as the telecomix guys I think everyone (including the telecomix guys) is doing well.

AFAIK with the exception of iOS devices, using the Tor Browser Bundle is just as easy, if not more so than installing a vpn client. I realize that Tor can't be used on iOS without jailbreaking it, and that iOS comes with a vpn client, but for PCs Tor doesn't even require an install to use, while a vpn client does, and for android it only requires installation of two apps. While your effort is commendable, seems well intentioned, and is more than anything I have ever done, it just seems like this is a dangerous step down from the recommended use of TOR.

Which is great, except for the fact that Tor itself is fraught with a whole load of issues and at the end of the day you can still incriminate yourself.

Lahana doesn't implement secrecy because it wasn't a design requirement. It solves a different problem and uses Tor to do that, albeit in a manner associated with 24 hours and some duct tape rather than years of NSA and DARPA funding. If you have any suggestions for implementing secrecy while maintaining the ease of use aspect I'd love to hear them. Heck, even documenting all the risks you see with it at the moment would be useful as it would help people make more informed decisions.

I've seen mixed reports about tor being blocked or possibly not, which is part of the reason for the VPN. Thanks for the feedback though and I agree that for many cases Tor is a better solution while it remains directly accessible, especially if secrecy is a requirement.

"I realize that Tor can't be used on iOS without jailbreaking it"

Not quite true.

While Tor can't be used for all traffic, there are Tor apps -- OnionBrowser works quite well; I just tried it.

Good point, although based on my experience using OnionBrowser on an iPhone over a year ago, I'd say lahana or jailbreaking seem to be better choices for someone wanting to use Facebook, Twitter, or YouTube, since using any of these on a mobile phone browser can be hell without tor.

You are correct, wish I'd known about that beforehand!

Yes, as far as I've heard,

You should probably make the 'Lahana is not super secure' really BIG and BOLD for the reader so they can understand their risk.

I've actually read the opposite (there used to be something about TOR -> VPN here http://sourceforge.net/p/whonix/wiki/Tunnel_Tor_through_prox... they seem to say VPN -> TOR is safe). I think using VPN -> Tor is normally OK since if you are running tor locally, your VPN provider won't be able to read your traffic since you have encrypted your traffic for tor locally (you've encrypted it four times in total, once for the VPN and three times for tor). The problem with lahana is that, unlike in the last case, in this case the traffic is only encrypted once locally, then sent to the lahana node, decrypted, and then encrypted three times for tor. The danger here is that the person running the lahana node can read all your traffic after it is decrypted for them.

Encrypting something multiple times doesn't necessarily make something more secure. In some cases it can decrease the effectiveness of the protocols in use, but it really depends on what encryption is used and how it is used.

> The danger here is that the person running the lahana node can read all your traffic after it is decrypted for them.

So if I understand this correctly, if you're in a country with a government that monitors traffic and you connect to a malicious public lahana node that monitors traffic, run by the same government then your traffic is compromised?

But if you run your own lahana node, then it's not (excluding questions about whether or not Amazon have the ability to go into a node for example)?

Sorry if it sounds like I'm being daft, I'm just trying to understand the specifics here, so I can figure out ways to address them (if they fall within the scope of lahana, vs traditional Tor uses).

Here's my reference for reference, http://www.slideshare.net/grugq/opsec-for-hackers (slide 137/138)

I cannot recommend either, but I would note that in your link they do seem to state 'Anyway, not so many people seem to do use a tunnel before they connect to Tor, therefore it's not so well tested, do not rely on it too much.'. So I'd be wary of their advice for anything you need to bet your life on.

Done, although if you have any specifics it'd be greatly appreciated.

If you want to try connecting to a Lahana server without setting up your own node, try this:

Username: bob

Password: bob

Secret: whoop

Hostname: ec2-50-19-10-247.compute-1.amazonaws.com

There's a guide for iOS users[1]; I haven't got round to posting a guide for Windows and Mac OS X yet.

[1] - http://lahana.dreamcats.org/ios-howto/

If you create a Lahana node, please post the details in the Lahananodes subreddit[1] so others can use it. It's a bit late in the evening in Turkey but I'm trying to get some nodes up for when people come online in the morning. If you can run a node, please do!

[1] - http://www.reddit.com/r/lahananodes/

Sorry, maybe you can explain this to me, but I don't understand what advantage this has over Tor bridges?

The purpose of Lahana is to provide a free method of bypassing filtering that almost anyone can implement and anyone can use. It's not meant to provide secrecy, it just gets you past the first hurdle of the filter and gives you tor as an option for a destination.

The reason for using tor is to make it so the source is not directly identifiable to surveillance tools unless the user uses the connection insecurely (e.g. runs bittorrent or has browser leaks). There is the added bonus of being able to access tor without having to install anything on your device.

Tor bridges are fantastic, but for people on mobile devices that don't run Android or aren't jailbroken this isn't an option. Lahana opens this up to people running unjailbroken iOS, BlackBerry and Windows Phone.
