Creating a VPN

anon2345
Jul 8, 2010, 03:29 AM
Hey, I have a question, and after my research (and lack of understanding) I still need some help. I am trying to set up a VPN only to hide my IP.

I don't need anything difficult, and I found a couple of sites where I could pay for this, but is there an easy way to set up a VPN on my MacBook Pro for free? If so, could I get a definitive explanation? It seems overwhelming and daunting even for my brightest Apple-geek friends. What do I need to do and how?

Thanks in advance!



super_kev
Jul 8, 2010, 08:45 AM
A VPN is a private, encrypted network between two points. Basically, think of it as a tunnel between the computer (or network) and another computer (or network). Say you have a VPN server at Network A, and you were on Network B but wanted to connect to a server on Network A. You log in to the VPN server using a client program, and your traffic is tunneled to the VPN server over the internet and appears as a computer that's physically hooked up to Network A, thus all web traffic looks like it is coming from Network A. You still have an IP address at Network B, but all traffic is encrypted through the tunnel to Network A. I'm sure there is an easier way to explain this, so let me try an example here:

For example, if you want to connect to a computer at home and listen to iTunes (using Bonjour, or local networking), you could set up a VPN server at home (because this is the network you want to connect to), tunnel in from work or travel, and bingo, your iTunes computer would show up in the network list, as you are connected to your home network. All network traffic would appear as coming from your home network.

If you pay for a VPN service, your network traffic will appear to be coming from the paid VPN servers (and hence their IP). You will still have an IP, but only encrypted traffic (going to the VPN server) will be coming from it.

I use Viscosity and a DD-WRT router running an OpenVPN server to tunnel into home and access my servers (cost = $9 for Viscosity, $65 for the router, otherwise free), but my guess is that you want your network traffic to be coming from an IP address that does not point to you, so you would need to use someone else's VPN service.

aarond12
Jul 8, 2010, 09:37 AM
What are you hiding your IP from? A website? If so, a proxy server might be a better choice. There are LOTS of free proxy servers on the web, such as http://www.hidemyass.com/.

-Aaron-

anon2345
Jul 8, 2010, 11:46 PM
A VPN is a private, encrypted network between two points. Basically, think of it as a tunnel between the computer (or network) and another computer (or network). Say you have a VPN server at Network A, and you were on Network B but wanted to connect to a server on Network A. You log in to the VPN server using a client program, and your traffic is tunneled to the VPN server over the internet and appears as a computer that's physically hooked up to Network A, thus all web traffic looks like it is coming from Network A. You still have an IP address at Network B, but all traffic is encrypted through the tunnel to Network A. I'm sure there is an easier way to explain this, so let me try an example here:

For example, if you want to connect to a computer at home and listen to iTunes (using Bonjour, or local networking), you could set up a VPN server at home (because this is the network you want to connect to), tunnel in from work or travel, and bingo, your iTunes computer would show up in the network list, as you are connected to your home network. All network traffic would appear as coming from your home network.

If you pay for a VPN service, your network traffic will appear to be coming from the paid VPN servers (and hence their IP). You will still have an IP, but only encrypted traffic (going to the VPN server) will be coming from it.

I use Viscosity and a DD-WRT router running an OpenVPN server to tunnel into home and access my servers (cost = $9 for Viscosity, $65 for the router, otherwise free), but my guess is that you want your network traffic to be coming from an IP address that does not point to you, so you would need to use someone else's VPN service.

Yes, precisely. I do not want an IP that points to me. I have a couple of reasons for this:

1. Sometimes I torrent things. Usually things that I own, have lost or that have been destroyed, or would never waste money on. I would just rather be safe because, for instance, my roommate downloaded a movie and Verizon sent him an email stating the movie he downloaded and said they will turn him over if it's requested of them. Most of the stuff I torrent is stuff I have owned and lost (or something of that nature), but I don't want to be sued for it. So I heard a VPN is the safest way to go. Don't get me wrong, I'm pretty nerdy, but this VPN stuff is really confusing-sounding and sorta over my head.

2. In addition, I own my home and every one of us owns a Mac. For some reason we can all access each other's computers when they're on. I've locked all my stuff down, not that I have anything to hide, but who wants people to have the capability of freely scanning your files? They're my roommates, not my brothers. So, if I set up a VPN I should be on a different network, unreachable by those who share my router, correct?

Mostly for the first reason though. So you're saying I would need to do pretty much what you've done, or is there an easy way a layman could do this on his own?

anon2345
Jul 9, 2010, 12:32 AM
Sorry, Verizon did not send him an email but rather they sent him a letter through the regular mail.

super_kev
Jul 9, 2010, 08:41 AM
Yes, precisely. I do not want an IP that points to me. I have a couple of reasons for this:

1. Sometimes I torrent things. Usually things that I own, have lost or that have been destroyed, or would never waste money on. I would just rather be safe because, for instance, my roommate downloaded a movie and Verizon sent him an email stating the movie he downloaded and said they will turn him over if it's requested of them. Most of the stuff I torrent is stuff I have owned and lost (or something of that nature), but I don't want to be sued for it. So I heard a VPN is the safest way to go. Don't get me wrong, I'm pretty nerdy, but this VPN stuff is really confusing-sounding and sorta over my head.

2. In addition, I own my home and every one of us owns a Mac. For some reason we can all access each other's computers when they're on. I've locked all my stuff down, not that I have anything to hide, but who wants people to have the capability of freely scanning your files? They're my roommates, not my brothers. So, if I set up a VPN I should be on a different network, unreachable by those who share my router, correct?

Mostly for the first reason though. So you're saying I would need to do pretty much what you've done, or is there an easy way a layman could do this on his own?

What I've done won't help you a bit in this case, as I'm accessing my home network from outside of the house. You want to access an outside network, and Aaron gave you a solution. However, your traffic will be visible to them, and they may have policies of their own, which won't make it much different from your ISP.

As far as #2, you say your Mac is freely browsable even though you locked things down. If you have File Sharing on, you should not be able to access your files unless you log in with your personal user name and password, and guests can access only the Public folder. A VPN will isolate you if you are constantly connected, but it's easy and free to just turn off File Sharing, or else make sure access to your computer is not given to guests.

myjay610
Jul 9, 2010, 11:57 AM
Try using TOR (the onion router); then you can just set your bittorrent client to use the TOR proxy. No need to put your entire interface on a VPN connection.

myjay610
Jul 9, 2010, 11:58 AM
PS - might slow your d/l speed way down but you'll be hidden.

anon2345
Jul 11, 2010, 05:22 AM
Try using TOR (the onion router); then you can just set your bittorrent client to use the TOR proxy. No need to put your entire interface on a VPN connection.


How much longer will TOR make my downloads take? I'm trying to run it but it keeps crashing.

darkplanets
Jul 11, 2010, 03:41 PM
Please don't use TOR for torrents; that's not what it was meant and/or designed for. You will get ridiculously slow speeds over TOR, and will piss off the endpoint owners. Not to mention, BitTorrent over TOR isn't exactly safe as-is; you need to force encryption out, enable the proxy (TOR) for trackers and peers, disable DHT, and keep multiple instances for multiple TOR network usage. In short, it's not worth it.

Similarly, you could try TOR with onioncat, also not worth it.

You can also try I2P2, which is a TOR-like network designed for torrents, but there are also limitations here, mainly the fact that you can only use in-network torrents (I2P2), which means you have limited selection. Once again, it's ridiculously slow.

I would suggest running behind a NAT router with an egress firewall and limiting BT traffic to localhost traffic only. This will now point only to your router, which is a start, since from there you can use plausible deniability, albeit not the best defense.

There are also other free alternatives to TOR and I2P2 which are designed for torrents. I haven't done much reading on them, nor do I know about their speeds, but they're worth trying out. If you do try them, let me know how they work; I'm curious. Some examples: Freenet, BitBlinder, GNUnet.

But yeah, really, the best solutions for BT are the paid ones: Usenet, iPredator, and other VPN/proxy services that support BT traffic. In all cases you need to turn DHT off. If you purchase one of these services, make sure that it's torrent compliant and compatible, and that there's a hefty bandwidth cap. iPredator was set up by the Pirate Bay guys; I hear it's a pretty good VPN service.

Please note though, torrents are inherently unsafe, especially public ones, as anyone can connect to you and poke around, so to speak, thanks to DHT or the tracker.

Of course there's another alternative, which perhaps is the best of them all when combined with a security measure like proxies or VPN: private torrents. There are many, many large sites for this; they are all invitation only, are very "scene" oriented, and all have special rules. They require stringent seed ratios, use private trackers with logons, and have a whole host of regulations and rules. You cannot use DHT with these either.

anon2345
Jul 11, 2010, 10:06 PM
Excellent input. Thanks!

I was thinking about the paid services...but if I could do something similar and for free I'd jump on it. What is DHT and how is it disabled?

DoFoT9
Jul 11, 2010, 10:14 PM
It's almost like you want IPsec between your computer and your router! A bit odd to do, but perfectly possible :)

You can always password-protect everything, and even enable stealth mode so nothing bounces back.

I'm very interested in opening up a VPN connection to my home. I use SSH, but VPN would be cool.

darkplanets
Jul 11, 2010, 11:24 PM
Excellent input. Thanks!

I was thinking about the paid services...but if I could do something similar and for free I'd jump on it. What is DHT and how is it disabled?

DHT is just the distributed database service; if you use Vuze you'll see it on the bottom right status bar as peers connected. In other words, it works outside of the tracker, and is widely considered the next evolution in P2P file-sharing. With that said though, it has some major advantages and disadvantages, the latter being the issue here. How it works, simply, is that it finds peers around you (on the Internet) that have the same torrent/files as you have and/or need, and makes a connection to them during the torrent process. Essentially it can be seen as a distributed database that can't be taken down; there's no centralized tracker, since you seek out seeds and peers individually, independent of the swarm status. Once connected to peers/seeds the torrent process continues as normal, with the only difference being in how the connection is found, made, and established. The problem with this, however, is that since there isn't a centralized tracker, your computer, i.e. your IP, makes INDIVIDUAL connections to your peers checking for data, revealing both what you're looking for as well as your location (IP address). A tracker is similar in this regard, but safer in the fact that you are only directed to people who have the file/torrent, not any random person with whom you're checking data against. Essentially DHT is making everyone into their own tracker, checking and compiling lists of IPs with files/data that you need for your torrent. I hope that made sense.

As for disabling it, well, that you have to do in the preferences section of the program. Obviously this varies per client, but it should generally be accessible and easily found. Just as an FYI, DHT is enabled by default on all clients, so if security is desired then turn it off, as I said/explained before in my previous post.

As DoFoT9 has said, yes, making IPsec between your computer and router would be possible, albeit I have little to no knowledge in setting it up; I just use preconfigured VPNs :). Stealth mode is undoubtedly a good idea here, and I would highly recommend the NAT router w/ egress firewall and limiting BitTorrent to localhost traffic only; it will point only to your router then, as previously said. Making an IPsec connection between your router and your computer would do the same thing, and would actually be better in this case now that I think about it, as you would have an encrypted tunnel between you and your router. Again though, doing it locally, your router would be singled out.

EDIT: Are you in college? It sounds like it. If so, there's some other options available at most universities, which is what I use.

DoFoT9
Jul 11, 2010, 11:33 PM
wow man ^

You really know your stuff :) Thanks for that in-depth description; I feel like I know a bit more about P2P now! You described it very well, thanks!

DHT seems like a good idea. If the clients were to be encrypted, would that help out at all for the anonymity of the end users? A tracker is def a better idea, given the general illegal status of torrents; they would tend to not be updated as accurately though, I would imagine.

anon2345
Jul 12, 2010, 12:47 AM
Helpful indeed, ha. Yes, well, if we're making individual connections then people from the MPAA/music industry could easily set up fake seeds and find the IP addy of anyone who leeches off them, correct?

It's not only about torrents, it's privacy in general. I don't like people being able to find out what is done on my computer. Not that I'm doing anything criminal or even perverse, I'm just really conservative when it comes to privacy and people being able to know my personal business. At all.

Yes, I am a student as well. I use Vuze and Transmission. However, most of the stuff that I download is literally stuff I own, lost, or just want backed up. I have most of my movies on a hard drive via HandBrake, but some of them won't rip; these I will torrent. So it's not like I'm just getting everything coming out, because I've literally paid for most of this stuff. It's more about privacy, but this is a motivating factor.

With all of this in mind, what would you say is the best solution for all-around privacy with torrent capabilities? Doing what DoFoT9 said? Is there a way to escape your router being seen? Or possibly look like you're located in Indochina or something?

darkplanets
Jul 12, 2010, 01:25 AM
wow man ^

You really know your stuff :) Thanks for that in-depth description; I feel like I know a bit more about P2P now! You described it very well, thanks!

Haha, nah man, thanks for the compliment, but I rather consider myself a "noob" to all this; I couldn't begin to explain most of the technical network-side aspects of P2P sharing, especially when we're talking about the fine details of DHT, scrapes, trackers, etc. I only know the general gist, how things generally function, and maybe a little more, from reading many different articles and explanations on the internet. It's really a constant learning process, with me learning new things about the nuances of it every day. I am not an expert on P2P networks by any means, and won't be for some time :p


DHT seems like a good idea. If the clients were to be encrypted, would that help out at all for the anonymity of the end users? A tracker is def a better idea, given the general illegal status of torrents; they would tend to not be updated as accurately though, I would imagine.

It's late, so my head's a bit fuzzy, but basically encryption really doesn't help being anonymous, sadly. DHT is awesome in every other aspect, except for privacy. If you force encrypt data (which you can do), your IP address is still shared, as well as what file(s) you need/host for the torrents, but your actual traffic will be encrypted. DHT and trackers require an available IP address; it's the only way they can make a connection between peers, or more specifically the only way you can connect to a peer or seed. It's a bit of a lose-lose in that regard right now; the only way around this of course is through a VPN or proxy, which is where DHT then shines: forced encryption means that your data isn't being intercepted, and your IP address and data-stream home is being saved/protected via the VPN or proxy. So in short, no, encryption won't help the end users, at least not without additional IP anonymizing help via VPN or proxies.

A tracker, though, is not necessarily a better idea either; it limits the number of peers you can connect to based on the scrape as well as other network and server settings, and may only report a fraction of the users who can contribute data towards your desired torrent based on who's using what torrent with what tracker. Furthermore, a tracker then provides a nice list of people with the desired files for the torrent, a goldmine if you're law enforcement; all you have to do is download the torrent and connect to the tracker to get the current list of IPs hosting or downloading the requested torrent files. That's not to say it's entirely insecure though; different trackers have different security and network settings, and in most cases it's hard if not impossible to get the entire peer/seed list with all of the IPs off of the tracker itself; the tracker usually only sends out a limited number of IP addresses for the client to connect to. In regards to the encryption idea, the same hurdles again remain for trackers as they do for DHT. In order for a tracker system to work, IPs are needed, and in order to make a connection you need the seed and peer IPs with whom you're connecting. Forcing encryption will again make that data transfer safe from outside onlookers, but will not hide your IP or the person who you're connected to. Essentially view it as tunneling like VPN, but with both end-points being well-known IP addresses. Basically the same rules apply here as they do for DHT; having an IP anonymizer would fix this problem entirely. VPN or a proxy + forced encryption would provide the necessary security. Until an IP anonymizer becomes standard in either trackers, DHT, or general BT protocol, additional security measures will always be required.

On a similar note, private torrents are really the way to go here; they use private trackers with stringent rules and safety regulations, and are only available to members. Thus the law-enforcement scrutiny is not as prevalent, and the peers/seeds you connect to are more trusted and reputable than public torrent peers. DHT is also disabled by default on these torrents, and the IP seed/peer list is well-secured on the tracker.

As for the tracker updates, the same rules apply to both public and private trackers. Updates to the tracker lists are made on regular intervals, set by the tracker's owners. These usually range from 10-30 minutes, and can be viewed in the torrent details in most BT clients. As you mentioned though, yes, they are not updated as accurately as DHT, which is due to the reasons mentioned above. It only reports peers/seeds connected to the tracker via that specific torrent file and torrent setup, not the overall peers/seeds available that have the same file as you, regardless of the tracker or torrent file. Thus the natural advantage of DHT. Plus there's the fact that if a tracker goes down that doesn't support DHT, the whole torrent goes down, whereas with DHT on the torrent would continue on its merry way, independent of the tracker or its failures.

I think that about covers it; it's a bit more verbose and long-winded than I would have liked, but hey, it's late and I'm tired :D

EDIT: OP, you posted while I was typing this; I'll respond to your inquiry/response in the morning :p

EDIT 2:
Helpful indeed, ha. Yes, well, if we're making individual connections then people from the MPAA/music industry could easily set up fake seeds and find the IP addy of anyone who leeches off them, correct?
Correct. This happens all the time, and is actually how the MPAA/RIAA/etc. find illegal file sharers. Please note that this can occur using DHT OR trackers, with the only caveat being that for trackers the "fake seed" needs the torrent file and access to the tracker. Hence why private torrents are preferable; while many are undoubtedly penetrated by media groups, the overall exposure is minimal in comparison to public torrents, especially when it's password protected, has a forced share ratio, and DHT is turned off.


It's not only about torrents, it's privacy in general. I don't like people being able to find out what is done on my computer. Not that I'm doing anything criminal or even perverse, I'm just really conservative when it comes to privacy and people being able to know my personal business. At all.
Agreed. I'm like-minded for the same or similar reasons.


Yes, I am a student as well. I use Vuze and Transmission. However, most of the stuff that I download is literally stuff I own, lost, or just want backed up. I have most of my movies on a hard drive via HandBrake, but some of them won't rip; these I will torrent. So it's not like I'm just getting everything coming out, because I've literally paid for most of this stuff. It's more about privacy, but this is a motivating factor.
Understood, but no need to justify this to me. Whether you pirate or not is not of my concern ;)


With all of this in mind, what would you say is the best solution for all-around privacy with torrent capabilities? Doing what DoFoT9 said? Is there a way to escape your router being seen? Or possibly look like you're located in Indochina or something?
TBH, there really isn't a best all-around solution for privacy with torrent capabilities. With that said, there are some good options. Doing what DoFoT9 said, or what I said with the NAT router, is always a good idea. However, without adding another layer on top (VPN, proxy), there is no way to escape your router being seen. With that said, there is a way to look like you're located in Indochina: get a VPN or proxy from that area :P. In all seriousness though, really the only true privacy measure that allows for torrents would be a dedicated VPN or proxy, and I don't think most proxies allow UDP. You have to find a proxy and/or VPN that specifically supports BT; that is to say, supports UDP/TCP with all of the required ports open, and with reasonable bandwidth constraints. These are all paid services, however. Ultimately you'll never get a quality free service, and the other solutions I listed above are less than ideal. VPN is really the way to go. The reason I asked if you were a student is because most schools have their own VPN servers; mine has around 11. It really depends on the school; some have bandwidth caps, some monitor traffic, some don't have the right ports, and some just don't care. The latter is obviously preferable. Furthermore, your school may also have its own dedicated piracy network, run on either WASTE, DC++, Dtella, or private trackers. This functions on the school's intranet, not the internet, so there are no bandwidth caps and it's entirely private. My school uses Dtella, and our network size is typically 80-180 TB, depending on usage and time of day, so there might be a decent network near you. If you can't use a VPN, this is far preferable to using torrents.

aarond12
Jul 12, 2010, 01:39 PM
Another viable option: Usenet access. Currently, you will only find pay-for-play access, but you will have access to many thousands, if not millions, of files of every kind.

If this sounds interesting, try a service like http://www.easynews.com/ and use their free 14-day trial. This way you won't need a proxy, VPN, or anything else -- you can use a standard HTTP (non-peer-to-peer) or HTTPS (secure) download. I've used this company for over 8 years -- they're great.

-Aaron-

TheSandGirl
Jul 13, 2010, 03:21 AM
Hi all,

My situation is very similar to the OP's. I'm a newbie to the concepts of proxies, VPN, torrents, etc. I know enough to be a tiny bit dangerous, but that's about it.

In any event, I was using Transmission for my torrents and I did the following:

I went to a free proxy site such as proxy(4)free, xroxy, etc. and found a proxy that was listed as "anonymous." Then I went into Transmission > Preferences > Network and checked the box that reads, "Connect to Trackers With a Proxy." I then entered the numerical address in the Server field and selected my corresponding port and protocol.

Now, keep in mind that I may be totally off base here and have given myself a false sense of security in the process. I actually stumbled across this thread as I was trying to see if I could do the same thing in Vuze, as the fields are more complex than those in Transmission (with regard to IP address), and I wanted to ensure I was doing the right thing. If one of you experts out there wouldn't mind throwing in your two cents, I would appreciate it, and perhaps it will help out someone else here at the same time.

To the OP: Regarding your private data, can I highly suggest TrueCrypt for you? Once again, I was in a similar boat, learned about TC and found it was one of the best free pieces of software I've come across on the net. The learning curve was small, and essentially it allows you to create encrypted "containers" (folders at a Department of Defense level of secure encryption) where you can keep your files "locked" up. To open them, you simply launch the application, which loads in a few seconds, type in your password and voila, your files are there again for you. You can also do the same thing with entire drives instead of containers. You can do it with external drives, flash drives, CDs, DVDs, etc. I had paid for FolderLock on my old PC, but TC is a thousand times better, and the best part is that it is free.

The situation with your roommates aside, if your computer, external drive, data discs, etc were to ever be stolen, at least your sensitive files would be secure as well. :cool:

Cheers!
:) :apple: :)

darkplanets
Jul 13, 2010, 04:43 PM
Another viable option: Usenet access. Currently, you will only find pay-for-play access, but you will have access to many thousands, if not millions, of files of every kind.

If this sounds interesting, try a service like http://www.easynews.com/ and use their free 14-day trial. This way you won't need a proxy, VPN, or anything else -- you can use a standard HTTP (non-peer-to-peer) or HTTPS (secure) download. I've used this company for over 8 years -- they're great.

-Aaron-

Usenet... hmm. I haven't heard that mentioned in some time. I'm by no means knowledgeable about the underpinnings of Usenet, but couldn't you just get your own free client and connect to the NNTP servers? I know on the internet Usenet is transported via NNTP on TCP Port 119 for standard, unprotected connections and on TCP port 563 for SSL encrypted connections; do you just make a standard server-like connection to these newsgroups? How does it work out? I'm especially interested in the SSL connection applications, as net neutrality is fading fast. Could you elaborate more on how the underpinnings work?

I'd rather not pay a monthly fee if I can get a freeware client and connect to the server, par and rar myself from the binaries, and do all that jazz on my own. Is the monthly fee for private server access? Is SSL free? I mean, I really don't need a web browser here either, like the site you posted. It sounds like easynews downloads from the NNTP servers themselves, pars and rars, and then posts for HTTP/HTTPS download on their site, a service I really don't need. While I understand that there are paid newsgroups with large libraries available for a monthly access fee, are there any free, open servers with large libraries? Any public endeavors there, dare I say into piracy? I mean my issue is this: if I'm going to be re-downloading material I own, or pirate material, why should I pay them for something I either own, or something that they don't legally own? Is there anything public like Demonoid or TPB? I also hear that certain ISPs host NNTP servers; is this true?

Sorry for the massive wall of questions; I'm just curious :p. I haven't really heard much about Usenet in years; the last I heard of it was like 1996 for real newsgroups with actual news, not binaries.


In any event, I was using Transmission for my torrents and I did the following:

I went to a free proxy site such as proxy(4)free, xroxy, etc. and found a proxy that was listed as "anonymous." Then I went into Transmission > Preferences > Network and checked the box that reads, "Connect to Trackers With a Proxy." I then entered the numerical address in the Server field and selected my corresponding port and protocol.

Now, keep in mind that I may be totally off base here and have given myself a false sense of security in the process. I actually stumbled across this thread as I was trying to see if I could do the same thing in Vuze, as the fields are more complex than those in Transmission (with regard to IP address), and I wanted to ensure I was doing the right thing. If one of you experts out there wouldn't mind throwing in your two cents, I would appreciate it, and perhaps it will help out someone else here at the same time.

In short, yes, you can do the exact same thing in Vuze that you did with Transmission. I personally have never set up a proxy in Vuze or Transmission, so I can't speak to the specifics, but I imagine it's rather option-plenty and not that straightforward. My advice is to enter the fields to the best of your knowledge, and then test your torrent IP address. You can do this by either looking at the torrent details and checking your IP, or by using a site like this (http://checkmytorrentip.com/). Obviously, you want the IP seen on the torrent to be different from your IP, namely the one you see in an un-proxied web browser here (http://www.whatsmyip.org/). Seeing a difference in torrent vs. regular IP however does not ensure security; that just tells you that the proxy is working (to some degree). This is the first step.

Now we have to get into the specifics, in order to ensure that you're safe. For starters, you want to enable the proxy for both trackers and peers; this really depends on the program and the setup, some will default to this behavior, others handle traffic differently so this option has to be used. The next thing to consider is the type of proxy you're using.

More specifically, is it SOCKS, or HTTP? An HTTP proxy will NOT work; you will not have any protection here. If its SOCKS, is it SOCKS4, or SOCKS5? This is a major difference, and you HAVE to know which it is. The reason is this; when you connect to a peer to download, you typically connect via TCP, and download via TCP. You connect to the tracker typically via UDP, but not always, as you can also receive the tracker list (aka peers and seed list) via TCP; it depends on the tracker and the specific torrent specifications. Note I say typically a lot in the above two sentences; that's because its liable to change given the client, tracker, or torrent. For example, OpenTracker software supports UDP tracker functions, so typically most torrents on OpenTracker powered trackers connect to the tracker list via UDP (Just as an fyi, OpenTracker is the most popular tracker software package). TCP is still an option though. Normally one would connect to a peer and download via TCP, however since TCP is subject to traffic shaping, and since most ISPs don't do deep packet inspection, UDP has been gaining popularity for peer-peer connections and downloads. Most notably, uTorrent, the original makers of BitTorrent, who are considered cannon in regards to the advancement of the torrent protocol, have included UDP capabilities for peer-peer connections and downloads. I don't know if UDP connections for downloads come enabled by default, or if other clients use this function yet, but it's possible that Vuze or Transmission has adopted this new feature, and has enabled it by default. I would make sure to check it out; poke around in the preferences, and see if its there and/or if you can turn it on or off. Furthermore, there is one more use of UDP in the BitTorrent protocol; DHT. DHT is the distributed database; you can read more about that above in my other posts. 
Basically it is a distributed network for finding seeds and peers independent of a tracker, and can run in tandem with one. It is enabled by default in Vuze. DHT uses UDP to find and make connections with other seeds and peers in the distributed database; once a connection is made it uses TCP to download, like a regular torrent does. So... why did I just tell you all of this? Well, don't worry, I didn't waste your time; it's just so you understand a little of how torrents work, and why the following is the unfortunate (or fortunate) truth required to maintain security.

Remember when I asked about the type of proxy server it was?

If the proxy is a SOCKS4 server, which is the most likely possibility, as SOCKS4 is the most popular and prevalent proxy, then you're in trouble. SOCKS4 only supports TCP, NOT UDP. It's a big uh-oh. If you have a SOCKS4 proxy, you have to do the following: 1) Disable DHT. This means all of your torrents HAVE to have a working tracker. 2) Force encryption. This should be done regardless of the type of proxy; you should be able to force encryption out. 3) Disable UDP trackers. This preference will be hard to find, but it should be somewhere, especially in Vuze. Note that there are major drawbacks to this. For one, you won't be able to connect to UDP trackers anymore, which is a large segment of the torrent scene. If the tracker allows TCP connections you'll be fine, but any torrent with a UDP-only tracker just became a no-go. Furthermore, if you choose not to disable UDP, then the UDP packets will bypass the proxy, and go on their merry way regardless of security. These packets will then tell the tracker your real IP address, which will be listed on the tracker list, and peers and seeds will connect to you at your original IP, not the proxy's IP. Thus, the proxy is worthless, as only your TCP traffic out will be from a different IP. In other words, disable UDP, or don't use a SOCKS4 proxy.

Before I delve into SOCKS5, something should be noted; some proxies may not allow network functions in. In other words, many proxies may not allow TCP/UDP connections inward from the proxy to the computer, it depends on how it was set up and what ports are blocked in what direction. Some will however, it really just depends; this is something else that you need to know about your proxy of choice. If the proxy is listed as torrent-safe, you should be fine. This is another reason why VPNs are preferable; data and network functions easily go both ways.

Onto SOCKS5! Hey, good news! If you have a SOCKS5 proxy (more rare), you're in the green! SOCKS5 supports both UDP and TCP protocols, so as long as you have the network access both ways (as in the above), you're good to go! Once again though, force encryption out for better safety and privacy.

Now for some disclaimers and general warnings. First, programs don't always function as advertised. Just because you put in the proxy address doesn't mean that it's going to force all of the program's network connections through the proxy; in fact some programs are notoriously bad at this. I don't know how Vuze rates on proxies, but I know for the TOR plug-in/protocol it fails pretty hard; Vuze will go outside of the TOR network frequently, and on its own. Therefore a couple of safety measures should be taken, just to be sure. 1) Disable DHT. It's really not safe to start with. 2) Force encryption out. 3) Multiple proxy instances for multi use; in other words, if you're using the proxy for two different functions, assign different port numbers for the two programs. If they share the same port and are using the proxy at the same time, the BitTorrent client is liable to leak data unabated via your normal IP. Finally, 4) If you're still really concerned about your safety and the program leaking TCP/UDP data and/or your IP address outside the proxy, there are programs to solve just that. I don't know of any off the top of my head, but I know for a fact there are some that will take all of the network data from an application and force it directly onto the proxy, even if the program leaks data to start with. Of course, if you have a SOCKS4 proxy and you have UDP enabled in your BT client, this isn't liable or guaranteed to work, as it still could escape depending on the program used to contain it.

I know that's a lot, and is a giant wall of text, but I hope that helped you out.


To the OP: Regarding your private data, can I highly suggest TrueCrypt for you? Once again, I was in a similar boat, learned about TC and found it was one of the best free pieces of software I've come across on the net. The learning curve was small and essentially it allows you to create encrypted "containers" (folders at a Department of Defense level of secure encryption) where you can keep your files "locked" up. To open them, you simply launch the application which loads in a few seconds, type in your password and voilà, your files are there again for you. You can also do the same thing with entire drives instead of containers. You can do it with external drives, flash drives, CDs, DVDs, etc. I had paid for FolderLock on my old PC, but TC is a thousand times better and the best part is that it is free.

While this is undoubtedly true, and possible, and it works, there also is another overlooked option: Disk Images. Use Disk Utility to create a read/write DMG that is password protected; you can have it 256-bit encrypted, which is more than enough for any civilian. Hell, 128 is enough. Not modifying its contents anymore? Then you can compress it too. Need more room? Make another, drag your files over. Those programs work though too; I'm just cheap and I love DMGs :D
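To make the SOCKS4 versus SOCKS5 point above concrete, here is an added example (written for this thread, not code from any of the posters or from Vuze/uTorrent) that encodes the actual request bytes of both protocols and simulates the one exchange that matters: asking the proxy for a UDP relay. SOCKS4 has only CONNECT and BIND, so there is nothing to send; SOCKS5 (RFC 1928) has UDP ASSOCIATE, but a proxy that does not relay UDP answers reply code 0x07, and a client that then sends UDP directly exposes the real address. The proxy, its relay address 198.51.100.7:1080, and the list of BitTorrent flows are all constructed for the example.

```python
"""SOCKS4 vs SOCKS5 request encoding (RFC 1928 for SOCKS5) plus a
leak check for the BitTorrent flows discussed in the thread.

Constructed example: no network access, the 'proxy' is simulated."""
import ipaddress
import struct

SOCKS4_CONNECT, SOCKS4_BIND = 0x01, 0x02
SOCKS5_CONNECT, SOCKS5_BIND, SOCKS5_UDP_ASSOCIATE = 0x01, 0x02, 0x03
REP_SUCCESS, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def socks4_request(cmd, host, port, userid=b""):
    """SOCKS4 request: VN=4, CD, DSTPORT, DSTIP, USERID, NUL.
    Only CONNECT and BIND exist; SOCKS4 has no way to ask for a UDP relay."""
    if cmd not in (SOCKS4_CONNECT, SOCKS4_BIND):
        raise ValueError("SOCKS4 defines only CONNECT (1) and BIND (2)")
    return struct.pack("!BBH4s", 0x04, cmd, port,
                       ipaddress.IPv4Address(host).packed) + userid + b"\x00"


def socks5_request(cmd, host, port):
    """SOCKS5 request: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT.
    host may be an IPv4/IPv6 literal or a domain name (ATYP 0x03)."""
    if cmd not in (SOCKS5_CONNECT, SOCKS5_BIND, SOCKS5_UDP_ASSOCIATE):
        raise ValueError("unknown SOCKS5 command")
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (0x01 if ip.version == 4 else 0x04), ip.packed
    except ValueError:
        name = host.encode("idna")
        atyp, addr = 0x03, bytes([len(name)]) + name
    return struct.pack("!BBBB", 0x05, cmd, 0x00, atyp) + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Return (REP, BND.ADDR, BND.PORT) from a SOCKS5 reply."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != 0x05:
        raise ValueError("not a SOCKS5 reply")
    if atyp == 0x01:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 0x04:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == 0x03:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("bad ATYP")
    return rep, addr, struct.unpack("!H", rest[:2])[0]


def fake_socks5_proxy(request, relays_udp):
    """Simulated proxy (constructed): grants CONNECT/BIND; grants UDP ASSOCIATE
    only when it really relays UDP, otherwise answers REP 0x07 'command not
    supported'. BND.ADDR/BND.PORT 198.51.100.7:1080 is a made-up relay address."""
    cmd = request[1]
    rep = REP_CMD_NOT_SUPPORTED if (cmd == SOCKS5_UDP_ASSOCIATE and not relays_udp) else REP_SUCCESS
    return struct.pack("!BBBB4sH", 0x05, rep, 0x00, 0x01,
                       ipaddress.IPv4Address("198.51.100.7").packed, 1080)


def can_relay_udp(socks_version, proxy_relays_udp=True):
    """True only if the protocol has a UDP command *and* the proxy grants it."""
    if socks_version == 4:
        return False  # no UDP command exists in SOCKS4
    req = socks5_request(SOCKS5_UDP_ASSOCIATE, "0.0.0.0", 0)  # 0.0.0.0:0 = any source
    rep, _addr, _port = parse_socks5_reply(fake_socks5_proxy(req, proxy_relays_udp))
    return rep == REP_SUCCESS


# Flows a BitTorrent client opens, per the post above (constructed list).
BT_FLOWS = [("tracker announce", "udp"), ("tracker announce", "tcp"),
            ("peer transfer", "tcp"), ("peer transfer", "udp"), ("DHT", "udp")]


def classify_flows(socks_version, proxy_relays_udp=True, flows=BT_FLOWS):
    """Map each flow to 'proxied' or 'LEAKS': UDP sent without a granted relay
    goes straight out on the real address, which is the leak the post warns about."""
    udp_ok = can_relay_udp(socks_version, proxy_relays_udp)
    return {f"{name}/{proto}": "proxied" if (proto == "tcp" or udp_ok) else "LEAKS"
            for name, proto in flows}
```

Running `classify_flows(4)` marks every UDP flow (UDP tracker, UDP peer transfer, DHT) as leaking, which is exactly why the post says to disable DHT and UDP trackers on SOCKS4; `classify_flows(5)` only comes out clean when the SOCKS5 proxy actually grants UDP ASSOCIATE, so a "torrent-safe" label has to mean UDP relaying, not just SOCKS5 support.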

anon2345
Jul 14, 2010, 06:41 PM
ef my head! Something very painful just happened behind my eye when I was trying to read that last post. It's now twitching uncontrollably. You know...I just wish they had classes on this sort of thing. (jk jk ha.)

So it turns out my school DOES have a VPN. I have a Mac and they have Mac software, without causing permanent brain hemorrhaging will this work for me?

darkplanets
Jul 15, 2010, 11:52 AM
ef my head! Something very painful just happened behind my eye when I was trying to read that last post. It's now twitching uncontrollably. You know...I just wish they had classes on this sort of thing. (jk jk ha.)
Haha awesome. Mission accomplished :D. Just as an FYI, I'm sure your university does have classes on this sort of thing; start with networking. For the record though, I've never taken any CS classes :p


So it turns out my school DOES have a VPN. I have a Mac and they have Mac software, without causing permanent brain hemorrhaging will this work for me?
Yes, yes it will...


But I can't leave it as that, I have to say more :D. Your school will probably provide 2 clients: Cisco AnyConnect and Cisco VPN (or closely named). I personally don't like either, since both require you to open up a program and leave it running. AnyConnect runs from the menubar; Cisco VPN has a legit program that has to be maintained from within its window. It's kind of annoying. Furthermore, both clients give you 0 options. When I mean zero, I mean zero, all you have is the connect button. There's no guarantee as to what traffic is pushed through the VPN; in fact, usually only SMB and what-not goes through the VPN service. If you opt for these clients, please, please check your IP and your torrent IP after the VPN is on to check to see if the preconfigured settings cover all of your internet traffic; in my case it didn't, the preconfigured clients only allowed network functions and made me retain my original IP.

Obviously, this doesn't work when you're going for privacy, not SMB access to your school's home folder and printers (which is equally cool). Therefore I suggest a better option, OS X's built-in VPN function, which runs in the background without any apps being open/in the dock/in the menubar. Did I mention it takes less RAM? Setting it up is a piece of cake too: open System Preferences, hit Network, hit the plus at the bottom left, and make a VPN profile. A couple of things you'll need: server address, account name (usually your school network ID), account password (same as school account), and the shared secret. If you don't know these, you can usually get them from your school's IT department; just email them.

If you don't want to wait, here's some pointers:

1) When you make the profile, you'll have 3 options; PPTP, L2TP over IPsec, and Cisco IPsec; I use L2TP but it depends on the server(s) your school has. I wouldn't recommend PPTP, straight IPsec is probably your best choice; I went with L2TP over IPsec instead of IPsec because all of the clients use straight IPsec, and since we have different server clusters, I prefer the less congested route :P

2) Your server address is probably vpn.youruniversityname.edu, ipsec.youruniversityname.edu, or l2tp.youruniversityname.edu; or the IP addresses if you know them.

3) The shared secret is probably something really basic. It's case sensitive. For example, ours is YouruniversitynameVPN.

4) Under Advanced, select all of the 4 top boxes; the "send all traffic over VPN" box is really important. Without this checked, you'll retain your original IP. Again, check to see your VPN works after it's all set up by checking your IP and torrent IP.

5) Have any proxies? Add them under advanced :)

That about covers it; once again though, make sure your school's IT department: 1) Isn't supportive of the RIAA/MPAA, 2) Doesn't keep logs or keeps short logs, and 3) Is okay with how you're using the VPN. If the last one isn't true, you'll probably get a warning email first, so don't be too worried. The main thing to check for is data caps and if they apply; depends on your school. Furthermore, your school's VPN service has to support everything port-wise (à la, if it's okay with how you're using the VPN). Typically, I'd say it's a non-issue; most of these VPNs are network setups designed for inbound network functions, so all of the ports are supported/opened.

As for my experience with my school's VPN service; I'd say I'm more than pleased. I don't use it often so I don't piss off the network admins, but I use it for content-sensitive releases (ie new torrents). The network speed is great; I match my max download speed.

belvdr
Jul 15, 2010, 12:54 PM
Furthermore, both clients give you 0 options. When I mean zero, I mean zero, all you have is the connect button. There's no guarantee as to what traffic is pushed through the VPN, in fact, usually only SMB and what-not goes through the VPN service.

Why would anyone think otherwise? That's putting VPN configuration in the hands of the users, not the administrators.

4) Under advanced, select all of the 4 top boxes; the send all traffic over VPN box is really important. Without this checked, you'll retain your original IP. Again, check to see your VPN works after its all set up by checking your IP and torrent IP.

You can't encrypt traffic to a VPN device and expect it to always decrypt it, no matter what you do on the client. If the VPN endpoint is not set to tunnel that traffic, it won't.

most of these VPNs are network setups designed for inbound network functions, so all of the ports are supported/opened.

It's not just ports.

darkplanets
Jul 15, 2010, 07:39 PM
Belvdr, for one, I want to thank you for correcting me. As I said previously, I am by no means an expert on this, and have no formal (or really informal) education in the matter. I'm simply "that guy" that reads about random things from time to time, and forms incomplete and/or partially incorrect solutions/answers to people's problems :D

Why would anyone think otherwise? That's putting VPN configuration in the hands of the users, not the administrators.

I could think of plenty of reasons why anyone would think otherwise, and that's precisely why I stated it. While I'll admit my knowledge is rather limited, some are even less so, and could therefore naturally assume that all traffic would be routed through the VPN.


You can't encrypt traffic to a VPN device and expect it to always decrypt it, no matter what you do on the client. If the VPN endpoint is not set to tunnel that traffic, it won't.
Quite true. I suppose that's what I was trying to get at, but I didn't outright say it (or understand/think about the decryption). Hence the ports comment; that was more of what I was trying to imply. While what you say is quite true, the reason I wanted him to do that is 1) the preconfigured clients won't allow everything, and 2) many of the configured VPNs CAN handle most functions. For example, with my school, the preconfigured clients only push SMB through the VPN (the main reason they have the VPN to start with). However, after talking with my IT department, I found that it actually does support much more, i.e. BitTorrent traffic (UDP/TCP), SSH, etc. Therefore, while it may not support it, it's worth giving it a shot, at least in my opinion.


It's not just ports.
Again, thank you. I should really put a disclaimer as my signature :o

afd
Jul 17, 2010, 02:05 PM
Very interesting post, have been trying to find out about this kind of stuff for a while now. Would this work the other way? I.e. if I'm at work could I have a VPN set up on my home Mac and either access the Internet via my iMac at home, or files on the hard drive? My work has a proxy server to access the Internet, so I'm not too sure it would work, even with port forwarding going on. The other reason I'd like to do this is for secure browsing (banking etc.) when using public wifi.
I also have picked up bits of knowledge about networking here and there, but find it all a very steep learning curve.

Lokrado
Jul 21, 2010, 07:32 PM
This is about the best read I have had in a long time :p

anon2345
Aug 3, 2010, 02:21 AM
Could they find the IP address of your phone? What if you aren't linked to a router but instead tether your phone to the computer to use it as a modem? I will try the school VPN soon. It just seemed like an overwhelming pain and seeing as I haven't had a day off in a month between work and school, this has not been a priority. Thanks though man- you've been a tremendous help/inspiration. My child will owe his name to you...little Darkie. It'll be awkward being a white boy named Darkie but it'll tough'n 'im up.

CaliJ177
Aug 11, 2010, 03:43 PM
Yes, if you used your phone it would still be possible to trace your IP back to your phone. When tethering, your wireless carrier becomes your ISP the same way Comcast or Verizon would if you use them in your house. You would also want to be really careful about doing that if your carrier has data limits so you don't rack up a crazy high phone bill.

Don't be fooled into a false sense of security with a school VPN. I have set up a good number of VPNs (network security engineer and consultant by trade) and most of the time when I set up VPNs for end user access it's using a method called split tunneling. This means only requests for internal resources (like email or file shares or internal web pages or services etc...) get encrypted and sent over the VPN. All other traffic gets forwarded out your internet connection like it would normally. It's completely possible that the school will pass more types of traffic over the VPN but that varies from school to school.

Then there's the issue of P2P traffic over the school's internet connection. Again this really widely varies from site to site, but a good number of sites typically have had some type of solution for filtering and policing (throttling the speed of the download/upload) internet traffic.

I saw earlier in the thread that someone suggested encrypting traffic between your router and your computer. This wouldn't do anything meaningful because your outside connection on the router would still be sending out data unencrypted.

I also saw someone say to use a NAT router. This is a little misleading. NAT simply translates your inside IP address to your outside IP address and remembers which connections go with which internal computers. This is how we can have many computers using the same public IP address. This does have the effect of hiding your *internal* IP address from the outside world but does nothing to protect your outside IP address. As far as the MPAA or RIAA would be concerned they can still see that *someone* using your outside IP address downloaded something they didn't like and will go after the person that owned that outside IP address regardless of who on the inside did the downloading.

There really is no magic bullet for privacy when it comes to P2P sharing.
In my opinion there are two options to mitigate the insecurities that come with P2P: use a proxy service or private trackers. The proxy services are hit or miss; never really looked into them too much myself but they are out there. The private trackers as mentioned tend to have all sorts of rules about seeding and being an active contributor.

If anyone has any questions I would be happy to do my best to try and explain what I know about VPNs and the like. I love teaching, looking at becoming a Cisco Academy instructor for CCNA material eventually.
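The split-tunnel point made in this post, and the "send all traffic over VPN" checkbox darkplanets describes earlier, both come down to the client's routing table: the kernel picks the most specific matching route for each destination, and only destinations whose winning route points at the tunnel interface ever enter the VPN. Here is an added example (written for this thread, not from any poster or from Apple) that runs that longest-prefix match over two constructed routing tables reduced to destination and interface, the way `netstat -rn` shows them. The interface names (ppp0 for the L2TP/IPsec tunnel, en0 for the Wi-Fi uplink) and every address are assumptions chosen from the documentation ranges.

```python
"""Which destinations actually go through the VPN? Longest-prefix match
over a constructed macOS-style routing table (what 'netstat -rn' shows,
reduced to destination and interface). Example code, not from the thread."""
import ipaddress

# Assumed interface names: ppp0 = the L2TP/IPsec tunnel, en0 = the Wi-Fi uplink.
# Addresses are constructed (documentation ranges), not a real campus network.

SPLIT_TUNNEL_TABLE = [
    ("default", "en0"),          # everything not listed below leaves on the real IP
    ("10.20.0.0/16", "ppp0"),    # internal file servers, printers, intranet
    ("10.30.5.0/24", "ppp0"),
]

FULL_TUNNEL_TABLE = [
    ("default", "ppp0"),         # 'Send all traffic over VPN connection'
    ("10.20.0.0/16", "ppp0"),
    ("198.51.100.9/32", "en0"),  # host route to the VPN server: the tunnel packets
                                 # themselves must still leave on the physical link
]


def parse_table(rows):
    """Turn (destination, interface) rows into (ip_network, interface)."""
    table = []
    for dest, iface in rows:
        cidr = "0.0.0.0/0" if dest == "default" else dest
        table.append((ipaddress.ip_network(cidr, strict=False), iface))
    return table


def egress_interface(rows, dst):
    """Longest-prefix match: the most specific matching route wins, the same
    rule the kernel applies, so a /16 to ppp0 beats a default route to en0."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in parse_table(rows):
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def audit(rows, destinations, tunnel_iface="ppp0"):
    """Return {destination: True if it is tunneled, False if it leaves on the
    real interface}. Anything False is traffic the VPN does not hide."""
    return {d: egress_interface(rows, d) == tunnel_iface for d in destinations}


# Constructed sample: two intranet hosts, a public web server, and the VPN
# server's own public address.
SAMPLE_DESTINATIONS = ["10.20.3.4", "10.30.5.200", "203.0.113.10", "198.51.100.9"]

if __name__ == "__main__":
    for name, rows in (("split tunnel", SPLIT_TUNNEL_TABLE), ("full tunnel", FULL_TUNNEL_TABLE)):
        print(name, audit(rows, SAMPLE_DESTINATIONS))
```

With the split-tunnel table the public web server (203.0.113.10) comes back `False`: it leaves on en0 with the real IP, which is the "false sense of security" this post describes. With the full-tunnel table it comes back `True`, but note the one host route that must stay on en0 (the VPN server itself), and note belvdr's caveat above: a default route into ppp0 only puts the packets into the tunnel; whether the endpoint forwards them is the administrator's decision, which is why darkplanets' advice to check the externally observed IP after connecting is the real test.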

robvas
Aug 11, 2010, 04:07 PM
Buy a shell account and tunnel everything through ssh.

Buy a 'seedbox' and run all your torrents on that.

mlts22
Aug 12, 2010, 11:17 AM
Buy a shell account and tunnel everything through ssh.

Buy a 'seedbox' and run all your torrents on that.

One idea is using a service like Linode to get a Linux VM to do all your seeding and torrenting for you. This way, you can set up what you need, and walk off while the machine grabs everything on fast connections. However, one needs to make sure about bandwidth and perhaps consider throttling so one doesn't accrue a big bill due to bandwidth used.

Another caveat is to not use the VM for illegal stuff, because if handed a court order, the VM service provider can easily snapshot the VM, hand it over (with whomever registered and paid for it) to law enforcement.

robvas
Aug 12, 2010, 01:35 PM
One idea is using a service like Linode to get a Linux VM to do all your seeding and torrenting for you. This way, you can set up what you need, and walk off while the machine grabs everything on fast connections. However, one needs to make sure about bandwidth and perhaps consider throttling so one doesn't accrue a big bill due to bandwidth used.

Another caveat is to not use the VM for illegal stuff, because if handed a court order, the VM service provider can easily snapshot the VM, hand it over (with whomever registered and paid for it) to law enforcement.

Linode and other VPS services are great but they don't work too well for torrents because they don't give you very much bandwidth or storage.

mlts22
Aug 12, 2010, 02:17 PM
Linode and other VPS services are great but they don't work too well for torrents because they don't give you very much bandwidth or storage.

I also have heard of services that do the torrenting for you, (you upload the .torrent document), and you then download the completed file. However, I don't know which ones (if any) are really legit.

robvas
Aug 12, 2010, 02:41 PM
I also have heard of services that do the torrenting for you, (you upload the .torrent document), and you then download the completed file. However, I don't know which ones (if any) are really legit.

http://www.superseedbox.com/

You get a web interface to the server. 100 Mb/s connections. Builds your ratio very fast. Then you just download the finished file to your home computer (at the full speed of your home internet connection).