What we don't want
Some users have requested support for VPNs in Tails to "improve" Tor's anonymity. You know, more hops must be better, right? That's just incorrect -- if anything, VPNs make the situation worse since they basically introduce either a permanent entry guard (if the VPN is set up before Tor) or a permanent exit node (if the VPN is accessed through Tor).
Similarly, we don't want to support VPNs as a replacement for Tor since that provides terrible anonymity and hence isn't compatible with Tails' goal.
What we might want
Tails → Tor → VPN
Issue: tails#5858
Use cases
1. Access services that block Tor.
2. Reach a local resource on a VPN that is not accessible in any other way.
3. Reach a VPN non-anonymously (e.g. your account is tied to you IRL) while only hiding your geo-location, which may be the only thing you need in some situations. (Maybe invalid since this is not part of the PELD spec (yet?) AFAIK.)
Solution
The easiest way to solve use case 1 (which we feel is the most important one for this Tor/VPN setup) is to use an SSH connection with the DynamicForward option. The newly created SOCKS port can be used to have a fixed outgoing IP address. We could document how to use that in an "unsupported, advanced users only, may kill kittens" part of the documentation.
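The DynamicForward setup described above, written out as an OpenSSH client configuration. This is an added example, not taken from the Tails documentation; the host alias, server name, user, local port 1080 and the Tor SOCKS address 127.0.0.1:9050 are assumptions.

```sshconfig
# Added example (~/.ssh/config), not from the Tails documentation.
# Assumed values: alias "fixed-exit", server ssh.example.org, user "alice",
# local SOCKS port 1080, Tor SOCKS listener on 127.0.0.1:9050.

Host fixed-exit
    HostName ssh.example.org
    User alice

    # Reach the SSH server through Tor's SOCKS5 port, so the server sees
    # a Tor exit rather than the local network.
    # Requires OpenBSD netcat (-X 5 selects SOCKS5, -x names the proxy).
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

    # Open a local SOCKS listener. Traffic sent to it leaves from the SSH
    # server's IP address, which is the fixed outgoing address.
    # Bound to loopback so only this machine can use it.
    DynamicForward 127.0.0.1:1080

    # Abort at startup if the listener cannot be created, instead of
    # leaving a session open with no forward behind it.
    ExitOnForwardFailure yes

    # Forwarding only: do not allocate a terminal.
    RequestTTY no

    # Notice a dead circuit instead of hanging on it.
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

Start the tunnel with `ssh -N fixed-exit`, then point the application at the SOCKS5 proxy 127.0.0.1:1080 with name resolution done by the proxy, so DNS lookups follow the same path. The SSH server is the permanent exit for everything sent this way and can link that traffic to the account used to log in.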
Note that this setup isn't relevant for I2P for the same reason that it's irrelevant for Tor hidden services.
Tails → VPN → Tor/I2P
Issue: tails#17843
Use cases
1. Make it possible to use Tails at airports and other pay-for-use ISPs via iodine (IP-over-DNS).
2. Access Tor on networks where it's censored.
3. Some ISPs require their customers to connect to them through VPNs, especially PPTP. Tails is currently unusable for them out of the box.
Solution
Use cases 1 and 3 are worthwhile to support, and should be rather easy to implement.
For all other uses of this setup (e.g. use case 2) we already promote bridges instead. Now that obfsproxy is included, it should cover all our needs.