In light of recent revelations that the government specifically targets for surveillance people who do searches for Tor, here is how I suggest you use Tor:
1) Get one of the VPN services, install it and verify that traffic is sent out by default over the tunnel.
2) Use this link to obtain Tor. Set it up so that it runs as a SOCKS proxy locally (the default way, but you can also install it without a browser as just a proxy
3) Keep the VPN and Tor services running all the time, with the kill switch feature such that if the VPN link goes down, the Internet shuts down.
4) Configure Firefox in private mode (about:config) permanently. Configure it to use the Tor proxy
5) Disable geolocation in all browsers
6) Leave everything else default.
Windows 8 Pro (which is the version I have. I cannot comment on other versions) appears to have an issue with a normal OpenVPN tunnel. When using UDP, my VPN does not pass traffic. It does pass that traffic when I use TCP. Additionally, a Cisco SSL VPN (also UDP based) I use does not work. After browsing about a bit, I found that the UDP encapsulation settings have an effect on this. The registry setting which needs to be changed is:
After rebooting, both of my VPNs worked, fixing an issue which nearly made me abandon Windows 8.
One thing which always bugged me about my VPN setup is that whenever I used IPSec on Windows 7, I had to specify the route into my home network using a command prompt in Windows (with elevated permissions) where I had to use the “route add” command (you can view the link to see my example.) I finally have a way around this, by using the tip here. Just follow these directions, but instead of a script, specify the route command, with the flags “add 192.168.0.0 mask 255.255.255.0 10.8.8.1” from the example in my VPN setup post. Check the box “run with highest permissions” and save it. Now, every time you connect to your VPN, the task will automatically set your route. Obviously, you could make this a script with any number of commands or multiple routes, so adjust things accordingly.
I used the easy-rsa script to generate some new server certs recently, and found that my strongswan install on OpenWRT could not load the RSA key. This despite the fact that the same key works fine in OpenVPN on the same server. The interesting thing is that when I use the build-key-pkcs12 script instead of the build-key-server script, and then use openssl on the router to extract the cert and key, the key works. it is also a different size. The key kept coming up as 1704 bytes when using the server script, but 1669 bytes with the pkcs12 script. Since the pkcs12 script works, I suggest using it always. It generates the key and crt files any way, even though the extracted key file was a different size than the generated one with the same set of files. There must be a bug somewhere.
I log into a Zimbra server for email. I may be logged in on the local network, from outside, over the Internet, or across a VPN. The hostname is always the same. I found that I would have to actually quit Firefox in order to log back into Zimbra if I initiated a session over the Internet, and later made a VPN connection. I would see a white screen with a link in the upper left corner which said [Sign Out]. Clicking it did nothing. I actually had to restart Firefox. I discovered that this happened because of Noscript’s ABE protection. I did not wish to disable this, as it is a useful security feature. The solution is to go into the NoScript options, under ABE, and edit the SYSTEM settings. It normally says
# Prevent Internet sites from requesting LAN resources.
Accept from LOCAL
I added this line after the Accept lin:
Accept ALL from *.<mydomainname>
That fixed the issue. It might be advisable for people who use Noscript in a corporate environment with VPN access to add this to their ABE settings in order to prevent web application failures.