There are a lot of ways to gain some anonymity on the web, of which proxies and VPNs are quite common. In particular, Squid3, SSH, Tor, and OpenVPN are great free options if you're looking to run your own service. I've used all of these while experimenting with anonymity and private networks in general.
Note: My claims in this article are supported largely only by personal experience. Nevertheless, hopefully this is helpful if you're looking into anonymity on the web. A list of acronyms and terms is given at the bottom of the page.
What is Anonymity?
Simply, it's a measure of how well your privacy is maintained. It may seem strange, but you might find yourself wondering, why does my privacy matter? "I have nothing to hide, and surely nothing I do on the web is that important." The largest Internet companies, like Facebook and Google, make most of their profit through advertisements. To better target ads that will get you to act, they gather as much information as they can about your habits, interests, and personal information. Simple Internet searches build up an online persona that companies with access to this information then sell to each other. There are many arguments that privacy is a basic human right. Others argue that decreased privacy is good because it increases accountability. Either way, or if your interest is purely technical like mine, here's an overview of some tools you can use:
Squid: fast, but not as secure
Squid is typically used more for caching and network balancing. As a full proxy, it has a unique advantage in that it has direct access to all the HTTP headers passing through it and can manipulate them as you see fit. I have another article here that describes exactly what an elite proxy is, and how it differs from other kinds of proxies. The main idea is that it manipulates HTTP headers to create the illusion that the proxy server itself is making all requests.
This is different from usual proxy behavior; typically the proxy makes itself known to the website being visited, allowing the web server to act on that information if it chooses. Thus Squid allows easy anonymizing of web traffic, which matters because HTTP headers like "User-Agent" and plugins can identify a user between sessions. The "User-Agent" header contains information like which operating system you're using, which browser, what language you speak, and what plugins you have available.
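As an added example (not the author's configuration), here is a squid.conf fragment, wrapped in a small install script, that implements the header manipulation described above. The squid3 binary name and the /etc/squid3 path are assumptions based on the Debian/Ubuntu squid3 package, and the replacement User-Agent string is a made-up generic value.

```shell
#!/bin/sh
# Added example, not the article's own configuration: a squid.conf fragment that
# makes Squid 3 an "elite" proxy by hiding the proxy and replacing headers that
# fingerprint the client. Assumes the Debian/Ubuntu squid3 package layout.
set -e

SQUID_CONF="${SQUID_CONF:-/etc/squid3/squid.conf}"   # assumed path

# Print the fragment. Comments are kept on their own lines so they can never be
# read as part of a directive's value (request_header_replace takes the whole line).
squid_anon_fragment() {
    cat <<'EOF'
# --- anonymising proxy settings ---
# Do not announce the proxy in a Via: header
via off
# Do not add an X-Forwarded-For header carrying the client's real address
forwarded_for delete
# Also drop those headers if the client (or a chained proxy) already sent them
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
# Replace client-identifying headers with one generic value for every user;
# request_header_replace only applies to headers denied by request_header_access
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
request_header_access Accept-Language deny all
request_header_replace Accept-Language en-US,en;q=0.5
request_header_access Referer deny all
# Cookie is left untouched: stripping it breaks every site login
EOF
}

# Returns 0 when the fragment covers the headers that reveal the client or the proxy.
fragment_covers() {
    for h in Via X-Forwarded-For User-Agent; do
        squid_anon_fragment | grep -q "^request_header_access $h deny all" || return 1
    done
}

# Append once, syntax-check the result, then make the running Squid reload it.
install_fragment() {
    if grep -q '^via off' "$SQUID_CONF" 2>/dev/null; then
        echo "fragment already present in $SQUID_CONF"; return 0
    fi
    squid_anon_fragment >> "$SQUID_CONF"
    squid3 -k parse -f "$SQUID_CONF"
    squid3 -k reconfigure -f "$SQUID_CONF"
}

if [ "${1:-}" = "--install" ]; then install_fragment; fi
```

Run it with `--install` on the proxy host; without arguments it only defines the functions, so the fragment can be reviewed first.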
In practice, I've run into more reliability problems with Squid than OpenVPN or SSH. I was able to configure Squid to hide all relevant information from the HTTP requests; to the point that I was able to withstand most websites' proxy detection tests. However, Google seemed to catch on eventually and would regularly challenge me with a Captcha on the basis that it "seemed my IP address was sending automated requests". This happens very occasionally with OpenVPN and SSH as well, though not to the same degree.
I wasn't ever strictly blocked, but something was leaking through; possibly DNS. DNS leaks are possible when DNS settings aren't monitored. In a typical home network, the router is configured to use the local ISP's DNS servers first, not something generic like Google's servers. When discrepancies arise (California IP, New York DNS resolutions), something like a VPN could be in use. OpenVPN can be configured to push pre-determined DNS servers to the client when it connects, but that's beyond the scope of Squid.
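The DNS push mentioned above, as an added example that is not the author's configuration: the server and client lines involved, plus a leak check using a public hostname that reports which resolver asked for it. The 10.8.0.1 resolver address and the Debian update-resolv-conf helper path are assumptions.

```shell
#!/bin/sh
# Added example, not the article's configuration: keep DNS inside an OpenVPN
# tunnel. Assumes the server is 10.8.0.1 on the VPN subnet and runs a resolver,
# and a Debian/Ubuntu client that ships /etc/openvpn/update-resolv-conf.
set -e

# Server config lines: send all client traffic through the tunnel and push the
# resolver to use, so the client's ISP resolver never sees the names it visits.
openvpn_server_dns_push() {
    cat <<'EOF'
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
# Windows clients (OpenVPN 2.3.9+) only: stop queries going to other interfaces.
# Other clients log a warning about the unknown option and carry on.
push "block-outside-dns"
EOF
}

# Client config lines (Linux): OpenVPN only receives the pushed DNS option; a
# hook script has to write it into /etc/resolv.conf and undo that on disconnect.
openvpn_client_dns_hooks() {
    cat <<'EOF'
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF
}

# Leak test (needs network): whoami.akamai.net answers with the address of the
# resolver that asked. With the tunnel up that must be the VPN server (or the
# resolver it forwards to) and never the ISP's. $1 = the address you expect.
dns_leak_check() {
    seen=$(dig +short whoami.akamai.net | head -n 1)
    if [ "$seen" = "$1" ]; then
        echo "ok: queries leave via $seen"
    else
        echo "LEAK: queries leave via ${seen:-<no answer>}, expected $1"; return 1
    fi
}

if [ "${1:-}" = "--check" ]; then dns_leak_check "$2"; fi
```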
Another nice bit about Squid is that almost any device you come across has support for web proxies. Since OpenVPN requires third party software, and potentially further configuration, Squid is a better option if you're using a brand new device, one that isn't supported by OpenVPN, or that you can't make changes to.
OpenVPN: great, but less flexible
There are great OpenVPN clients for Windows, iOS, and Android, but not so much for Chrome OS. Typically this wouldn't matter much, but I do happen to have a Chromebook, and I certainly use it more for web browsing than my Windows laptop. There is a mechanism for allowing OpenVPN connections in Chrome OS, but it's notoriously difficult to set up. However, my Chromebook does allow very easy access to proxy settings.
Obviously, OpenVPN is a VPN first and foremost. It can't manipulate HTTP headers like Squid can, meaning that the personally identifiable headers like "User-Agent" pass right through. So even though you seem to be coming from Brazil, every website you visit knows that you're the guy with a Chromebook and a unique combination of non-standard plugins.
Private networking is possible with Squid, but OpenVPN certainly shines here. Since you're typically configured as another host on a virtual network, you have your own private IP address and can interact with local network services normally. With Squid, you appear to be coming from the proxy server itself, which might not play nice with things like SMB, assuming that you can get your client to route its SMB traffic through a web proxy too.
Authentication is built into OpenVPN; you must have a valid certificate to connect. It doesn't matter if you found the port the server is running on or guessed a password. Squid, on the other hand, certainly supports authentication, but in my experience not as cleanly. You can configure Squid to use PAM, the default authentication support in Linux, so you can require proxy users to provide a user name and password. However, it's not hard to argue that certificates are stronger than passwords, particularly if the connection between the client and proxy server isn't secured with TLS as well.
As an aside, OpenVPN appears to be superior to IPSec VPNs in both performance and security. More devices have built-in support for IPSec VPNs, the Cisco variety in particular, but these solutions are typically not free or as easy to set up. You can read more about IPSec here in another article I wrote.
SSH: secure, but limited
You can also use SSH as a proxy (SOCKS 5) quite easily. Compared to Squid, it was slightly less performant and resulted in about an equivalent amount of suspicion from Google. Like Squid, it doesn't reroute DNS traffic by default, though you certainly could configure Linux to use an SSH tunnel for all of its outgoing traffic.
Using SSH as a proxy certainly limits the number of devices you can connect with. You're required to have an SSH client to make the connection and start the tunnel, but the authentication mechanisms are much more robust. You can use the full suite of SSH authentication features to make sure that only authorized clients can use the server. Another consideration is that clients will have a shell on your server by default; this can be changed with Linux chroots or by assigning a non-shell to each proxy user. The damage caused to you by your Squid proxy being misused is fairly minimal; the same cannot be said for SSH. The damage caused by an OpenVPN certificate being lost or stolen depends highly on what services rely indirectly on the VPN authentication for protection, such as an internal file server.
Personally, I've found SSH much easier to configure than Squid. You could also argue that SSH is more reliable than OpenVPN, since it runs over TCP instead of UDP, OpenVPN's default. Squid runs over TCP as well, and I personally haven't had any issues with the connection once it was established. As a note, Squid was often quick to forget authentication between sessions, requiring the client to re-authenticate regularly.
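An added example (not from the article) of the SSH SOCKS proxy setup with the "non-shell" restriction just described, including the curl option that moves name resolution to the SSH server so the DNS caveat above doesn't apply; the account name, host name and port are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: SSH as a SOCKS5 proxy, with the server
# account locked down to port forwarding only. Assumed names: account "socksonly",
# server "proxy.example.com", local listener 127.0.0.1:1080.
set -e

# Server side: sshd_config Match block. "ssh -N" still gets forwarding although
# the login shell is nologin, because -N never asks the server for a shell.
sshd_socks_only_block() {
    cat <<'EOF'
Match User socksonly
    AllowTcpForwarding yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

create_socks_user() {   # run as root on the server
    useradd -m -s /usr/sbin/nologin socksonly
    sshd_socks_only_block >> /etc/ssh/sshd_config   # appended: Match applies to all lines after it
    sshd -t                                         # syntax check before reloading
    systemctl reload ssh                            # service is "sshd" on non-Debian systems
}

# Client side: -N opens no shell, -D listens locally as a SOCKS5 proxy, -f drops
# to the background once authenticated, and ExitOnForwardFailure turns a port
# that could not be bound into an error rather than a silent no-proxy state.
start_socks_tunnel() {
    ssh -f -N -D 127.0.0.1:1080 -o ExitOnForwardFailure=yes socksonly@proxy.example.com
}
# The DNS caveat from the text: with "socks5://" curl resolves the hostname
# itself, so the local (ISP) resolver still sees every site visited. "socks5h://"
# passes the hostname to the proxy and the SSH server resolves it instead
# (Firefox's equivalent setting is "Proxy DNS when using SOCKS v5").
curl_via_tunnel() {
    curl --silent --proxy socks5h://127.0.0.1:1080 "$@"
}

# Returns 0 when a curl proxy URL resolves names at the proxy (no DNS leak).
proxy_url_resolves_remotely() {
    case "$1" in
        socks5h://*|socks4a://*) return 0 ;;
        *) return 1 ;;
    esac
}
case "${1:-}" in --server) create_socks_user ;; --client) start_socks_tunnel ;; esac
```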
I would say that SSH is more flexible than OpenVPN, since you could create a connection from any device that has an SSH client. You don't need the OpenVPN client software or to pack around your certificates (assuming you're not using certificates for SSH).
Tor: excellent, but out of your hands
There have been numerous discussions about the pros and cons of Tor in many other places across the web. An entire article could easily be dedicated to this topic, but here I'll go over how it compares to the other methods. Tor by itself, as an anonymous routing service, puts you in a similar position as the others. HTTP headers aren't changed, but you do have the benefit of floating IP addresses. Any serious Tor user should be using the Tor Browser, which handles the DNS and HTTP considerations. DNS requests are made through Tor and generic HTTP header information is assigned to HTTP requests. Disabling JavaScript and other plugins is also a great step in the right direction, though they are still allowed by default.
In conjunction with "defensive" browsing habits and setting the Tor Browser settings to their maximum, Tor beats the other methods in terms of anonymity. By "defensive" browsing habits, I mean treating all websites as hostile and not giving away personally identifiable information freely. You can have all the anonymity available through technical means, but it means nothing if you don't stop yourself from handing out your home address when a website asks for it.
Unfortunately, there is significant performance degradation when using Tor, and it's not as available on mobile platforms. Performance can easily be a non-issue depending on your use case; browsing web pages isn't typically a bandwidth intensive activity. Watching movies would be a different matter.
A major difference between Tor and the other services is that you're not really in control of what's happening to your data. All of the nodes that you're hopping through are run by independent parties, each with different motives. When using Squid, OpenVPN, or SSH, you are in control of your data end-to-end. This may be beneficial if you're concerned about the server you're using being linked back to you. Realistically, warrants are required to get that kind of information from ISPs or VPS providers.
Summary
| | Squid | OpenVPN | SSH | Tor |
|---|---|---|---|---|
| Reliability | Good | Good | Great | Okay |
| Performance | Great | Good | Good | Poor |
| Anonymity | Okay | Good | Okay | Great |
| DNS Leaks? | Yes | No | Maybe | No |
| HTTP Leaks? | No | Yes | Yes | No |
| Authentication | Poor | Great | Great | - |
| Configurability | Okay | Okay | Good | - |
| Flexibility | Great | Poor | Poor | Poor |
| Google Suspicion | High | Low | Medium | Low |
| Risk to Server | Low | Medium | High | - |
Terms
- HTTP : Hyper Text Transfer Protocol; how web pages are sent between computers
- SSH : Secure SHell; ubiquitous remote login service for Unix
- TCP : Transmission Control Protocol; reliable protocol for sending data between computers
- UDP : User Datagram Protocol; unreliable protocol for sending data between computers
- SMB : Server Message Block; common file server protocol
- ISP : Internet Service Provider; how the average person reaches the Internet
- DNS : Domain Name Service; protocol for converting names like "google.com" to IP addresses
- PAM : Pluggable Authentication Module; built-in Unix authentication service
- VPS : Virtual Private Server; provided by a company like AWS, Linode, or Digital Ocean