Different needs and different threat models lead to misunderstanding between people. Let's say you want to leave the most anonymous comment possible on some social network. What do you need for it? VPN? Tor? An SSH tunnel? Well, it's enough to buy any SIM card and a used phone at the nearest shop, then go a considerable distance from where you live, insert one into the other, post your message, and sink the phone. You have accomplished your mission 100%.
But what if you don't want to just leave a one-time comment or hide your IP address from some site? What if you want a level of anonymity so advanced that it makes up the most intricate puzzle, with no room for any hack on any level? And also conceal the very fact of using anonymity tools along the way? This is what I'm going to talk about in this piece.
Perfect anonymity is mostly a dream, like everything perfect. But that doesn't mean you can't get pretty close to it. Even if you're being identified by system fingerprints and other means, you can still stay indistinguishable from the mass of general Web users. In this article I'm going to explain how to achieve this.
This is not a call to action, and the author by no means calls for any illegal actions or violation of any laws of any states. Consider it just a fantasy about “if I were a spy.”
Basic protection level
The basic level of protection and anonymity looks roughly this way: client → VPN/Tor/SSH tunnel → target.
Actually, this is just a slightly more advanced version of a proxy that lets you substitute your IP. You won't achieve any real or quality anonymity this way. Just one incorrect or default setting in the notorious WebRTC, and your actual IP is revealed. This type of protection is also vulnerable to node compromise, fingerprinting, and even simple log analysis at your provider and data center.
By the way, there is a common opinion that a private VPN is better than a public one since the user is confident about his system setup. Consider for a moment that someone knows your outside IP. Hence, he knows your data center too. Hence, the data center knows the server this IP belongs to. And now just imagine how difficult it is to determine which actual IP connected to the server. What if you are the only client there? And if there are many clients, for example 100, it gets much harder.
And this is not to mention that few people will bother encrypting their disks and protecting them from physical removal, so they will hardly notice that their servers are rebooted into init level 1 and VPN logging is switched on under the excuse of “minor technical difficulties in the data center.” Furthermore, there's not even a need for things like these, because all your inbound and outbound server addresses are already known.
As for Tor, first, its usage in itself can raise suspicions. Second, there are only about 1000 outbound nodes, many of them are blocklisted, and many sites refuse them outright. For example, Cloudflare can allow or block Tor connections through a firewall rule: use T1 as the country. Besides, Tor is much slower than VPN (currently the Tor network speed is less than 10 Mbit/s and often 1-3 Mbit/s).
Summary: If all you need is to avoid showing your passport to everyone, bypass simple site blocks, have a fast connection, and route all the traffic through another node, choose VPN, preferably a paid service. For the same money, you'll get dozens of countries and hundreds or even thousands of outbound IPs rather than a VPS in a single country that you'll need to painfully set up.
In this case it makes little sense to use Tor, though in some cases Tor will be a decent solution, especially if you have an extra layer of security like VPN or an SSH tunnel. More about this further down.
Medium protection level
A medium protection level looks like an advanced version of the basic one: client → VPN → Tor and variations. This is an optimal working tool for anyone who is afraid of IP spoofing. This is a case of synergy, where one technology strengthens the other. But don't be mistaken. While it's really difficult to obtain your actual address, you are still vulnerable to all the attacks described above. Your weak link is your workplace – your work computer.
High protection level
Client → VPN → Remote workplace (via RDP/VNC) → VPN.
Your work computer should not be yours, but a remote machine with, say, Windows 8, Firefox, a couple of plugins like Flash, a couple of codecs, and no unique fonts or other plugins. A boring and plain machine indistinguishable from millions out there. In case of any leak or compromise, you'll still be covered by another VPN.
It was believed previously that Tor/VPN/SSH/SOCKS allowed a high level of anonymity, but today I would recommend adding a remote workplace to this setup.
Client → Double VPN (in different data centers, but close to each other) → Remote workplace + Virtual machine → VPN.
The proposed scheme consists of a primary VPN connection and a secondary VPN connection (in case the first VPN is compromised due to some leak). It serves to hide traffic from the ISP, with the goal of concealing your actual ISP address from the data center that hosts the remote workplace. Next goes a virtual machine installed on the server. I suppose you understand why a virtual machine is so vital – to roll back to the most standard and banal system with a standard set of plugins after each download. And this should be done on a remote workplace rather than a local one, because the people who used a virtual machine locally along with TripleVPN once opened an IP-checking site and were very surprised to see their actual and real IP address in the “WebRTC” field. I don't know and don't want to know what software some developer will develop tomorrow and install in your browser without your consent. So just don't think about it and don't store anything locally. Kevin Mitnick knew it 30 years ago.
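The WebRTC exposure mentioned here and in the basic-level section can be audited on your own machine. The following is an added example, not part of the original article: it parses ICE candidate lines (the strings a browser gives a page through WebRTC) and reports every address other than the expected VPN exit. The sample candidates, all addresses and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918, link-local and IPv6 ULA ranges. ip.is_private is not used because
# it also covers the documentation ranges used in the constructed sample below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample: candidate lines as a page could collect them with a VPN up.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2113937151 192.168.1.23 54321 typ host",
    "candidate:2 1 udp 2113937151 3f2a9c1e-7b4d-4e0a-9c55-1d2e3f4a5b6c.local 54322 typ host",
    "candidate:3 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 10.8.0.2 rport 54323",
    "candidate:4 1 udp 1677729535 198.51.100.44 61001 typ srflx raddr 0.0.0.0 rport 0",
]

def parse_candidate(line):
    """Return the addresses one ICE candidate line discloses."""
    parts = line.split(":", 1)[1].split()
    addrs = [parts[4]]                      # connection address field
    if "raddr" in parts:                    # related (base) address, if present
        addrs.append(parts[parts.index("raddr") + 1])
    return addrs

def classify(addr):
    if addr.endswith(".local"):
        return "mdns"                       # browser-obfuscated host candidate
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "redacted"                   # 0.0.0.0 / :: placeholder
    return "local" if any(ip in n for n in LOCAL_NETS) else "public"

def audit(candidates, vpn_exit_ip):
    """List addresses a page could learn that are not the expected VPN exit."""
    findings = set()
    for line in candidates:
        for addr in parse_candidate(line):
            kind = classify(addr)
            if kind == "local":
                findings.add(("local-ip-exposed", addr))
            elif kind == "public" and addr != vpn_exit_ip:
                findings.add(("public-ip-leak", addr))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CANDIDATES, vpn_exit_ip="203.0.113.7"):
        print(finding)
```

An empty result means only the VPN exit, mDNS names or redacted placeholders were visible in the candidates that were collected.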
We have tested this setup: lags are significant even if you configure everything properly in terms of geography. But these lags are tolerable. We assume that the user won't place the servers on different continents. For example, if you are physically based in New York, place your first VPN also in New York, the second one in Mexico etc., your remote workplace in Canada, and the final VPN, say, in Venezuela. Don't place different servers in the Euro zone since those governments cooperate tightly, but on the other hand, don't spread them too far from each other. Neighboring countries that hate each other would be the best solution for your chain;)
You could also add automatic visiting of websites in the background from your actual machine, thus imitating Web surfing. This dispels the suspicion that you use anonymity tools, which arises because your traffic otherwise always goes to only one IP address and through one port. You could add Whonix/Tails and go online through a public Wi-Fi in a café, but only after changing your network adapter settings, since they too could lead to your deanonymization. You could even change your looks in order not to be identified visually in the same café. You can be identified by a number of means, from your coordinates in a photo captured by your phone to your writing style. Just remember that.
On the other hand, the majority of people are perfectly well served by an anonymizer, but even our anonymizer, after all our efforts to make it handy, is still lacking in terms of surfing experience. Yes, a regular VPN is a normal and proper solution for bypassing simple blocks with a decent speed. Need more anonymity and ready to sacrifice some speed? Add Tor to the mix. Want some more? Do as described above.
Fingerprints, like efforts to detect VPN usage, are very difficult to bypass due to the time of sending packets from the user to the website and from the website to the user's IP address (without taking into account blocking only specific inbound requests). You can cheat one or two checks, but you can't be sure that a new “nightmare” won't appear overnight. This is why you need a remote workplace so badly, as well as a clean virtual machine. So it's the best advice you can get at the moment. The cost of such a solution starts from just $40 a month. But take note that you should pay with Bitcoin only.
And a small afterword. The main and most important factor of your success in achieving true anonymity is separating personal and secret data. All the tunnels and intricate schemes will be absolutely useless if you log in to, for instance, your personal Google account.
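The packet-timing check described above, seen from the website's side, as an added example that is not part of the original article. It compares the round trip the server measures to the connecting IP with the round trip timed through the browser; a large gap means part of the path lies beyond that IP. The sample values, the 25 ms threshold and the function names are assumptions made for illustration.

```python
# Constructed samples, in milliseconds. "net" is the RTT the server measures to
# the connecting IP (e.g. TCP handshake); "app" is the round trip timed through
# the browser session itself.
SESSIONS = {
    "direct":     {"net": [21.0, 22.5, 20.8, 23.1, 21.7],
                   "app": [24.0, 26.2, 25.1, 90.0, 24.8]},  # one jitter spike
    "via_tunnel": {"net": [12.1, 11.8, 12.6, 13.0, 12.2],
                   "app": [88.4, 91.0, 87.9, 95.3, 89.2]},
    "too_few":    {"net": [15.0, 15.2], "app": [80.0, 81.0]},
}

def latency_gap(net_rtts, app_rtts):
    """Delay that exists beyond the connecting IP.

    The minimum of each series is used because queueing only ever adds delay,
    so the smallest sample is the best estimate of the path itself.
    """
    return min(app_rtts) - min(net_rtts)

def looks_tunnelled(net_rtts, app_rtts, threshold_ms=25.0, min_samples=5):
    """True/False verdict, or None when there is too little data to decide."""
    if min(len(net_rtts), len(app_rtts)) < min_samples:
        return None
    return latency_gap(net_rtts, app_rtts) > threshold_ms

def verdicts(sessions):
    """Run the check over every recorded session."""
    return {name: looks_tunnelled(s["net"], s["app"])
            for name, s in sessions.items()}

if __name__ == "__main__":
    for name, verdict in verdicts(SESSIONS).items():
        print(name, verdict)
```

The single 90 ms spike in the direct session does not trigger a verdict, because the minimum filters out transient jitter.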