Network setup - TORVM-VPNVM


james.bu...@gmail.com

Aug 17, 2017, 7:32:21 PM8/17/17
to qubes-users
I'm just starting to use qubes os and I'm trying to understand how it all works.

If I wanted to setup the system to route all my traffic through tor and then that tor traffic through a vpn

Would I simply set up a TORVM with its netVM being the vpnvm?

Or can a netVM not have its own netVM?

Thanks for the help

Kolja Weber

Aug 18, 2017, 11:59:14 AM8/18/17
to qubes...@googlegroups.com
That way round doesn't make sense from the security point of view
(besides the fact that your network will be VERY slow); it's way better to
route all traffic first via VPN and then Tor (so the last hop is VPN and not
Tor).

Micah Lee

Aug 18, 2017, 12:43:27 PM8/18/17
to qubes...@googlegroups.com
Qubes comes with sys-whonix, which is a ProxyVM that routes traffic
through Tor. If you want to connect to Tor first, and then the VPN
second, you would make a new ProxyVM for your VPN (I'll call it sys-vpn)
and set its netvm to be sys-whonix. Then you'd create AppVMs and set
their netvm to be sys-vpn.

This way, all of the internet traffic in those AppVMs would be coming
from your VPN's IP address, but you'll be connecting to your VPN
anonymously over Tor.

If you want all your traffic to go over this VPN, then in the VM Manager
you can open Global Settings and set the default netvm to sys-vpn. (You
can of course have specific AppVMs that use sys-whonix or sys-firewall
as their netvm as well, like if you want to just use Tor, or if you want
to click through captive portals on wifi networks.)

james.bu...@gmail.com

Aug 18, 2017, 3:47:33 PM8/18/17
to qubes-users
Hi, thanks for the advice. It seems my idea was correct then?

What I can't get my head around is

If I set up a Whonix VM which torrifies all traffic and then set a proxy VM as its net VM, my thinking of it is:

From the data packet's point of view:

You create a data packet on your app VM.
That data packet travels to the Whonix VM, which sends the packet to the first Tor node, then to the second, until it gets to the exit node. The exit node isn't my machine, so how does that packet then know to go to the VPN?

Wouldn't the exit node have to send that packet back to my local app vm and then to the vpn?

Meaning the exit node knows my IP and so will the vpn provider anyway?

The reason I want to have vpn second is because I want the option of anonymity but I also don't want the end website to know I am using tor.

With this in mind is there any better setup?

Thanks

james.bu...@gmail.com

Aug 18, 2017, 3:51:41 PM8/18/17
to qubes-users
I don't mind if the ISP knows I am using Tor; it's the website that's the problem, since the website doesn't allow Tor users.

james.bu...@gmail.com

Aug 18, 2017, 4:05:09 PM8/18/17
to qubes-users
Or maybe I understand it better now?

I'm still thinking my machine is one...
If I get my head into thinking each VM is in fact a separate machine,

then the packet goes

from app VM -> Tor VM, then to the proxy VM. But what I don't understand is that the Tor exit node must need an IP address to send my packet to? Surely, to send the packet to my proxy VM, it would need my real IP address, which is where the proxy VM is located?

Sean Dilda

Aug 18, 2017, 5:49:50 PM8/18/17
to james.bu...@gmail.com, qubes-users
If you set it up as:

AppVM -> TorVM -> VpnVM -> NetVM

The VPN VM will use the Net VM to talk to the VPN server
The Tor VM will use the VPN VM to talk to the next Tor node, then to your website
With this, the website will see you coming from a Tor exit node.


AppVM -> VpnVM -> TorVM -> NetVM

With this, the data will go through Tor to reach your VPN server, then plain text from your VPN server to the destination web site.
With this, the website will see you coming from your VPN service, and your VPN service will see you coming from a Tor exit node.



james.bu...@gmail.com

Aug 18, 2017, 6:43:02 PM8/18/17
to qubes-users
Ah right ok. So I am working the wrong way around when I look at the chain?

Micah Lee

Aug 18, 2017, 7:03:13 PM8/18/17
to qubes...@googlegroups.com
On 08/18/2017 03:43 PM, james.bu...@gmail.com wrote:
> Ah right ok. So I am working the wrong way around when I look at the chain?

Think of the ProxyVMs (like sys-whonix, sys-vpn, sys-firewall, sys-net)
as being like a router that you connect a VM to as a gateway to get
internet access.

sys-net connects to the internet through wifi or ethernet.
sys-firewall gets its internet from sys-net.

And in your specific example:

sys-whonix gets its internet from sys-firewall.
sys-vpn gets its internet from sys-whonix.

So you might want to make an AppVM called "personal" and set sys-vpn as
its netvm. When you use the internet in that VM, all internet traffic
will come from the VPN.

You might want to make an AppVM called "captive-portal" and set
sys-firewall to be its netvm. When you use the internet there, your IP
will be your real IP address without any proxies.

For each AppVM, you get to choose which ProxyVM it gets its internet from.
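
The two layouts Sean lists above (AppVM -> TorVM -> VpnVM -> NetVM versus AppVM -> VpnVM -> TorVM -> NetVM) and Micah's "each qube gets its internet from its netvm" picture can be worked through with a small model. This is an added example written for this page, not code from the thread or from Qubes OS: the netvm table is constructed here and stands in for what `qvm-prefs <qube> netvm` would report in dom0, the qube names follow the thread, and Tor is treated as a single hop (inside Tor the exit node only ever sees a relay, not your address). The point it makes explicit is that each tunnel qube wraps the packet in one more layer as the packet moves towards sys-net, so the layers are peeled off in the reverse order: the tunnel nearest the AppVM is the last hop, and its endpoint is the address the destination website sees.

```python
# Added example (not from the thread or from Qubes OS): a model of how packets
# leave a chain of Qubes network-providing qubes. NETVM is constructed for the
# example and stands in for `qvm-prefs <qube> netvm` output in dom0.

# Constructed netvm assignments: qube -> the qube it gets its internet from.
# None marks the qube with no netvm (sys-net, which owns the physical NIC).
NETVM = {
    "sys-net": None,
    "sys-firewall": "sys-net",
    "sys-whonix": "sys-firewall",
    "sys-vpn": "sys-whonix",            # VPN tunnel is built over Tor (Micah's layout)
    "personal": "sys-vpn",              # website sees the VPN, VPN sees Tor
    "tor-only": "sys-whonix",           # plain Tor: website sees a Tor exit node
    "captive-portal": "sys-firewall",   # no tunnel at all: real IP on the wire
}

# Which qubes in a chain add a layer of encapsulation, and who terminates it.
# Tor is modelled as one hop; its exit node never sees the client's address.
TUNNELS = {
    "sys-whonix": "Tor",
    "sys-vpn": "VPN server",
}


def netvm_chain(qube, netvm=NETVM):
    """Return [qube, its netvm, that qube's netvm, ...] down to the qube with no netvm."""
    chain = []
    while qube is not None:
        if qube in chain:
            raise ValueError(f"netvm loop at {qube}")
        chain.append(qube)
        qube = netvm[qube]
    return chain


def wire_path(qube, netvm=NETVM, tunnels=TUNNELS):
    """Parties that handle the packet on the Internet, in the order they touch it.

    Each tunnel qube wraps the packet in one more layer as it moves towards
    sys-net, so the layers are peeled off in reverse: the tunnel nearest sys-net
    is the first hop (what the ISP sees you connect to) and the tunnel nearest
    the AppVM is the last hop (its endpoint is the address the website sees).
    """
    hops = [tunnels[q] for q in netvm_chain(qube, netvm) if q in tunnels]
    hops.reverse()
    return hops + ["destination website"]


def who_sees(qube, netvm=NETVM, tunnels=TUNNELS):
    """Map each observer on the path to the source it sees the traffic coming from."""
    hops = wire_path(qube, netvm, tunnels)
    view = {"your ISP sees you connect to": hops[0]}
    previous = "your real IP"
    for hop in hops:
        view[f"{hop} sees traffic from"] = previous
        previous = hop
    return view


if __name__ == "__main__":
    for qube in ("personal", "tor-only", "captive-portal"):
        print(qube, "->", " -> ".join(netvm_chain(qube)))
        for observer, source in who_sees(qube).items():
            print("   ", observer + ":", source)
```

Passing a different netvm table reproduces Sean's first layout: with sys-whonix's netvm set to sys-vpn and an AppVM behind sys-whonix, the ISP sees a connection to the VPN server, the VPN server sees your real IP, and the website sees a Tor exit node, which is the opposite of the "personal" qube above.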

james.bu...@gmail.com

Aug 19, 2017, 3:29:09 AM8/19/17
to qubes-users
So I want to have 2 different types of system


One where it goes through Tor and then through the VPN, so that websites don't see I am using Tor.

So that would need to be whonix WS -> whonix GW -> VPN VM -> net vm


And a separate system that just uses Tor,

Which would just be

Whonix WS -> whonix GW -> net VM

If I open two of the above App VMs, would each App VM's connection appear to come from two separate IPs?

Am I on the right track with this?

Also, if I run this, will it ensure all traffic goes through Tor and the VPN no matter what I do? Is there a chance some websites might use different protocols and bypass Tor?

Thanks

james.bu...@gmail.com

Aug 19, 2017, 3:45:02 AM8/19/17
to qubes-users
Also, can I safely use any App VM with Whonix GW instead of Whonix Workstation?

Thanks
