How to use a VPN to encrypt traffic from the Tor exit node of Whonix?


Daniil .Travnikov

May 2, 2018, 3:32:24 PM5/2/18
to qubes-devel
I want to use a VPN to encrypt my traffic from the third onion node (the exit node) in the Tor connection.

So the main question is how to set up this configuration in Qubes OS?


1. I must install the VPN config in the Whonix-gw template or in sys-whonix (ProxyVM). That means the VPN is inside Whonix.

2. I must install a second ProxyVM with the VPN, which must have Whonix as its NetVM and must connect to my AppVM? But in this case the VPN will be after Whonix, not inside it.


So which realisation would be safer against Tor exit nodes?


What is the official opinion from Qubes developers?

Chris Laprise

May 2, 2018, 7:49:34 PM5/2/18
to Daniil .Travnikov, qubes-devel
IMO, number 2 is safer because both programs (e.g. Tor and OpenVPN) are
isolated from each other.

You can read about Tor + VPN options on the Whonix site:

https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#Separate_VPN-Gateway

Where it mentions "Qubes VPN documentation" you might try setting up
qubes-tunnel instead, which is easier and more robust:

https://github.com/tasket/qubes-tunnel

-

Note that if you are running OpenVPN through Tor, you'll probably need
to configure the VPN to use TCP connections, and most VPN providers use
different addresses and ports for TCP.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
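Chris's TCP point above, as an added example that is not from the thread or from qubes-tunnel: a small Python audit of an OpenVPN client profile for settings that cannot work once the VPN is tunnelled through Tor, since Tor only carries TCP streams. The sample profile, the host `vpn.example.net`, the TCP port 443 and the UDP-only option list are constructed or assumed, not taken from any provider.

```python
import shlex

# Options OpenVPN only accepts on a UDP transport (assumed list, see the OpenVPN manual).
UDP_ONLY = {"explicit-exit-notify", "fragment"}

def parse_ovpn(text):
    """Yield (directive, args) per config line; inline <ca>..</ca> blocks are skipped."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def audit_for_tor(text):
    """Return findings that would break the VPN when it is tunnelled through Tor."""
    findings = []
    for directive, args in parse_ovpn(text):
        if directive == "proto" and args and args[0].lower().startswith("udp"):
            findings.append(f"proto {args[0]}: Tor carries TCP only, use 'proto tcp'")
        elif directive == "remote" and len(args) >= 3 and args[2].lower().startswith("udp"):
            findings.append(f"remote {' '.join(args)}: per-remote UDP, use the provider's TCP endpoint")
        elif directive in UDP_ONLY:
            findings.append(f"{directive}: UDP-only option, drop it when using TCP")
    return findings

# Constructed sample profile with a typical provider default (UDP on 1194).
SAMPLE_UDP = """\
client
proto udp
remote vpn.example.net 1194
explicit-exit-notify 3
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# The same profile switched to the provider's TCP endpoint (port 443 assumed).
SAMPLE_TCP = (SAMPLE_UDP.replace("proto udp", "proto tcp")
              .replace("1194", "443")
              .replace("explicit-exit-notify 3\n", ""))
```

Running `audit_for_tor(SAMPLE_UDP)` reports the UDP transport and the UDP-only option; the TCP profile yields no findings.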

Patrick Schleizer

Aug 7, 2018, 1:07:39 PM8/7/18
to qubes...@googlegroups.com

Epinsion Polickye

Aug 8, 2018, 7:47:00 PM8/8/18
to qubes-devel

I'm assuming you want to tunnel traffic through Tor, then through a separate VPN?

For browsing, use the Tor Browser. To pipe anything else through, I recommend proxychains and the tor service on an AppVM. You can have the AppVM doing this behind a NetVM connected to a VPN if you don't want intermediaries knowing you're using Tor (potentially apart from your VPN provider).

From reading this it seems like a safer way to go - only pipe apps through tor that you wish to use through tor rather than all traffic. No problem having traffic go through WhonixVM > vpnVM > sys-net however. If you're referring to the other way around (vpnVM > whonixVM > sys-net) I'm not so sure.

So what I recommend is:
- AppVM (proxychains + tor) > vpnVM > sys-net

Add a firewall + other intermediaries if you wish:
- AppVM (proxychains + tor) > vpnVM > vpn2VM > firewallVM > sys-net

If the other way around with vpns and tor you could work that out from the above.

tier...@gmail.com

Aug 9, 2018, 1:01:49 AM8/9/18
to qubes-devel
Actually it's much simpler than most people are making out. There are two ways you can do it, and I'm not sure which one you're trying to achieve.

a) VPN over TOR : VPN goes through TOR. TOR wraps around the VPN, and the exit node is your VPN.
b) TOR over VPN : TOR goes through the VPN. Your VPN tunnel wraps around TOR connections, and the exit node is a TOR exit node.

Caveats
a) VPN over TOR can be insecure. Your VPN provider may not know where you're connecting from, but still knows who you are - because you have authenticated. They have your credentials and/or your previous IPs.
Traffic analysis can also be applied over the long-term, and through process of elimination, your identity can be revealed. Very few people will access this particular service over TOR, doing so hundreds of times will gradually reveal the connecting node - YOU.
b) The TOR exit node can still see your connection, it's not protected by the VPN, only HTTPS/SSH etc, in some cases. This only serves to hide your TOR connection from your ISP, and doesn't provide any great deal of beneficial security or privacy.

How to
Set up your VMs/ProxyVMs in this order:
a) app-vm -> vpn-vm -> whonix-gw -> net-vm
b) whonix-ws -> whonix-gw -> vpn-vm -> net-vm

Recommendations
a) Ensure that you have an anonymous VPN, you have paid anonymously, and have never connected to it outside of tor. You can collect the public key/cert from outside of TOR, but it should be public information, and you should not expose any credentials to acquire it.
b) None.

Closing thoughts
a) is really to protect your traffic from malicious tor nodes, but it can serve to reveal your identity. This should not be relied upon. You can only really stay anonymous by not using exit nodes, and the vanilla TOR browser only. Using any form of credentials will eventually expose you - which includes a VPN. You can combat this by moving around within your own borders, but come on - what are you trying to achieve?
b) A small privacy increase.