So the main question is how to setup configuration in Qubes OS?
1. I must install VPN config in Whonix-gw template or in sys-whonix (proxyvm). It means vpn inside whonix.
2. I must install second ProxyVM with VPN which must have NetVM like whonix and must connect with my AppVM? But in this case VPN will be after whonix, not inside.
So what realisation would be safer from Tor Exit Nodes?
What is the official opinion from Qubes developers?
I'm assuming you want to tunnel traffic through tor, through a seperate vpn?
For browsing use the Tor browser. To pipe anything else through I recommend proxychains and the tor service on an appVM. You can have the appVM performing this behind a netVM connected to a VPN if you don't want intermediaries knowing you're using tor (potentially apart from your vpn provider).
From reading this it seems like a safer way to go - only pipe apps through tor that you wish to use through tor rather than all traffic. No problem having traffic go through WhonixVM > vpnVM > sys-net however. If you're referring to the other way around (vpnVM > whonixVM > sys-net) I'm not so sure.
So what I recommend is:
- AppVM (proxychains + tor) > vpnVM > sys-net
Add a firewall + other intermediaries if you wish
- AppVM (proxychains + tor) > vpnVM > > vpn2VM > firewallVM > sys-net
If the other way around with vpns and tor you could work that out from the above.