Qubes-vpn-support Tor Browser not working


Anhangá

Apr 18, 2020, 8:49:45 AM
to qubes-users
Hi everyone,

I'm trying to use a VPN through TOR [NordVPN - TCP Protocol] as follows: Tor Browser in Whonix-Workstation -> sys-VPN -> sys-whonix [whonix-gateway] -> Internet. My goal is to connect to my VPN after the TOR routing (bypass the Tor censorship in some websites). But I lack the ability to achieve that goal (I'm a noob).

1 - When I use the Tor Browser (whonix-ws) connected directly to whonix-gw, it works fine
2 - When I use an AppVM with my sys-VPN (configured with Qubes-vpn-support to connect to my VPN provider with TCP protocol), it works fine
3 - When I set my sys-VPN to connect to my VPN over Whonix-gateway, it works fine and I see the LINK IS UP popup.
4 - When I use my AppVM to connect to my sys-VPN over whonix-gateway it connects!

The problem is, when I set my whonix-workstation to connect to sys-VPN over whonix-gw, my Tor Browser does not work anymore. If I disconnect the VPN inside sys-VPN, the Tor Browser starts working as usual, but when my VPN is connected, it stops.

I'm assuming that it is some kind of incompatibility of the Tor Browser with the VPN link (again, I'm already using TCP protocol), but I can't figure out how to fix this. Any ideas?

Jarrah

Apr 18, 2020, 9:07:16 AM
to visc...@gmail.com, qubes...@googlegroups.com
> My goal is to connect to my VPN after the TOR routing (bypass the
> Tor censorship in some websites).
This somewhat defeats the purpose of using TOR. You now have an
identifiable address due to having a (hopefully paid) vpn. They can
track you. Any anonymity provided by TOR is taken away by the VPN.
> The problem is, when I set my whonix-workstation to connect to sys-VPN over
> whonix-gw, my Tor Browser does not work anymore. If I disconnect the VPN
> inside sys-VPN, the Tor Browser starts working as usual, but when my VPN is
> connected, it stops.

This is by design. TOR browser assumes it can speak TOR protocols and
connect to .onion addresses (etc). However, the VPN will come out onto
the clearnet, rather than TOR's network. TOR browser cannot look up TOR
addresses, nor can it connect to anything relying on TOR.

If you want to do this to access clearnet sites, you'd have to use a
standard browser. The VPN should work just fine, so long as you're not
trying to connect to TOR specific services through it. Though, please
see above warning about doing so.

The only reason I can think of to do this is if you live in a location
that blocks VPNs, but is fine with TOR. Otherwise, you have exactly the
same security model as just using the VPN, plus the overhead and attack
surface of TOR/Whonix.

Anhangá

Apr 18, 2020, 9:26:29 AM
to qubes-users
But is it possible to somehow make TOR Browser access the clearnet using a VPN connection after the TOR routing? Do I have to do some special config in the TOR Browser to allow that?

Chris Laprise

Apr 18, 2020, 3:24:22 PM
to Anhangá, qubes-users
Someone on the Whonix forums might know the definitive answer to your
question. But I'd guess there is little or no advantage to using
Torbrowser over Firefox when it can't speak to the Tor router.

Note that Firefox has recently incorporated some Torbrowser features, so
you could use it with Tracking Protection set to Strict, and
'privacy.firstparty.isolate' set to True, 'privacy.resistFingerprinting'
set to True, in addition to using the User-Agent Switcher extension. I
think these are a good idea whether or not you use a tunnel or proxy.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Anhangá

Apr 18, 2020, 5:06:06 PM
to qubes-users
Thank you for the answer Chris.

I'm not planning to use Firefox over a TOR connection. I just want to use the TOR browser but, in the tor end node, route my traffic to a VPN and then to the Internet.

I set the ProxyVM as you said in the qubes-vpn-support and it worked just fine. LINK IS UP and running. But if my ProxyVM is running my VPN connection, TOR browser in the Whonix-WS does not work. If I disconnect the VPN inside my ProxyVM, TOR browser also works just fine. The problem is only when I'm trying to use TOR Browser with the VPN link UP. So, I'm guessing that there is some config that I have to do inside TOR Browser to use my VPN.

The newest Firefox has some really good anti-fingerprint features, but nothing compares to TOR Browser, like in-depth fingerprinting combining settings such as Screen Resolution and viewport...

Daniil Travnikov

May 19, 2020, 7:47:31 AM
to qubes-users
I can't agree with you. For example, when you are using Tor without a VPN after the exit node, you give all your information to the exit node, who could sniff anything you are doing on the Internet. So I don't think that this is a high level of anonymity. And one of the ways to get a higher level of anonymity is using the VPN after the exit node. Only if you can pay for this VPN with cash deposit via crypto-currencies (also it is one of the ways).

Daniil Travnikov

May 19, 2020, 7:53:09 AM
to qubes-users
Try this on your browser:


About:config

network.proxy.socks_remote_dns  >> Choose >>  false
preferences  --advanced----network----settings----   >> Choose >>   No Proxy
network.proxy.type    >> Choose >>    0
network.http.sendRefererHeader    >> Choose >>    0
network.cookie.cookieBehavior    >> Choose >>    2

Anhangá

May 20, 2020, 7:29:45 AM
to qubes-users
Thanks Daniil. I'll try that.

Logan

May 23, 2020, 4:29:02 AM
to qubes...@googlegroups.com
When you have no choice and need to bypass cloudflare or similar here's
my quick and dirty:

Open any VPN provider's app that provides a SOCKS5 proxy inside a
Whonix-WS appVM. Check the documentation for the IP/Port and point FF's
network settings to the proxy address. Done.

I'll repeat what everyone else is saying: This is generally not
advisable as you are often better off spinning up a throwaway Deb or Fedora
appvm with vpn, but this approach is simple and does work.

Logan