Connecting to tor before a Mullvad wireguard vpn

currywurst · October 6, 2022, 10:30am

Hello, I have used the mullvad doc to create a vpn connection like in this documentation

. I want to wrap my vpn about tor to use my old email server ( and didn’t get banned ) so my mullvad vpn is working and I cloned my sys-whonix and put it after my mullvad vm so like
sys-net → sys-firewall-> MullvadVPN → sys-whonix → any Template
But even in my sys-whonix template I get only the response that I use tor when I use the curl command. So it’s like that my cloned sys -whonix template place tor infront of mullvad.
Can someone explain me how I can tunneling a vpn over tor? I searched a lot in the internet but didn’t found something that fits for my wireguard template. Is there an easy way to connecting to tor before a vpn?

DVM · October 6, 2022, 1:00pm

What is sys-whonix and MullvadVPN netvms?

Quben · October 6, 2022, 1:22pm

What’s the point of putting the VPN before Tor…? That’s just an extra unnecessary middleman (unless you’re in one of those weird places that behead people for wanting freedom)

I’ve done Tor->VPN successfully in the past but not the other way around. Sounds to me like it’d be a little more complicated due to the way Whonix works but I could be wrong

whoami · October 6, 2022, 1:43pm

user - firewall - network - tor - vpn - (email) web-service

Advantage, some service provider block traffic from Tor exit nodes. With this setup you can avoid this blocking. … but some are also blocking VPN IPs.

Btw, maybe this is of interest: The Hitchhiker’s Guide to Online Anonymity | The Hitchhiker’s Guide to Online Anonymity

renehoj · October 6, 2022, 2:13pm

You are using Tor and then the VPN, not the other way round, there really isn’t any reason to use the VPN and then Tor.

currywurst · October 6, 2022, 5:11pm

I read your documentation and will try to build a extra proxy vm for my vpn vm. When I put a simple whonix ws on the vpn qube I get this result:

whoami · October 6, 2022, 5:18pm

It is not my documentation. It is just a well known anonymity guide. Sorry, I cannot help you here (I do not have tor - vpn nor vpn - tor nor vpn - tor -vpn) but did you make a search here on this community? There are many threads already i.e. https://forum.qubes-os.org/t/qubes-vpn-setup-tor-over-vpn-vs-vpn-over-tor/8398 , https://forum.qubes-os.org/t/bulletproof-vpn-configs/12762 … I guess @Emily can give you some advice or support

currywurst · October 7, 2022, 11:37am

I set up now a vpn connection with cli scripts

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

But I get the same results. I configured that my sys-vpn use sys-firewall for network and then that sys-whonix clone use sys-vpn for internet. In sys-vpn I can connect to the internet, but when I try to connect to tor through my sys-whonix I can’t establish a connection.
After that I tried to use a new qube with an whonix gw, clicked on provides network and in a second fedora template that I placed behind I opened a Firefox browser. But when I tested my ip it shows me the tor ip. I configured that my sys-vpn use sys-whonix as net vm but then I get no connection at all.

currywurst · October 7, 2022, 11:58am

Your links are private for me

currywurst · October 8, 2022, 8:56am

Ok I read the whonix documentation

And found this text
UDP-style VPN connections are incompatible with Tor because it requires the VPN to be configured to use TCP. [14] This requires adding proto tcp to the VPN configuration file /rw/config/vpn/openvpn-client.ovpn .
So I found and change the passage in my vpn file. After restarting the template I get the message “link is up” so it’s connecting with my sys-whonix template but because that’s not enough I had a 100% packet loss in my ping test. Does anyone know what I am doing wrong?

enmus · October 8, 2022, 9:03am

Just blind suggestion.

whoami · October 8, 2022, 9:28am

This Tor limitation was one reason to develop lokinet.

Emily · October 10, 2022, 7:23am

I chained together qubes to make this work. I’m not sure its the best approach.

Example:
sys-mullvad: Set your firewall settings to only allow connections from the Mullvad IPs. Set your vpn to auto start when qube loads. I used this guide to do that: Using Mullvad VPN in Qubes
sys-whonix: Standard tor connection.
sys-mullvad-whonix: Uses sys-mullvad for the network.

What it looks like in practice.
sys-mullvad start and connects to the VPN.
Then sys-mullvad-whonix starts and connects to Mullvad thru sys-mullvad. Then connects to tor.

(You can go a step further and chain another VPN too: Example: sys-mullvad-tor-proton.)

Slow, but when needed, it could save your life as the world spirals further into dystopia.

You could also replace Lokinet for the Tor part of the chain. That will be my next test.

Quben · November 22, 2022, 6:14pm

Make sure you get the TCP 443 versions of your OpenVPN config files if you want it to work over Tor. I use two different VPN providers and they both offer port 443 options in their respective OpenVPN config download pages so I bet yours does too

Quben · November 22, 2022, 6:18pm

Yeah rofl we can pretty much chain as many VPN’s and Tor circuits as RAM allows… now when we figure out how to throw i2p into the mix (as in an i2p netvm) then we win the anonymity game