Correct network setup to connect to tor from vpn

Before I begin, I read a LOT of forum pages and guides online, the whonix wiki, @Sven setup, et cetera… but I still cannot understand the correct setup for my use case:

Currently I have:
Tor browser (dispvm) > sys-whonix > sys-firewall > sys-net

I want to connect to tor with the vpn ip instead of my isp ip:

Which is the correct setup for this case?

  1. Tor browser (dispvm) > sys-vpn > sys-whonix > sys-firewall > sys-net

  2. Tor browser (dispvm) > sys-whonix > sys-vpn > sys-firewall > sys-net

Welcome to the forum!

What you want is 2.

However, let me be the normal linux forum dude telling you why you do not want to do what you try to do:

Generally speaking: A VPN does not help you, it may as well hurt you when using with Tor. If you do not know exactly what you are doing and have a really strong reason to do so, you are better off without.

I wrote many posts about the topic of VPN + Tor and yet nobody really had a real reason to combine them, but if you could tell us what it is that you want to achieve with combining both technologies, maybe we can get a better understanding of your situation.

Here is an overview and some more sources why this is either a bad idea, or noneffective.


Hello! Thank you for welcome and reply!
Interesting link, I missed it before!

I want the guard node to not know my isp ip. If one adversary controls entry + exit nodes, they can find the vpn ip and not my isp, more work for them!

Tor devs like the idea: TorPlusVPN · Wiki · Legacy / Trac · GitLab

You → VPN/SSH → Tor
This can be a fine idea, assuming your VPN/SSH provider’s network is in fact sufficiently safer than your own network.
Another advantage here is that it prevents Tor from seeing who you are behind the VPN/SSH. So if somebody does manage to break Tor and learn the IP address your traffic is coming from, but your VPN/SSH was actually following through on their promises (they won’t watch, they won’t remember, and they will somehow magically make it so nobody else is watching either), then you’ll be better off.

Technically this is correct.

However the Tor network does need you to trust your guard at least a tiny bit. I tend to trust my guards, also I personally have no problem with my guard knowing my IP. But maybe this is important for your use case, and your setup will make it much harder for a singular evil guard node to know your IP.

And from my point of view, neither the FAQ on Tor's website, nor Matt's overview, the whonix wiki or most other resources are all too thrilled with the idea. If you want more info on that, see my attached sources from the post I linked to. Just don’t expect any more privacy by using a VPN in front of Tor :)

I argue that if tor does not know my isp ip, it is already more privacy. Maybe not from global adversary able to correlate, but almost surely from malicious adversary that is not-global.

Well if this adversary runs a node, him/her having your IP address is not really useful information imo. I think it is more valuable to inspect the timings and volume of data you request to try and figure out what you are doing, and this is also possible when using a VPN upfront. On the other hand, you gave that same information additionally to a VPN provider that knows your real name (if you have not paid it anonymously).

Also i argue, that VPNs are usually used for shady traffic and as such may have more heat on them by adversaries. Monitoring them is significantly cheaper than trying to monitor all Tor guards.

Your setup will at least not catastrophically fuck up Tor's security goals (like other VPN+Tor setups I have seen over the years…)

If it is not targeted, they might see what i do, not who i am. And we already excluded target attack by global adversary.

of course, I refer to anonymous payment.

I say the opposite, vpn are becoming more and more used even for just simple things, like netflix while tor is used for more shady business than vpn. Vpn can also be used for many other things, like corporate, or personal networking configurations.

Genuine question, how do you ensure exit nodes and vpn are not using same infrastructure? If vpn also runs some tor exit nodes or both use same host would that be issue @SecularNetwork? Maybe I misunderstand or maybe you have method to avoid?

Tor does this automatically (to some extent)

See here

- We do not choose the same router twice for the same path.
- We do not choose any router in the same family as another in the same
  path. (Two routers are in the same family if each one lists the other
  in the "family" entries of its descriptor.)
- We do not choose more than one router in a given /16 subnet
  (unless EnforceDistinctSubnets is 0).
- We don't choose any non-running or non-valid router unless we have
  been configured to do so. By default, we are configured to allow
  non-valid routers in "middle" and "rendezvous" positions.

Of course this is not 100% perfect, but it is a start. Also what I don’t know is, if the starting IP is integrated into this system as a mock node. I think it is possible, but not specified directly.

To avoid having the exit on the same infrastructure as your VPN you could enumerate its infrastructure, obtain the census and exclude any overlaps in your torrc.
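
The overlap check suggested in the reply above, sketched as an added example that is not part of the original thread. It assumes IPv4 only and borrows the /16 granularity of the quoted path rule as its definition of "same infrastructure"; the VPN range, relay list and fingerprints are constructed stand-ins for a provider's published ranges and the current consensus.

```python
import ipaddress

# Constructed sample data: addresses come from the 198.18.0.0/15 benchmarking
# range and the fingerprints are fake. Nothing here is a real relay or provider.
VPN_RANGES = ["198.18.30.0/24"]
RELAYS = [
    # (fingerprint, IPv4 address, has Exit flag)
    ("A" * 40, "198.18.30.7", True),    # inside the VPN provider's own range
    ("B" * 40, "198.18.99.5", True),    # different /24, same /16 as the VPN
    ("C" * 40, "198.19.1.1", True),     # unrelated /16
    ("D" * 40, "198.18.30.9", False),   # overlaps, but is not an exit
]


def widen_to_16(cidr):
    """Return the /16 containing an IPv4 range (ranges already wider are kept)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.supernet(new_prefix=16) if net.prefixlen > 16 else net


def overlapping_exits(vpn_ranges, relays):
    """Fingerprints of exit relays that share a /16 with any VPN range."""
    blocks = [widen_to_16(r) for r in vpn_ranges]
    hits = []
    for fingerprint, addr, is_exit in relays:
        ip = ipaddress.ip_address(addr)
        if is_exit and any(ip in block for block in blocks):
            hits.append(fingerprint)
    return sorted(set(hits))


def torrc_line(fingerprints):
    """Build an ExcludeExitNodes line, or an empty string if nothing overlaps."""
    if not fingerprints:
        return ""
    return "ExcludeExitNodes " + ",".join(fingerprints)


if __name__ == "__main__":
    print(torrc_line(overlapping_exits(VPN_RANGES, RELAYS)))
```

The result is only as complete as the list of VPN ranges fed in, and it has to be regenerated as the consensus changes.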


Same argument can be done for ISP, it is certainly bigger and with more resources, it likely has nodes too

Relieved you considered this already.

If true for you then no worries. Apologize if my confusion divert thread.

Definite start. If mock node idea implemented with vpns I surprised and need learn more.
Before use qubes, used whonix virtualbox with linux host. Calyx bitmask vpn on host and frequent whonix tor calyx exit nodes made wonder if make sense to me. I not trust vpns more than guards (or ISP) so performance hit and additional complexity discourage me. Disassociating identity from ISP pursued instead.

Could try enumerate infrastructure. I likely not succeed to my confidence (much privacy hosting seem centralized nowadays). Seem cumbersome if tor exit nodes not specified (which I think not generally advised). Not expert so happy to hear wrong and others successes. Thanks for ideas and research.

I much preferred this setup because the sys-whonix comes after the sys-vpn when you started up the sys-vpn to get the sys-whonix set up afterwards. My current set up is similar, but same:

Tor Browser (DVM) → sys-whonix → sys-vpn → sys-firewall1 → sys-net

This is the way. I misread, sorry. This setup is the only sane setup for almost all use cases, if you choose to use VPN+Tor.

This will defeat Tor. It will connect **to** your VPN **over Tor**. This will provide you with:

* Anonymity against your VPN provider
* Basically non anonymity against any system you interact with over Tor

I would highly recommend to rethink what you want to protect against whom.

This may be getting confusing. Isn’t that the solution you proposed OP to connect to Tor via VPN?


No. His goal is, to…

So he wants all his traffic to go through the VPN before reaching his guard node.

That’s exactly my point. But then you stated the following, for the same configuration:

These setups are equal, yet you’re having contrasting opinions:


You are absolutely right, I messed up.

Just to clear things up:

Tor Browser → sys-whonix → sys-vpn → sys-firewall → sys-net → the dangerous internet.

Will do the following. sys-whonix will package your traffic into tor packets, that will be sent through your VPN tunnel and will exit your VPN endpoint. Usually if you really want VPN+Tor, this is what you want.

Tor Browser → sys-vpn → sys-whonix → sys-firewall → sys-net → the dangerous internet.

This will package your browser traffic into VPN packets and send those over Tor, to your VPN. From there, it enters the internet at your VPN's endpoint.

I am very sorry for the confusion, I misread your post.

Doesn’t this configuration mean that sys-whonix connects to the tor-entry/guard via the OP’s ISP, thereby revealing the ISP’s ip-address to the tor-guard-node which is what the OP wants to avoid?

I would agree with your first response of option 2

Here, I thought the following would happen: sys-whonix asks sys-vpn for a tor-entry then sys-vpn asks the OP’s ISP for a VPN server and the VPN server “unwraps” the vpn traffic to find the request for a tor-entry so it is the VPN server that connects to tor in this instance so the tor-guard does not know the ISP ip-address.

In general, whatever is closest to sys-net (out of sys-whonix or sys-vpn) is what talks to the ISP and is what the ISP talks to in the “outside world”.

tor-browser -> sys-whonix -> sys-vpn -> sys-firewall -> sys-net <---> ISP <---> VPN Server <---> tor-network <---> [requested url]

tor-browser -> sys-vpn -> sys-whonix -> sys-firewall -> sys-net <---> ISP <---> tor-network <---> VPN Server <---> [requested url]


Yes. And it defeats basically all points of Tor. Luckily, OP does not use this setup, but the other one.

Yes, this is correct.


Just a note for others reading this that this is by no means Qubes specific. It’s an old story from out there.
Reminder that Qubes is about security at first and not about anonymity, as well.