How do I set up whonix under a VPN after this guide?

If I use this guide and its network settings.

How do I set up whonix under a VPN afterwards? So that whonix passes through the VPN.
Is it already fixed after that guide, or do I need to change maybe whonix template? Does it even use the same network settings as the official qubes VPN guide? The template uses sys-whonix right now…
Thank you.

I’m not sure what you mean by “under”. Do you want to connect to your vpn before you connect to tor? (vpn before tor). Usually people try to do this to prevent their ISP from knowing they are using tor. If that is what you want to do and assuming you already created your vpn-mullvad VM, you’ll need to assign vpn-mullvad as the networking VM in your sys-whonix VM. That means instead of sys-whonix connecting to the internet directly through sys-firewall, it will connect through vpn-mullvad. The networking chain would look like this: sys-net > sys-firewall > vpn-mullvad > sys-whonix > any-app-vm. When you visit a website, your ip address would appear to be a tor exit node.

But if you want to connect to your vpn after you connect to tor, you’d have to set “sys-whonix” as the networking VM in the vpn-mullvad VM. People usually do this to prevent any website you visit from knowing you’re using Tor. Keep in mind, with this setup you can’t use Tor Browser. You’d use a separate VM with a different browser (firefox/chrome/whatever) and this VM would use vpn-mullvad as the networking VM. The networking chain would look like this: sys-net > sys-firewall > sys-whonix > vpn-mullvad > any-app-vm. If anonymity is important, don’t forget there are other aspects to anonymity besides just your ip address (browser fingerprinting, cookies, etc) so it’s safer to just use Tor Browser the standard way without a vpn endpoint unless you really know what you’re doing.

It’s pretty simple, just follow the chain of networking VMs starting from sys-networking and assign them however you want. Follow the path, one vm at a time and see if it makes sense. Always try a “what’s my ip” search after you set it up and see what your ip address appears to be.

Great!!! Sweet. Now my setup is perfect. Thank you very much. 🙂 I was gonna use that, but I was not sure… Appreciated! 💫

What do you think of
sys-net->sys-firewall->sys-vpn->sys-whonix->sys-vpn->dispVM?
Is it anonymous and safe enough? Will Tor browser work in this dispVM?

What do I do if I also want the anon-whonix to go through a VPN then?
Did the setting you mentioned… “you’ll need to assign vpn-mullvad as the networking VM in your sys-whonix VM.” Did that affect both anon-whonix, and the disp whonix-16 also? Which qubes did that setting affect?

It depends on your threat level but I think generally it seems pointless to simultaneously use a vpn as your entry and exit. Using a vpn to hide tor usage is not that effective. More hops does not mean safer. It may be effective in hiding tor usage if you are using internet from a college campus or low security network but ISPs and governments can detect tor usage even if you are going through a vpn first. I would explain it but there are much more detailed posts about that topic so just search for them. The tldr is: tor bridges are better.

But using a vpn after tor is ok depending on what you’re doing. It’s helpful if you want to use tor on a website that blocks tor. The website will think your ip address is from a vpn instead of tor. Just be sure to register and pay for that vpn anonymously if anonymity is important. There’s no point in jumping through all these hoops of trying to be anonymous if you paid for the vpn with your credit card or use it to check your gmail account. That’s basic compartmentalization OPSEC you should research if you aren’t already familiar.

For most people, connecting to tor directly and using the regular tor browser is safest. If you are stuck in a country with censorship, use a tor bridge. If you need to use tor but a service blocks tor, use a vpn after tor. Also, the cops aren’t going to bust down your door or investigate you just for using tor. There’s a lot of tor traffic out there.

It would affect any VM that gets internet from sys-whonix.

Go into qube settings on your anon-whonix and disp whonix-16 and see what their networking vm is set to.

An easier way to get an overall picture of your network flow is to go to the Qube manager window and look at the list of all your qubes. There’s a column for “network vm” so you can get a broad view of where all your qubes are getting their network connections from.
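
The same check can be done from a dom0 terminal. The script below is an added example, not something posted in this thread: it walks a qube's netvm chain with `qvm-prefs` and reports whether the VPN sits before or after Tor. The function names and the `QVM_PREFS` override variable are made up for the illustration, and it assumes an unset netvm prints as an empty line or as `None`.

```shell
# Added example for dom0 (not from the thread). QVM_PREFS is a hypothetical
# override hook so the lookup can be stubbed; by default it is qvm-prefs.
QVM_PREFS=${QVM_PREFS:-qvm-prefs}

# Print the netvm of qube $1 (nothing if it has none).
get_netvm() {
    local nv
    nv=$("$QVM_PREFS" "$1" netvm 2>/dev/null) || return 1
    # Assumption: an unset netvm prints as an empty line or as "None".
    if [ "$nv" = "None" ]; then nv=""; fi
    printf '%s' "$nv"
}

# Print the chain in the thread's notation, uplink first, e.g.
#   sys-net > sys-firewall > vpn-mullvad > sys-whonix > anon-whonix
netvm_chain() {
    local vm="$1" chain="$1" next hops=0
    while next=$(get_netvm "$vm") && [ -n "$next" ]; do
        chain="$next > $chain"
        vm="$next"
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then   # guard against a misconfigured loop
            echo "netvm loop near $vm" >&2
            return 2
        fi
    done
    printf '%s\n' "$chain"
}

# Classify qube $1 given the Tor gateway qube $2 and the VPN qube $3.
tor_vpn_order() {
    local chain
    chain=" $(netvm_chain "$1") " || return
    case "$chain" in
        *" $3 "*" $2 "*) echo vpn-before-tor ;;  # ISP sees the VPN
        *" $2 "*" $3 "*) echo vpn-after-tor ;;   # websites see the VPN
        *" $2 "*)        echo tor-only ;;
        *" $3 "*)        echo vpn-only ;;
        *)               echo no-tor-no-vpn ;;
    esac
}

# Usage in dom0: sh netvm-chain.sh anon-whonix sys-whonix vpn-mullvad
if [ "$#" -eq 3 ]; then
    netvm_chain "$1"
    tor_vpn_order "$1" "$2" "$3"
fi
```

A qube name that does not exist is printed on its own with no chain, so check the name if the output is just one word.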

Thanks. 🙂
Anon-whonix = sys-whonix.
whonix-16 dvm = sys-whonix

So yeah, everything in qubes seems to go through a VPN then after setting sys-whonix to the VPN. Maybe even updates through tor… Or that could go through tor, I do not know… The setting when you install Qubes, and choose use tor updates. Great that the qubes go through a VPN.
Just curious now… Do Qubes update through tor under a VPN then? I guess so…
Thanks for your computer knowledge. Peace out

If your sys-whonix vm is getting its internet from your vpn VM then yes tor updates will all tunnel through the vpn too. You’re welcome 😀

Thank you. Someone else wrote that this is very insecure… Tor under a VPN…
Do you know if a plain vpn is safer, or do you have any better connection ideas that would work in 2022?

Define safe. Regarding safety: I do not see anything that is getting more insecure/unsafe by using Tor that is not already vastly unsafe/insecure to begin with (like unencrypted HTTP for example).

Also: what exactly do you want to do/protect?

Tor gives you better security guarantees for anonymity than a VPN. IMHO: If it can be done with Tor, it is always more private/anonymous than doing it with a VPN.

ok thanks I read here:

Anyways. I trust a VPN more than my ISP for sure! So I will use this.
I want to protect my right to privacy. I also lock doors… I think it’s disrespectful if hackers break into systems without asking. I would never do that. I could try bug bounty, but that’s using permission. White hats…
Those illegal ones are breaking into systems just because they want control. Domination of this world.
I do pirate movies on the pirate bay sometimes… When netflix is bad. Mostly just learning, or reading. Nothing illegal.
I just want to protect my personal space, and they do have to respect that.
I also want to protect passwords and everything.
I think both can be good if the VPN could be anonymous though… Seems safer. Good luck staying safe from hackers though.
I did not even buy a kindle after I read that they did check pages people read. I just find it to be utterly creeeeepy. So if I read online or search info or whatever… I don’t want it to be like kindle and they even deleted pirated versions of 1984 I read. That’s creepy.
I try to avoid that kind of behavior, that’s all. They had like data on how fast they read a page and everything haha. So weird. I would not even be able to concentrate if I knew that. I would want my personal space.
I think surveillance is kind of sick… Or making humans sick. I am much against it… It’s good if they stop crimes… Dangerous people out there… But apart from that, the mass psychological health has gone down.
Just the thought of that someone might be watching anyone online, and the one using the tech can’t even tell, because they do it in secret. That is just a red flag for me. I do not like it at all.
If some creepy dude did hide behind a bush outside and watched, I would know… Not with creepy tech. Can’t even know who is behind that bush.

Just linux distros of course 😉

I forgot about that use case! Yes, for torrenting a VPN really is the right tool and not Tor.

Yeah that one was hilarious! Really makes me think there was a troll within amazon that pulled that off.

So regarding VPN + Tor, I wrote something about that, here is my argumentation on why it is usually a bad idea and not really helping anything.

Regarding that trust thing: The cool thing with Tor is, that you do not have to trust (much)! There is no one entity that can betray you. Trust is distributed between your three nodes, so they have to work together to attack your anonymity. With a VPN you have to trust, that it is protecting you.

Your threat model seems like “I don’t want to be surveilled or analyzed”. Failure of OPSEC is not catastrophic. This can be achieved with a VPN to a reasonable degree of security (Tor is better of course ;)) and with qubes you have the very important other tool to make it happen: DisposableVMs.

Most tracking stuff happens with cookies and fingerprinting. Hiding your IP is the easy part. Tor browser is especially built to withstand that, but by using disposables with a VPN you can get very far. How good that is against fingerprinting I don’t know however.

Hehe yeah. But I mean. I pirate movies sometimes… So that’s illegal. I have always used the pirate bay, but sometimes, not all of the time. If netflix has issues and so on. Better to use a VPN then… Much less on linux because much is free, but on windows, yeah I did pirate some programs and stuff. 😉 Who could afford to buy it you know.
But I mean, when it comes to mp3, music, movies. Sharing is caring right…
I do support creators sometimes… I would give more if I had more.
I download games sometimes… Not as much now. But I don’t play as much now as I used to at all. Linux gaming is cool though…
Lutris is nice.
Anyways…
Yeah, you are right about the VPN, and yes it’s exactly that. I don’t want to be analyzed or surveilled. 😉 Like the kindle example, I could not even concentrate reading a book imagining some dude on the other end be like: “Hmm, I wonder why it takes so long to turn the page… I wonder if I should delete the 1984 copy.”
Just creepy. And you would not even know who the person was…
Yeah you are right about fingerprinting. So it’s better to blend in, right, than to stay unique? The browser fingerprinting pages want to show you are unique, no? It’s better to be like every other browser, right? Like… A tor browser then in the masses maybe?
I mean you can’t stay anonymous online… They could easily be on your phone, computers and everything. But at least you could try some… We all deserve some privacy…
I have a hard time even writing or talking to people on the phone if I know someone might be listening. It just messes with my mind… Hard to explain. Even if I got nothing to hide. It seems to be messing with my freedom of expression or thought perhaps…
It’s some kind of psychological terror the system worldwide has put on its citizens…
Some kind of slavery surveillance… I don’t know how to combat that, and take the privacy back. Maybe just being myself. Yeah, as always. Has worked so far. I won’t change. I will probably pirate from time to time if a good new movie is out… Qubes could also help and similar solutions.
I will probably try to have anonymity rather than use windows or spyware hardware and so on… But sometimes you don’t have a choice on android and other platforms… hmm.
Maybe I’m the only one that has always been paranoid… I just don’t like cameras outside… stuff like that…
It’s like the opposite of wanting to be famous hehe. Some would like that, crave that… I just find it annoying actually… It’s disrespectful… Like some dude would stand close to you on the subway and start speaking close to your ear kinda… And keep speaking. Just not caring about personal boundaries. I mean you would not know if someone did that or not! That is also the issue!! In real life this would not be possible…
People would just say, stop it. With technology they can hide… It also depends on if they are good or bad people doing the surveillance… I just don’t like not knowing I guess…

https://www.goodtherapy.org/blog/watch-out-psychological-effects-of-mass-surveillance-0910137

It should be illegal! If not… if they don’t ask permissions. Hackers should be able to do the same to them. I’m no hacker, but people who are… If they get surveilled illegally and not doing anything… They should be able to look at the watchers.

I feel the same way.
I may or may not obtain my books without DRM and then read them in a disposable qube without a netvm or on an airgapped hardware ebook reader. That way nobody knows when I am reading my books and potentially malicious epubs cannot create great damage.

If anonymity is the goal: Yes.
This is called k-anonymity. K is the number of people you look alike, so the more people look like you, the more anonymous you are.

Tor Browser has the goal to let every Tor Browser user look alike. If you are using Tor Browser without Tor somehow, that would make you stand out as likely nobody does that for example.

If your adversary has the ability to run code on your machine, there is absolutely nothing you can do to cover your tracks. However, it is unlikely that the surveillance capitalism adversaries like M$, amazon or google run code on my FOSS machines.

It totally is and this is arguably the goal of all this. A good keyword for more information is the Panopticon. You can start seeing this self censorship pretty much everywhere. People start to self censor in fear of being prosecuted for what they say, even if it is totally legal. Staying anonymous is a (more or less) easy way to avoid that problem.

There are degoogled androids out there one can use.

It should (imo). But it is not. You can be assured that the “normal” people are much more vulnerable to mass surveillance than you as a qube user are. You are using pretty much state of the art INFOSEC protective equipment against pwnage of your end device.

The fact that you think about things like that alone and consciously act (not meaning self censorship, but OPSEC considerations) makes you hop out of the bell curve.

nevermind

Hi again. Could someone please make a guide on how to use the guide with ovpn? But perhaps multiple VPNs you can switch between also?
If I wanted another VPN, would I create a new qube VM or would there be conflicts with the mullvad one?
I’m thinking you could switch between a vpn in the global manager perhaps.

I agree with you btw! Thanks. Yeah people start to self censor themselves… Even if stuff is totally legal! The surveillance is like some psychological trick. You don’t know who could be on the other side… Some fat dude with some moisture in his hand that just built an app maybe… Who knows… Some moderator or whatever, who has not washed his face in 8 years maybe. Fries all over his chest… Reading some private conversation between some dude and a girl maybe. Breathing heavily…
Mass surveillance can make people schizophrenic i bet, or people getting psychosis.
Could they be listening now or not? They can’t know for real… Then it’s like some start to act weird or “fake” maybe… Just feeling at unease…

That’s the issue with technology. You have no clue who they even are… They are too chicken to just call people up on the phone.
I don’t know if you self censor yourselves in apps you know are being watched over and famous for that or not, but how fun is it being on android if they record everything like creeps you know? It’s sketchy in my opinion… Good if they catch some bad ones… But for the rest it’s annoying with surveillance…
I envy people who had privacy back in the day actually… And I would never ever get a kid today, and imagine kids being online today on apps… their whole lives must be out there for some. Some might not care, others might. I just find it weird… Poor kids having no freedom whatsoever today. Every purchase registered, every thought, every mood, location, friend circles and so on… Mass-surveillance cameras follow their every step outside in cities. The mods or creeps have the power if you know what I mean… Some could be good guys. Some could be creepy… You just don’t know!
I mean some want to protect them, but I bet some abuse the power of surveillance also… Privacy is a human right.

Anyways, could anyone create a guide maybe on multiple VPNs with this setup? The official qube guide is good also… but I did not manage to create multiple VPNs there either last time.

What do you mean with “multiple VPN’s”?

If you’re using .ovpn files you can add as many as you want to Network Manager.

You can also take it a step further and create a VM for each profile, then use them by themselves:
browser-vm-1 > vpn-1 > sys-firewall > sys-net
browser-vm-2 > vpn-2 > sys-firewall > sys-net

Or concatenate the vpn VMs for a multi-hop setup like:
browser-vm > vpn-2 > vpn-1 > sys-firewall > sys-net

If you elaborate on your goal you could hope to receive more tailored answers.