(random reddit user reply):
Don’t use such VPN Clients. Have a look at your torrc file.
As I understand, modifying the TorRC file can help to as I initially put it, ‘region-lock’ you to a certain location by only using specific nodes. In this case, I could restrict to using non USA nodes.
That said, I like the idea of the extra security that TOR’ifying the entire VM by using a whonix-ws template, and then adding a VPN on top of it. It’s easier for me to browse and use websites that are not so kind to TOR-based visitors.
I am not hearing many downsides apart from, “just don’t do it”. I do not understand why this would be seen as risky or not recommended given the extra major layer of anonymity that the completely TOR’ified Qubes VM provides. What is the big deal of adding a VPN on top of this in the manner that I have recommended?
I am not trying to shoot down instruction from those who probably know infinitely more about Qubes OS, and how this all works, more looking for insight and sage advice.
The last thing I need is to be trading on Binance (for lack of a better example), and then receive a ban or at least a request for extended KYC because they can confirm I was using TOR.
If they see that I was using a VPN, and let’s say one of the awesome 3 letter agencies wanted to request more info… Well, of course they can subpoena the VPN company and ask for any evidence or logs. But, with my method, as I understand this (which may indeed be wrong), wouldn’t the logs from Nord only show that some random device is connected through NordVPN via TOR? I mean yeah, it might show everything that I did and all the places I visited… But at the end of the day, if they want to figure out who the hell it was, they are going to have a very difficult time doing so as nothing will have ever been connected to any personal information whatsoever.
That’s why I figured to use the VPN paid for over TOR, with anonymous details, burner email, and payment using a (mostly) untraceable cryptocurrency like XMR.
Another user mentioned that it might be easier to fingerprint additional details (ie: usage of the TOR). because NordVPN is not safe and might be forthcoming with logs or additional details.
However, I do not understand what would be the problem if all they are seeing is that some random unidentifiable computer is connected to them through TOR…
The entire idea in theory, is to keep the whonix-ws template VM that is running, completely TOR’ified, and safe. This way I can use something like Discord or Telegram, with all traffic routed through TOR, alongside a working functioning TOR Browser connected to TOR… But, with this I can still have an additional Firefox browser on the side open and connected through a VPN for my other listed purposes on the same machine, all simultaneously. If I shut down the VPN or it disconnects at random, the next website I go to will use my Tor connection instead. (tested to work)
From a security standpoint… If something happens and I am scripted or download some malicious file while using the Firefox VPN extension, well then they have access to one of my Qube OS VM’s that doesn’t have any personal information tied to it in a truly sandboxed Qubes VM TOR’ified environment… It may be compromised, sure, but now I close/shutdown the Qube VM, erase the thing, and start fresh with a new VPN, new details, new burner emails, etc.
Please educate me friends, what am I not understanding? Where is the security lapse here?