[qubes-users] Best practice VPN in Qubes

Hi,

What is the best practice for setting up a VPN proxy in Qubes these days (for Mullvad, VPN over Tor)?

I found two versions for setup of VPN proxy in Qubes:

The first one is from tasket, called Qubes-vpn-support. The last version is dated Dec 2020 (tasket/Qubes-vpn-support, v1.4.4).

The second one is directly from Mullvad, dated March 6th 2023, so it seems more recent.

I plan to use VPN over Tor with Mullvad. Which guide would you recommend to use for this case and why?

Thank you a ton!

I managed to get the tasket guide running even for VPN over Tor. The only issue I didn't solve is that it is not working with Torbrowser in anon-whonix AppVM.

If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based AppVM and runs vanilla Firefox, it works like a breeze.

Any ideas how to solve this?

Leo28C:

I think that's by design. Whonix does that to protect you from accidentally compromising your own privacy.

Andrew David Wong:

> If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based AppVM and runs vanilla Firefox, it works like a breeze.
>
> Any ideas how to solve this?

> I think that's by design. Whonix does that to protect you from accidentally compromising your own privacy.

Thank you for the answer Patrick. It is possible. The question is how does one use VPN over Tor in this case with Torbrowser that doesn't compromise the privacy (see the use case below please).

The use case is to connect to a service like Twitter that is not Tor friendly from a static non-tor IP address (VPN), but at the same time hide my real IP address from the VPN provider by using Tor before I connect to the VPN.

Some services, like Twitter even if they have onion site keep forcing me to reset password periodically, reminding me that there is a suspicious behavior (just by connecting from Tor, not even posting anything) in an endless loop.

I would like to use the anon-whonix-twitter AppVM Torbrowser specifically for connection to that particular account only and nothing else, no other apps or even websites ever used in that anon-whonix-twitter AppVM.

Do you have any advice how to enable Torbrowser in the anon-whonix-twitter to work in the VPN over Tor scenario?

I would use the onion service and deal with the Twitter-side brokenness.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Demi Marie Obenour:

Andrew David Wong:

> If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based AppVM and runs vanilla Firefox, it works like a breeze.
>
> Any ideas how to solve this?

> I think that's by design. Whonix does that to protect you from accidentally compromising your own privacy.

The answer below was meant to you David. I misidentified Patrick as the author of the answer.

> Thank you for the answer Patrick. It is possible. The question is how does
> one use VPN over Tor in this case with Torbrowser that doesn't compromise
> the privacy (see the use case below please).
>
> The use case is to connect to a service like Twitter that is not Tor
> friendly from a static non-tor IP address (VPN), but at the same time hide
> my real IP address from the VPN provider by using Tor before I connect to
> the VPN.
>
> Some services, like Twitter even if they have onion site keep forcing me to
> reset password periodically, reminding me that there is a suspicious
> behavior (just by connecting from Tor, not even posting anything) in an
> endless loop.
>
> I would like to use the anon-whonix-twitter AppVM Torbrowser specifically
> for connection to that particular account only and nothing else, no other
> apps or even websites ever used in that anon-whonix-twitter AppVM.
>
> Do you have any advice how to enable Torbrowser in the anon-whonix-twitter
> to work in the VPN over Tor scenario?

> I would use the onion service and deal with the Twitter-side brokenness.

So you would propose to drop the VPN entirely from the equation, use twitter's onion service and just use normal sys-whonix networking in the anon-whonix-twitter AppVM.

The issue I face is not so much laziness in dealing with the annoyance, but the requests for additional, looped identity checks like SMS (I can deal with that from time to time, but not always), continuous password changes and similar craziness. They want to "protect me", omg. I have set up 2FA but it is still the same.

The funny part is that one doesn't even need to have any activity on the account that could be suspicious, because there is no activity at all. The issue is purely the fact of connecting through their own onion service. Which would be funny if it wasn't sad.

Are there any significant drawbacks to using Torbrowser in the VPN over Tor scenario? Just in case they lock me out or something, for my protection of course.

Demi Marie Obenour:

Andrew David Wong:

> If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based AppVM and runs vanilla Firefox, it works like a breeze.
>
> Any ideas how to solve this?

> I think that's by design. Whonix does that to protect you from accidentally compromising your own privacy.

> The answer below was meant to you David. I misidentified Patrick as the author of the answer.

You can call me "Andrew." "David" is my middle name. :)

> Thank you for the answer Patrick. It is possible. The question is how does
> one use VPN over Tor in this case with Torbrowser that doesn't compromise
> the privacy (see the use case below please).
>
> The use case is to connect to a service like Twitter that is not Tor
> friendly from a static non-tor IP address (VPN), but at the same time hide
> my real IP address from the VPN provider by using Tor before I connect to
> the VPN.
>
> Some services, like Twitter even if they have onion site keep forcing me to
> reset password periodically, reminding me that there is a suspicious
> behavior (just by connecting from Tor, not even posting anything) in an
> endless loop.
>
> I would like to use the anon-whonix-twitter AppVM Torbrowser specifically
> for connection to that particular account only and nothing else, no other
> apps or even websites ever used in that anon-whonix-twitter AppVM.
>
> Do you have any advice how to enable Torbrowser in the anon-whonix-twitter
> to work in the VPN over Tor scenario?

> I would use the onion service and deal with the Twitter-side brokenness.

You should read this, then decide whether you still think this setup would be a good idea for you: