Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

taran1s:

Chris Laprise:

unman:

taran1s:

Chris, I tried now to connect to the kraken.com, which seems to be tor
unfriendly through me->tor->VPN->kraken.com but it returns error on
the site "Disabled".

I learned now that despite I use the above connection model, using VPN
as an exit, I still exit from the tor exit and not from the VPN. I
am not sure what broke.

If I understand your model: me->tor->VPN->kraken.com
you are running Tor *through* your VPN - this means that your service
provider sees your connection to the VPN, and your VPN provider sees
your connection to the first Tor hop.
Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
exit node that connects to kraken.
The VPN is NOT an exit in this model. Nothing has broken.

I am actually using mullvad VPN. The idea is to have the possibility to
access websites or services (like kraken.com) that are not tor-friendly.
I would like to connect first to Tor through sys-whonix then connect to
the VPN through VPN AppVM and from that VPN to connect to the clearnet.

I set the AppVMs networking following way: anon-whonix networking set
to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
the clearnet. Is that right for my model?

No.
Think about it.
anon-whonix creates a request.
sys-whonix takes that request, and builds a circuit.
VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
The VPN provider gets the Tor traffic, and sends it on to the first
hop.
Then it goes via Tor to the exit node and then to the target.
Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
going to Tor; the target sees traffic coming from Tor network.

*Always* use check.torproject.org to confirm your exit IP in this sort of
case (always) so that actual matches expectations.

What you have built (in packet terms) is:
me - Tor - VPN - target.

What you seem to want is:
me - VPN - Tor - target

To do that you need to build the VPN traffic and send it down a Tor
circuit.
Your Qubes network configuration should be:
client - VPN qube - Tor qube - sys-firewall - sys-net

A good rule of thumb is that whichever proxyVM is directly attached to
your appVM will be the type of network that the remote service sees.

I have no idea if Whonix will let you do this.

This should work for most VPNs, as Patrick and I and others have tested
it (though I haven't tested Whonix specifically with Mullvad). The only
constraint is that the VPN use TCP instead of UDP.

Thank you for the hint with ProxyVM logic.

I tried both configurations from Mullvad with UDP and TCP 443, but
didn't get it to work. The VPN-ProxyVM cycles at ready to start link but
never goes to the Link Up. Mullvad's options are Default (UDP), UDP 53,
TCP 80 and TCP 443.

Chris, if you have any chance to try the setup, would be very much
appreciated.

Hello everyone, did anyone actually manage to make this setup run? Possibly any additional ideas how to accomplish the task of connecting in the above configuration?
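
The rule of thumb and the TCP constraint discussed in this thread, as a small model added here for illustration (it is not code from any poster, Qubes or Whonix). `Tunnel` and `trace` are hypothetical names, the qube names are the ones used in the thread, and the model only tracks which endpoints each observer sees, not real traffic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    name: str                # proxy qube name (taken from the thread)
    kind: str                # "tor" or "vpn"
    transport: str = "tcp"   # protocol the tunnel's own packets travel over

def trace(chain):
    """chain: proxy qubes ordered from the one attached to the app qube
    outward toward sys-net. Returns what each observer sees."""
    for i, t in enumerate(chain):
        # A tunnel whose packets are carried by a Tor qube further out must
        # use TCP, because Tor only transports TCP streams.
        if t.transport != "tcp" and any(o.kind == "tor" for o in chain[i + 1:]):
            raise ValueError(f"{t.name}: {t.transport.upper()} cannot be carried over Tor")
    inner, outer = chain[0], chain[-1]
    views = {
        # The ISP only sees the outermost tunnel (the qube nearest sys-net).
        "isp": f"user -> {outer.name} entry",
        # The target sees the exit of the tunnel attached to the app qube.
        "target": f"{inner.name} exit -> target",
    }
    for i, t in enumerate(chain):
        # Each tunnel sees traffic arriving from the tunnel wrapped around it
        # and forwards it to the tunnel (or target) nested inside it.
        src = f"{chain[i + 1].name} exit" if i + 1 < len(chain) else "user"
        dst = f"{chain[i - 1].name} entry" if i > 0 else "target"
        views[t.name] = f"{src} -> {dst}"
    return views

# Constructed sample chains matching the two setups discussed in the thread.
# anon-whonix -> sys-whonix -> VPN-AppVM -> clearnet (the setup as first built)
BUILT = [Tunnel("sys-whonix", "tor"), Tunnel("VPN-AppVM", "vpn", "udp")]
# client -> VPN qube -> Tor qube -> sys-firewall -> sys-net (the suggested setup)
WANTED = [Tunnel("VPN-AppVM", "vpn", "tcp"), Tunnel("sys-whonix", "tor")]

if __name__ == "__main__":
    for label, chain in (("built", BUILT), ("wanted", WANTED)):
        print(label)
        for observer, view in trace(chain).items():
            print(f"  {observer:12} {view}")
```
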