Tor over VPN

I am experimenting with a “Tor over VPN” setup. Does anyone have any thoughts about further hardening my setup to prevent DNS & IP leaks or enhance overall security/privacy? Potential weak points? Pros and cons of Tor over VPN vs. VPN over Tor?

My VM network consists of:

AppVM → firewall → VPNproxy → firewall → whonix-gw → sys-firewall → sys-net

All VPN connections through the VPNproxy are TCP via port 443. It also has the firewall configured to block all non-VPN IP traffic, accepts DNS and drops ICMP. DNS leaks are mitigated by redirecting all DNS requests to the private IPs used by my VPN provider via /rw/config/qubes-firewall-user-script which is configured as follows:

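```bash
# $virtualif, $vpndns1 and $vpndns2 must be set before these rules run (not shown in the post).
iptables -F OUTPUT                     # flush the filter-table OUTPUT chain
iptables -I FORWARD -o eth0 -j DROP    # never forward downstream traffic out the upstream interface
iptables -I FORWARD -i eth0 -j DROP    # never forward traffic arriving on the upstream interface
iptables -F PR-QBS -t nat              # clear the existing DNS redirect rules
# Rewrite DNS queries addressed to $virtualif so they go to the VPN provider's resolvers.
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
# These match the same packets as the two rules above, so they are never reached.
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2
```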

I’m unclear about a couple of things.

  1. Do all three firewalls in my setup serve a beneficial function (at least theoretically) or am I wasting resources?

  2. Does the firewall script need to be modified to account for my use of TCP via port 443 for VPN traffic?

  3. Is there any way to further leakproof my DNS? It still throws occasional errors when I test it. What are the current DNS weaknesses of my setup?

  4. Are there any changes that should be made to my whonix-gw to account for my use of a VPN?

  5. Does the inclusion of Tor really help with privacy when using my VPN this way? In terms of local snooping or surveillance, doesn’t my traffic still look the same (i.e. going to and from my VPN service IP)? How does the addition of a Tor bridge or relays help enhance security or privacy when I first connect to my VPN?

1 Like
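An added example (not part of the original post or of the Qubes documentation): one way to check DNS redirect rules like the ones above is to audit the text that `iptables-save -t nat` prints. The function names and the addresses 10.137.0.50, 10.8.0.1 and 10.8.0.2 are constructed placeholders standing in for `$virtualif`, `$vpndns1` and `$vpndns2`.

```shell
#!/bin/bash
# Added example: audit DNS DNAT rules from `iptables-save -t nat` text on stdin.
# Arguments: the resolver IPs that DNS is allowed to be rewritten to.
audit_dns_dnat() {
    awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Only appended rules that DNAT destination port 53 are of interest.
    $1 == "-A" && /--dport 53( |$)/ && /-j DNAT/ {
        dst = proto = to = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") dst = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--to-destination" || $i == "--to") to = $(i + 1)
        }
        key = $2 " " dst " " proto    # same chain and match = same packets
        seen[proto] = 1
        if (!(to in ok)) { print "FAIL " proto " DNS rewritten to unexpected " to; fail = 1 }
        # DNAT is a terminating target: a later rule with the same match never runs.
        if (key in first) print "WARN " proto " rule to " to " is shadowed by rule to " first[key]
        else first[key] = to
    }
    END {
        if (!("udp" in seen)) { print "FAIL no DNAT rule for udp/53"; fail = 1 }
        if (!("tcp" in seen)) { print "FAIL no DNAT rule for tcp/53"; fail = 1 }
        exit fail + 0
    }'
}

# Constructed sample in iptables-save format, mirroring the four rules in the post.
sample_rules() {
    cat <<'EOF'
*nat
:PR-QBS - [0:0]
-A PR-QBS -d 10.137.0.50/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -d 10.137.0.50/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -d 10.137.0.50/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.2
-A PR-QBS -d 10.137.0.50/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.2
COMMIT
EOF
}

# Stand-alone run on the sample; on a live qube, pipe `iptables-save -t nat` in instead.
sample_rules | audit_dns_dnat 10.8.0.1 10.8.0.2
```

A WARN line means the second resolver is never used, so there is no failover if the first one is unreachable; a FAIL line means DNS could be sent somewhere other than the listed resolvers, or one protocol is not redirected at all.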

I believe that, contradictory to your first statement, the topology you diagrammed is actually “VPN over TOR”.


1 Like

@brendanhoar You know it’s funny you mention that because I naturally think of my set up as VPN over TOR… but I was “corrected” by the following article prior to posting this thread. Now I’m not sure at all which is the correct term.

1 Like

Ok, I don’t want to read the various articles.

My logic follows:

If I have firefox in appvm → vpn → net, I would say “I am using firefox over vpn”. I would not say “I am using VPN over firefox”.

So if I have whonix-gw → vpn → net, I would say “I am using Tor over VPN”, I would not say “I am using VPN over Tor.”

And if I have torbrowser in anon-whonix → whonix-gw → vpn → net, I would say “I am using torbrowser over Tor over VPN”. I would not say “I am using torbrowser over VPN over Tor.”


1 Like

@brendanhoar I totally understand your thinking and I agree with you. However, the article I posted states:

“When you opt for Tor over VPN, you would first connect to one of the servers offered by your VPN provider, which will encrypt your entire online traffic. Then, the encrypted traffic is redirected through the TOR network using a few TOR nodes, before it finally reaches the internet.”

That’s why I titled the thread as such. At this point, maybe someone else can clarify as to the most commonly accepted term for connecting to VPN before TOR.

The only thing I can think of is that “Tor over VPN” is somehow thought of as using Tor with VPN as your “base” or primary/initial connection. No idea.

See also this discussion:, especially this post:

1 Like

The left-most firewall might restrict app-specific traffic.
The firewall on the right side might restrict traffic to only be directed to the VPN gateway, given you have a static address.
Though I would recommend to use the anti-leak feature in Contents/ at master · Qubes-Community/Contents · GitHub (point 5) via iptables, which effectively only allows traffic for an isolated user, which is solely used by the openvpn client.

See the above mentioned guide and firewall script again.

Just pay attention to keep the Gateway TransPort active, which is enabled by default.

It depends :slight_smile: .
ISP will see you are using Tor.
VPN provider will only see your Tor IP.
The destination will see your VPN IP.
Tor bridges / relays can help in censored situations, where the ISP is actively blocking Tor.
There will be no Tor stream isolation - meaning all your tunneled traffic always will go through same Tor circuits, which might increase the chance for correlation attacks.

1 Like

Hey all,
I wrote a private message to @necker as I wasn’t sure my message would be useful for the community, but from his reaction I noticed that it may be useful to others too. So I hope this helps someone. (and please correct me where I’m wrong!)

The way I understand it is, for example

sys-net connects to your ISP
whonix-gw connects through your ISP to the TOR network
VPNproxy connects through the TOR network to your VPN

one ‘over’ another is a bit confusing… maybe we better say one ‘through’ the other?

My VPN provider allows me a bunch of connections at the same time, so what I do is…
when I don’t need anonymity:
AppVPN → firewall1 → VPN1 → VPN0 → firewall0 → sys-net
with VPN0 connected to a VPN in my country
with VPN1 connected to a VPN in another country
I don’t put a firewall in-between the VPN-proxies as apart from the VPN login there’s nothing in there
When I do need anonymity:
disposible-whonix-ws → firewall2 → sys-whonix → firewall1 → VPN1 → VPN0 → firewall0 → sys-net

That is my current setup. I still haven’t read The Hitchhiker’s Guide to Online Anonymity @ppc linked to, so I may change my mind.

I think:
using VPN through TOR (what you do) still identifies you as your VPN-username as the first part is anonymized, but the last part identifies you again as you use the exit-node connected to your VPN-username.
using TOR through VPN (what I do) will let the ISP know I’m using VPN. It will let my VPN-provider know I use TOR, and it will let the website I visit know the traffic comes from TOR.

To which @necker replied:

What helps me is to visualize things:

So let’s take the example of your ISP: “what does your ISP see?”
Your ISP sees encrypted data coming in from your IP and forwards that data to VPN0
So, your ISP has your IP and the IP of your VPN provider. And the government could pressure to give them your IP address and the IP of your VPN provider, but your ISP can’t hand over the data as it is encrypted.

What does VPN0 see?
They see your IP address, that sends data routed through your ISP’s IP address. The data that comes in gets un-encrypted by your “VPN0-tunnel” encryption password, and the data (which is encrypted another time with a VPN1-tunnel encryption key) is forwarded to VPN1’s IP address.
So if the government forces your VPN0 provider, the VPN0 provider can give the government: your IP, your ISP’s details, your VPN1’s IP address, your VPN0-account-details and they could decrypt the first encryption-layer of your data (only VPN0-tunnel-encryption-password).

What does VPN1 see?
They see VPN0’s IP address. The data that comes in gets un-encrypted by your “VPN1-tunnel” encryption password, and the data (which is encrypted another time with a TOR-tunnel encryption key) is forwarded to TOR’s entry IP address.
So if the government forces your VPN1 provider, the VPN1 provider can give the government: your VPN0’s IP address, your VPN1-account-details, your TOR entry IP address and they could decrypt the second encryption-layer of your data (only VPN1-tunnel-encryption-password).

So… if the government starts from your IP address… they can force the ISP to give them everything… then go to VPN0 and demand everything they know, so they end up with VPN1 and pressure them to expose you… but then they come to TOR and they are stuck… As they know you send data that was encrypted but have no idea what that data is.

What does the website you visit see?
They see the TOR’s exit-node IP address. The data that comes in via ‘https-encryption’. And they send back the data you requested.
So if the government forces the website to expose you, all they can give the government is TOR’s exit-node IP address, and all data you shared/requested on/to that website.

Now… if you do VPN through TOR through VPN it looks like this:

So let’s say the government pressures the website you visit to disclose your details, what can they tell you?
Well… they can disclose what you did on their site and the IP of your VPN1 provider… and that provider can give the government your user-account-details. Thus… by using VPN after you use TOR de-anonymizes your data and the government knows everything you do, even though you go through TOR.

However, if your VPN1 username and account is not connected to you… then they still can’t connect it to you as a person. But if you use a paid service… then somehow, your VPN-details are coupled to your bank account (or bitcoin-wallet), which may be traced back to you. (Your Bitcoin-wallet may be connected to your crypto exchange (or to someone else who gave you the bitcoin and can identify you))

I hope this may help someone, and hopefully there are not too many mistakes. If there are, then please let the community know :smiley:


when i normally read i didn’t notice that, good to know

i can’t understand why you and anyone using this method came up with this, it is not a good way

much better now

why not try tor (with bridge) through vpn through tor?

monero? if you even more paranoid

also about vpn

Fantastic diagrams.

Based on my limited knowledge, DNS leaks (among other things) might also be an issue with just VPNs; but I’m not sure how it interacts with a Tor-over-VPN (or reverse) setup. Would you happen to know?

Thank you. Those are great suggestions. I will try them out.

@ppc and @VPN-time Both Mullvad and IVPN accept mail in cash payments.

i don’t prefer that (for many reasons)

@ppc Just curious… besides “lost in the mail” or the VPN stealing your money, what is the problem? Modern mail systems are extremely reliable and those two VPNs would stand to lose a lot more in reputation if they were stealing petty amounts of cash. There are no social media reports of customers from either company complaining of lost cash.

and more
i can’t accomplish there thing to make me anonymous

Well… those precautions are obvious. And any network activity is inherently risky. But I would personally consider the potential for digital traces via Monero purchases to have just as many risks as cash to de-anonymizing. For me, cash seems more anonymous because there always seems to be another hidden variable in the digital world.

For some people that may be that they have to go to a bank to buy Euro’s or dollars… => no jab = no entry

Someone suggested to look into companies that offer a credit card that you top up with crypto (my friend talked about wirexapp, but I haven’t had the time to look into it if it can really be anonymous.)
Does anyone have experience with such companies? And which ones offer true anonymity?

[doorbell rings]
me: hi, sorry to bother you, but there was a letter sent to me, but they used the wrong address… did you get my letter?
other guy/gal: what’s your name
me: Bambi
other guy/gal: oh yeah, here it is
me: thanks! Here, enjoy this six-pack.