Tor -> vpn -> tor -> vpn?

Hello. I’m using Qubes with a whonix template.
I’m planning to set up: Whonix-Workstation → Whonix-Gateway → sys-vpn → Whonix-Gateway2 (clone Whonix-Gateway) → sys-vpn2 → sys-firewall → sys-net.
Both VPN I plan to set up according to this guide https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts (using iptables and CLI scripts).

1. Does this guide provide a sufficient degree of protection against IP and DNS leakage?
2. Should I put the sys-firewall also between the rest of the cubes?
3. Does it make sense to use a clone of the Whonix-Gateway cube as a second TOR? Or is it better to use a TOR from a VPN provider in a sys-vpn cube?
   I would be grateful for answers

No you don’t want to do this.

What made you think alternating tor and a vpn twice would be desirable?

Although I have encountered networks with obstacles bridges could not pass but a vpn acting as a bridge for tor would work, connecting tor directly without any bridging is still the ideal for maintaining the full anonymity and integrity of the network.

VPNs are good for when you want some degree of privacy and sites would otherwise be blocked if tor was detected. Also, if you want an iso of several GB, I would use VPN. Tor used to have a problem with load, but nowadays, F38 updates over tor aren’t using dedicated onion servers to update/download data. Whonix does and Debian sources can be onionized, but you can transfer a ton of data in a completely legitimate way over tor and no one should be yelling at you. Certain other protocols have problems. There are other issues with DNS configured according to the design of the network that might be suboptimal in those cases, I believe.

For me, this configuration doesn’t make sense because your connection will be very slow down for a security benefit that seems almost zero to me.

Tell me if I’m wrong but I believe that tor relays use their own dns but you can use dns-crypt, why not…

You can optionally use a vpn to encrypt the exit node…
rather than Tor -> vpn -> tor -> vpn
Tor-ws -> Tor-gw -> sys-vpn -> sys-dnscrypt -> sys-firewall -> sys-net
ou Tor-ws -> Tor-gw -> sys-dnscrypt -> sys-vpn -> sys-firewall -> sys-net
is more than enough!
This topic could help you to configure un dns-crypt VM…

This is not Qubes OS related topic, thus not a good place to ask. Qubes OS is about security, not anonymity.

I have never heard of that before.

The man page of tor displays many more options like fascist firewall and getting more user-defined control over your nodes (such as excluding) than people usually concern themselves with. Nxy displays these options. Sometimes guards need to be rotated before the 3 month automatic rotation, but I think this option is in network control rather than uses for optimization reasons. There are white papers about the math that supports the goals of the network. But the folks at Whonix are on top of this and I dont think there is much that can be done to improve many of the defaults, just the struggle against network obstacles and blocking.

If you are being serious, I would like to know why you say that. I’ve heard it before elsewhere. I doubt from the exact same person. I think an accurate metaphor for why anonymity strengthens security goes like this: you cannot hit a target if you don’t know who/what/where it is.

Qubes is built with Whonix inside which is all about tor/anonymity. Updates over tor is one of its most exciting features. I had all manner of software and updating requests blocked I could never get without tor, for example.

Is it possible tor allows anonymous ways into the system? If so, so does conventional networking.

Maybe you mean “security” as in the oppressive technical apparatus surveiling and doing harm to free citizens. In that case “security” (gestapo, secret police) is not the same as anonymity, true.

I would say there is no better place. No other OS can combine several OS together and make them interrelate so well. If the proposed network configuration had benefits, then this is the place. Having a system that can have a VPN, a DNS proxy qube, a yggrasil, a Veilid, a freenet qube, i2p, and Whonix all in the same place is something Qubes is suited for and sometimes those networks can interrelate. Take DNS and VPN. A DNS proxy for a VPN might be a legitimate combination. However, usually networks are perfecting the attainment of different design goals that do not combine with other designs well. But not having to have separate drives for each type of means and objective is nice.

Interesting question why the network does not see an “additive” improvement. Why are there only 3 nodes in tor? Seems like you were thinking of increasing the node itteration. Mixmaster tried doing this (Nym is the latest attempt at mix-node networking). I wish more work was done with this because Chaum’s ideas about concealing metadata through mix nodes is very interesting.

I suspect time correlation between a set of monitored VPNs would defeat the purpose of connecting to that VPN with tor. You might have more of a mix of IP to track down, but the time correlations would be easier.

Exactly why not to do this design is still an interesting technical question.

So…my bad!! sorry

@Tezeria Didn’t mean it that way. You obviously know a lot from what you are doing with fully ephemeral qubes. Thought you maybe knew something I never heard before. I think changing the exit with tor options is probably the better way. Making a new sys-whonix-n qube can be necessary if the gateway gets over-fingerprinted, deanonymized, or compromised as I have seen happen in the past. You will then have new entry guards, can increase stream isolation, and have new bridges that can get blocked over time if not kept fresh. The exit node is supposed to be as random as possible (unless you want to exclude 14 eyes countries which seems to be the only reason that option exists apart maybe from reducing latency by excluding the distant) and doesn’t benefit from what isn’t additional obfuscation by a VPN. I’m really curious if we could hear from a tor expert why the anonymity benefit is not additive. It’s something to do with entropy and stats math probably.

Does it really make sense for me to add a separate “dns-crypt” cube to my chain, or does whonix-workstation already protect me enough from DNS leaks?

Whonix already does but I think the person that brought this topic up for discussion is interested in how network modalities can interoperate synergistically if they can at all. I have seen sys-dns qubes proposed several places and even suggested as a default qube for the OS. Leaving your DNS to a VPN might not always be desirable. Let me put it this way: what do experts do when a website denies access because it detects tor? Good DNS and a VPN is all you can do then. There is no way to make the site think it is not tor when it is, is there?

For sure i never say i am an expert! lol
for me, the only reason to use a VPN on the way out of Tor is the fact that the exit node is not encrypted (hence the fact that I ALWAYS visit an https site and not http sites). The vpn would just be used to encrypt the exit node. Personally, I don’t use any vpn with tor, it’s a choice like a other

Indeed, it’s never a good idea to leave a DNS to a single person, hence the interest of dnscrypt:) Of course, some sites detect the use of tor, but some also detect the use of VPNs. In that case… No solution to Access without giving your IP. The only thing you can do to protect your data to a minimum is by using dnscrypt (again, it’s a bias on my part and only my responsibility )

Yeah, wouldn’t it be cool if there were onions for everything?

Now I understand why entry guards, the first node can be deanonymized over 3 months: they are establishing the initial connection with a certain amount of static regularity. That is deanonymizing from the perspective of an ISP or big, full-scale (inter)national, network analyzer.

The exit IP is just known by the site you visit. Maybe that is what you mean by “unencrypted.” You are right, it still is HTTPS encrypted. But that site still has to connect you with the other 2+ nodes. That’s not “unencrypted” to the site, meaning “knowable.” How you interact with the site (cursor motions what you type) and browser fingerprinting is known to them but your original IP is not and only things like keystroke analysis (which Whonix can do something about) and your diction would be attributable to you with a high volume of data.

But why are there options to specify and change exits? It must be for jurisdictional reasons or because you don’t trust that country code’s infrastructure. The exits otherwise should appear as highly random sites with thousands of other people sharing your browser characteristics or using the same protocols with greater or lesser isolated streams with a tor transport.

But total network view (14 eyes IC), time correlation attacks, RATS and Tailored Access, and Spectrum Analysis are a whole other level. Maybe there is something like highly “tuned in” sysadmins of sites that somehow are mystically and delusionally keeping track of you but, no, thinking of exits as “unencrypted” or “knowable” is not accurate. What is meant by running “bad” exits (people say the NSA runs them)? These guys are injecting malicious code into users that they still have to trace back through the middle nodes and entry? They are probably doing device fingerprinting more than anything. You have to exclude exits on a country code scale, so the designers of tor must have known that there is a way for state actors to do something to all the nodes in a country.

I found out why you would want to tor TO a VPN.

This way you could access tor-blocked sites (to the site it’s VPN not tor) and connect to the VPN more anonymously.

VPN first as a bridged can also be useful but not a series of alternating tor and vpn.

Tor over vpn is just the transport side, but it’s more than enough for most people, but only if done correctly.

Tor over vpn over tor over vpn over proxy over whatever does nothing if you customize the browser (fingerprinting) or make rookie mistakes to identify yourself (login). Even poor choice of hops increases your threat model. If you have a large ISP, it’s pretty much guaranteed they not only track and record everything (metadata) everyone is doing (and sell that info to advertisers, corporations and governments), but governments almost assuredly have installed high speed devices on their networks, for times when they want to actively track somebody down in real time. If each of your hops is a server on a network that tracks everything, and also colluding with government tracking devices, then all of that encryption does absolutely nothing to hide you. You might as well run around naked outside, it’s the same visibility. If they can see you at each hop, you’re not fooling anyone. In fact, it’s obvious what you are doing, and you get red flagged.

The bigger problem is client related. Sure a default tor browser helps protect from fingerprinting, but people who don’t understand the threat model will easily make mistakes like logging into an account, or worse, customize the tor browser that makes fingerprinting practically assured. Even a few changes to the nice mullvad browser will assure you are fingerprinted easily.

I used to run tor relays and bridges years ago. Today, I wouldn’t touch tor ever again. There are plenty of articles out there that prove tor has been compromised by the FBI, go google it. It’s safe to say anyone using tor is instantly red flagged. If you must tor, do it over a vpn, so your ISP doesn’t see and flag it (technically they can tell you are tor’ing over vpn from the traffic patterns, if they (ISP or gov’t) choose to actively monitor you), and make sure the vpn server is far enough away from your ISP to be out of their monitoring ability (same shared datacenter), but close enough to keep latency down and throughput high, and also hopefully located in a smaller datacenter that may or may not be actively tracked by governments, if that is even possible anymore. Oh, and a next hop to another country is an instant red flag too. You can bet your life every government on planet Earth actively monitors every packet crossing their borders.

Not to be pessimistic, but there is no such thing as perfect anonymity over the Internet. The only way for assured privacy, is to turn the computer off, and stay off the Internet.

Everything I see here has involved a LOT of assumptions that are unstated.

When ever I see discussions like this, there’s a question that must be asked:

What hunts you?

If you do not have a clear idea of the actual threats you face, you can not begin to determine if your countermeasures are sufficient.

As an example, I have been in conflict with right wing hate groups in the U.S. since 2010. If what I am doing is within the U.S. and publicly visible, I know that I will encounter corporate security, DHS or FBI undercover operations, and I must anticipate malicious prosecution and frivolous litigation. I have been involved in countering the Russian invasion of Ukraine, there I can expect all of the domestic troubles plus Russian intel.

Tor does not work for much of what I want to do and that has been a steadily increasing problem, it’s simply shunned by a lot of web sites. It still works for quick recon part of the time and my most common use case is employing it as a means of remote access, employing ssh as a hidden service.

VPNs, depending on how heavily they are used, are also fading as an access method. Many sites now lump VPNs into the same category as Tor - undesirable. You can just forget about anything that involves a financial transaction, and most of the major social media sites will also treat you as an unwanted prowler.

That begin said, I have used a VPN as a layer between Tor, ensuring that any foolishness related to Tor usage dead ends in an uncooperative jurisdiction. Keep in mind that quality VPNs like Mullvad and Proton offer multi-hop services. This is more or less a similar degree of protection to what Tor offers in the moment - you get on net in one place, get off somewhere else. If you onboard AND offboard in uncooperative jurisdictions, why do you need Tor? I can only think of one case where Proton gave up a user and it was highly situational - the perp, victim, and a lot of the network were all in Switzerland. If you’re not a Swiss cyberstalker, trouble seems highly unlikely. And with Mullvad’s no ID required payment options, they’re even safer.

I have seen it discussed, but I have never done the process of using Tor to connect to a VPN that permits TCP based sessions. This was being used in situations where the operator felt the need for Tor’s anonymity, but the destination refused Tor sessions. Laundering the Tor usage through a VPN got them in without surrendering anonymity. As above, VPNs are getting the same love that Tor does for many services, so this may also no longer work.

Given my threat model, a portion of what I do any more comes down to a burner phone with a generous tethering plan. I bridge a VirtualBox VM such that it pulls an IP via the USB tethered phone, and that’s fine. A subpoena or warrant would expose the phone, but I pay cash. A little more digging would get to the location data. Then someone would need physical surveillance or convincing a judge they need to paw through all the other subscriber data in the area. Actual physical USB tethering matters here, WiFi is NOT sufficient, read Jeremy Hammond’s indictment if it’s not immediately clear why this is the case.

A couple of years ago I did a stint working for an expert witness and we were servicing U.S. federal public defenders. DNS leaks were THE way that people were getting into trouble. How I solve for that with VirtualBox is something akin to the Whonix layout - a VM that’s the client side that uses a gateway VM for access. The gateway VM has static routes to a VPN provider and no default. If the VPN is up, things work. If not, they don’t. That config doesn’t leak. I presume same is possible with Qubes, but after nine years of periodically sampling I am just now starting to put it to work, so I don’t have a rigorous solution yet. It was easy to reproduce what I describe here, cloning sys-net and adding OpenVPN. I am not at all sure that’s the right way to do things.

So, I will say again …

What hunts you?

If you can’t answer that with some specificity, it’s hard to make well founded judgments about countermeasures.

Hunt: IDK. A delusional syndicate that thinks getting information from globally networked and encrypted protocols is easy? What we are talking about here is a pain in the ass for ISPs and Nation State actors, although by no means impossible for the latter.

These guides are a very useful source of quality info: Whonix Documentation
The “advanced” section would be at the level of multihop professional VPNs and Tor. It is not a “county” or “state” internet. The secured protocols (e.g. TLS, DOH), math of crypto curves, diffie-hellman handshakes, Wireguard, multiple nodes, etc are all going to make violating privacy very difficult for intercepts. What you share with a site by fingerprint and interaction specifics is different, but then again, TBB has this taken care of in many respects (full screen doesn’t even matter so much anymore like it used to, for instance). There are also other network architectures besides VPN and Tor. See Yggdrasil, Veilid, for more examples.

Also, there is no tor "over’ VPN, “to” and “through” would be less confusing prepositions. Tor makes an initial connection to the VPN (bridge, ~ obfs) and then exits it to connect to additional tor nodes. That is international traffic and no one ISP or even necessarily one political block (group of nations) is going to have full vantage over all connections, which are, besides, encrypted in themselves. I think the weak point is data the site or end node (person on the other end) can collect. But Tor has a huge adoption and your browser looks just like the rest. I have still not heard of what deep fingerprinting a site can glean that is obtaining hardware identifiers. Timing and spectrum attacks are another story, but that is top cyber arcana. No one knows how exactly that is done in the public.

Delusional Civil Liberties violators just like to pretend these are easy matters because the internet challenges their totalitarian, absolutist dictatorship egos. Try proving accusations it in a Court of Law for nothing illegal instead of just boasting false claims of omnipotence to the sheep of the streets—that’s what I would say to them.

The things I have seen on identification of Tor users via traffic analysis always have a fairly comical initial state assumption - that the ones attempting the unmasking have managed to get the user to download one very large file, and they have some sort of netflow data available to them from multiple points.

That being said, the network IS under constant threat, there’s a lot of motivtion to do this, and it only requires a partial success to cause a LOT of trouble.

Bad actor(s) run 27% of Tor relays.

Crypto monetization scheme blocked from running Tor relays.

The article I am seeking, which has thus far eluded my search abilities, is the story of a major donor of Tor relays being caught offering de-anonymizing services to various authorities.

It’s a mad, mad, mad, MAD world, and layered defenses are the best defenses.

I have heard of “bad actor” exit nodes on Tor. Nothing is perfect.

I’ve seen a lot of SSL downgrade attacks that happen inside tor which won’t with Mullvad VPN. Probably bad exits. Another cool thing about VPN for those who think tor is the only skillful option

It is “theoretically” possible to download GB ISOs from an .onion server. Just look at Qubes OS mirror list. Two different .onion sites for the ISO. But massive bandwidth is required or more than 24 hrs. Don’t know who does that practically. But small package downloads and updates aren’t going to be deanonymized easily. There is also onionshare.

Tailored access pwning seems to be more of the problem than network transport security since we have multiple layers like you said as Qubes users. And all the network infrastructure isn’t in our control which means there are network obstacles from time to time.