VPN and Whonix WS Configuration

I just configured my VPN using Micah Lee's guide. I have changed my global settings so that default netVM goes through my VPN.

I just want to know if that makes it so all of my qubes now go through my VPN or all qubes I create from that point on go through my VPN.

Also, how does Whonix work with my VPN? Do I create my workstation and network it with VPN, or network it with gw, and network Gateway with VPN?

> I just want to know if that makes it so all of my qubes now go through my VPN

Not necessarily. You need to check in the Qube Manager or using qvm-prefs my_qube netvm to be sure.

> or all qubes I create from that point on go through my VPN.

Yes. Although personally I have set default_netvm to ‘’ to make it so all newly created qubes are offline by default. If a qube needs network, I want to make the decision consciously and not by default.

> how does whonix work with my VPN?

Just fine. You can either leave sys-whonix connected to clearnet or connect it to your VPN.

> Do I create my workstation and network it with VPN, or network it with gw, and network Gateway with VPN?

Whonix workstations will not accept any netvm that is not a Whonix gateway.

This was very helpful.

I'm still confused on the last part.
If I want to connect to VPN before Whonix, I would set up sys-whonix with my VPN. Then run Whonix WS?

> If I want to connect to VPN before Whonix, I would set up sys-whonix with my VPN. Then run Whonix WS?

Principles:

  • qubes get network connection from proxy qubes assigned to their netvm property
  • if the proxy qube doesn’t have network connection (yet), it won’t be able to provide it either
  • a properly configured VPN proxy qube won’t provide network unless the VPN is active and connected
  • Whonix workstations will not accept any network connection other than from a Whonix gateway
  • a Whonix gateway will only provide network when it has established a Tor connection

Your case:

  • the Whonix workstation gets its network from sys-whonix
  • sys-whonix only provides network when a Tor connection is established
  • to establish a Tor connection, sys-whonix needs its network connection to work
  • sys-whonix’s netvm is set to your VPN qube
  • the VPN qube (if configured correctly) will only provide network when the VPN is active and connected

Conclusion: you don’t have to worry about timing. Even better, if set up as described above, Qubes OS will launch all the qubes needed automatically. If all of your qubes are shut down and you start your Whonix workstation, a recursive chain of launches happens:

  1. Whonix workstation needs sys-whonix and starts it …
  2. sys-whonix needs VPN qube and starts it …
  3. VPN qube needs sys-firewall and starts it …
  4. sys-firewall needs sys-net and starts it …
  5. sys-net starts and establishes connection, provides network to sys-firewall
  6. sys-firewall comes online and provides network to VPN qube
  7. VPN qube gets network and establishes encrypted tunnel to VPN, then provides network to sys-whonix
  8. sys-whonix gets network and establishes Tor connection, then provides network to Whonix workstation
  9. Whonix workstations get network
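
The netvm chain described in this thread can be verified from dom0 by following each qube's netvm property with qvm-prefs. The script below is an added example, not part of any post in the thread; the function names and the QVM_PREFS override variable are this example's own, and it assumes qvm-prefs prints either an empty line or "None" for a qube with no netvm.

```shell
#!/bin/sh
# Added example (not from the thread). Intended to be sourced or run in dom0.
# QVM_PREFS is an assumption of this example: it names the command used to
# look up a property, so the lookup can be replaced; default is qvm-prefs.
QVM_PREFS=${QVM_PREFS:-qvm-prefs}

# Print the netvm chain of a qube, one name per line, starting with the qube
# itself and ending at the last qube that has no netvm (normally sys-net).
netvm_chain() {
    qube=$1
    hops=0
    while [ -n "$qube" ] && [ "$qube" != "None" ]; do
        printf '%s\n' "$qube"
        hops=$((hops + 1))
        # Stop on an implausibly long chain instead of looping forever.
        if [ "$hops" -gt 16 ]; then return 1; fi
        # Unknown qube or failed lookup: report failure to the caller.
        qube=$($QVM_PREFS "$qube" netvm 2>/dev/null) || return 1
    done
}

# Succeed only if the chain starts: workstation -> gateway -> vpn -> ...
# i.e. the gateway reaches the network through the VPN qube and nothing
# sits between them. Arguments: <workstation> <gateway> <vpn-qube>
check_vpn_before_tor() {
    ws=$1
    gw=$2
    vpn=$3
    chain=$(netvm_chain "$ws") || return 1
    # Qube names contain no whitespace, so word splitting is safe here.
    set -- $chain
    [ "$1" = "$ws" ] && [ "$2" = "$gw" ] && [ "$3" = "$vpn" ]
}

# Usage in dom0 (qube names other than sys-whonix are placeholders):
#   netvm_chain <workstation>
#   check_vpn_before_tor <workstation> sys-whonix <vpn-qube> && echo OK
```

A failing check means the workstation's traffic does not pass through the VPN qube directly behind sys-whonix, so inspect the output of netvm_chain to see where the chain differs.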