VPN inside app vm "test"

I am willing to use open-vpn config files for just one app. And I have configured it like this.

Created a fedora based appVM called “test”. Enabled “network-manager” by going to test’s qube settings. Now this, brings up the network icon for test appVM on the panel. I have set sys-whonix as networking VM for test appVM. Clicked the network icon for test appVM and added my vpn and connected.

So theoretically, my traffic must be going through test’s VPN>sys-whonix. Right? Or enabling network-manager will cause it to bypass sys-whonix?

Yes your traffic should always go via the NetVM you have chosen in the AppVM settings.

But using a VPN after connecting to Tor could potentially deanonymize you. This specific setup that you’re trying to achieve is discussed in detail on the Whonix wiki, so be sure to read that too: Combining Tunnels with Tor

1 Like

I’ve read VPN over Tor is preferred but I also found I can’t connect to VPN through sys-whonix.

Right! Your computer is establishing a connection through the Tor network to connect to your VPN.

What’s your use case for a setup like this? The most common uses of the Tor network and VPN providers are:

  • anonymity or pseudonymity by masking a user’s IP address
  • bypassing content blocks.

By using this setup, you’re actually weakening the an/pseudonymity protections in a couple ways.

  1. You’re sending all of your traffic over one circuit. Tor, in its standard configuration, sends traffic to different computers over different circuits (if I visit two sites at www.a.com and www.b.com, the traffic I exchange with the computers behind those two domains takes two different paths through the Tor network). However in your setup, your traffic is taking one defined path through the network (one circuit) because all of your traffic is going to one place (your VPN provider) before it goes anywhere else. As far as computers you’re connecting to are concerned, sure, your identity is masked because your IP address is the same as these ten or a hundred or a thousand different other sessions. However, anyone who’s able to observe traffic from your computer into your first hop into the Tor network and your hop out of the Tor network to your VPN provider can use traffic analysis techniques to be able to tell that your computer is connecting to that VPN. For example, an ISP might be able to do this, or what’s known as a “gloabl passive adversary”. You probably don’t have to worry about this unless you’re a dissident in a totalitarian state, but in that case, they’ve probably got Tor blocked, and you really shouldn’t be taking advice from me.

  2. Fingerprinting is a well-refined science (especially on the web). Just using a proxy, VPN or Tor isn’t enough to remain truly masked. Even though these other computers you’re connecting to via your VPN don’t know your IP, they can use metrics like latency, HTTP headers, even just a cookie to identify you across sessions. (“But I clear my cookies!” “Well, what about your apps? Those can use cookies too!”)

Your censorship/content blocking circumvention is unaffected. Any computer you can connect to over Tor, you can connect to with your VPN.

Okay, so those are the downsides of your setup. What are some of the upsides?

A couple use cases for a setup like this are:

  • Users want to control the IP address a computer sees them as connecting with. “I want to use a German exit node so Netflix lets me watch the newest season of Better Call Saul!” or “This computer I need to connect to blocks traffic from Tor exit nodes!”

    • You’d be better off using native Tor configuration (see “torrc”) to specify how you’d like Tor to create circuits for you, so you avoid the first an/pseudonymity concern of sending everything over one circuit, and using something like the Tor browser to avoid the second concern of fingerprinting. And if you’re using your personal Netflix account, well… your traffic will be linked back to you anyway :wink:
  • Users want to hide their true IP address from a VPN provider in case of compromise, so their traffic can’t be linked back to them. Check out all the “no-log” VPN leaks.

    • Unless you’re paying for this VPN through tumbled cryptocurrency and have no identifiers associated with your account or any prior sessions, anyone in control of your VPN can link your traffic back to you, anyway. A hypothetical adversarial VPN (which almost definitely does not exist) would need you to slip up just once to be able to link all of your traffic back to you,

For either of these purposes, maybe you’re better off connecting to a free proxy. Even if this free proxy keeps eternal, public logs, they’d just see a specific Tor node it’s seen a million times before sending traffic through it. Concern (1) still applies – everything over one circuit, but at least you’re not out of a Tor exit node… Just make sure you’re always using TLS to resist both snooping and most fingerprinting!


Hmm, lots of things might be going wrong here. Does your VPN use TCP or UDP? Your problem might be that Tor only supports TCP. Whonix does have a workaround for this… check out all the guides in the Qubes and Whonix docs to see if you can identify your problem.

You’re right. I tried a couple VPN and they connect on TCP only.

I think I understand the arguments against VPN but how is it any worse than an ISP? I mean… if you’re making it harder and creating more legal paperwork and delays to get a warrant from a VPN, why not?

On the other hand, I read VPN monitor traffic and individual accounts for abuses. If that’s the case, wouldn’t governments drool over this? They can get a warrant and chomp on popcorn monitoring your traffic live instead of painstakingly fall asleep fishing through old logs from the past.

This is a topic not directly related to Qubes OS. Such topics are discussed here in a special, hidden category “All around Qubes”, which is only accessible to users with Trust Level 2 and higher. We have a long discussion of this problem here:

I wish all registered users had at least reading access there.

1 Like

I’m only trying to access just one simple website that blocks tor IP address or won’t work on them. But if I connect to a VPN it will let me connect.
So I set this up only to let my VPN see my tor IP address and not mine. And the website I access sees my VPNs IP address. The VPN I use is free and requires no sign up.

Again my “test” appVM has network-manager enabled. I connect using open-vpn config or temporarily install vpn app in my test appVM. And I have set sys-whonix as my networking VM for “test”.

In this setup what I’m trying to understand that is VPN able to know my actual IP address? If yes, how? All traffic is routed through sys-whonix.

Great. Check this resource out:

Or as an Onion: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tunnel_UDP_over_Tor

You’re correct. Over this setup, your IP isn’t directly exposed to your VPN provider. Still, both the VPN and the web site you’re connecting to can fingerprint you. (Your VPN will have a much harder time fingerprinting over HTTPS but some attacks still apply.) If either can match this fingerprint with reasonable certainty to some profile they might already have on you then they can de-anonymize you, and potentially reveal your IP address if it is already associated with that profile.

For this specific use case, you might want to try is Startpage’s Anonymous View service over Tor browser. It works just like a proxy (+ over HTTPS) and is entirely in-browser, so you can rely on Tor browser’s anti-fingerprinting protections. It’s also nice to avoid setting up and potentially misconfiguring more ProxyVMs. Same attacks apply, both Startpage and the web site you want to connect to could potentially fingerprint you, but are going to have a lot harder of a time. Your IP address is exposed to neither.

I’d urge you to try to change your perspective from viewing the IP address as the be-all-end-all for anonymity on the Internet to just a piece of the puzzle. Understand that there’s a lot more to de-anonymizing than just getting someone’s IP address, high- and low-tech, including: analyzing usage habits, analyzing data transfer speeds, getting their e-mail address, spyware in a compromised machine (or a VM), supercookies, malicious Tor exit nodes, GPAs doing traffic analysis, tracking pixels in e-mails, recognizing their profile picture…

There’s a lot of great material to read out there if you’re interested. I’ll recommend Whonix’s “Do Not” guide:

Or as an Onion: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/DoNot

It didn’t work for me. If I followed the gui route, it creates a firewall file here /var/temp/50_userXXuEiFF1.conf.

The terminal route refers to a firewall file here /usr/local/etc/whonix_firewall.d/50_user.conf.

I couldn’t get it to work either route. There’s a little point of confusion for me in those instructions. I modified the sys-whonix firewall AppVM. The instruction referred to Whonix-Workstation AppVM. Maybe I didn’t do it right.

I wish I could be of more help – I’ve never set up a UDP VPN, let alone through a Whonix Gateway.

I only gave the wiki page I linked a quick overlook. Having a second look, it looks like the “VPN method” described isn’t for setting up a UDP VPN, but uses a VPN for establishing a UDP connection. That is:

You > Tor > VPN (via TCP, converts stream to UDP) > Some server speaking UDP (in our case, another VPN)

Chaining together two VPNs over Tor is not ideal: leads to substantial latency and goes against the goal of not wanting to use a TCP VPN.

I’m thinking the reason it didn’t work is because you didn’t set up the VPN over VPN over Tor tunnel first and jumped right to the firewall reconfiguration so that your Gateway would accept UDP streams.

Before I give the methods described on this (Onion) wiki page a deeper dive to see if I can help you, can I ask first what your use case is? I understand that you’d like to use a VPN over Tor, which, as I discussed with @shdjune, has its drawbacks and compromises of an/pseudonymity. Why, not only a VPN, but specifically a UDP VPN?

Not a big deal. thanks anyway

Sorry I couldn’t be of more help. There are proposals to make VPN configuration and ProxyVM management much more user-friendly in Qubes. I think they might even be on the roadmap for 4.1.