Vpn over tor setup

I would simply like some tips about my setup.

sys-net → sys-firewall → sys-whonix → vpn-firewall (to hold sys-vpn firewall rules) → sys-vpn

sys-vpn has a firewall set via qvm-firewall so it can only access my VPN server; the VPN app itself has lockdown mode set, running udp2tcp (WireGuard).

  1. How leak-proof is my setup? In what scenario could I leak?
  2. Is there absolutely no way for sys-vpn to bypass sys-whonix somehow? I get internet speeds at times far greater than I should be getting (2 Mbps downloads at times).

Right now, sys-vpn has a firewall rule to only accept from my VPN server. Should I also add proto=tcp there, or is that useless?

After adding proto=tcp my internet speed decreased 4x. Does this mean I was leaking IP / the VPN connection bypassed Tor? wtf

You should investigate this. Ask the same question in the Whonix forum; they can probably help you better than I can, but:

  • You could check on sys-net with sudo tcpdump -ni any host <VPN_IP> and '(tcp or udp)'. There should be zero packets if Tor is in the path.
  • Maybe it's also possible by opening "Onion Circuits" on Whonix and looking for a stream to your VPN server's IP:port.
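The tcpdump check above is the decisive test: sys-net should only ever see traffic to Tor guards or bridges, never to the VPN server itself. The script below is an added example, not from this thread or from Qubes/Whonix; it parses the summary lines that `tcpdump -n` prints on sys-net, flags any packet whose source or destination is the VPN server, and tallies remote peers so they can be compared against the guard IPs shown in Onion Circuits. It assumes IPv4 and the standard tcpdump line format; the addresses in the embedded sample (192.0.2.10 as sys-net's upstream address, 198.51.100.20 as a Tor guard, 203.0.113.7 as the VPN server) are constructed, not captured from a real system.

```python
"""Flag direct sys-net contact with a VPN server that should only be reachable via Tor.

Usage on sys-net (example, assumed invocation):
    sudo tcpdump -nl -i any 'tcp or udp' | python3 vpn_leak_check.py <VPN_IP> <SYS_NET_UPSTREAM_IP>
Without arguments it runs over the constructed sample lines below.
"""
import re
import sys
from collections import Counter

# Constructed sample of tcpdump -n output (not a real capture). The first two lines are
# the normal case (sys-net talking to a Tor guard); the last two are what a bypass of
# sys-whonix would look like (sys-net talking to the VPN server directly).
SAMPLE_LINES = [
    "12:00:01.000001 IP 192.0.2.10.40112 > 198.51.100.20.443: Flags [P.], seq 1:518, ack 1, win 502, length 517",
    "12:00:01.000002 IP 198.51.100.20.443 > 192.0.2.10.40112: Flags [.], ack 518, win 501, length 0",
    "12:00:02.000001 IP 192.0.2.10.51820 > 203.0.113.7.51820: UDP, length 148",
    "12:00:02.000002 IP 192.0.2.10.40113 > 203.0.113.7.443: Flags [S], seq 0, win 64240, length 0",
]

# IPv4 TCP ("Flags [...]") and UDP summary lines; IP6 lines deliberately do not match.
PKT_RE = re.compile(
    r"\bIP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<kind>Flags|UDP)"
)


def parse_packet(line):
    """Return (src, sport, dst, dport, proto) for an IPv4 TCP/UDP line, else None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    proto = "tcp" if m.group("kind") == "Flags" else "udp"
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")), proto


def find_leaks(lines, vpn_ip):
    """Packets on sys-net whose source or destination is the VPN server itself.

    With sys-vpn behind sys-whonix, the VPN server's address must never appear on
    sys-net's wire; every hit here is a packet that bypassed Tor.
    """
    hits = []
    for line in lines:
        pkt = parse_packet(line)
        if pkt and vpn_ip in (pkt[0], pkt[2]):
            hits.append(pkt)
    return hits


def peer_counts(lines, local_ip):
    """Count packets per (remote peer, protocol), e.g. {('198.51.100.20', 'tcp'): 2}.

    The remote side is whichever address is not sys-net's own upstream address.
    Compare the result against the guard/bridge IPs in Onion Circuits on sys-whonix.
    """
    counts = Counter()
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, _, dst, _, proto = pkt
        peer = dst if src == local_ip else src
        counts[(peer, proto)] += 1
    return counts


def main(argv):
    if len(argv) >= 3:
        vpn_ip, local_ip = argv[1], argv[2]
        lines = []
        try:  # Ctrl-C ends the tcpdump pipeline; keep what was read so far
            for raw in sys.stdin:
                lines.append(raw.rstrip("\n"))
        except KeyboardInterrupt:
            pass
    else:
        vpn_ip, local_ip, lines = "203.0.113.7", "192.0.2.10", SAMPLE_LINES

    for (peer, proto), n in sorted(peer_counts(lines, local_ip).items()):
        print(f"{peer:>15} {proto}  {n} packet(s)")
    leaks = find_leaks(lines, vpn_ip)
    if leaks:
        print(f"LEAK: {len(leaks)} packet(s) to/from {vpn_ip} seen on sys-net (Tor bypassed)")
        return 1
    print(f"ok: no direct traffic to/from {vpn_ip} on sys-net")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes it usable from a script; a non-zero status means the VPN server's address was seen on sys-net, which is exactly the condition the reply above says should never occur when Tor is in the path.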

After switching to OpenVPN (instead of WireGuard + udp2tcp) with the same firewall rules, speed is back to normal. Perhaps udp2tcp bugs out when UDP is blocked, for whatever reason.

This is completely overkill. Try this instead:

sys-net → sys-firewall → sys-whonix → tor-vpn

tor-vpn doesn't have to be a network qube, as long as it has sys-whonix as its network qube. On tor-vpn, install OpenVPN and get a TCP config. Launch it, and everything in tor-vpn now goes through Whonix to the OpenVPN server. You can check the sys-whonix Tor Control Panel for the kind of connections it's making; you should see the IP address of the VPN server in there.

Please keep in mind that VPN over Tor should be used with caution. It's fine for temporary use, for example to access a site that blocks Tor, but I advise against using it regularly. Ideally, use temporary VPN tokens (< 3 days), such as those offered by AirVPN and cryptostorm.