VPN + Whonix, or No VPN?

Hello. I am wondering whether it would make any sense in terms of OPSEC to connect to Whonix through a VPN, so the ISP doesn’t see Tor usage so clearly. I heard that if it’s done this way, VPN first —> Tor, the Tor route/used nodes would always be the same? Or?

So, I’m using a VPN on all other qubes to provide privacy, but I’m wondering whether it is necessary to even bother with Whonix, being reasonably secure already. And if so, why?

Share your thoughts.

1 Like

Hi,

Tor will work the same if you use it behind a VPN; the circuit will change as usual (every dozen hours if I remember correctly). This will hide your Tor usage from your ISP or anyone looking at your network traffic nearby (public hotspot etc.).

4 Likes

I’ve seen thoughts on this quite a few times. Found +50 hits on the forum search too (whonix vpn). I think you’ll find plenty of balanced thought right there.

2 Likes

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tunnels/Introduction

2 Likes

Thanks, this was a great read, just what I needed to see.

1 Like

what about this?

3 Likes

Mirai your link was a good choice – nice job

privacyguides dot org represents my stance completely. I have beaten my head against this controversy for years and years. I always use VPNs (one sometimes two) before entering the TOR nodes, but NEVER after the onion exit nodes. That is really bad OpSec because the circuits won’t rotate as designed by the TOR team. While this is my .02 it comes from years of network engineering and some common sense. In addition I have access to hundreds of physical servers and I never use a VPN server where I frequently connect to conduct “real name” workspace. Simply reserve a few dozen VPN servers for PRE-TOR circuits and don’t mix them. Another duhhhh.

Of course where possible you should connect via onion links so there is NO exit node, Duhhhh!!!

Don’t hate me folks, you have the right to disagree and I won’t be offended in the least!

1 Like
2 Likes

You can use Tor pluggable transports to obfuscate your Tor usage from your ISP.

If this Tor + VPN still requires more insightful discussion, see this relevant GitLab issue.

2 Likes

Here are the benefits of using a VPN with Whonix.

  • A VPN can mask Tor usage from your ISP, potentially reducing scrutiny or throttling.
  • If a VPN’s IP isn’t associated with Tor, it can make it harder to link your real IP with Tor activity.
  • Using a VPN with Whonix on public WiFi adds an extra layer of scrutiny against potential network attacks.

Consideration:
Choose a trusted VPN that has strict no-log policies and a proven track record in privacy, like ExpressVPN and PureVPN.

Tips:
Isolate your Tor activities on a separate device for enhanced security.

1 Like

ExpressVPN was purchased in 2021 by Kape Technologies, which also owns many other large VPN providers, such as Private Internet Access and Cyberghost.
PureVPN also provided logs and information in a 2017 case.

If anyone is looking for a trustworthy VPN service, they should look here instead:

2 Likes

@DVM Are you saying to take @AdCharles’ recommendations with a grain of salt? :wink:

I mean AdCharles (emphasis mine), managed to place two products in their first post, an hour after joining the forum and having read for 9min in total.

Folks, please remember to take all advice with caution, this is a public forum and anyone can create accounts.

4 Likes

yes it is better IF you don’t trust your personal ISP, you’re only shifting trust from your ISP to the VPN ISP.

your setup should be :

you (bare IP)=>VPN=>Tor

if you want something more complex, potentially more secure go for a set up like this :

you(bare IP)=>proxy-chains=>VPN=>Tor

combine two or 3 proxies (this will slow down your connection to Tor further more), the purpose of this is to add an extra layer of obfuscation on top of the VPN traffic encryption.

these two setups will mask Tor usage from ISP completely (potentially better than just using Tor bridge) and make it harder, if not impossible, to eavesdrop from ISP, also making it harder for whoever owns the exit node you are connecting to to run a correlation attack to de-anonymize you.

take into consideration that this is only for network privacy, how you use your device, and other variables that vary determines how secure you could be.

1 Like

I think there are rather usage scenarios, no “better” or “worse” setups.

Qube → Tor → VPN might make sense as well, if you want to hide the fact from the website that you are using Tor. There are sites, that don’t allow usage via Tor, but permit VPNs.

1 Like

Qube → Tor → VPN

you’re allowing your VPN to see all of your TOR traffic, big NO.

your exit node is exposed to VPN ISP, they will hand all of your info to LE (if that’s your threat model), if your Tor traffic is associated with something “sus”, that can be all exposed through the setup you mentioned easily since the VPN will have all of your TOR traffic.

if you’re browsing clearnet and want to spoof your IP, just use a proxy.

1 Like

Well, the VPN only sees that you are using Tor, they can’t see the content going through.

3 Likes

True, but given the number of VPN providers able and willing to provide access logs, the correlation attacks are worrying.

I think the canonical statement comes from the Tor project FAQ -

Can I use a VPN with Tor?

Generally speaking, we don't recommend using a VPN with Tor unless you're an advanced user who knows how to configure both in a way that doesn't compromise your privacy.

More detailed information about Tor + VPN at the wiki

Few users who ask these questions are advanced users, and even fewer are able to configure both, even if they are capable.

4 Likes

This is a bit inaccurate.

Tor → VPN → Website:
VPN provider knows visited website, and that someone connects from certain Tor exit node to VPN.

VPN → Tor → Website:
VPN provider knows your real ISP IP and that you are using Tor for something else.

Resource: Connecting to Tor before a VPN

E2E encryption is provided by HTTPS, so stating that VPN provider sees all traffic is not true (only domain; same as normal VPN). And I guess we agree that you shouldn’t use plain HTTP with Tor at all.

(It helps to visualize these things as being tunnels within tunnels, someone here in forum posted a great pic I currently cannot find. Otherwise thought experiments can quickly escalate into brain fucks :wink: )

I once experimented for fun and learning networks with Tor → VPN. My threat model just was not being ad-tracked by some big corp site, that did not allow Tor, but permitted VPN connections.
Using any other proxy certainly is an alternative, but wasn’t the question.

Yes, you get one single Tor circuit for the whole VPN session, which is used to establish a TCP connection to the VPN provider. There isn’t any stream isolation without reconnecting both VPN and Tor.

Hence good hint regarding recommendations by Tor project.

3 Likes

How are correlation attacks more worrying with vpn —> tor than IP —> tor? I don’t really get it.

2 Likes

I think the comment on correlation attacks was more about Tor -> VPN.
Normally Tor circuits are switched automatically on certain conditions like domain, port and so on. If I recall that correctly, Tor Browser also switches after a certain amount of time within one domain. With VPN -> Tor you basically would have one single circuit for the whole VPN session. I have no idea what practical implications this has, but at least it works against some of the basic stream isolation principles of Tor.

1 Like