Snowflake and other bridges are slow, so I want to connect to a VPN before Tor. Which VM is most reasonable to connect the VPN on in the chain anon-whonix → sys-whonix → sys-firewall → sys-net? sys-net or sys-firewall? Or would it be better to create sys-vpn and use anon-whonix → sys-whonix → sys-firewall → sys-vpn → sys-net?
I’m connecting my sys-whonix to sys-protonvpn, which is my VPN qube. That’s then connected to sys-mirage-firewall, which is connected to sys-net.
Connecting to a VPN before Tor
What you want is
whonix-ws0 -> whonix-gate0 -> vpn0 -> sys-firewall -> sys-net
The machine names in the line above are arbitrary.
Your ISP will see your packets to/from the VPN provider. Your VPN provider will see packets to/from Tor.
You don’t understand qubesos at all.
sys-net is acting as a router: all network hardware is attached here, so it must be the first. Period.
sys-firewall is doing the firewalling; even on the first run after installation it’s the second one in the chain, and Tor is like a VPN and is connected to it.
So if you want Tor over VPN, then you connect sys-whonix to the VPN qube. What is the question then?
In order to accomplish a VPN → Tor setup, I believe you must do the following:
- Clone sys-whonix (or, if you always want to connect to Tor through your VPN no matter what, skip this step)
- In the settings for your sys-whonix VM, set the netVM to the proxyVM for your VPN connection (e.g. the netVM for sys-whonix should be sys-vpn instead of sys-firewall)
- For the VPN proxyVM, the netVM should be set to sys-firewall
This way you achieve a sys-net/sys-firewall → sys-vpn → sys-whonix → internet type of connection.
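The three steps above, as an added dom0 shell example that is not part of the thread: it emits (or, on dom0 with `QVM=` unset to empty, runs) the `qvm-clone`/`qvm-prefs` calls that wire the gateway behind the VPN qube, then walks the resulting `netvm` chain so you can confirm the VPN hop really sits between the Tor gateway and sys-firewall. The qube names, the `QVM` dry-run switch, the `DRY_TABLE` mapping and the `walk_chain`/`vpn_precedes_tor` helpers are assumptions for this example; the assumption that `qvm-prefs <qube> netvm` prints an empty line (or `None`) for a qube with no netvm is handled for both cases.

```shell
#!/bin/sh
# Added example, not from the thread. By default QVM=echo so the qvm-* calls are
# printed instead of executed; on dom0, run with QVM= (empty) to apply them.
: "${QVM-echo}"
QVM=${QVM-echo}

# Constructed netvm table used only in dry-run mode (qube:netvm per line).
DRY_TABLE="sys-whonix-vpn:sys-vpn
sys-vpn:sys-firewall
sys-firewall:sys-net
sys-net:none"

# Wire the VPN -> Tor chain: gateway -> vpn -> firewall.
# Arguments: <tor gateway> <vpn qube> <firewall qube> [<clone name>]
# With a clone name, the gateway is cloned first and the clone is rewired,
# so the original sys-whonix keeps going straight to sys-firewall.
vpn_before_tor() {
  gw=$1; vpn=$2; fw=$3; clone=${4:-}
  if [ -n "$clone" ]; then
    $QVM qvm-clone "$gw" "$clone"
    gw=$clone
  fi
  # Step 2: the Tor gateway's netvm becomes the VPN proxy qube.
  $QVM qvm-prefs "$gw" netvm "$vpn"
  # Step 3: the VPN proxy qube's netvm is sys-firewall.
  $QVM qvm-prefs "$vpn" netvm "$fw"
  # Note: AppVMs that should use this path (e.g. anon-whonix) must have their
  # own netvm pointed at "$gw"; the thread does not cover that step.
}

# Read a qube's netvm: from DRY_TABLE in dry-run mode, from qvm-prefs on dom0.
get_netvm() {
  if [ -n "$QVM" ]; then
    printf '%s\n' "$DRY_TABLE" | awk -F: -v q="$1" '$1 == q { print $2 }'
  else
    qvm-prefs "$1" netvm
  fi
}

# Follow netvm hops from a qube until one has no netvm; prints "a -> b -> c".
walk_chain() {
  q=$1; path=$q; hops=0
  while :; do
    n=$(get_netvm "$q")
    case "$n" in ''|none|None) break ;; esac
    path="$path -> $n"; q=$n
    hops=$((hops + 1))
    [ "$hops" -lt 16 ] || { echo "netvm chain too long (loop?)" >&2; return 1; }
  done
  printf '%s\n' "$path"
}

# Check that the first hop after the Tor gateway is the VPN qube, i.e. the
# VPN is reached before Tor leaves the machine. Returns 0 when it is.
vpn_precedes_tor() {
  walk_chain "$1" | grep -q "^$1 -> $2 -> "
}

# Stand-alone run: print the commands, then the chain they produce.
vpn_before_tor sys-whonix sys-vpn sys-firewall sys-whonix-vpn
walk_chain sys-whonix-vpn
```

After applying the real commands on dom0, `walk_chain sys-whonix-vpn` should print `sys-whonix-vpn -> sys-vpn -> sys-firewall -> sys-net`; if the VPN name is missing from the second position, the gateway is still bypassing the VPN.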
Is it better to create a dedicated qube for the VPN than connect to the VPN from sys-net’s NetworkManager?
I’m really not an expert, but I think so. Isolating tasks is a good idea, and it allows me to force all traffic to only be allowed inside the VPN connection. I managed to make that sys-protonvpn a disposable VM too.
Yes. Dedicate a separate qube for the VPN. Do not put a VPN/proxy inside sys-net.