Confirming VPN over Tor setup

I’ve read the Wiki twice and most of the forum and took a lot of notes but now it’s time for action and I don’t feel so certain I understood everything. My setup:

  • Whonix - Gateway
  • Whonix - Workstation 1 (Main)
  • Whonix - Workstation 2 (nested in 1)

My goal is VPN over Tor (user -> Tor -> VPN -> www).

  1. If I want only the nested (Workstation 2) to go through VPN+Tor, I’d install the VPN on Workstation 2 only? This would make Workstation 2 go VPN over Tor and Workstation 1 would go through Tor only. Correct?

  2. If I install the VPN on Workstation 1… Would that make the nested (Workstation 2) go VPN over Tor automatically (by default)?

  3. If I wanted everything I do in Whonix to go VPN over Tor… Would I then install the VPN on the Whonix-Gateway? or the host?

Thank you so much.

The nested VM is unsupported.
(Frequently Asked Questions - Whonix FAQ)

Not sure it would even work without disabling stream isolation. Untested.

> 2) If I install the VPN on Workstation 1... Would that make the nested (Workstation 2) go VPN over Tor automatically (by default)?

Not sure how this would interact with stream isolation. (https://www.whonix.org/wiki/Stream_Isolation)

> 3) If I wanted everything I do in Whonix to go VPN over Tor... Would I then install the VPN on the Whonix-Gateway? or the host?

Neither. Would never result in VPN over Tor (user -> Tor -> VPN -> www).

Whonix-Gateway / host always results in:
Tunnel Tor through VPN (user → VPN → Tor)

For user → Tor → VPN → www, you need to install the VPN inside the workstation.