Guide for "User -> VPN -> Tor -> Internet" does not work

The documentation here: Connecting to a VPN before Tor basically advises to connect to the VPN with your regular software within the host. For “Instructions on how to connect to a VPN before Tor. User → VPN → Tor → Internet” this is lacking and incorrect.

For instance, when I connect to the VPN using OpenVPN from my Workstation and curl, it is my VPN IP; it is not a Tor exit. So the traffic is not being routed “User → VPN → Tor → Internet”.

How can I actually perform this? Or tunnel some kind of secure/private tunnel before Tor (I’d like to mitigate against Sybil attacks)

This is impossible. If the VPN is running on the host, it is User → VPN → Tor → Internet. Therefore Tor Browser won’t show a VPN IP.

Does not even matter if using Tor Browser Bundle on the host operating system or Whonix.

This is because the VPN connects first, because it’s on the network routing level. Tor connects “on top” of that similar to a “normal application”. Since the VPN connects first, Tor connects second.

The opposite User → VPN → Tor → Internet is actually not simple to set up. This is possible by installing a VPN inside the Whonix-Workstation. The part Tor Browser Remove Proxy Settings isn’t exactly trivial either.


I don’t know what to tell you. I ‘sudo openvpn ./vpn.ovpn’ in my workstation, and when I ‘curl’ it’s my VPN IP. I’ll provide screenshots when I get home.

No need.

This is expected.

This is what is in the documentation. There are no mysteries about this. This is probably already a decades-old topic.

Here is a comparison table:
Combining Tunnels with Tor chapter Comparison Table in Whonix wiki

If a VPN is installed inside Whonix-Workstation then it logically must go the User → Tor → VPN → Internet route.

This is because if the assumption is true that all connections originating from Whonix-Workstation are routed through Whonix-Gateway (Tor), then the VPN necessarily must also go through Tor.

Tor connects first. The ISP can only see Tor.

Tor connects first. The VPN necessarily connects second. In other words…
Tor connects first. The VPN necessarily connects last.

This is why when using curl.anondist-orig to download an IP check website inside Whonix-Workstation it is very much expected to see the VPN IP and not the Tor IP.

Stream isolation / .anondist-orig is another layer of complexity which might result in “only” Tor being used and the VPN circumvented (not used) but that is very much documented, please look that up in the documentation.

[1] Unless there’s another VPN software running on Whonix-Gateway, the host operating system or a sys-vpn VM after Whonix-Gateway.


Which is it? Is it

or is it

The latter makes more sense, but this makes the “Connecting to VPN before Tor” article misleading, as it says “When using a Whonix-Gateway virtual machine, connect to a VPN using software on the host operating system” but, as you’ve said in your last reply, this results in

The VPN connects after not before.

Maybe I’m misunderstanding the article, does “Connect to VPN before Tor” not mean User → VPN → Tor → Internet? When you say “host” and “workstation” are you meaning different things?

The words after and before are ambiguous. Ignore it.

Connection Scheme notation such as for User → Tor → proxy/VPN/SSH → Internet is easier to understand. Just focus on that one.

The comparison table Combining Tunnels with Tor chapter Comparison Table in Whonix wiki is up-to-date and correct.

I added a new column just now:

Changes IP that Destination Websites (such as IP check websites) can see

Very different. Host means the host operating system. Not a virtual machine.

This is the terminology used consistently in the wiki:


We’ve never used host as a synonym for any VM.

But I do recognize that a shell prompt in a VM showing user@host can be confusing. Therefore I’ve made several improvements in the wiki in this style:

Host OS (host operating system, outside of any VMs)


Great. Thank you for the updates and clarification. I’m perfectly happy with User → Tor → VPN → Internet. This lets me access all resources and protects my real IP from my VPN provider. And since I’m using a dedicated VM (whonix-gateway) my Tor circuits are not static.

One thing though, how can I verify that OpenVPN is going over Tor? What are some ways I can verify my Tor circuits are changing? (I saw tor-ctl on the Wiki but it was said it was deprecated) Make sure there’s no leaks?

Google can probably answer these questions with a bit of time, but if you know off the top of your head that would be very helpful.

The before, after, over terminology is ambiguous. Please use connection scheme otherwise I am not sure which one you’re asking about.


Not deprecated.
(tor-ctrl - Tor control port command line tool)

Please edit your above post:

  • Add a link to documentation you’ve followed.
  • Add where you’ve run the commands seen on the screenshots.

I don’t really know what you’re asking without that information.

if you’re running openvpn from inside your whonix-workstation (user → tor → vpn → internet), the tor circuit for your openvpn connection will not change until you close the openvpn software connection.

a dirty workaround i’ve used for other software that will remain on the same tor circuit until closed is to run an infinite while loop from the command line interface (terminal) which will kill and restart the software every 10 minutes, which is the default life of a tor circuit after initial use. you can easily do this with openvpn. however, depending on what software you’re using that communicates via the openvpn connection, you will leak a tor exit ip if the software sends outgoing packets while the openvpn connection is automatically killed and re-established. you might want to look at VPN-Firewall: Enforce use of a VPN if you employ such a loop command.

an example command is below.

sudo sh -c 'while true; do timeout --foreground 10m openvpn /path/to/My.OpenVPN.Config.File.ovpn; done'

when you want to quit the loop, you type ctrl-c in the terminal.
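
Added example (not part of any post in this thread, and not Whonix code): a small audit for the leak window described above. It takes timestamped egress-IP samples, recorded inside Whonix-Workstation by whatever IP check you already use while the restart loop runs, and reports each interval in which the destination saw something other than the VPN address. `VPN_IP`, `TOR_EXITS` and `SAMPLES` are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Constructed values: replace with your VPN's egress IP and a current Tor exit list.
VPN_IP="203.0.113.10"
TOR_EXITS="198.51.100.7 198.51.100.23"

# classify_ip IP -> prints vpn | tor-exit | unknown
classify_ip() {
    [ "$1" = "$VPN_IP" ] && { echo vpn; return 0; }
    for exit_ip in $TOR_EXITS; do
        [ "$1" = "$exit_ip" ] && { echo tor-exit; return 0; }
    done
    echo unknown
}

# leak_windows: read "epoch ip" samples on stdin and print "start end kind"
# for every contiguous run of samples whose egress was not the VPN IP.
leak_windows() {
    start=""; last=""; kind=""
    while read -r ts ip; do
        [ -n "$ts" ] || continue
        k=$(classify_ip "$ip")
        if [ "$k" = vpn ]; then
            # VPN is back: close any open leak window
            [ -n "$start" ] && echo "$start $last $kind"
            start=""
        else
            # open a new window on the first bad sample or when the kind changes
            if [ -z "$start" ] || [ "$k" != "$kind" ]; then
                [ -n "$start" ] && echo "$start $last $kind"
                start=$ts; kind=$k
            fi
            last=$ts
        fi
    done
    [ -n "$start" ] && echo "$start $last $kind"
    return 0
}

# Constructed sample: the VPN drops at the 10-minute restart and a Tor exit shows.
SAMPLES='1700000000 203.0.113.10
1700000060 203.0.113.10
1700000600 198.51.100.7
1700000605 198.51.100.7
1700000610 203.0.113.10
1700001210 192.0.2.55
1700001215 203.0.113.10'

printf '%s\n' "$SAMPLES" | leak_windows
```

A `tor-exit` window means traffic left through User → Tor → Internet while OpenVPN was down; an `unknown` window means the address matched neither list and the exit list may be stale.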