The documentation here: Connecting to a VPN before Tor basically advises to connect to the VPN with your regular software within the host. For “Instructions on how to connect to a VPN before Tor. User → VPN → Tor → Internet” this is lacking and incorrect.
For instance, when I connect to VPN using OpenVPN from my Workstation when I curl https://am.i.mullvad.net/json it is my VPN IP, it is not a Tor exit. So the traffic is not being routed “User → VPN → Tor → Internet”
How can I actually perform this? Or tunnel some kind of secure/private tunnel before Tor (I’d like to mitigate against Sybil attacks)
This is impossible. If the VPN is running on the host, it is User → VPN → Tor → Internet. Therefore Tor Browser won’t show a VPN IP.
Does not even matter if using Tor Browser Bundle on the host operating system or Whonix.
This is because the VPN connects first, because it’s on the network routing level. Tor connects “on top” of that similar to a “normal application”. Since the VPN connects first, Tor connects second.
The opposite User → VPN → Tor → Internet is actually not simple to setup. This is possible by installing a VPN inside the Whonix-Workstation. The part Tor Browser Remove Proxy Settings isn’t exactly trivial either.
I don’t know what to tell you. I ‘sudo openvpn ./vpn.ovpn’ in my workstation, and when I ‘curl https://am.i.mullvad.net/json’ its my VPN IP. I’ll provide screenshots when I get home
If a VPN is installed inside Whonix-Workstation then it logically must go the User → Tor → VPN → Internet route.
This is because if the assumption is true that all connections originating from Whonix-Workstation are routed through Whonix-Gateway (Tor), then the VPN necessarily must also go through Tor.
Tor connects first. The ISP can only see Tor.
Tor connects first. The VPN necessarily connects second. In other words…
Tor connects first. The VPN necessarily connects last.
This is why when using curl.anondist-orig to download an IP check website inside Whonix-Workstation it is very much expected to see the VPN IP and not the Tor IP.
Stream isolation / .anondist-orig is another layer of complexity which might result in “only” Tor being used and the VPN circumvented (not used) but that is very much documented, please look that up in the documentation.
[1] Unless there’s another VPN software running on Whonix-Gateway, the host operating system or a sys-vpn VM after Whonix-Gateway.
The latter makes more sense, but this makes the “Connecting to VPN before Tor” article misleading, as it says “When using a Whonix-Gateway virtual machine, connect to a VPN using software on the host operating system” but, as you’ve said in your last reply, this results in
The VPN connects after not before.
Maybe I’m misunderstanding the article, does “Connect to VPN before Tor” not mean User → VPN → Tor → Internet? When you say “host” and “workstation” are you meaning different things?
Great. Thank you for the updates and clarification. I’m perfectly happy with User → Tor → VPN → Internet. This lets me access all resources and protects my real IP from my VPN provider. And since I’m using a dedicated VM (whonix-gateway) my Tor circuits are not static.
One thing though, how can I verify that OpenVPN is going over Tor? What are some ways I can verify my Tor circuits are changing? (I saw tor-ctl on the Wiki but it was said it was deprecated) Make sure theres no leaks?
Google can probably answer these questions with a bit of time, but if you know off the top of your head that would be very helpful.
if you’re running openvpn from inside your whonix-workstation (user → tor → vpn → internet), the tor circuit for your openvpn connection will not change until you close the openvpn software connection.
a dirty workaround i’ve used for other software that will remain on the same tor circuit until closed is to run an infinitite while loop from the command line interface (terminal) which will kill and restart the software every 10 minutes, which is the default life of a tor circuit after initial use. you can easily do this with openvpn. however, depending on what software you’re using that communicates via the openvpn connection, you will leak a tor exit ip if the software sends outgoing packets while the openvpn connection is automatically killed and re-established. you might want to look at VPN-Firewall: Enforce use of a VPN if you employ such a loop command.
an example command is below.
sudo sh -c 'while true; do timeout --foreground 10m openvpn /path/to/My.OpenVPN.Config.File.ovpn; done'
when you want to quit the loop, you type ctrl-c in the terminal.