Is it really true that Whonix can allow the following configuration: vpn > tor > vpn > web?

I was talking to a friend and he was saying that it is the only virtual machine that allows said set up, which is both secure and private, of course. The great thing about such is that surfing the internet, regardless of whether it is an http or https site, is pretty much rock solid. Can anyone confirm this? Looking for a tutorial on how one would go about configuring their machine to use two separate VPNs that don’t conflict with one another and yet do both their separate jobs. Thanks

Hi drhall

I think this is what you are looking for:


Thanks, 0brand, yeah in case my message wasn’t clear, usually a person cannot connect to two separate VPNs, and even if they do they tend to conflict with one another rather than doing what one might think they’d do, which might be to somehow double encrypt the user data. As well, VPNs apparently encrypt everything beyond the connection from the client to their VPN service, but in cases where the user accesses an HTTP site for example, the data pretty much can’t be encrypted or the site would have no way to read it and so any exit node owner is going to be able to see all the traffic going through such a site so long as a person goes on one. With Whonix though, apparently the user can first encrypt their data via a VPN and then have it go through the tor network and then when it comes out, encrypt it again through yet another VPN, that way should they choose they can go anywhere on the web and it won’t matter because it really will be enctypted via the second VPN. Of course on an HTTP site the data still has to be able to be read by the site itself, but apparently the second VPN’s IP address is what would be visible to such an exit node owner rather than their true IP or say other information like passwords or so forth. So that was the point of showing the configuration vpn > tor > vpn > internet. No other set up can do that, apparently. So such is what I’m trying to find out. Is said configuration possible or is it just a rumor? Ill check out your link but I think it is more a link that shows you how to set up the VPN after tor, i.e. tor over vpn and not the other way around. My question is how to set up a VPN and then to enter the tor network and then set up a second VPN for the traffic leaving tor.

Yeah so far the link seems to be the same set up most tor users already have: VPN > tor, or tor > VPN. Since Whonix has a gate way and a work station, maybe that is how one would set up two VPNs such that they don’t conflict with one another and such that on both sides of the tor network one’s traffic is encrypted. Perhaps the set up isn’t as secure as it might sound in all circumstances though, assuming it is even possible.


Hi drhall

You can combine the instructions so you can:



Ah ok, thanks, I only went through part of the instructions and concluded that it was a way to set up just one, not both. Will have another gander :slight_smile:

No matter how many hoops you jump through, http can never be as secure or private as https. Once your vpn traffic is unencrypted by the vpn, it doesn’t magically appear at the destination. The unencrypted traffic still has to pass through the VPN’s ISP, all the intermediate hops, and the website’s ISP before finally reaching its destination.

How HTTPS and Tor Work Together to Protect Your Anonymity and Privacy


Thank you for the information, Entr0py, I have seen that before and it is indeed helpful to have. Exit nodes are of course a problem on http sites if one is using the tor network, that I know. But thanks to you, I now know that it’s still not as simple because the data still has to pass through the VPN’s ISP and so in a sense although it may not be rock-solid it’s far stronger than merely connecting to an http site through the tor network without a VPN at all.

A very helpful refrence indeed, thanks :slight_smile:

This is not the correct conclusion.

The correct conclusion is: Don’t use http. Period. The only time an url should begin with http: is if it ends with .onion

Let’s say you’re an activist that regularly visits A repressive regime does not agree with your agenda. A possible attack is to compel / coerce / compromise the hosting service or its ISP. If you use http, all of your communications will be intercepted.

If you believe that the content of your communications doesn’t matter as long as the anonymity of your routing is preserved, then you just haven’t thought it through. See Docs: Modern Privacy Threats.

It’s also not correct to say that tor -> vpn is “stronger”. You’ve simply shifted risk from random exit nodes to a permanent vpn. So while you’ve lowered the risk of being randomly targeted by an exit node, you’ve increased the risk of being specifically targeted by someone else.


So using tor and a VPN is no stronger than using tor alone? How can that be? I can understand if you mean on an HTTP site, but generally, one ISP can’t know that one is using tor, and otherwise I guess it wouldn’t matter because the only other options are HTTPS and .onion, in which case everything is encrypted, no?


So using tor and a VPN is no stronger than using tor alone? How can that be?

Explanation and references here:

Hi drhall

If you are using a VPN your ISP could use Deep Packet Inspection to see if you are using Tor. Also if you are using a VPN to hide your Tor usage from your ISP you might want to read up on Bridges.

Thank you, 0brand and Patrick, I appreciate the help clarifying these confusions of mine. I’ll read into them :slight_smile: