Is WHONIX more secure with a VPN?

Hi again!
I was wondering if WHONIX is more secure and “anonymous” when using a VPN like airVPN on a workstation?
That is simply it. Thanks! I appreciate your time. :slight_smile:

Cheers

Good day,

Well, yes, no, maybe. It’s a complex question which can’t be answered in any simple manner. Consensus is that in most cases, using a VPN on Workstation level (i.e. to “add” it after the Exit node) actually minimizes security, as you hand over your communication to a fixed server (i.e. the one from your VPN provider) who may or may not record what you do. So, if it isn’t absolutely necessary for you to hide from a server you access that you use Tor, it is recommended against.

Have a nice day,

Ego


We have a writeup on that topic here.

Is WHONIX more secure with a VPN? -> Is Tor more secure than a VPN?

Yes.

HulaHoop:

Is WHONIX more secure with a VPN? → Is Tor more secure than a VPN?

Yes.

Hardly deniable indeed.

In the mind of a user I imagine it like this.

Tor more secure than VPN.

→ Tor has some security.
→ VPN has some security.

So why not combine both?

Our over simplified answer on
Combining Tunnels with Tor is “forget about it”.

Probably one of the most asked questions around here.


I agree with that. It’s the summary the wiki is supposed to provide.

Looks like we need various forms. Multiple summaries even. The very short one “forget about it”, the longer overview as well as the full documentation on the topic.

The only thing I am not sure about.

For someone who wanted to use I2P anyhow, I guess user → Tor → I2P → destination is more anonymous than pure I2P?

Yes. Lots of people spend lots of time concentrating on that while totally ignoring other stuff such as keystroke based deanonymization attacks.


But if you got a VPN that gave you dynamic IPs and dynamic DNS for easy access… wouldn’t that just make your traffic more encrypted, since the dynamic IP you would be assigned would hide you from the dynamic IP received from Tor, which hides the real IP? So hide + hide instead of just hide. Or am I misunderstanding some concepts here? Thanks

To simplify this for you: VPN = ISP. They all monitor even the ones that say they don’t. There are many reasons for this: data retention laws, liability, hacked by an Intel Agency and so on. Dynamic IPs don’t matter when they can see everything coming from your client.

And as mentioned already don’t get hung up on VPNs when there are a number of other important topics you need to be aware of for anonymity.


Hi there! Thanks for the answer!
You say that dynamic IPs don’t matter because they all lead to my client, correct? But since I register for and use the VPN on Whonix/Tor, wouldn’t my “real” client IP still be hidden and instead show the Tor IP (another dynamic IP)? Am I wrong?

Yes, Tor -> I2P is probably more anonymous.

@Mirimir might want to chime in on this, since he loves long VPN-Tor-other tunnels :wink:

Totally agree with what you say on other issues. The big gap in the anonymity sphere right now is widespread adoption of the Kloak tool to defeat biometrics of typing and use of something like Anonymouth for blogging.

The research is very scary around blogging and how quickly you can be pinned as the author of something online without disguising your writing style.

This is a massive blind spot for a lot of knowledgeable people I think.

The other major problem is encrypted email providers that are easy to use, and which you can convince others to use. In that space, I think we should be adding Protonmail as a recommended encrypted email provider in the wiki, because, let’s face it, our friends/family are never going to shift to PGP encryption because it is technically beyond them, and thus useless for mass adoption.

Protonmail on the other hand supports:

  • free sign-up;
  • 2FA;
  • no key management required (browser does all the encryption)
  • an encrypted inbox like RiseUp;
  • all emails encrypted to other Protonmail recipients by default;
  • SMTP/IMAP support is coming (soon compatible with Thunderbird et al.);
  • Tor Browser logins are okay;
  • PGP key integration is planned for the future for those that have them;
  • no IP logging by the provider; and
  • you can now login with just one password (not two, as previously required).

So, for usability and security trade-off (using a browser method currently), I think Protonmail is a reasonable recommendation. I suppose that security could be further enhanced with Tor Browser logins from a Whonix-WS Disposable VM.

Thoughts?

torjunkie:

  • free sign-up;
  • 2FA;

Don’t get @HulaHoop started on 2FA. :slight_smile:

  • no key management required (browser does all the encryption)

Can only be security by policy, meaning once they are forced or hacked this can be disabled.

  • PGP key integration is planned for the future for those that have them;

If you don’t hold your private key alone only on your disk, then you can almost ignore PGP.

Good day,

While what you’ve said is reasonable and something I very much agree with, the thing is that we currently have Riseup on our E-Mail page as well which is hosted in the US, not Switzerland and doesn’t make their entire source code open.

Being hosted in the US (at least for me) is a far bigger security issue than anything you might justifiably level against Protonmail, at least in my opinion. Also, they still haven’t stopped tweeting about birds which is concerning: https://twitter.com/riseupnet/status/818846905270751233

Actually, it has already been implemented, though it shouldn’t be used, as even if their open source code appears clean, whether they don’t deviate from their source on their servers is unknown.

Then again, if security really is the main goal, hosting a mail server yourself is the best solution. Making it secure isn’t hard anymore either, as, like mentioned before, PM has made their source public: Proton Mail · GitHub

Have a nice day,

Ego


Right, created riseup.net likely compromised - #19 by Patrick for it.

I want to revisit this Protonmail issue in depth later on (time-allowing) and really dissect the security risks for Whonix users, since encryption is done client-side and not server-side, i.e. if they hack the Swiss server it doesn’t mean they get your stuff in the clear.

Hosting one’s own mail server is surely going to be beyond most users(?) and they would probably end up like Killary Clinton in all likelihood i.e. hacked.

So, if they have to individually attack every Tor user and (I think) 2 million Protonmail users to try and retrieve private keys, then good luck to them.

I also think that US-based services are probably a greater risk than most other factors right now, but I can’t back up that with any solid analysis.

Interesting that Rise-up is still tweeting inanities about birds and vultures while their warrant canary is almost 6 months overdue. Perhaps in the meantime they should update it as so:


Just came home from a vacation… Thanks for all the replies! It certainly helped!! I just cannot see how institutions like the police would be able to track you if you use Whonix Gateway + VM Workstation + VPN. So could anyone please explain this? I really appreciate the time, guys!

Whonix (and Tor) are not designed with the express purpose of evading law enforcement. One would hope that police capture criminals using lawful investigative techniques and good old-fashioned police-work. So your question is too broad for this forum.

Why do you persist with the “+vpn” when everyone has told you that user -> tor -> vpn is a bad idea? It’s a permanent exit node that weakens the endpoints of your traffic - and the endpoints are already the most vulnerable parts of any transmission. (The “dynamic IPs” that you mentioned are not “random IPs”.)

What you should be asking is, “Does Tor do what I think it does? What vulnerabilities does it have?” Tor is designed with a specific purpose - it’s not a magical invisibility potion. Start by reading the design paper, particularly 3.1 Threat Model. (You’ll see that using a vpn at the end of your chain might make Tor’s vulnerabilities easier to exploit.) Also read Whonix docs: Warning.

More generally, a good explanation from Paul Syverson on “tor-relays” ML:

As we wrote in 1996, “Our motivation here is not to provide anonymous communication, but to separate identification from routing. Authenticating information must be carried in the data stream… use of a public network should not automatically reveal the identities of communicating parties. The goal here is anonymous routing, not anonymity.”

In other words,


Hmm, whoops, yeah. Thanks for the summary of the thread, haha. So what does actually make you harder to track? I thought Whonix and other services like this would make you feel safer from hackers and people like that, plus security institutions. I will certainly read the docs more carefully. Thank you!

Btw I have now read the docs and things started to get clearer but I would still like an answer to the above :slight_smile: