Is WHONIX more secure with a VPN?


Hi again!
I was wondering if WHONIX is more secure and “anonymous” when using a VPN like airVPN on a workstation?
That is simply it. Thanks! I appreciate your time. :slight_smile:



Good day,

Well, yes, no, maybe. It’s a complex question which can’t be answered in any simple manner. Consensus is that in most cases, using a VPN on Workstation level (i.e. to “add” it after the Exit node) actually minimizes security, as you hand over your communication to a fixed server (i.e. the one from your VPN provider) who may or may not record what you do. So, if it isn’t absolutely necessary for you to hide from a server you access that you use Tor, it is recommended against.

Have a nice day,



We have a writeup on that topic here.


Is WHONIX more secure with a VPN? -> Is Tor more secure than a VPN?



Hardly deniable indeed.

In a mind of a user I imagine it like this.

Tor more secure than VPN.

-> Tor has some security.
-> VPN has some security.

So why not combine both?

Our oversimplified answer on
https://www.whonix.org/wiki/Tunnels/Introduction is “forget about it”.

Probably one of the most asked questions around here.


As a normal (non-technical) user, I used to be under the impression that adding a VPN to the tunnel length before connecting to the Tor network could only be a good thing (more encryption = more good LOL).

Now I firmly believe otherwise.

Re: Simple proxies

The wiki and Tor project docs indicate they are basically useless. Scratch that idea.

Re: Esoteric tunnels

Those built upon very small user populations e.g. I2P, probably hurt your anonymity. Scratch that idea.

Re: Tor -> VPN

The comparison table shows minimal benefits, except evading Tor bans by websites. You also can’t connect to .onions and will probably be part of only a handful of people running this arrangement, which seriously harms your privacy/anonymity goals.

Plus, it is a really, really bad idea to trust you picked a non-honeypot VPN provider and that they won’t abuse the permanent record of all your Tor activity at some time in the future. And so far as the ‘we don’t keep logs’ claims, big VPN providers in the recent past have shown that promise means diddly squat.

Scratch that idea as bad based upon simple logic.

Re: VPN -> Tor

This appears on the surface to be enticing, but:

  • It’s not clear the ISP can’t see you’re using Tor anyway (I seriously doubt they can’t do it, if they really wanted i.e. traffic fingerprinting);
  • You now have a money trail to the VPN provider (very hard to pay anonymously);
  • Increased complexity means there is a big likelihood you will stuff up something, somewhere and reduce your anonymity/security, or show your Tor activity at the network level when/if the VPN link fails;
  • The attack surface is increased by running more software and providing more data flows for big brother to play with; and
  • Permanent entry points into the Tor network are now limited to a MUCH smaller subset than general Tor users.

Thus this option could probably be summarised as:

  • ‘Might be beneficial’, but Tor devs aren’t convinced; and
  • I can gloat about ridiculously long tunnels on forums.

But on the downside:

  • It costs money;
  • Hurts your anonymity on the balance of probability;
  • Hurts your security on the balance of probability;
  • You play Russian roulette with VPN providers;
  • It’s hard to set up; and
  • It’s easy to misconfigure.

General political comments on privacy/security goals

I imagine most Whonix users are just using this split virtualized solution to increase their default security, and/or to have greater privacy from corporate psychopaths like Google, Amazon and Microsoft who are part of the military-intelligence network now as data harvesters/profilers.

At the end of the day, if somebody’s real (self-assessed) adversary is global in nature, or some blackhat who just gave a sermon at DEFCON, they shouldn’t use Whonix to run a Silk Road 5.0 enterprise from home, or if they’re considering dumping a treasure trove of intelligence documents.

Instead, these .000001% of users would default to TAILS from random locations. Or better yet, wouldn’t use computers or electronic peripherals at all, if it is feasible in their circumstances. They’d learn about spy opsec in the meatspace, since computer hardware and software security in 2017 is useless against targeted attacks by a determined, well-resourced agency with an army of hackers, billions in funding, the law on their side, and a collect-it-all, subvert-every-protocol mentality. Lots of internet material out there on that.

The long term solution for general Tor users concerned about their inalienable privacy rights is not another protocol. Instead, it is massively increasing the population of Tor users and the size of the Tor network, and dispelling the urban myth that Tor = bad, just because some pedo somewhere is running a dodgy .onion.

All technology has potentially good and bad uses, so the propaganda is very heavy right now globally on this issue to ram through anti-democratic measures. The real aim of the power-brokers is, and has always been, control, particularly of political dissidents and reformists that threaten the status quo.

Does SSH over Tor fix my endpoints?

I agree with that. It’s the summary the wiki is provided to have.

Looks like we need various forms. Multiple summaries even. The very short one “forget about it”, the longer overview as well as the full documentation on the topic.

The only thing I am not sure about.

For someone who wanted to use I2P anyhow, I guess user -> Tor -> I2P -> destination is more anonymous than pure I2P?

Yes. Lots of people spend lots of time concentrating on that while totally ignoring other stuff such as keystroke based deanonymization attacks.


But if you would get a VPN that gave you dynamic IPs and dynamic DNS for easy access… wouldn’t that just make your traffic more encrypted, since the dynamic IP you would get assigned would hide you from the dynamic IP received from Tor, which hides the real IP? So hide + hide instead of just hide. Or am I misunderstanding some concepts here? Thanks


To simplify this for you: VPN = ISP. They all monitor even the ones that say they don’t. There are many reasons for this: data retention laws, liability, hacked by an Intel Agency and so on. Dynamic IPs don’t matter when they can see everything coming from your client.

And as mentioned already don’t get hung up on VPNs when there are a number of other important topics you need to be aware of for anonymity.


Hi there! Thanks for the answer!
You say that dynamic IP doesn’t matter because they all lead to my client, correct? But since I register and use the VPN on Whonix/Tor, wouldn’t my “real” client IP still be hidden and instead show the Tor IP (another dynamic IP)? Am I wrong?


Yes, Tor -> I2P is probably more anonymous.

@Mirimir might want to chime in on this, since he loves long VPN-Tor-other tunnels :wink:

Totally agree with what you say on other issues. The big gap in the anonymity sphere right now is widespread adoption of the Kloak tool to defeat biometrics of typing and use of something like Anonymouth for blogging.

The research is very scary around blogging and how quickly you can be pinned as the author of something online without disguising your writing style.

This is a massive blindspot for a lot of knowledgeable people, I think.

The other major problem is encrypted email providers that are easy to use, and which you can convince others to use. In that space, I think we should be adding Protonmail as a recommended encrypted email provider in the wiki, because, lets face it, our friends/family are never going to shift to PGP encryption because it is technically beyond them, and thus useless for mass adoption.

Protonmail on the other hand supports:

  • free sign-up;
  • 2FA;
  • no key management required (browser does all the encryption)
  • an encrypted inbox like RiseUp;
  • all emails encrypted to other Protonmail recipients by default;
  • SMTP/IMAP support is coming (soon compatible with Thunderbird et al.);
  • Tor Browser logins are okay;
  • PGP key integration is planned for the future for those that have them;
  • no IP logging by the provider; and
  • you can now login with just one password (not two, as previously required).

So, for usability and security trade-off (using a browser method currently), I think Protonmail is a reasonable recommendation. I suppose that security could be further enhanced with Tor Browser logins from a Whonix-WS Disposable VM.




  • free sign-up;
  • 2FA;

Don’t get @HulaHoop started on 2FA. :slight_smile:

  • no key management required (browser does all the encryption)

Can only be security by policy, meaning once they are forced or hacked
this can be disabled.

  • PGP key integration is planned for the future for those that have them;

If you don’t hold your private key alone only on your disk, then you can
almost ignore PGP.


Good day,

While what you’ve said is reasonable and something I very much agree with, the thing is that we currently have Riseup on our E-Mail page as well which is hosted in the US, not Switzerland and doesn’t make their entire source code open.

Being hosted in the US (at least for me) is a far bigger security issue than anything you might justifiably level against Protonmail, at least in my opinion. Also, they still haven’t stopped tweeting about birds, which is concerning: https://twitter.com/riseupnet/status/818846905270751233

Actually already has been implemented, though shouldn’t be used, as even if their open source code appears clean, whether they don’t deviate from their source on their servers is unknown.

Then again, if security really is the main goal, hosting a mail server yourself is the best solution. Making it secure isn’t hard anymore either, as mentioned before, since PM has made their source public: https://github.com/ProtonMail/

Have a nice day,


riseup.net likely compromised

Right, created riseup.net likely compromised for it.


I want to revisit this Protonmail issue in depth later on (time-allowing) and really dissect the security risks for Whonix users, since encryption is done client-side and not server-side, i.e. they hack the Swiss server -> doesn’t mean they get your stuff in the clear.

Hosting one’s own mail server is surely going to be beyond most users(?) and they would probably end up like Killary Clinton in all likelihood i.e. hacked.

So, if they have to individually attack every Tor user and (I think) 2 million Protonmail users to try and retrieve private keys, then good luck to them.

I also think that US-based services are probably a greater risk than most other factors right now, but I can’t back up that with any solid analysis.

Interesting that Rise-up is still tweeting inanities about birds and vultures while their warrant canary is almost 6 months overdue. Perhaps in the meantime they should update it as so:


Just came home from a vaca… Thanks for all the replies! It certainly helped!! I just cannot see how institutions like the police would be able to track you if you use whonix gateway+vm workstation+vpn - So could anyone please explain this? I really appreciate the time guys!


Whonix (and Tor) are not designed with the express purpose of evading law enforcement. One would hope that police capture criminals using lawful investigative techniques and good old-fashioned police-work. So your question is too broad for this forum.

Why do you persist with the “+vpn” when everyone has told you that user -> tor -> vpn is a bad idea? It’s a permanent exit node that weakens the endpoints of your traffic - and the endpoints are already the most vulnerable parts of any transmission. (The “dynamic IPs” that you mentioned are not “random IPs”.)

What you should be asking is, “Does Tor do what I think it does? What vulnerabilities does it have?” Tor is designed with a specific purpose - it’s not a magical invisibility potion. Start by reading the design paper, particularly 3.1 Threat Model. (You’ll see that using a vpn at the end of your chain might make Tor’s vulnerabilities easier to exploit.) Also read Whonix docs: Warning.

More generally, a good explanation from Paul Syverson on “tor-relays” ML:

As we wrote in 1996, “Our motivation here is not to provide anonymous communication, but to separate identification from routing. Authenticating information must be carried in the data stream… use of a public network should not automatically reveal the identities of communicating parties. The goal here is anonymous routing, not anonymity.”

In other words,


Hmm whoops yea - Thanks for the sum-up of the thread haha. So what is it actually that makes you harder to track? I thought Whonix and other services like this would make you feel more safe from hackers and people like that + security institutions. I will certainly read the docs more carefully. Thank you!

Btw I have now read the docs and things started to get clearer but I would still like an answer to the above :slight_smile: