Does installing Mullvad browser on the workstation seem like a reasonable solution for achieving Tor → VPN tunneling (for browser only of course)? Looks certainly better than using firefox with this or that extension or resorting to proxies.
I used the documented way for Tor → VPN in the past but that became much harder following the changes in upstream, as mentioned here:
Did anyone test it?
I’ve had success using Mullvad browser with the Mullvad vpn app. You have to change the vpn settings in the Mullvad vpn app to only use TCP to allow it to connect through Tor.
No further modifications? I had to follow their tor → vpn instructions with proxy settings in Mullvad browser (or same with firefox) to get it to work.
Now that I think about it, it this Tor over Tor…? @Patrick
Hard for me to comment as the content of external websites can change over time, making my comment outdated.
However, what I can say, that using command sudo apt install tor inside Whonix-Workstation won’t result in Tor over Tor thanks to:
Correct, more specifically:
No installations. Mullvad client isn’t required for this.
Essentially, the following lines are added to openvpn.conf:
route-nopull
route 10.8.0.1 255.255.255.255
socks-proxy 127.0.0.1 9050
Then a browser (either Mullvad browser, Firefox ESR, whatever) is configured to use SOCKS5 proxy with host 10.8.0.1 and port 1080 and “Proxy DNS when using SOCKS v5” is enabled.
I guess the essential question here, what happens if we use Tor port 9050 in the workstation in this way.
It’s clear only the browsers configured in this way have VPN connection and the rest of the workstation’s apps won’t. Not sure if it’s a big problem. The VPN after Tor setting isn’t used to increase anonymity but to deal with Tor blocking or restrictions (that mostly occur with websites). The consequences in case of no fail-safe mechanism are less severe than in other scenarios. Advantages include being able to use Tor directly when we need it, for example to update apt packages with Tor+ sources etc.
Other issues with this?
Tor port 9050 on Whonix-Workstation will use Tor on Whonix-Gateway. Unrelated to any VPN. That is what anon-ws-disable-stacked-tor is doing.
Thanks.
To set up openvpn as a systemd service without the Whonix modifications, I changed the suffix of
/lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf
so this file will be ignored.
Seems to work fine, but will my change persist through Whonix package upgrades? if not, what should I do that it will?
Either you need to:
(Documented just now.)
You can use anonymous view on Startpage search engine. It works great in Tor browser and you don’t need to install other browsers to bypass website blocks. I haven’t encountered any sites that block both Tor and Startpage proxies.
Related:
Thanks. Did you try it with registering / logging in to websites?
For registration - no. The sites, services, and social networks that I use in Whonix work with Tor. I don’t think it’s worth using Whonix for registering on resources that don’t respect Tor and track your behavior. In such cases need Mullvad
Mullvad (or other VPN service with similar policies and reputation) with Tor (Tor → VPN) seems to remove the need to trust the VPN completely. Why give my IP to the VPN provider? I also didn’t like the idea of (any) VPN client being installed, if openvpn can be used without one, that’s better. As for Mullvad browser, it being developed by Tor project gives it some points, but still the “separation of power” principle suffers here.
Of course the payment to VPN needs to be done in a very careful way or there is no point in Tor. But that’s another topic.