Okay. Got my feet wet with:
Will a VPN Service Protect Me?
3 Planning Advanced VM and VPN Setup
7 Paying Anonymously with Cash & Bitcoins
8 Creating Nested Chains of VPN’s & Tor
The guides were very well-written and mostly approachable for computer-literate newcomers. I especially liked Planning Advanced VM and VPN Setup and its emphasis on compartmentalization with regard to identities. I thought the strategies were well reasoned and balanced, especially in light of the fact that he has a vested interest in promoting VPN use. I think he does a good job of outlining potential pitfalls. The author has a fully functional tinfoil hat (see DNA obfuscation for cash transactions).
It’s not surprising that many of his thoughts coincide with what I’ve read on whonix.org. After all, he’s a fan of Whonix docs:
(comments from Advanced Privacy and Anonymity Using VMs, VPN’s, Tor – Part 7)
This information [guide] is far more valuable than even the whonix documentation at the official site and that is saying something because the whonix documentation is very well done.
May 25, 2014 at 6:49 am
I must disagree about the Whonix documentation, though. That is far more comprehensive.
The first thing that should be pointed out is that the guides are over two years old - Qubes was in its early versions and Whonix-Qubes did not exist at the time. The setup in the guides is unnecessarily complicated and as Ego pointed out, inefficient in resource usage.
In terms of specific configuration recommendations, well, there aren’t any. mirimir himself points out that the setup is arbitrarily complex, implying that the optimal number of hops is unknown. The basic example shown in Creating Nested Chains of VPN’s & Tor can be diagrammed as follows:
user → VPN1 → VPN2 → Tor → VPN3 → destination
To use the classifications from Will a VPN Service Protect Me? where you mentioned you were concerned about the 8th threat model, Whonix by default is configured to deal with the 5th threat model (user → Tor → destination).
For censorship circumvention, Whonix provides access to bridge relays and provides methods for users to implement additional measures on their own (user → proxy / bridge → Tor → destination). (Not all of which are entirely recommended.)
In any setup, VPN3 should only be used when required since it is harmful to anonymity.
There is also a disagreement in philosophy. Whonix docs tend to favor tested / audited / large(r) anonymity set methods that leave little room for fatal user error. While VPN use and chaining is certainly not experimental by any means, the user base that might implement the example setup would be very small indeed. My bigger concern is the potential for user error, especially managing rarely-used critical identities.
The justification in the guide for adding 2 VPN hops before entering Tor is to provide a backup layer should a method for deanonymizing Tor users be discovered. VPN1 is hosted by a popular service in a non-suspicious locale (such as a Five Eyes country) and is used to hide Tor usage. VPN2 is designed to distribute the trust placed in VPN1 and also provide obstacles against provider cooperation by being located in a non-cooperative region. The reasoning goes: if Tor is compromised, the attacker would then need to successfully attack 2 additional entities to reveal the target. Would an adversary that has the resources to break Tor be able to compromise 2 VPNs? If yes, are there any number of VPNs that could stop this attacker?
Tunnels before and through Tor is one of the most popular topics on this forum. The documentation is also very in-depth. You should be able to find all the info you need in those two places. Unfortunately, you’ll have to decide for yourself what configuration best fits your threat model. The good news is that most configurations are quite straightforward to set up.
user → VPN1 → Tor → VPN2 → destination
can be set up with nothing but Whonix Gateway & Workstation.
Just remember, if you screw up signing up for / paying for VPN2, you might as well not be using Tor at all.
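As an added illustration, not part of the post above or of mirimir's guides, here is a small Python model of the chain notation used in the thread (user → VPN1 → Tor → VPN2 → destination and so on). It encodes the guide's reasoning that each hop is an entity an adversary must control, plus the post's warning about paying identifiably for the VPN after Tor, and enumerates the minimal sets of hops that must be controlled to link the user to the destination. Everything in it is an assumption for the sake of the model: each hop sees only its neighbours; the first hop sees the user's real address; a hop paid with a card or other identifying method can name the user even when the traffic arrives through Tor; Tor is treated as one entity (the "Tor is compromised" case); and end-to-end traffic correlation by a global observer is deliberately not modelled. The function names and the chain labels are mine.

```python
from itertools import combinations

# Constructed model of the chain notation used in the post: a chain is the ordered
# list of intermediaries between "user" and "destination", e.g. the guide's
# user -> VPN1 -> VPN2 -> Tor -> VPN3 -> destination becomes
# ["VPN1", "VPN2", "Tor", "VPN3"]. Tor is treated as a single entity, which is the
# "Tor is compromised" (entry/exit correlation) case the guide reasons about.
#
# Assumptions of this model (not from the post):
#   * every hop sees only its neighbours: who handed it the traffic and where it
#     forwarded it;
#   * the first hop always sees the user's real (ISP) address;
#   * a hop whose account was paid identifiably (card, PayPal) can attribute the
#     traffic to the real user even when the packets arrive via Tor;
#   * end-to-end traffic correlation by a global observer is NOT modelled; that is
#     the capability the post's "adversary that has the resources to break Tor"
#     question hints at, and adding hops does not help against it.


def links_user_to_destination(chain, compromised, identity_known_to):
    """Can an adversary holding `compromised` connect the user to the destination?

    Only the last hop sees the destination. Working backwards from it, every hop
    must be compromised until we reach a hop that can name the user, because a
    non-cooperating hop in between mixes the traffic with its other users.
    """
    known = set(identity_known_to) | {chain[0]}  # first hop sees the user's IP
    for hop in reversed(chain):
        if hop not in compromised:
            return False
        if hop in known:
            return True
    return False


def minimal_linking_sets(chain, identifiably_paid=()):
    """Return the minimal sets of hops an adversary must control to link the user
    to the destination, as a list of frozensets (smallest first)."""
    found = []
    for size in range(1, len(chain) + 1):
        for combo in combinations(chain, size):
            candidate = frozenset(combo)
            if any(smaller <= candidate for smaller in found):
                continue  # a proper subset already suffices, so not minimal
            if links_user_to_destination(chain, candidate, identifiably_paid):
                found.append(candidate)
    return found


def describe(label, chain, identifiably_paid=()):
    """Print the chain and the hops that must be controlled; returns the sets."""
    sets = minimal_linking_sets(chain, identifiably_paid)
    arrow = " -> ".join(["user", *chain, "destination"])
    print(f"{label}: {arrow}")
    for s in sets:
        print(f"  must control: {', '.join(sorted(s, key=chain.index))}")
    return sets


if __name__ == "__main__":
    # Whonix default (the post's 5th threat model): one entity to break.
    describe("Whonix default", ["Tor"])
    # The guide's nested chain, every VPN paid anonymously: four entities.
    describe("Nested chain, anonymous payment", ["VPN1", "VPN2", "Tor", "VPN3"])
    # Same chain, VPN2 paid by card: VPN1 no longer adds anything.
    describe("Nested chain, VPN2 paid by card",
             ["VPN1", "VPN2", "Tor", "VPN3"], {"VPN2"})
    # The Gateway + Workstation setup from the post, with the post-Tor VPN paid
    # identifiably: VPN2 alone can name the user and sees the destination.
    describe("VPN through Tor, VPN2 paid by card", ["VPN1", "Tor", "VPN2"], {"VPN2"})
```

Running it prints the chains and, for the last case, a single hop (VPN2) as the set that must be controlled, which is the "might as well not be using Tor at all" situation the post ends on. The model's omission of traffic correlation is the important caveat: under that attacker, the count of hops says nothing, which is the point of the question about an adversary able to break Tor.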