Safe to run openvpn inside the Whonix Workstation?

So many websites don’t work for me over Tor. I thought I’d try use the Whonix workstation as you normally would, over Tor through the Whonix gateway, but connect the Whonix workstation to my VPN.

So I’d basically run openvpn inside the Whonix Workstation.

Is this safe?

By safe I mean, I know it is not as secure as just using Tor, since I would put my trust in the VPN provider. By safe I just mean if it has some known issues like it breaks the Whonix Workstation, or it is a really bad idea for reasons I don’t know.

Hi rob75

A VPN is not going to break the Workstation unless you start messing with things you don’t understand. Stick with the documentation. Adding tunnel links creates additional complexity which can cause not just a configuration mistake but can also cause someone to shoot themselves in the foot. My advice: read the documentation carefully and don’t add a tunnel link until you are comfortable that you understand the risks and what you need to do to minimize them. I say minimize because you can never completely eliminate risk.

First, carefully read Combining Tunnels with Tor.

https://whonix.org/wiki/Tunnels/Introduction

Then read,

https://whonix.org/wiki/Tunnels/Introduction#Connecting_to_Tor_before_a_tunnel-link_.28proxy.2FVPN.2FSSH.29

Next,

https://whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN

Lastly, Come back here and I’ll do my best to answer your questions. :slight_smile:

2 Likes

Much appreciated as always. You always provide very good links, I’m sorry I’m not familiar enough to find them on my own.

I’m curious, since there are quite a few steps to undo the protections in the Whonix Workstation just to make this happen, what about just using a regular Linux distribution?

If I don’t care if it fails open, and using Tor just to bypass Tor censorship to normal sites and don’t need onion sites, then are there any security concerns with using a normal distribution like Ubuntu?

It seems VirtualBox uses the system time by default, so the clock inside VirtualBox guest is the same as the host. I assume this is a problem?

Anything else?

Hi rob75

It’s safer to use Whonix-Workstation.

https://whonix.org/wiki/Other_Operating_Systems

Using a default workstation is easier and provides more security out of the box! It is your responsibility to get the same security features for a Whonix-Custom-Workstation.


https://whonix.org/wiki/Host_Operating_System_Selection#Recommended_GNU.2FLinux_Distribution

For other reasons not to use Ubuntu or Ubuntu-derived distributions, expand this section.


There was a discussion started recently about Whobuntu

https://whonix.org/t/comments-and-thoughts-on-whobuntu/7012

https://whonix.org/wiki/Ubuntu

Whonix uses sdwdate. If you use a custom Whonix-Workstation (Ubuntu) you would be more susceptible to time attacks.

1 Like

I see.

It seems the most complex topic for many (and me) is time attacks.

I understand that it is easy to make mistakes, e.g. overlook something, so I’m asking just because I’m curious and would like to understand more about timing attacks.

If I set my time zone to UTC, same as Whonix Workstation, disable VirtualBox time sync, disable any operating system time sync, and then add some random number of seconds to my time, is this as good as sdwdate?

What is the difference? Is it possible to explain in simple terms?

I would not have a correct time, but I don’t really care about that.

Hi rob75

I don’t think so. It’s possible to prevent clock leak vectors, but I’m not sure it’s that easy.

  • Time is very important for system stability.
  • You would have to remember to do this whenever you rebooted the VM or when starting a new VM for a separate identity.
  • Time skew Fingerprint?

I understand the purpose of sdwdate. But I don’t think I have the understanding of sdwdate/time attacks/mitigations like Patrick, so I’m going to have to refer you to the documentation. I don’t want to give you incorrect information because it’s possible (likely?) I would miss something.

1 Like
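A worked illustration of the “time skew fingerprint” point raised in the reply above. This is an added example, not code from the thread, from Whonix or from the sdwdate project, and it makes no claim about how sdwdate itself works. The sessions and timestamps are constructed; the “client time” column stands for any protocol field that carries the guest’s local clock (for example a timestamp a client application puts in a request) and the “server time” column is when the remote side received it. The point it shows: if you add one random offset to the clock and keep it, every session from that VM carries the same skew and can be grouped together, while an offset re-drawn at every boot (or an accurate clock that blends into the crowd) does not link sessions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One request as seen by a remote server (constructed data, not real captures)."""
    session: str
    server_time: int   # epoch seconds when the server received the request
    client_time: int   # epoch seconds the client's own clock reported in the request

    @property
    def skew(self) -> int:
        # Positive means the client clock runs ahead of the server clock.
        return self.client_time - self.server_time


# Constructed sample. Three groups of sessions:
#   c*  = users with an accurate clock (skew about 0), the "crowd"
#   f*  = one VM that added a fixed random offset (+347 s) once and kept it
#   r*  = one VM that draws a fresh random offset at every boot
OBSERVATIONS = [
    Observation("c1", 1_700_000_000, 1_700_000_000),
    Observation("c2", 1_700_000_100, 1_700_000_101),
    Observation("c3", 1_700_000_200, 1_700_000_199),
    Observation("f1", 1_700_000_300, 1_700_000_647),
    Observation("f2", 1_700_010_000, 1_700_010_347),
    Observation("f3", 1_700_020_000, 1_700_020_348),   # one second of drift
    Observation("r1", 1_700_000_400, 1_700_001_301),   # boot 1: +901 s
    Observation("r2", 1_700_030_000, 1_700_029_700),   # boot 2: -300 s
    Observation("r3", 1_700_040_000, 1_700_040_052),   # boot 3: +52 s
]


def cluster_by_skew(records, tolerance: int = 2):
    """Greedy one-dimensional clustering: sort by skew and start a new cluster
    whenever the gap to the current cluster's first member exceeds `tolerance`
    seconds (tolerance absorbs network latency and small drift)."""
    clusters = []
    for rec in sorted(records, key=lambda r: r.skew):
        if clusters and rec.skew - clusters[-1][0].skew <= tolerance:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters


def linked_sessions(records, tolerance: int = 2):
    """Map the skew of each cluster that holds more than one session to the
    session ids in it. Sessions in such a cluster are linkable by clock skew
    alone; a cluster of size one gives the observer nothing to join."""
    return {
        cluster[0].skew: [r.session for r in cluster]
        for cluster in cluster_by_skew(records, tolerance)
        if len(cluster) > 1
    }


def is_isolated(session_id: str, records, tolerance: int = 2) -> bool:
    """True when the session shares its skew cluster with no other session."""
    return all(session_id not in ids for ids in linked_sessions(records, tolerance).values())


if __name__ == "__main__":
    for skew, ids in sorted(linked_sessions(OBSERVATIONS).items()):
        print(f"skew {skew:+5d} s links sessions {ids}")
    for sid in ("r1", "r2", "r3"):
        print(f"{sid} isolated: {is_isolated(sid, OBSERVATIONS)}")
```

The crowd cluster (skew near zero) also links its members to each other, but that is a large, uninformative set; the fixed +347 s cluster contains only the one VM, which is exactly the fingerprint. The per-boot offsets leave each session alone in its cluster. This is the shape of the problem, not a proof that any particular scheme is safe; the real leak vectors and their mitigations are what the linked documentation covers.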

It is safe (assuming you are not leaving a paper trail) in the sense that running it won’t leak your IP. However, for long-term browsing usage you will stick out, since now all the sites you visit can be linked to each other, as no per-tab Tor stream isolation is possible like all normal Tor Browser users have.

1 Like