Separate VPN gateway before Tor ?


I would like to set up a configuration on Qubes like this :
User → VPN (installed in a proxyVM) → sys-whonix → anon-whonix → Internet

So the middle column on this link Combining Tunnels with Tor

My problem is I’m not willing to reinstall VPN into the sys-whonix gateway (as the documentation says “If the VPN is installed on Whonix-Gateway / When Whonix-Gateway ever gets compromised => you’re left without any protection” (see table Connecting to a VPN before Tor)) and documentation on this subject ( Connecting to a VPN before Tor ) only discuss on how to configure this setup on the host (so here the proxyVM) by reinstalling your VPN using a Firewall program to prevent data leak : GitHub - adrelanos/vpn-firewall: Leak Protection (Fail Safe Mechanism) for (Open)VPN

The documentation is well written to help installing this very usefull program on the host VPN-Firewall: Enforce use of a VPN, but as I had difficulties to make my VPN work on a proxyVM, I have no idea I should try this option or not, if this would work in my case and if I really need to as the official Qubes documentation on VPN looks already quite restrictive using openvpn and iptables (Redirecting…), especially with those 2 lines :
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP

It might looks kinda funny but I am using a VPN connected through UDP protocol, and I recently read that Tor is using TCP. If this is this unique cause that explain the fact my VPN refuses to connect to sys-whonix, well then sorry not being very well informed and ignorant enough to wait for 2 protocols to magically join, lol, but then I guess random newbish people would really appreciate to have one contribution precising this precious information under paragraph “How to add the VPN in Host OS”, as I guess not ever user actually knows Tor connects by default through TCP.

Also Qubes documentation is a little outdated on TorVM and sends back to Whonix, which in return don’t precise very clearly how to deals with this User → VPN → Tor → Internet problem when you don’t want your VPN to be installed into Whonix gateway and be exposed in case Whonix gateway was compromised. Blurred lines :slight_smile:

Sorry for the critics, but I feel like there is some sort of lack in the documentation there, as in the other way, this subject is way more documented (Connecting to Tor before a VPN see “Separate VPN gateway”).

In my case I’ll just change switch my VPN gateway / protocol and see if it fix my issue, hoping nevertheless Qubes & Whonix will unify a bit clearer their respectives documentations concerning VPN → Tor relationships, because it looks really extremely complex at first sight (hf configuring torrc when you’re new t_t).
And also I guess documentation could be really more simple by presenting options in a more accessible view like :
User → VPN → Tor → Internet, if you’re looking for a stronger anonymity configuration overall
User → Tor → VPN → Internet, if you’re looking for a stronger security configuration overall

I know that a bad settings between VPN and Tor might end up by making your anonymity less secured than if you would only using Tor, but at the end of the day, I guess everyone can understand a VPN provider is a service generally bound with different states authorities, which is acting as a bottle neck concerning your data, whatever log policies are used, where Tor is an non profit organization created at start by mathematicians in US Navy laboratory research to make sure everyone remains anonymous on it with few configuration, and that the more people use it, the more chances you got to have a secure network, which is a kinda different philosophy. That’s why I trust way more Tor than my VPN provider, I prefer the idea of wide open spaces than narrow streets when I think about freedom lol :slight_smile:

Thanks for reading

I changed my openvpn settings from UDP to TCP, now I can connect the VPN proxyVM to sys-whonix gateway, nice :slight_smile:
Unfortunately I am still blocked, I didn’t find how to connect with Tor under this set-up :confused:

Replied on qubes-users:

This is true. Whonix documentation re: tunnels hasn’t been fully updated yet for Qubes users.

The Qubes documentation you should be referencing is this one:
not the TorVM one.

Do not mix unrelated guides - TorVM vs Whonix VPN-Firewall vs Qubes ProxyVM.

Other topics (gateway compromise, udp/tcp) discussed in link.

What is missing?

Haven’t fully grasped this yet. Will later.

Does Separate VPN-Gateway (User -> Tor -> VPN -> Internet) apply?
Connecting to Tor before a VPN

Don’t mind. :slight_smile:

I don’t think it can be dumbed down as far. I wouldn’t want to make a statement as strong as an encouragement. It’s too complex, too dependent on assumptions and goals to do that. Hence only complexity is provided for advanced users to make an informed decision.

Sorry, posted in haste. I was thinking that Connecting to a VPN before Tor could use a subsection regarding Qubes. Just a description of vpn in proxyVM + links to Qubes vpn docs - full howto belongs over there I think. [I’ll add it to my list lol.]

Couple things I missed in previous post:

Yes, AFAIK the main advantage of VPN-Firewall is that it defeats shared Tor/VPN server leaks. If that’s important to you, VPN-Firewall will work in a proxyVM. Otherwise, the Qubes docs present a much simpler iptables ruleset.

This is not strictly correct. Each configuration will give you a different security/anonymity profile. For example, in the latter case, can you increase your security by becoming less anonymous - as arguably user → Tor → VPN promotes?

1 Like

I didn’t do a good job of communicating this, but Qubes ProxyVM VPN instructions also defeats shared Tor/VPN server leaks. Only the OpenVPN user is allowed to connect to external targets, so even if the VPN breaks down, Tor from the VM behind the ProxyVM cannot establish direct connections.

1 Like

Thanks a lot for your answer, I’ll answer you there.

Well, considering all VPN services are all about circumvent the law to download content that is restricted or prohibited under a specific State policy, I’d say it is as hypocrite as people living foreign to avoid paying taxes of theirs natives countries. So I would say the idea to oppose the same way security and anonymity on a tool which destination use is specifically made to make you live virtually somewhere else doesn’t make a lot of sense imo.

Your question is a bit like : “if you steal an apple in a grocery store with no crowd, will it expose you more being detected by the seller and then go to the police ?”. The answer looks quite obvious at first sight. But now if you say the problem is not really how the environment will provide you some sort of “crowd-funded-not-being-caught-firewall” (lol), but if the thief is experimented enough on how to hide himself, then you got your answer. And I see a VPN using encryption being more secure than Tor this way : it doesn’t matter if you’re less anonymous or not as long nobody can access what you’ve done, except you and your own consciousness.

Same reasoning as just before, but I’d say it makes even more sense when you think about Qubes as a revolutionary OS that might look less anonymity-oriented than Whonix at first sight, but that I personally consider more secured than Whonix if you think about security as a way to make as if things didn’t ever happen in reality, without leaving many traces behind you (like the disposable VM), or that you can go back in few clicks and delete a VM if you’re victim of a hacker.

I mean if Tor has such a bad reputation, it is because it is used by cyber criminals and they can do wrong w/o being tracked. Using Tor looks suspicious now because of those assholes. If the goal of Whonix is to provide an automated way to isolate people using safe protocols, attack surface reduced, isolate from security breaches while using Tor, then you can see it as a great invention to help people like Snowden to reveal mass surveillance from PRISM, to help activists or just random people willing to avoid mass surveillance. But you have to assume that you might also help criminals or bad people to hide…

So I wouldn’t say this idea can be “dumbed down as far”, because Tor has been released publicly by US Navy at first to make sure that they are not visible while using it and that the more it is used, the more people will benefit from anonymity increase. I am pretty sure every year that new people join the network, Tor becomes slowly more secured, if you think about security as 1 guy caught on 100 others not being caught while doing exactly the same legal or illegal activity (like to reveal your bank is full of corrupted folks laundering money on tax havens or to buy a weapon on the darknet, for instance). Anyway you can’t really P2P and download illegal content on Tor, it has not been made for, so this way I wouldn’t say it is less secured overall than a VPN, as obviously every people interested locally in open source and collaborative knowledge / share don’t really consider a lot huge globally industries making giant profits. It is just two different world right now, as producers founding those big movies are unfortunately themselves part of the oligarchic capitalist void that don’t give many fucks on ecological very urgent problems, like for instance earth is dying and next generation kids will suffer from apoplexy if they luckily survive fires, floods and tornados ._. (you don’t see many movies on this subject tbh, apart shitty disaster movies that make nobody acts conscientiously).

So to return to the subject, I was willing to configure my VPN before Tor to get rid of mass surveillance and on confidentially ethic bases. But this is a bit irrelevant as anyway my VPN provider got my address and I do personally believe you can’t be anonymous on the Internet right now, it is a myth ^^ It is a bit like to wear a mask and think you’re the king of the universe lol, but at some point, even if you used it only to have big sexual parties in Venise like Casanova in person, you need to remove it to brush your teeth lol :smiley:

No my idea here on Qubes OS was more to learn how to create a website and rule a server on my local machine as if it was distant (I am only using Linux since 2-3 months), because I find great that Qubes centralized different systems and then allows you eventually to host a website during a day on your machine, while remaining safe if eventually your VM was compromised and stay free do to other things while hosting :slight_smile:

But it looks indeed very complex, I read a lot documentation but I didn’t really understood how iptables nat work on Qubes. I probably should try to host a website locally from a VM first and just secure the VM without entering those gateway routes complications, as even if you can bypass the fact VM don’t communicate each others by default, I didn’t find how to bypass the iptables routes by default ^^

entr0py I’ll answer you on Google, as indeed I guess my problem is more Qubes specific (I still can’t connect my VPN to sys-whonix).

What makes me kinda sad when I look on difference between computers at the very beginning and now is that the only way to be secured is to be offline. As simple as the way computers work : 0 you’re safe, 1 you’re gonna get hacked or compromised. This is also why I think Tails or Qubes are more secured than others OS : they allow you to have a part of your computer that isn’t bound to the evil malicious hackers world… If you’re connected, it will take 1 week, 1 month, several years, but you can’t say your data are safe and secured as long as you’ve got an ethernet cable connected to your computer and your data are not isolated from it…

I have a big respect for the work done here on Whonix but honestly I find quite surprising that main developper here calls me dumb just bc he gots some coding development knowledge that I obviously don’t have. I’ll tell you why : if you look at war EU nation made to themselves through millennia, what finally brought security and peace to people ? Nuclear deterrence. It’s sad to say, but it’s he concept that the guy who is gonna attack me is gonna be wiped off the map. And I don’t get why cyberwar would have to be thought differently.

I don’t have any problem with people that think they will make the internet more secured by building some fortresses, but I think you’re wrong. The day one guy will develop a code that sends back to the attack a shit so huge that his hardware is either broken, either he can’t reinstall his OS, either he’s good to go cry to his mom, then ok, we might then seriously talk about security or anonymity over the internet.

I honestly do think genius people using their knowledge to bring more security by building strong defenses should instead install Kali linux and think about writing a global security script able to offensively reply to a wide kind of attacks, so the hacker don’t try again, or at least, he knows that if he does it, he is gonna loose big deal. Or a script that allows you to automatic reinstall your computer after being attacked…

If you think at peace as just a situation where humans stopped to make war just because it means to them “I will destroy myself if I attack”, I don’t see any other way to make sure internet will become safer in the future.
So I’d say to you a bit ironically that yea you can call me dumb if you want because you know how to build a complex script and I don’t, but still I think Tor → VPN → Internet is way more secure as there is less time and efforts to make this setup work and to have an encrypted output, which is overall safer. Also Qubes showed a strong reflection on links between persistence and security that I guess Whonix did not conduct at the very beginning (I noticed you can now configure anon-whonix like a dispVM). Also what’s security ? Is security provided by anonymity ? This is bullshit to me. You don’t know my story, but even if you would know it, would it make me less secure ? You was right saying it is complex, but I don’t think advanced users are more secured thinking about complexity this way. Saying a lot on a channel that you assume being secured don’t make more sense than saying few in a dangerous area. I can tell about it : danger comes more from trusting relatives or people that might betray you than showing no trust where you should. I got mostly fascist rats in my family and what I can say right now is that the best way to secure yourself is to make sure rats don’t have anymore access to you.

Google or Facebook surely knows about it as they log every data around (PRISM…) and I seriously don’t give a fuck about it as I don’t even use my VPN to tell them ublock origin sends back nothing to them, so I’m telling them “I disapprove this policy”. I suppose they already know what I’ve been through anyway. But I can tell you I don’t believe in this view, that anonymity provides security. I believe in trust and also fucking ads / shit policies that don’t respect dignity or privacy. One might think being anonymous makes you more secure nowadays, but I guess you’re less secure sending data to third parties with shit fingerprinting on an Tor exit node watched by the NSA than on your own ISP IP with ublock origin hard mode well configured, lots of addons, and a fingerprinting Firefox browser that makes almost no difference with Tor browser. That’s how you becoming one with the crowd Not feeling different. Why should you always be considered as a threat in our paranoid societies.
And it’s interesting because with almost the same amount of differences on Firefox and Tor that make my browser looks the same than the one from another guy (like a standard deviation), the probability that he has the same configuration than me is less important on Tor than on Firefox. It joins what I was saying about the fact the more people use Tor and look exactly the same (by default), the more you will be hidden just by bringing you in the middle of the Gauss curve. Unfortunately generally speaking people using their standard IP don’t usually configure their browser to make it look like Tor or people using Tor don’t make sure to have control over what they send, over outgoing network.

I am sorry you perceived it that way. I am not a native English speaker so I may have misused the phrase “dumb it down”.

What I meant to say was “I believe the topic is too complex to summarize it as User -> VPN -> Tor -> Internet, if you're looking for a stronger anonymity configuration overall or so.”. So please scratch the word “dumb”.

No worries, I reacted very poorly to your sentence and indeed overreacted. Sorry about that, I apologize. I am borderline so don’t pay attention on what I said, I was probably trying to get some attention as was probably feeling alone on the moment, my life kinda sucks.

I didn’t want either to offend you as I have big respect for the huge and impressive work done here on Whonix. It is a great project and I am pretty sure every people are very thankful about what you’ve done here.

I just wanted to say, in a bit ankward way because I am also not a native english speaker, that I feel a bit depressed about having to reinstall over and over your system. I left Windows 3 months ago after having infected by a very strong rootkit virus, I started by Debian in the Linux world, where everything happened fine although a distribution quite complex for a Linux beginner, then I got hacked on Linux Mint, security looked kinda poor imo or maybe I just downloaded an infected iso, I don’t know (now I verify every iso with gpg I get the lesson ^^). I should have tried openSuse instead, a german distribution that I find entertaining as they offer auto-updates for hardware with the Tumbleweed rolling release : )

That’s why I was trying to tell you that even if I really appreciate Whonix, I am pessimistic about the fact we are late against global mass surveillance and that defensive options should be considered in a more offensive way. That doesn’t mean that I don’t trust Whonix, it is strong project and the idea to separate 2 VMs making Tor go through a tunnel so if the first gets exposed the other is safe is just a great idea. But as you don’t have a lot of fortified castle still standing in EU, I just wanted to tell you that with your important coding knowledge you might be usefull to projects oriented on offensive security (e.g. making a code that might answer to attackers). I mean I don’t know why the only way to get rid of cyber attacks and reach peace on internet should be different than what we observed in the real life. At the end of the day, if we’re living in peace right now in EU is because you have this thing called nuclear bomb. It’s sad to say, but it’s a fact… Humanity sucks, to reach peace, you have to test it out weapons, how fun :confused: