Hello,
I would like to set up a configuration on Qubes like this:
User → VPN (installed in a proxyVM) → sys-whonix → anon-whonix → Internet
So, the middle column in this link: Combining Tunnels with Tor
My problem is I’m not willing to reinstall the VPN into the sys-whonix gateway (as the documentation says “If the VPN is installed on Whonix-Gateway / When Whonix-Gateway ever gets compromised => you’re left without any protection” (see table Connecting to a VPN before Tor)), and the documentation on this subject (Connecting to a VPN before Tor) only discusses how to configure this setup on the host (so here the proxyVM) by reinstalling your VPN using a firewall program to prevent data leaks: GitHub - adrelanos/vpn-firewall: Leak Protection (Fail Safe Mechanism) for (Open)VPN
The documentation is well written and helps with installing this very useful program on the host (VPN-Firewall: Enforce use of a VPN), but as I had difficulties making my VPN work on a proxyVM, I have no idea whether I should try this option or not, whether it would work in my case, and whether I really need to, as the official Qubes documentation on VPNs already looks quite restrictive using openvpn and iptables, especially with these 2 lines:
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
It might look kinda funny, but I am using a VPN connected through the UDP protocol, and I recently read that Tor uses TCP. If this is the unique cause that explains the fact my VPN refuses to connect to sys-whonix, well then sorry for not being very well informed and being ignorant enough to wait for 2 protocols to magically join, lol, but then I guess random newbish people would really appreciate one contribution specifying this precious information under the paragraph “How to add the VPN in Host OS”, as I guess not every user actually knows Tor connects by default through TCP.
Also, the Qubes documentation is a little outdated on TorVM and redirects to Whonix, which in return doesn’t explain very clearly how to deal with this User → VPN → Tor → Internet problem when you don’t want your VPN to be installed into the Whonix gateway and exposed in case the Whonix gateway gets compromised. Blurred lines
Sorry for the criticism, but I feel like there is some sort of gap in the documentation there, as the other way around, this subject is way better documented (Connecting to Tor before a VPN, see “Separate VPN gateway”).
In my case I’ll just switch my VPN gateway / protocol and see if it fixes my issue, hoping nevertheless that Qubes & Whonix will unify their respective documentation a bit more clearly concerning VPN → Tor relationships, because it looks really extremely complex at first sight (hf configuring torrc when you’re new t_t).
And also I guess the documentation could be much simpler by presenting the options in a more accessible view like:
User → VPN → Tor → Internet, if you’re looking for a stronger anonymity configuration overall
User → Tor → VPN → Internet, if you’re looking for a stronger security configuration overall
I know that bad settings between VPN and Tor might end up making your anonymity less secure than if you were only using Tor, but at the end of the day, I guess everyone can understand that a VPN provider is a service generally bound to different state authorities, which acts as a bottleneck for your data, whatever log policies are used, whereas Tor is a non-profit organization created at the start by mathematicians in a US Navy research laboratory to make sure everyone remains anonymous on it with little configuration, and the more people use it, the more chance you have of a secure network, which is a kinda different philosophy. That’s why I trust Tor way more than my VPN provider; I prefer the idea of wide open spaces to narrow streets when I think about freedom lol
Thanks for reading
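An added example, not part of this post or of the Qubes/Whonix documentation: a small Python check that shows what the two `iptables -I FORWARD ... eth0 -j DROP` lines quoted above actually do in the VPN proxyVM. It parses a FORWARD chain in iptables-save syntax (both rule sets below are constructed samples, and the interface names `vif3.0`, `vif+`, `tun0` and `eth0` are assumed), replays first-match evaluation for a forwarded packet, and reports whether a downstream qube's traffic could bypass the tunnel and leave via eth0.

```python
"""Check whether a proxyVM's FORWARD chain could forward a downstream qube's
packets straight out of eth0 instead of through the VPN tunnel (tun0).
Both rule sets are constructed samples in iptables-save syntax, not dumps
from a real qube."""
import re

# Constructed: FORWARD chain with nothing blocking eth0 (policy ACCEPT).
WEAK = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i vif+ -o tun0 -j ACCEPT
COMMIT
"""

# Constructed: same chain after the two `iptables -I FORWARD` lines from the
# Qubes docs; `-I` inserts at the top, so they sit before every other rule.
HARDENED = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i vif+ -o tun0 -j ACCEPT
COMMIT
"""

RULE = re.compile(r"^-A FORWARD(?: -i (\S+))?(?: -o (\S+))? -j (ACCEPT|DROP)$")

def parse_forward(dump):
    """Return (chain policy, [(in_iface, out_iface, target), ...]) in rule order."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        m = RULE.match(line)
        if m:
            rules.append(m.groups())
    return policy, rules

def iface_match(pattern, iface):
    """iptables '+' wildcard: 'vif+' matches vif3.0, vif12.0, ...; None matches any."""
    if pattern is None:
        return True
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern

def verdict(dump, in_iface, out_iface):
    """First matching rule decides; otherwise the chain policy applies."""
    policy, rules = parse_forward(dump)
    for i, o, target in rules:
        if iface_match(i, in_iface) and iface_match(o, out_iface):
            return target
    return policy

def leaks(dump):
    """True if a downstream qube's packet could be forwarded directly out of eth0."""
    return verdict(dump, "vif3.0", "eth0") == "ACCEPT"
```

With the hardened chain, traffic from the downstream qube is still accepted towards tun0, but any forward in or out of eth0 is dropped, so if the tunnel goes down the packets are discarded rather than sent in the clear.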