User → Tor → VPN → Internet

merke · March 27, 2022, 3:47pm

I am new to Whonix.

When setting up VPN on Whonix workstation

According to

User → Tor → VPN → Internet
Tor onion services (onion) Connections not supported or not works on Workstation .

I would let tor-browser connects normally as it is over VPN in workstation without to show VPN IP

Same as normal setup :
Host ----VPN---- Tor browser

Is this possible ?

Patrick · March 28, 2022, 11:21am

Expected. This is mentioned in documentation.

user -> Tor -> VPN -> onion is impossible.
user -> VPN -> Tor -> onion is possible.

For that please follow the specific guides. Starting from Combining Tunnels with Tor is correct and then go to the instructions for the method which you’re interested in.

merke · March 28, 2022, 7:04pm

I followed guides but i dont unterstand yet
what sheme do i have if use torbrowser over vpn both in workstation ?

according to this :
user → gateway → worksattion ->vpn–>torbrowser

onion impossible?

Patrick · March 28, 2022, 9:13pm

No.

merke · March 28, 2022, 10:08pm

you mean its possible?
if not : how about tor bundle?

Patrick · March 29, 2022, 2:43pm

No.
= Not possible.
= Impossible.

merke · March 29, 2022, 7:54pm

thanks
thas sounds strange
coud you explain reason why onion will not work

Patrick · March 30, 2022, 2:11pm

It’s already mentioned on that wiki page.

merke · March 30, 2022, 7:48pm

Alright
This is because Tor Browser can no longer access Tor’s ControlPort (onion-grater) on Whonix-Gateway ™.

is the same if another Linux distro is used instead of whonix workstation?

Patrick · March 30, 2022, 8:53pm

No.

Why? To find out:

go to Combining Tunnels with Tor
use the inside browser search and search for:

onion

search more
You’ll find:

This configuration prevents access to Tor onion (.onion) services. [XX]

If you want to dig deep, read the footnote.

Same.
No difference.

This is unspecific to Whonix. In doubt, I recommend Free Support Principle.

merke · April 1, 2022, 6:20pm

Correct
I found it
When configuring User → Tor → proxy/VPN/SSH → Internet, it is impossible to connect to Onion Services because the last server is not a Tor relay. The only exception is running another Tor client on top, but this would lead to a Tor over Tor scenario which is discouraged for security reasons.

what i don’t understand

—because the last server is not a Tor relay—

Assuming last server its a VPN ?

why tor browser over VPN on Host works ? without Whonix

Is VPN useless on Workstation ?

I really don’t understand difference between VPN on normal Host versus on Workstation as VPN would be like ISP

Patrick · April 2, 2022, 8:44am

Combining Tunnels with Tor is the long answer.

Because:

That is: user → VPN → Tor → onion. (possible)
That is not: user → Tor → VPN → onion. (impossible)

VPN on the host:
Because VPN on the host connects before anything else can connect. This includes Tor. VPN connects before Tor can establish any connections. That’s why it’s user → VPN → Tor → destination.

VPN inside Whonix-Workstation:
All connections originating from within Whonix-Workstation are torified, meaning routed over Tor. That includes the VPN. Therefore it’s user → Tor → VPN → destination.

Only the Tor can connect to onions. It’s a Tor network internal thing. Tor handles the connections to onions.

If Tor is “obstructed” by a VPN, then the connection is not really internal to the Tor network. Nobody can connect to onions without the use of Tor. But if a VPN is used in a chain of user → Tor → VPN → destination, then one is “not really using Tor” from the perspective of destination onions.