User → Tor → VPN → Internet

I am new to Whonix.

When setting up VPN on Whonix workstation

According to

User → Tor → VPN → Internet
Tor onion services (onion) connections are not supported or do not work on Workstation.

I would let Tor Browser connect normally as it is over VPN in the workstation, without showing the VPN IP

Same as normal setup:
Host ----VPN---- Tor browser

Is this possible?

Expected. This is mentioned in documentation.

  • user -> Tor -> VPN -> onion is impossible.
  • user -> VPN -> Tor -> onion is possible.

For that please follow the specific guides. Starting from Combining Tunnels with Tor is correct and then go to the instructions for the method which you’re interested in.

I followed the guides but I don't understand yet.
What scheme do I have if I use Tor Browser over VPN, both in the workstation?

According to this:
user → gateway → workstation → vpn → torbrowser

onion impossible?


You mean it's possible?
If not: how about Tor bundle?

  • No.
  • = Not possible.
  • = Impossible.

That sounds strange.
Could you explain the reason why onion will not work?

It’s already mentioned on that wiki page.

This is because Tor Browser can no longer access Tor’s ControlPort (onion-grater) on Whonix-Gateway ™.

Is it the same if another Linux distro is used instead of Whonix workstation?


Why? To find out:

  1. go to Combining Tunnels with Tor
  2. use the inside browser search and search for:


  3. search more
  4. You’ll find:
     • This configuration prevents access to Tor onion (.onion) services. [XX]
  5. If you want to dig deep, read the footnote.

No difference.

This is unspecific to Whonix. In doubt, I recommend Free Support Principle.

I found it
When configuring User → Tor → proxy/VPN/SSH → Internet, it is impossible to connect to Onion Services because the last server is not a Tor relay. The only exception is running another Tor client on top, but this would lead to a Tor over Tor scenario which is discouraged for security reasons.

What I don’t understand:

—because the last server is not a Tor relay—

Assuming the last server is a VPN?

Why does Tor Browser over VPN on the host work, without Whonix?

Is VPN useless on Workstation?

I really don’t understand the difference between VPN on a normal host versus on Workstation, as VPN would be like an ISP.

Combining Tunnels with Tor is the long answer.


  • That is: user → VPN → Tor → onion. (possible)
  • That is not: user → Tor → VPN → onion. (impossible)

VPN on the host:
Because VPN on the host connects before anything else can connect. This includes Tor. VPN connects before Tor can establish any connections. That’s why it’s user → VPN → Tor → destination.

VPN inside Whonix-Workstation:
All connections originating from within Whonix-Workstation are torified, meaning routed over Tor. That includes the VPN. Therefore it’s user → Tor → VPN → destination.

Only Tor can connect to onions. It’s a Tor network internal thing. Tor handles the connections to onions.

If Tor is “obstructed” by a VPN, then the connection is not really internal to the Tor network. Nobody can connect to onions without the use of Tor. But if a VPN is used in a chain of user → Tor → VPN → destination, then one is “not really using Tor” from the perspective of destination onions.

