www. whonix. org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#cite_note-all-traffic-1
As explained here:
To decide the best configuration in your circumstances, consider:
- Is it necessary to hide all traffic from the ISP? []Then install the VPN on the host.
> * Should the VPN provider be able to see all traffic ? []Then install the VPN on the host.
- Should the VPN provider be limited to seeing Tor traffic , but not clearnet traffic ? Then install the VPN on Whonix-Gateway ™.
How can VPN see your all traffic (as decrypted)?
Isnt connection between user and 1st tor node encrypted in a way that is designed for being secure towards “man-in-the-middle”?
If tor is not designed for being secure towards “man-in-the-middle” then how can Tor hide traffic from your ISP?