User => VPN => Whonix => TOR => VPS => VPS => VPS... Need some advice

I am now trying to configure such a route: user => VPN => Whonix => TOR => VNC => VNC => VNC. Seems that all works but I still have a few problems and need some advice. It would be great if anybody could share some ideas on my questions. Thanks a lot and have a nice day. 8)

Sooo, I have already installed Xubuntu on my external hard drive. I created a TrueCrypt file container in which I save my VirtualBox machine with Whonix Workstation and Gateway. I also configured and updated Whonix. After that I bought a VPS server and configured an OpenVPN server there.

So my first problem is that I cannot figure out where to start the OpenVPN client. As I understand it should start in my host OS Xubuntu? Should I make some changes to my VPN configuration, because I heard Whonix would work only with TCP, not UDP. Is this correct?

I also need to connect to my VPS servers via VNC or another RDP service. I tried and it connects OK. In my secure logs I see that I am connected to my VPS server with Tor. But I am not sure what would happen if I were on, for example, the following config - user => VPN => Whonix => TOR => VNC server #1 => VNC server #2 => VNC server #3 and VNC server #1 failed. Would all my connections be disconnected, or would I connect directly to VNC server #3 with TOR?

Is there any tool which can help me to monitor connections and to see that I am on user => VPN => Whonix => TOR => VNS => VNS => VNS and everything works OK? Right now I do everything manually: I check my VPN and DNS leak, then check Tor, then check the security logs of my VNC servers. But is it possible to do it more easily?

I am also interested in whether I should use VNC, or maybe it is better to make a SOCKS5 server on each VPS and use privoxy to configure user>VPN>TOR>SOCKS>SOCKS>…etc.

So, in conclusion, I am interested in the following:

  1. Where should I start my VPN client? Is it OK to start it on the host system?
  2. Is there a possibility to connect user=>VPN=>TOR=>VNC=>VNC? What specific problems would I face?
  3. Can someone advise on connection monitoring software, considering that I should be sure that my VNC servers are connected properly, too.
  4. Is it better to make a SOCKS5 server instead of VNC? As I understand it, VNC is safer because it is harder to make any leaks than with SOCKS5.
  5. Can someone advise me on some spoofing software? And what hardware should I spoof? Only the MAC address, or the external HDD, or maybe something more?

Great thanks for any help and for just a conversation. Have a nice day.

So my first problem is that I cannot figure out where to start the OpenVPN client. As I understand it should start in my host OS Xubuntu?
It depends on what you want to do. Options:

Tunnel Tor through proxy, VPN or SSH (user → proxy/VPN/SSH → Tor)
Tunnel Proxy/SSH/VPN through Tor (user → Tor → Proxy/SSH/VPN)

Depending on what you want, you need to install the VPN either/and/or on the host, on Whonix-Gateway or in Whonix-Workstation.
See also:

Should I make some changes to my VPN configuration, because I heard Whonix would work only with TCP, not UDP. Is this correct?
The Tor network, which Whonix uses (not Whonix itself), does not support UDP. Therefore if you want to connect to a VPN over Tor (user -> Tor -> VPN), only TCP can be used.

I also need to connect to my VPS servers via VNC or another RDP service. I tried and it connects OK. In my secure logs I see that I am connected to my VPS server with Tor. But I am not sure what would happen if I were on, for example, the following config - user => VPN => Whonix => TOR => VNC server #1 => VNC server #2 => VNC server #3 and VNC server #1 failed. Would all my connections be disconnected, or would I connect directly to VNC server #3 with TOR?
I haven't used VNC tunneling yet, but I would expect that if the first VNC connection fails, the connection attempt will stop there already.

I am also interested in whether I should use VNC, or maybe it is better to make a SOCKS5 server on each VPS and use privoxy to configure user>VPN>TOR>SOCKS>SOCKS>…etc.

1) Where should I start my VPN client? Is it OK to start it on the host system?
As said above, it is up to what you want to do. VPN on the host will result in user -> VPN -> Tor. (Works with TCP and UDP.)

2) Is there a possibility to connect user=>VPN=>TOR=>VNC=>VNC? What specific problems would I face?
I don't see why not.

4) Is it better to make a SOCKS5 server instead of VNC? As I understand it, VNC is safer because it is harder to make any leaks than with SOCKS5.
Probably both have pros and cons. A VNC server can monitor your keypresses and mouse movements when you are in the VNC window / terminal. Would make me nervous.

You could also consider making VPN servers instead of socks and use VPN hopping (seems not well documented).

Also note:

Maybe more leak proof:

Half baked ideas, that would in theory be very leak proof, that need a lot more thought and work:

5) Can someone advise me on some spoofing software? And what hardware should I spoof? Only the MAC address, or the external HDD, or maybe something more?
MAC spoofing is a difficult topic. See also: https://www.whonix.org/wiki/Pre_Install_Advice#MAC_Address

I wouldn’t know if it is useful/possible to reliably (against root compromise) spoof serials of other hardware. Certainly interesting topic.
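
The TCP-only constraint for a VPN reached over Tor (user -> Tor -> VPN) stated in the reply above can be checked against an OpenVPN client config before it is used. This is an added example, not code from the thread or from the Whonix project; the sample config and hostnames are constructed, and the parser is a simplified model of how OpenVPN resolves `proto` for each `remote`.

```python
"""Added example: list the transport protocol of each remote in an OpenVPN client config."""

# Constructed sample config (hostnames are placeholders, not from the thread).
SAMPLE_CONFIG = """\
client
dev tun
proto udp                      # global default for remotes below
remote vpn1.example.net 1194
remote vpn2.example.net 443 tcp
<connection>
remote vpn3.example.net 443
proto tcp-client
</connection>
"""

def remote_protocols(config_text):
    """Return [(host, proto)] for every remote, resolving per-remote,
    per-<connection> and global proto settings (simplified model)."""
    global_scope = {"proto": None, "remotes": []}
    scopes, current = [global_scope], global_scope
    for raw in config_text.splitlines():
        # OpenVPN treats '#' and ';' as comment starters.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line == "<connection>":
            current = {"proto": None, "remotes": []}
            scopes.append(current)
        elif line == "</connection>":
            current = global_scope
        else:
            parts = line.split()
            if parts[0] == "proto" and len(parts) > 1:
                current["proto"] = parts[1].lower()
            elif parts[0] == "remote" and len(parts) > 1:
                proto = parts[3].lower() if len(parts) > 3 else None
                current["remotes"].append((parts[1], proto))
    default = global_scope["proto"] or "udp"  # OpenVPN defaults to UDP
    return [(host, proto or scope["proto"] or default)
            for scope in scopes for host, proto in scope["remotes"]]

def udp_remotes(config_text):
    """Remotes that cannot be reached through Tor because they are not TCP."""
    return [r for r in remote_protocols(config_text) if not r[1].startswith("tcp")]

if __name__ == "__main__":
    for host, proto in remote_protocols(SAMPLE_CONFIG):
        note = "ok over Tor" if proto.startswith("tcp") else "UDP: will not work over Tor"
        print(f"{host:22} {proto:11} {note}")
```

For a VPN started on the host (user -> VPN -> Tor) the same config is fine as it is, since that direction works with TCP and UDP.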

Well, tested the VPN connection yesterday. Launched it on my host OS and everything works smoothly. At least this can be seen when I test the connection on my host OS. But I am not sure if this setup works properly. Can you suggest a way to check that the connection is going user=>VPN=>TOR? I tried to traceroute on the Whonix workstation, but I am not getting any route. Instead of an IP I see * * *.
So my next questions are -

  1. Is there a way in Whonix to check if my setup works OK, that traffic goes to the VPN and only then to TOR? For example I would run a traceroute or mtr command. Where should I run it - Workstation, Gateway or host OS? As I understand it, if I run it on the host I would see only the VPN without TOR, so I should run it on the gateway or workstation? Is there also a way to see the whole route including TOR servers and exit node?
  2. I cannot actually understand how my VPN server deals with TOR. Should I make some additional configuration for this? Should I also make additional configuration on Whonix Gateway?
  3. In case I am making a setup user=>vpn>TOR, in what direction does the traffic go? Is it going Whonix Workstation=>Whonix Gateway=>Host OS=>VPN=>Tor? Do I understand the setup correctly?
  4. UDP is suitable in setup user=>VPN=>TOR
  5. Can someone advise on any VPN blocker software? So if I lose my VPN connection everything should be blocked?
  6. How can I change the exit node of TOR? I am thinking of maybe creating my own exit node and using Tor with it… Is it possible? Is there any manual or at least some info on doing this?

Thanks for helping with advice. And great thanks for such a great project. I have been playing with Whonix configuration for about a week and see that it has great potential. Thanks for your work 8)))

This may also be of inspiration:

Well, tested the VPN connection yesterday. Launched it on my host OS and everything works smoothly. At least this can be seen when I test the connection on my host OS. But I am not sure if this setup works properly. Can you suggest a way to check that the connection is going user=>VPN=>TOR? I tried to traceroute on the Whonix workstation, but I am not getting any route. Instead of an IP I see * * *.
If you have a VPN installed on the host, the connection will inevitably be user -> VPN -> Tor - because the VPN connects first and Whonix-Gateway (Tor) uses whatever the system provides (which is a VPNified connection). Whonix-Workstation is completely unaware of this and has no legitimate way to find out.

1) Is there a way in Whonix to check if my setup works OK, that traffic goes to the VPN and only then to TOR? For example I would run a traceroute or mtr command.
Using tools such as wireshark and/or tshark. But those involve a learning curve.

You can also set up your own physical proxy next to your own physical computer (raspberry pi or else should suffice). Then you should only see a connection to the VPN. No Tor. Because the VPN hides it by using encryption.

Where should i make it - Workstation, Gateway or host OS?
In Whonix-Workstation you could try "tcptraceroute ". You'd only see a connection to Whonix-Gateway. Because from there either Tor picks up the connection, encrypts it to the entry, middle and exit relay and answers; or Whonix-Gateway's firewall (or Tor) rejects it.

In Whonix-Gateway you could login as user clearnet (“sudo su clearnet”) and experiment with “traceroute ”. Then you should see the VPN’s IP in the chain.

As I understand it, if I run it on the host I would see only the VPN without TOR, so I should run it on the gateway or workstation?
The host should be able to see a connection: host -> VPN -> Tor. No more, because the connection from entry relay to exit relay is encrypted (onion routing).

Is there also a way to see the whole route including TOR servers and exit node?
Sure there is, but I haven't learned how to do this yet. Probably not easy. Not sure someone already documented how to do it. You'd need to take the key that Tor uses for encryption ("easy", because it happens on your own computer), capture the connection and then decrypt it with Tor's key. Wireshark has a feature to decrypt SSL if you give it access to the encryption key (again, "easy", because it happens on your own computer). I don't know how to get the keys from Tor, if wireshark can decrypt that as well or how to decrypt it.

I advise to take these interesting questions to the official Tor communication channels. The tor-talk mailing list is probably most appropriate here. If you don’t get a good answer there, also communication channels specialized for networking related questions could be tried. Last resort, study IT.

2) I cannot actually understand how my VPN server deals with TOR. Should I make some additional configuration for this? Should I also make additional configuration on Whonix Gateway?
I am not sure I understand this question. A remote VPN server software such as OpenVPN does not check what kind of traffic it forwards. It just forwards. When your host connects to a VPN, anything, be it your clearnet host browser, the Tor Browser Bundle or else - the VPN server will accept the connection and forward it.

3) In case I am making a setup user=>vpn>TOR, in what direction does the traffic go? Is it going Whonix Workstation=>Whonix Gateway=>Host OS=>VPN=>Tor? Do I understand the setup correctly?
Whonix-Workstation -> Whonix-Gateway -> Tor -> Host -> VPN

connection schema:
user → VPN → Tor → destination

If a VPN is active on the host, inevitably everything must go through the VPN first.* Tor is no exception. Firefox is no exception. Whonix-Gateway is no exception.

Tor and Whonix-Gateway do not have a feature such as “yeah, but I don’t want to use the VPN, just let me connect without VPN”. It might be possible to develop this, but it probably would be difficult.

(*It might be possible to manually add exceptions, but usually that doesn’t happen by chance.)

4) UDP is suitable in set up user=>VPN=>TOR
Yes.

5) Can someone advise on any VPN blocker software? So if I lose my VPN connection everything should be blocked?
There is VPN-Firewall (https://github.com/adrelanos/VPN-Firewall) which also lists alternatives (https://github.com/adrelanos/VPN-Firewall#alternatives).

6) How can I change the exit node of TOR?
Depends on what you have in mind. Usually Tor manages that for you and automatically circles them.

Tor Button has a new identity button.

In some cases, new identity is useful, see:

Further, the Tor manual (How can we help? | Tor Project | Support) explains the ExitNodes directive. But this is in my opinion nothing to peruse.

I am thinking of maybe creating my own exit node and using Tor with it… Is it possible?
It's possible. The whole Tor network is run by volunteers.

However, you shouldn’t prefer your own Tor exit. On the contrary, it might be wise not using your own Tor exit? But these questions are best discussed in the official Tor communication channels.

Is there any manual or at least some info on doing this?
Info is on torproject.org. Note, for exit nodes, there are legal risks as well. When you're aware of them and fine with it, I am sure the Tor network needs more servers. There are also umbrella organizations such as torservers.net who help with legal stuff, technical stuff, organizational stuff etc.

Thanks for helping with advice. And great thanks for such a great project. I have been playing with Whonix configuration for about a week and see that it has great potential. Thanks for your work 8)))
Glad you like it!

  1. Can someone advise me on some spoofing software? And what hardware should I spoof? Only the MAC address, or the external HDD, or maybe something more?

MAC spoofing is a difficult topic. See also:

I wouldn’t know if it is useful/possible to reliably (against root compromise) spoof serials of other hardware. Certainly interesting topic.

I'm also interested in the MAC spoofing topic and I guess there is some interesting stuff.

Patrick, you posted in the TORRC-Trusted nodes topic a config with your nodes, there is one HotPotato:

https://torstatus.rueckgr.at/router_detail.php?FP=60a5547b2203dd2e148ef9bdd6ff3891081c5df4

This guy has a blog https://perot.me/ and git https://github.com/EtiennePerot and he is the developer of macchiato https://github.com/EtiennePerot/macchiato (MAC spoofing with a restricted range of OUI prefixes).

Currently I don't know much about this tool-script, but it seems great: spoofing at boot time, which is an important anonymity option, like macchanger was in Liberte Linux.

Maybe we better look at this for using in Whonix?

This was by chance. Just picked anyone.

This guy has a blog https://perot.me/ and git https://github.com/EtiennePerot and he is the developer of macchiato https://github.com/EtiennePerot/macchiato.

Currently I don't know much about this tool-script, but it seems great: spoofing at boot time, which is an important anonymity option, like macchanger was in Liberte Linux.

Maybe we better look at this for using in Whonix?


Really difficult topic. I need help on that one! See also: