This may also be of inspiration:
Well, I tested the VPN connection yesterday. Launched it on my host OS and everything works smoothly. At least this can be seen when I test the connection on my host OS. But I am not sure if this setup works properly. Can you suggest a way to check that the connection is going user=>VPN=>TOR? I tried to traceroute on the Whonix workstation, but I am not getting any route. Instead of an IP I see * * *.
If you have a VPN installed on the host, the connection will inevitably be user -> VPN -> Tor, because the VPN connects first and Whonix-Gateway (Tor) uses whatever the system provides (which is a VPNified connection). Whonix-Workstation is completely unaware of this and has no legitimate way to find out.
1) Is there a way in Whonix to check if my setup works OK, that traffic goes to the VPN and only then to TOR? For example, I would run a traceroute or mtr command.
Using tools such as wireshark and/or tshark. But those involve a learning curve.
You can also set up your own physical proxy next to your own physical computer (raspberry pi or else should suffice). Then you should only see a connection to the VPN. No Tor. Because the VPN hides it by using encryption.
Where should i make it - Workstation, Gateway or host OS?
In Whonix-Workstation you could try "tcptraceroute ". You'd only see a connection to Whonix-Gateway. Because from there either Tor picks up the connection, encrypts to entry, middle and exit relay and answers; or Whonix-Gateway's firewall (or Tor) rejects it.
In Whonix-Gateway you could log in as user clearnet (“sudo su clearnet”) and experiment with “traceroute ”. Then you should see the VPN’s IP in the chain.
As I understand, if I do it on the host I would see only VPN without TOR, so should I do it on the gateway or workstation?
The host should be able to see a connection:
host -> VPN -> Tor
No more, because the connection from entry relay to exit relay is encrypted (onion routing).
Is there also a way to see the whole route including TOR servers and exit node?
Sure there is, but I haven't learned how to do this yet. Probably not easy. Not sure someone already documented how to do it. You'd need to take the key that Tor uses for encryption ("easy", because it happens on your own computer), capture the connection and then decrypt it with Tor's key. Wireshark has a feature to decrypt SSL if you give it access to the encryption key (again, "easy", because it happens on your own computer). I don't know how to get the keys from Tor, if wireshark can decrypt that as well or how to decrypt it.
I advise to take these interesting questions to the official Tor communication channels. The tor-talk mailing list is probably most appropriate here. If you don’t get a good answer there, also communication channels specialized for networking related questions could be tried. Last resort, study IT.
2) I cannot actually understand how my VPN server deals with TOR. Should I make some additional configuration for this? Should I also make additional configuration on Whonix Gateway?
I am not sure I understand this question. A remote VPN server software such as OpenVPN does not check what kind of traffic it forwards. It just forwards. When your host connects to a VPN, anything, be it your clearnet host browser, the Tor Browser Bundle or else - the VPN server will accept the connection and forward it.
3) In case I am making a setup user=>vpn=>TOR, in what direction does the traffic go? Is it going Whonix Workstation=>Whonix Gateway=>Host OS=>VPN=>Tor? Do I understand the setup correctly?
Whonix-Workstation -> Whonix-Gateway -> Tor -> Host -> VPN
connection schema:
user → VPN → Tor → destination
If a VPN is active on the host, inevitably everything must go through the VPN first.* Tor is no exception. Firefox is no exception. Whonix-Gateway is no exception.
Tor and Whonix-Gateway do not have a feature such as “yeah, but I don’t want to use the VPN, just let me connect without VPN”. It might be possible to develop this, but it probably would be difficult.
(*It might be possible to manually add exceptions, but usually that doesn’t happen by chance.)
4) UDP is suitable in set up user=>VPN=>TOR
Yes.
5) Can someone advise any VPN blocker software? So if I lose my VPN connection everything should be blocked?
There is VPN-Firewall (https://github.com/adrelanos/VPN-Firewall) which also lists alternatives (https://github.com/adrelanos/VPN-Firewall#alternatives).
6) How can i change the exit node of TOR?
Depends on what you have in mind. Usually Tor manages that for you and automatically circles them.
Tor Button has a new identity button.
In some cases, new identity is useful, see:
Further, the Tor manual (How can we help? | Tor Project | Support) explains the ExitNodes directive. But this is in my opinion nothing to peruse.
I am thinking of maybe creating my own exit node and using Tor with it... Is it possible?
It's possible. The whole Tor network is run by volunteers.
However, you shouldn’t prefer your own Tor exit. On the contrary, it might be wise not using your own Tor exit? But these questions are best discussed in the official Tor communication channels.
Is there any manual or at least some info on doing this?
Info is on torproject.org. Note, for exit nodes, there are legal risks as well. When you're aware of them and fine with it, I am sure the Tor network needs more servers. There are also umbrella organizations such as torservers.net who help with legal stuff, technical stuff, organizational stuff etc.
Thanks for helping with advice. And great thanks for such a great project. I have been playing with the Whonix configuration for about a week and see that it has great potential. Thanks for your work 8)))
Glad you like it!
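The host-side check discussed in this thread (capture on the host and confirm that only the VPN endpoint is contacted) can be automated. The following is an added example, not part of the original thread or of Whonix: it assumes tab-separated tshark field output, and the function name, IP addresses and sample capture are constructed for illustration.

```python
import ipaddress

# Constructed sample of a host-side capture, as produced by e.g.
#   tshark -i <physical-iface> -T fields -e ip.src -e ip.dst
# Non-IPv4 frames (ARP, IPv6) give empty fields; ICMP errors carry an
# embedded header and therefore show two comma-separated values.
SAMPLE = """\
192.168.1.50\t203.0.113.10
203.0.113.10\t192.168.1.50
\t
192.168.1.50\t192.168.1.1
192.168.1.1,192.168.1.50\t192.168.1.50,198.51.100.7
192.168.1.50\t198.51.100.7
"""

def find_leaks(capture_text, host_ip, vpn_ip, local_nets=("192.168.1.0/24",)):
    """Return sorted IPv4 destinations the host sent to that are neither
    the VPN endpoint nor on a local network. Empty list: only VPN seen."""
    host = ipaddress.ip_address(host_ip)
    vpn = ipaddress.ip_address(vpn_ip)
    nets = [ipaddress.ip_network(n) for n in local_nets]
    leaks = set()
    for line in capture_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 2 or not fields[0] or not fields[1]:
            continue  # no IPv4 header; check ipv6.src/ipv6.dst separately
        try:
            # Outer header only: first value of a comma-separated list.
            src = ipaddress.ip_address(fields[0].split(",")[0])
            dst = ipaddress.ip_address(fields[1].split(",")[0])
        except ValueError:
            continue  # malformed line
        if src != host:
            continue  # inbound packet; only outbound destinations matter
        if dst == vpn or any(dst in net for net in nets):
            continue  # expected: VPN tunnel or LAN (gateway, DHCP)
        leaks.add(str(dst))
    return sorted(leaks)

if __name__ == "__main__":
    print(find_leaks(SAMPLE, "192.168.1.50", "203.0.113.10"))
```

Any address in the result means the host sent traffic outside the VPN tunnel; this check covers IPv4 only, so IPv6 traffic has to be inspected the same way with the IPv6 fields.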