VPN after Tor on Whonix-Workstation: am I doing it right? Is it really that easy?

I find the available information on VPN setup after Tor on Whonix-Workstation rather confusing and complicated (I am talking about non-Qubes Whonix). I first read this official documentation

and gathered that I have to perform various complex modifications to the Whonix-Workstation in order to make it work. Things that I have never touched before, such as the Whonix Firewall, the 50_user.conf, openvpn_unpriv.conf and openvpn conf, that I have to install a resolvconf package… Definitely too complicated for a (yet?) non-technical user like me: when I use Whonix, I'd rather not mess with things whose consequences I don't fully understand.

So instead of messing with all these settings that I barely understand, I just ended up installing the AirVPN client (Eddie), corrected a few things inside the client (disable DNS and route checking) and… it works! Usual fingerprinting and leaks websites on Firefox correctly show my IP and DNS servers as coming from AirVPN. Tor Browser works just as usual (Tor exit nodes, nothing wrong on Tor IP check page: https://check.torproject.org/). Even more surprising, stream isolation seems to work: applications listed in the stream isolation page:

Stream Isolation

such as curl and wget show Tor exit nodes, and VPN exit IPs if used with UWT_DEV_PASSTHROUGH=1 command. Normal SSH command connects seamlessly to hidden services, and fails to do so with UWT_DEV_PASSTHROUGH=1, as is expected with VPN clearnet traffic!

So I have a perfectly well working VPN that does not know my identity and a working Whonix-Workstation that seems to allow Tor stream isolation at the same time, without me performing any obscure and poorly understood manipulations in the machine as per the official documentation. Is it really that easy? Is there something wrong with my configuration? Is there something that I have missed and that I should pay attention to?

Yes, it’s quite lengthy. But that’s what it takes. You’re better off sticking with the documented way than using vendor-specific third-party VPN clients.

It’s not checked whether vendor-specific third-party VPN clients have an actually functional fail-closed mechanism, nor, if they have one, whether it conflicts with Whonix’s firewall.

Thanks Patrick, actually I also tried with another VPN provider which only has openvpn conf files and no client for Linux, and connection is done via terminal only (sudo openvpn conf_file.tcp443…). But it works fine all the same. As for fail closed mechanism, well I don’t really mind at this point as long as my real clearnet IP is not leaked, which is something Whonix protects me against.

I am still surprised that all seems to work well and stream isolation is preserved although the VPN is enabled, all this without me messing with the settings of the Workstation… The biggest downside from your point of view would be that I put my trust into a non-trusted third-party client, right?

onion_knight:

Thanks Patrick, actually I also tried with another VPN provider which only has openvpn conf files and no client for Linux, and connection is done via terminal only (sudo openvpn conf_file.tcp443…). But it works fine all the same. As for fail closed mechanism, well I don’t really mind at this point as long as my real clearnet IP is not leaked, which is something Whonix protects me against.

If you don’t care about the fail-closed mechanism, why use a VPN at all?

I am still surprised that all seems to work well and stream isolation is preserved although VPN is enabled,

Stream isolation enabled means the VPN is not used at all, which is beside the point of using a VPN.

I need a VPN to browse the Internet to do usual stuff (browsing, Google searches, e-mail…) anonymously with a “grey IP” and to avoid the need to fill in a captcha every 2 minutes or to be banned (that’s what happens with exit nodes), while being certain that the VPN provider does not know my clearnet address, which would be impossible under any other circumstances without Whonix. Of course, I do nothing that could be linked to my real identity (like logging in to a personal e-mail account).

Given this configuration, if from time to time the VPN connection closes and leaks my exit tor node IP, it’s not a big deal for me, as long as my clearnet IP is never revealed. I understand that this does not apply to all situations where a fail closed mechanism would be needed at all costs. This being said, I have not yet noticed the VPN disconnecting while I was using it.

I think I got a little bit confused about the stream isolation part, as I thought that stream isolation would be broken in any case if using a VPN in the Workstation. It apparently is not the case. The only application for which the VPN works “out of the box” is Firefox, which is just fine as it is the only application I need it for.
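The following script is an added example and is not code from this thread, from Whonix or from AirVPN. It turns the manual check described in the opening post (curl via the uwt stream-isolation wrapper versus curl with UWT_DEV_PASSTHROUGH=1) into a repeatable test, and it also covers the "VPN drops and traffic silently goes back out via Tor" case discussed above: when the passthrough path is still a Tor exit, the VPN is not carrying the traffic. It assumes that https://check.torproject.org/api/ip answers with a JSON object of the form {"IsTor":true,"IP":"..."} (an assumption to verify on your own setup) and that UWT_DEV_PASSTHROUGH=1 bypasses uwt as the posts describe. The sample replies used below are constructed, so the parsing and verdict logic runs offline; the live run needs a Whonix-Workstation with a VPN up.

```shell
#!/bin/sh
# Added example, not Whonix or AirVPN code. Checks which path a
# Whonix-Workstation connection takes, comparing the uwt-isolated path
# (expected: Tor exit) with the UWT_DEV_PASSTHROUGH=1 path (expected:
# VPN exit, i.e. not a Tor exit).
#
# Assumption: check.torproject.org's JSON endpoint answers like
#   {"IsTor":true,"IP":"185.220.101.1"}
# Verify the exact shape on your own machine before relying on it.

CHECK_URL="https://check.torproject.org/api/ip"

# Extract a top-level JSON field "Name":value (value quoted or not).
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"
}

# Classify one reply: prints tor | clearnet | unknown.
classify_response() {
    case "$(json_field "$1" IsTor)" in
        true)  echo tor ;;
        false) echo clearnet ;;
        *)     echo unknown ;;
    esac
}

# Args: reply on the isolated path, reply on the passthrough path.
# Returns 0 only when isolation is intact AND the VPN carries the
# passthrough traffic; 1 when passthrough still exits via Tor (VPN
# down or not routing); 2 for anything else.
verdict() {
    iso=$(classify_response "$1")
    pt=$(classify_response "$2")
    if [ "$iso" = tor ] && [ "$pt" = clearnet ]; then
        echo "OK: stream isolation intact, passthrough exits via VPN IP $(json_field "$2" IP)"
        return 0
    elif [ "$iso" = tor ] && [ "$pt" = tor ]; then
        echo "WARNING: passthrough traffic still exits via Tor; the VPN tunnel is not in use"
        return 1
    else
        echo "ERROR: isolated path is '$iso' (expected tor), passthrough path is '$pt'"
        return 2
    fi
}

# Live run: requires a Whonix-Workstation with uwt and a VPN connected.
live_check() {
    isolated=$(curl -s --max-time 30 "$CHECK_URL") || return 3
    passthrough=$(UWT_DEV_PASSTHROUGH=1 curl -s --max-time 30 "$CHECK_URL") || return 3
    verdict "$isolated" "$passthrough"
}

# Usage on the Workstation:  sh vpn_path_check.sh --live
if [ "${1:-}" = --live ]; then
    live_check
fi
```

Run it a few times while the VPN is connected and once after killing the VPN client: the second run should flip from OK to WARNING, which is exactly the fail-closed gap Patrick refers to. Without a kill switch nothing stops the passthrough traffic from falling back to the Tor transparent proxy.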

Whonix documentation also strongly discourages using Firefox.