vpn after whonix (inside workstation) Not work anymore with TBB

I remember before some months , i was using vpn (openvpn) inside whonix workstation , it was good because works with tbb -needed change network settings , that anyway not support stream isolation i thing , but tbb is more secure from iceweaasel because of web fingerprint protection right? today , after upgrade whonix and tbb versions (i dont know what not support anymore the vpn) vpn can’t work with tbb , work with iceweasel , but tbb have protection for fingerprint , anyway can’t have stream isolation? but is less secure the iceweasel for vpn inside whonix because of web fingerprint, I try to set the network settings of tbb to no proxy but not work, So not supported anymore ?

Tunneling vpn through tor still works with tbb in workstation.
tor → vpn → destination

Just need to do this with tbb: Connecting to Tor before a VPN

Stream isolation is possible using ‘socks-proxy’ setting in openvpn conf. Otherwise, will use TransPort.

VPN is a long-lived connection so will stay on one circuit the whole time.

Additional troubleshooting you’ll have to do yourself, check nameservers and routes.

Thanks for link , i see, what ever browser will use its the same if use vpn, i mean even with tbb if use vpn can’t have web fingerprint protection , so i will use iceweasel , with addon https everywhere wil be the same when we speak for vpn inside workstation, because with iceweasel not need to disable all stream isolation on workstation.

So that finished. But i need a confirmation for :
’‘This is also called transparent torification. [1] It would break Stream Isolation for Tor Browser as well as break Tor Browser’s tab isolation by socks user name’’

Ok, if install adobe flash player plugin in workstation and enable it, will work and will work stream isolation to, because if we visit any site of that they tell you your ip , will can’t see your ip still, that can’t work with just a tbb alone in a normal operating system because will have not stream isolation , ok until that point i got it, Now please read carefully , Tor is trusted more that vpn’s because none can see your real ip , but with vpn can see the admin there, so when use vpn inside workstation we will have not stream isolation in browser , and lets say we have installed the adobe flash player plugin to , and enable it , and browsing online , the vpn provider can not see our real ip because of virtualized workstation, yes will be not anonymous but pseudonymous , but vpn can’t see our real ip.
If i am wrong please correct me .

No, no. Many of your statements are NOT correct.

First, make sure we are talking about the same setup:
me -> tor -> vpn -> destination

VPN is TUNNELED through Tor. Anyone outside the tunnel can not see what’s inside.

In this situation, it doesn’t matter what programs you run. Playing online games, streaming movies, inciting revolt, flash, TBB, iceweasel, xchat, whatever… To the Tor network, everything looks the same - it just looks like you sending traffic to the VPN. Your Gateway, which creates Tor circuits, also just sees one connection to your VPN. Nothing that you do in Workstation matters in terms of Stream Isolation. Only how you configure your VPN.

Stream Isolation can be applied to the VPN connection only. If no proxy is specified, then the VPN connects through the TransPort. If you isolate the VPN stream, then it can connect to another port on the Gateway. This is mostly pointless since all of your traffic will be routed through the VPN anyway. There is nothing to isolate the VPN from - meaning no identity correlation between VPN traffic and non-VPN traffic anyway. [If you use unmodified TorBrowser, then that will skip the VPN and use Tor normally.]

All of your traffic will go to your VPN over the same Tor circuit no matter what you try to do. There are no separate streams for a single connection to a VPN.

Your destination addresses will see somebody connecting from the same VPN. So you become less anonymous. Not quite pseudonymous yet because if you use a busy VPN with a shared IP, it’s possible that many people are connecting to the same destinations from the same VPN.

If a persistent foe is able to track you pre and post-VPN, or the VPN gives you up, then they’ll see that the connections all came from the same Tor exit node. This doesn’t necessarily make you unique, but you’ve lost a LOT of anonymity. How many people connect to your destinations using a VPN tunneled through Tor? Probably not many.

Iceweasel, even in this case, is NOT the same as TorBrowser. It’s true that neither Iceweasel nor TorBrowser will benefit from stream isolation because they both will be routed through the same VPN over the same static Tor circuit. BUT TorBrowser is designed to have the same browser fingerprint no matter how you route the connection. If you use TorBrowser, you will appear to be a random TorBrowser user to the destination. If you use Iceweasel, chances are good that you will have a UNIQUE fingerprint and immediately be pseudonymous everywhere.

You might get a private (speak unique, always same) VPN IP depending on the VPN provider. They could consider it a feature. So you would be banned nowhere as opposed to a shared VPN IP.

@entr0py: I was wondering about this also. This is what ended up in documentation…

From Combining Tunnels with Tor

When using a browser, worsens web fingerprint. It is unknown how anonymous it is to use user → (proxy/VPN/SSH ->) Tor → Proxy/VPN/SSH → Tor Browser → website. How many people show up with a proxy, VPN or SSH IP using Tor Browser? This setup is so special that probably only very few people are doing it. For this reason, recommend against. On the other hand, due to browser fingerprinting, it can’t be recommend using any browser other than Tor Browser either.

Tor Browser:

  • few are using user → (proxy/VPN/SSH ->) Tor → Proxy/VPN/SSH → Tor Browser → website
  • you are the one using VPN IP xyz using Tor Browser of very few
  • defenses against cookie tracking etc.

other browsers:

  • others likely also use some with with some browser
  • no defenses against tracking whatsoever (that is as difficult as creating Tor Browser)

Maybe the documentation can/should be improved on that. /cc @HulaHoop

Thanks a lot both of you, must i read how to setup tbb for vpn now …

The documentation looks good to me.

Don’t even think about using a regular browser. The number of ways they can be fingerprinted makes your hope of mixing in with the crowd impossible and you are probably deanonymizing yourself. Remember also VPN links cannot protect against traffic fingerprinting so observing that last stretch between Tor Exit and VPN can tell them you are sending browser traffic thru - so they know that regular Firefox traffic is coming from a Tor user + vpn (an uncommon setup).

So use TBB.

Yes , understood .
To much work needed for that (must setup the tbb for not stream isolation , and after for restore must delete and install again the tbb and thing must import again the bookmarks of tbb again , and therefore must keep allways updated backup bookmarks, so better to have multiple tbb’s, but even that or even multiple workstations must have total 2 tbb bokmarks because needed 2 tbb’s! ) become even more complicated

Agreed. Even in worst-case scenarios, 2 is still greater than 1 (unique browser). Although the number might literally be 2! LOL. Regular TBB, Tails users would have to be operating behind a Tor Gateway and know about TOR_TRANSPROXY… Even then, more likely to use Firefox to evade tor bans.

TorProject is going to have to address usability/security concerns with these Tor bans… My thoughts continued here: Cloudflare as a Security Risk

Try Whonix in Qubes. I’ve got a Workstation just for whonix.org, qubes stuff, general linux questions (ie stackexchange). No sweat. Can setup Gateways / Workstations with different firewalls, proxies, etc.

Firsty my apologies to all posters here , because that configuration for edit /etc/environment and put TOR_TRANSPROXY=1 i allready done succesfully before time and i was forgot it , i was set it after remove proxy settings on tbb and setup free openvpn provider inside workstation (vpnbook) it works then i remember , and today works again , not realy tweak needed , as for iceweasel fingerprint and tbb fingerprint , my confirmation: if visit http://ipaddress.com/ with iceweasel will show result operating system linux , and with tbb show win7 , because of fingerprint protection of tbb .

next time i will more remembering i promise :grin:

As for the TOR_TRANSPROXY=1 Undo
on whonix documentation write:
Undoing this setting is undocumented. Simply no longer setting that environment variable will not do the trick. This is because of limitations of Tor Browser. The easiest way to undo these instructions would be to start over with a fresh installation of Tor Browser. Please contribute these instructions.

but when i sudo killall -SIGINT openvpn , then restart tor from gateway -maybe and make a new indentity i dont’t remember clearly -oops i did it again, and close tbb and start it again , seems like normaly again , without need to put proxy again for stream isolation , and tor buton works again automaticaly,
can work tor buton and stream isolation not ? so now i disconnect from vpn , but the stream isolation of tbb not work anymore , and the solution is to dellete tbb and install it from start?

Sigh. I just contradicted myself in another thread.

Not sure if there’s any sense in my babbling… Maybe for small anonymity sets it’s better to strive for pseudonymity independence rather than cling to tenuous anonymity…