VPN on physical machine and Whonix-Gateway

Hi all,
I’ve 2 questions concerning Whonix Gateway, VPN and Windows-Workstation.
Sorry in advance for my English as it isn’t my first language.

  1. My first doubt is about my internet connection:
    my physical machine (on Windows 8) uses a VPN; then I start my “Virtual System” composed of “Whonix Gateway AND Windows-Workstation”.

If I understand well, my “physical” network works like this:
user (windows 8) → ISP → VPN → INTERNET. (case 1)

Then, if I use my “virtual” network, it should work like that:
user (windows 8) → ISP → VPN → [WHONIX Gway → TOR → Windows-Workstation] → INTERNET (case 2)

In case number 2, if my VPN isn’t sufficiently safe and I lose connection, does it mean that I will lose Tor connection too?

  2. Following the statement above, and after reading this very useful page (TorPlusVPN · Wiki · Legacy / Trac · GitLab), do you think that, finally, the better choice is to install a VPN on my virtual Windows-Workstation? If VPN connection is lost, all traffic goes to Tor via Whonix-Gateway?

Regards,

In case number 2, if my VPN isn't sufficiently safe and I lose connection, does it mean that I will lose Tor connection too?
A correctly configured Whonix-(Windows or Default)-Workstation will always go through Tor. Internet connection on the host is irrelevant for this. When the VPN goes down, connection will be interrupted, and Tor will re-connect without VPN (because Whonix-Gateway does not "care" about the host internet connection, it uses what is provided).

Documentation:

Especially this is important for VPN’s to make sense:

do you think that, finally, the better choice is to install a VPN on my virtual Windows-Workstation.
Can't answer with yes/no. Depends on what you want to do. It changes the connection schema.
VPN on the host: user -> VPN -> Tor -> destination
VPN in Whonix-Workstation: user -> Tor -> VPN -> destination
If VPN connection is lost, all traffic goes to Tor via Whonix-Gateway?
Yes.

Hi Patrick and thanks for your awesome work and advice here. Very useful.

Concerning my last question: I would like to hide the fact I’m using Tor in my Windows-Workstation because a lot of websites/services blacklist Tor.
The best, finally, would be to configure a VPN connection just after Tor, but where?

  • in Whonix Gateway (but I think that my windows-workstation would not accept any connection different from Tor)
    or
  • directly in Windows-workstation: in this case, I would like to avoid starting my VPN each time I open my windows-workstation.
    The best thing would be to install/configure VPN once, and then it starts automatically when I use internet. I don’t like VPN clients, I prefer to configure OpenVPN with configuration files.

Torproject writes about the same scheme:

[u]you -> Tor -> VPN/SSH[/u]

You can also route VPN/SSH services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN/SSH exit nodes, you at least get to choose them. If you’re using VPN/SSHs in this way, you’ll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc).

However, you can’t readily do this without using virtual machines. And you’ll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.

Even if you pay for them anonymously, you’re making a bottleneck where all your traffic goes – the VPN/SSH can build a profile of everything you do, and over time that will probably be really dangerous.

Regards,

So you want to hide Tor from websites (not from your ISP). Use a proxy, vpn or ssh inside the Workstation then. There are no other options.

The best, finally, would be to configure a VPN connection just [u]after Tor[/u], but where?
Possible when you install the VPN in the Workstation.
- in Whonix Gateway (but I think that my windows-workstation would not accept any connection different from Tor)
Not possible. VPN installed on Whonix-Gateway might hide Tor from your ISP (drawback: you need fail closed mechanism as per documentation). But connection schema would be user -> VPN -> Tor -> destination. Therefore, websites would know you're using Tor.
or - directly in Windows-workstation: in this case, I would like to avoid starting my VPN each time I open my windows-workstation.
Up to the configuration of the VPN software.
The best thing would be to install/configure VPN once, and then it starts automatically when I use internet. I don't like VPN clients, I prefer to configure OpenVPN with configuration files.
I also prefer just using command line tools and text config files.

Torproject writes about the same scheme:

[u]you -> Tor -> VPN/SSH[/u]

You can also route VPN/SSH services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN/SSH exit nodes, you at least get to choose them. If you’re using VPN/SSHs in this way, you’ll want to pay for them anonymously (cash in the mail [beware of your fingerprint and printer fingerprint], Liberty Reserve, well-laundered Bitcoin, etc).

However, you can’t readily do this without using virtual machines. And you’ll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.

Even if you pay for them anonymously, you’re making a bottleneck where all your traffic goes – the VPN/SSH can build a profile of everything you do, and over time that will probably be really dangerous.

The underlined statement is correct. You can’t have it both ways here. You can’t join the anonymity set of other Tor users + hide Tor from websites. You can’t use a VPN + profit from stream isolation (Stream Isolation). To combine best of both worlds, it would be best to only use the post-Tor proxy/VPN/ssh (user → Tor → proxy/VPN/ssh) when really needed and not for all use. Or somehow circle proxy/VPN/ssh, but that’s difficult.
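
The Torproject text quoted above says a VPN routed through Tor has to use TCP mode. As an added example (not part of the original posts), this Python check lists the remotes in an OpenVPN client config that would still be contacted over UDP. The sample config and its host names are constructed placeholders, the function names are chosen here, and comment stripping does not account for quoted strings.

```python
# Constructed client config in the style used with OpenVPN; vpn.example.net
# and backup.example.net are placeholders. "proto" comes after "remote".
SAMPLE_CONFIG = """\
client
dev tun
#remote vpn.example.net 53
remote vpn.example.net 1194
remote backup.example.net 1195 udp   ; per-remote protocol override
resolv-retry infinite
nobind
proto tcp
"""

def directives(text):
    """Yield each directive as a list of words, dropping # and ; comments."""
    for line in text.splitlines():
        for mark in "#;":
            line = line.split(mark, 1)[0]
        words = line.split()
        if words:
            yield words

def udp_remotes(text):
    """Return (host, port) for every remote OpenVPN would contact over UDP."""
    remotes, proto = [], "udp"          # OpenVPN's default protocol is UDP
    for words in directives(text):
        if words[0] == "proto" and len(words) > 1:
            proto = words[1]
        elif words[0] == "remote" and len(words) > 1:
            port = words[2] if len(words) > 2 else "1194"   # default port
            override = words[3] if len(words) > 3 else None
            remotes.append((words[1], port, override))
    # A per-remote protocol wins over the global "proto" line, wherever it is.
    return [(host, port) for host, port, override in remotes
            if not (override or proto).startswith("tcp")]

if __name__ == "__main__":
    for host, port in udp_remotes(SAMPLE_CONFIG):
        print(f"{host}:{port} would use UDP, which Tor does not carry")
```

An empty result means every active remote is set to TCP; a config with no proto line at all reports all of its remotes.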

Thanks again Patrick.
Finally I decided to install a VPN on windows-workstation.

  1. First I directly installed Mullvad Client but had some connection problems. Connection works (with TCP checked) but then failed after 10-20 seconds.
  2. So I decided to install OpenVPN and downloaded Mullvad configuration files. Same problem. :-\

Here is my config file:

client
dev tun
#remote openvpn.mullvad.net 443
#remote openvpn.mullvad.net 53
#remote se.mullvad.net # Servers in Sweden
#remote nl.mullvad.net # Servers in the Netherlands
remote openvpn.mullvad.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping-restart 60
service mullvadopenvpn
ping 10
ca ca.crt
cert mullvad.crt
key mullvad.key
crl-verify crl.pem
proto tcp

And my log:

Wed May 28 18:27:29 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 2 2014
Wed May 28 18:27:29 2014 library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.05
Enter Management Password:
Wed May 28 18:27:29 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed May 28 18:27:29 2014 Need hold release from management interface, waiting...
Wed May 28 18:27:29 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed May 28 18:27:30 2014 MANAGEMENT: CMD 'state on'
Wed May 28 18:27:30 2014 MANAGEMENT: CMD 'log all on'
Wed May 28 18:27:30 2014 MANAGEMENT: CMD 'hold off'
Wed May 28 18:27:30 2014 MANAGEMENT: CMD 'hold release'
Wed May 28 18:27:30 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 28 18:27:30 2014 MANAGEMENT: >STATE:1401294450,RESOLVE,,,
Wed May 28 18:27:31 2014 Attempting to establish TCP connection with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:31 2014 MANAGEMENT: >STATE:1401294451,TCP_CONNECT,,,
Wed May 28 18:27:31 2014 TCP connection established with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:31 2014 TCPv4_CLIENT link local: [undef]
Wed May 28 18:27:31 2014 TCPv4_CLIENT link remote: [AF_INET]178.162.209.231:1194
Wed May 28 18:27:31 2014 MANAGEMENT: >STATE:1401294451,WAIT,,,
Wed May 28 18:27:32 2014 Connection reset, restarting [0]
Wed May 28 18:27:32 2014 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 28 18:27:32 2014 MANAGEMENT: >STATE:1401294452,RECONNECTING,connection-reset,,
Wed May 28 18:27:32 2014 Restart pause, 5 second(s)
Wed May 28 18:27:37 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 28 18:27:37 2014 MANAGEMENT: >STATE:1401294457,RESOLVE,,,
Wed May 28 18:27:37 2014 Attempting to establish TCP connection with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:37 2014 MANAGEMENT: >STATE:1401294457,TCP_CONNECT,,,
Wed May 28 18:27:37 2014 TCP connection established with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:37 2014 TCPv4_CLIENT link local: [undef]
Wed May 28 18:27:37 2014 TCPv4_CLIENT link remote: [AF_INET]178.162.209.231:1194
Wed May 28 18:27:37 2014 MANAGEMENT: >STATE:1401294457,WAIT,,,
Wed May 28 18:27:38 2014 Connection reset, restarting [0]
Wed May 28 18:27:38 2014 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 28 18:27:38 2014 MANAGEMENT: >STATE:1401294458,RECONNECTING,connection-reset,,
Wed May 28 18:27:38 2014 Restart pause, 5 second(s)
Wed May 28 18:27:43 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 28 18:27:43 2014 MANAGEMENT: >STATE:1401294463,RESOLVE,,,
Wed May 28 18:27:43 2014 Attempting to establish TCP connection with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:43 2014 MANAGEMENT: >STATE:1401294463,TCP_CONNECT,,,
Wed May 28 18:27:43 2014 TCP connection established with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:43 2014 TCPv4_CLIENT link local: [undef]
Wed May 28 18:27:43 2014 TCPv4_CLIENT link remote: [AF_INET]178.162.209.231:1194
Wed May 28 18:27:43 2014 MANAGEMENT: >STATE:1401294463,WAIT,,,
Wed May 28 18:27:44 2014 Connection reset, restarting [0]
Wed May 28 18:27:44 2014 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 28 18:27:44 2014 MANAGEMENT: >STATE:1401294464,RECONNECTING,connection-reset,,
Wed May 28 18:27:44 2014 Restart pause, 5 second(s)
Wed May 28 18:27:49 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 28 18:27:49 2014 MANAGEMENT: >STATE:1401294469,RESOLVE,,,
Wed May 28 18:27:49 2014 Attempting to establish TCP connection with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:49 2014 MANAGEMENT: >STATE:1401294469,TCP_CONNECT,,,
Wed May 28 18:27:49 2014 TCP connection established with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:49 2014 TCPv4_CLIENT link local: [undef]
Wed May 28 18:27:49 2014 TCPv4_CLIENT link remote: [AF_INET]178.162.209.231:1194
Wed May 28 18:27:49 2014 MANAGEMENT: >STATE:1401294469,WAIT,,,
Wed May 28 18:27:50 2014 Connection reset, restarting [0]
Wed May 28 18:27:50 2014 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 28 18:27:50 2014 MANAGEMENT: >STATE:1401294470,RECONNECTING,connection-reset,,
Wed May 28 18:27:50 2014 Restart pause, 5 second(s)
Wed May 28 18:27:55 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 28 18:27:55 2014 MANAGEMENT: >STATE:1401294475,RESOLVE,,,
Wed May 28 18:27:55 2014 Attempting to establish TCP connection with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:55 2014 MANAGEMENT: >STATE:1401294475,TCP_CONNECT,,,
Wed May 28 18:27:55 2014 TCP connection established with [AF_INET]178.162.209.231:1194
Wed May 28 18:27:55 2014 TCPv4_CLIENT link local: [undef]
Wed May 28 18:27:55 2014 TCPv4_CLIENT link remote: [AF_INET]178.162.209.231:1194
Wed May 28 18:27:55 2014 MANAGEMENT: >STATE:1401294475,WAIT,,,
Wed May 28 18:27:55 2014 Connection reset, restarting [0]
Wed May 28 18:27:55 2014 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 28 18:27:55 2014 MANAGEMENT: >STATE:1401294475,RECONNECTING,connection-reset,,
Wed May 28 18:27:55 2014 Restart pause, 5 second(s)
Wed May 28 18:28:00 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 28 18:28:00 2014 MANAGEMENT: >STATE:1401294480,RESOLVE,,,
Wed May 28 18:28:00 2014 Attempting to establish TCP connection with [AF_INET]178.162.209.231:1194
Wed May 28 18:28:00 2014 MANAGEMENT: >STATE:1401294480,TCP_CONNECT,,,
Wed May 28 18:28:00 2014 TCP connection established with [AF_INET]178.162.209.231:1194
Wed May 28 18:28:00 2014 TCPv4_CLIENT link local: [undef]
Wed May 28 18:28:00 2014 TCPv4_CLIENT link remote: [AF_INET]178.162.209.231:1194
Wed May 28 18:28:00 2014 MANAGEMENT: >STATE:1401294480,WAIT,,,
Wed May 28 18:28:00 2014 Connection reset, restarting [0]
Wed May 28 18:28:00 2014 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 28 18:28:00 2014 MANAGEMENT: >STATE:1401294480,RECONNECTING,connection-reset,,
Wed May 28 18:28:00 2014 Restart pause, 5 second(s)
Wed May 28 18:28:05 2014 SIGTERM[hard,init_instance] received, process exiting
Wed May 28 18:28:05 2014 MANAGEMENT: >STATE:1401294485,EXITING,init_instance,,

Any idea? Regards

No idea.

Since you’re using TCP, seems like not a Whonix issue. In theory, there could be VPN providers blocking connections from the Tor network. Consider researching this or asking the support.

Contacting VPN provider support and/or the OpenVPN support channels might help.
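
As an added example (not part of the original posts): a Python helper that reads the >STATE: lines of an OpenVPN log like the one posted above and reports the stage each connection attempt reached before it ended, which is the detail to pass on to a support channel. The sample log is constructed and uses a documentation address; the function names and result labels are chosen here.

```python
import re
from collections import Counter

# OpenVPN management-interface states in the order a TCP client passes them.
ORDER = ["RESOLVE", "TCP_CONNECT", "WAIT", "AUTH", "GET_CONFIG",
         "ASSIGN_IP", "ADD_ROUTES", "CONNECTED"]
STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),([^,]*),")

# Constructed sample: two connect/reset cycles, documentation address only.
SAMPLE_LOG = """\
Wed May 28 18:27:30 2014 MANAGEMENT: >STATE:1401294450,RESOLVE,,,
Wed May 28 18:27:31 2014 MANAGEMENT: >STATE:1401294451,TCP_CONNECT,,,
Wed May 28 18:27:31 2014 TCP connection established with [AF_INET]192.0.2.10:1194
Wed May 28 18:27:31 2014 MANAGEMENT: >STATE:1401294451,WAIT,,,
Wed May 28 18:27:32 2014 MANAGEMENT: >STATE:1401294452,RECONNECTING,connection-reset,,
Wed May 28 18:27:37 2014 MANAGEMENT: >STATE:1401294457,TCP_CONNECT,,,
Wed May 28 18:27:37 2014 MANAGEMENT: >STATE:1401294457,WAIT,,,
Wed May 28 18:27:38 2014 MANAGEMENT: >STATE:1401294458,RECONNECTING,connection-reset,,
Wed May 28 18:27:43 2014 MANAGEMENT: >STATE:1401294463,EXITING,init_instance,,
"""

def attempts(log_text):
    """Return one (furthest_state, end_reason) pair per finished attempt."""
    done, furthest = [], None
    for state, detail in STATE_RE.findall(log_text):
        if state in ORDER:
            if furthest is None or ORDER.index(state) > ORDER.index(furthest):
                furthest = state
            if state == "CONNECTED":
                done.append((state, "connected"))
                furthest = None
        elif state in ("RECONNECTING", "EXITING") and furthest is not None:
            done.append((furthest, detail))
            furthest = None
    return done

def diagnose(log_text):
    """Name the stage at which the attempts in the log most often stopped."""
    tries = attempts(log_text)
    if not tries:
        return "no-finished-attempt"
    if any(reason == "connected" for _, reason in tries):
        return "connected"
    stage = Counter(s for s, _ in tries).most_common(1)[0][0]
    if ORDER.index(stage) < ORDER.index("WAIT"):
        return "tcp-not-established"
    if stage == "WAIT":
        return "closed-before-first-server-reply"
    return "failed-during-" + stage.lower()
```

In the log posted above every attempt stops in WAIT, the state in which the client is waiting for the server's first reply, so each reset arrives after the TCP connection is up and before any TLS or certificate step.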