VPN-Tor-VPN with Whonix (Gateway and Workstation): will Tor switch its path through the network?

I want to use VPN-Tor-VPN where the first node will be on one’s IP, and I will edit torrc to always use the same first node; the VPNs will also be the same. Will Tor switch its path through the network during a connection? Here, at trac_torproject_org/projects/tor/wiki/doc/TorPlusVPN#You-X-Tor-X,
I read that it does not in this case. But at the same time, below that it is written that it does if you use Whonix. Which is right? I want to use Whonix Gateway with Whonix Workstation. I want to set rules on Whonix Gateway to use the nodes I wrote about before, with a VPN on the host and a VPN on Whonix Workstation. And if, besides my entry node, I set exit nodes from several IPs and there are no other exit nodes (they will always be from the 5-6 IPs set in torrc), will Tor switch its path through the network during a connection?

I’m not going to do anonymous pentesting!

Would help to quote specific things.

Possibly misinterpretation.

TorPlusVPN · Wiki · Legacy / Trac · GitLab talks very little about Whonix. Quotes I can see:

You → your own (local) VPN server → Tor

“your own (local) VPN server” means a different implementation. Similar to Whonix. Instead of using the dual VM architecture of Whonix, one might be able to use a VPN to locally force all traffic to go through Tor. This is using VPN technology / OpenVPN perhaps. This doesn’t reference using any remote, commercial VPN servers one can purchase. Aka TorVPN. Details here:
TorVPN · Wiki · Legacy / Trac · GitLab

If you want this, it may unnecessary to use VPN, a simple Tor-Gateway may be easier, for example Whonix.

Let me translate. That means

“If you want this, it may be unnecessary to use a local (!) VPN (TorVPN). A simple Tor-Gateway may be easier. For example, Whonix provides a Tor-Gateway.”

The other quote:

  • If you still want to combine Tor with a proxy, all combinations are possible using Whonix (anonymous general purpose operating system). Whonix’s optional configurations document this.

It’s true. Anyone who insists on combining Tor with VPNs can do so using Whonix.

Combining Tunnels with Tor documents this.

However, while Whonix ensures that Tor will be used and has documentation on how to use a VPN “for real” (read: no leaks) using a fail closed mechanism… None of this indicates that Tor acts in any special way on Whonix. See also:

Does Whonix ™ Modify Tor?

For the purpose of this question: “No”.
Details:
Tor Documentation for Whonix Users

Therefore I don’t think there is anything Whonix specific in this question. Therefore this question could also be researched as per Self Support First Policy for Whonix.

If you want to configure Tor in unique and discouraged ways, Whonix does not limit that.

Other Tor related questions unspecific to Whonix can be redirected at the Tor support.

As far as I know and have experienced, for long-running connections such as to an IRC chat server, Tor does - usually - not change the circuit in order to not interpreter the connection. It tries to do that. A connection user → Tor → VPN would be similar to an IRC chat server connection. Usually. Meaning if a Tor exit would be (briefly) offline or unreachable, the long-running connection would be interrupted. Tor would open a new circuit - probably using another Tor exit relay. And the application (IRC chat client or VPN client) would reconnect, thereby ending up using the new Tor exit relay.

So unless you hardcode only 1 Tor exit, you risk that VPN servers see connections coming from different Tor exit relays.

Quoting the conclusion from Combining Tunnels with Tor:

For the vast majority of Whonix ™ users, using Tor in isolation – without a VPN or proxy – is the correct choice.

Yes, that “You -> your own (local) VPN server -> Tor” is the quote I talked about. If I understood right, it’s about a different thing. But why OpenVPN? Is OpenVPN the same? I read the article about TorVPN you wrote, but this is difficult for me. I wanted to use a rented VPN service with an OpenVPN connection on my host, for example whoe vpn, after that VirtualBox with Whonix with the first node set as my own node, and a rented VPN with an OpenVPN connection on the Workstation. I thought that I don’t need to disable any DNS or plugins etc., or edit any NAT settings etc., if I’m using Whonix. I want to buy VPNs and use them. You wrote “Tor does - usually - not change the circuit in order to not interpreter the connection. It tries to do that.” I thought that it always changes the path during a connection every 10 minutes. And on the official website the same is written, if I understand right. “To not interpreter the connection”, I don’t understand what you mean. “So unless you hardcode only 1 Tor exit, you risk that VPN servers see connections coming from different Tor exit relays.” But is this bad for anonymity? All these exit nodes will be from those 5-6 exit nodes that I set. So if I understood you right, Tor doesn’t change the path during a connection if I use VPN-Tor-VPN with an edited torrc with my first node always the same, and also with VPN-Tor-VPN with the default Tor connection, but is this not dangerous for anonymity? In this case, couldn’t just researching the connection times of nodes give the first node that connected to the exit node?

OpenVPN can be used for both.

  • potentially to create a local TorVPN
  • to connect to remote, commercial VPN providers

Not for long running connections.

The logic on Tor circuit lifetimes is complex.

The 10 minutes thing might still be there for short-lived circuits. I.e. an application continuously running on a Tor SocksPort not using any Tor options such as IsolateDestPort, others etc.

For example when apt-get is called, it actually runs torsocks apt-get and Whonix torsocks config uses IsolatePID 1 which results in using a new circuit for each execution of apt-get.

Not interrupt the connection.

I wouldn’t know why.
Simplified: a VPN in the configuration user → Tor → VPN → destination is bad for anonymity.
After reading Combining Tunnels with Tor I wonder why it is still so fascinating and desirable.

If you want to “shoot” yourself, feel free to.

I can’t follow.

Not clear. Recommendation is to use Whonix in default configuration. And even if you insist on using any VPNs, I really don’t see any need to change Tor config to hardcode Tor entry or exit relays.

Tor Project wrote something like: “don’t mess with Tor path selection - unless you’re more clever than Tor developers”.

1 Like
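
The circuit-reuse behaviour described in the replies above (long-running connections, the 10-minute rule, and IsolatePID) can be sketched as a simplified model. This is an added example, not Tor or Whonix code and not part of the original posts; the class, method names, isolation keys and timings are constructed for illustration, and only the 600-second value (the default of the torrc option MaxCircuitDirtiness) comes from Tor.

```python
# Simplified model of Tor stream-to-circuit assignment (added example, not Tor source).
from dataclasses import dataclass
from itertools import count
MAX_CIRCUIT_DIRTINESS = 600  # seconds; default of the torrc option MaxCircuitDirtiness

@dataclass
class Circuit:
    cid: int            # stands in for one distinct path / exit relay
    first_used: float
    alive: bool = True

class TorClientModel:
    def __init__(self):
        self._ids = count(1)
        self.current = {}  # isolation key -> circuit that accepts new streams
        self.streams = {}  # stream name -> circuit it was attached to

    def open_stream(self, name, now, isolation_key="default"):
        """Attach a NEW stream; only at this point does circuit age matter."""
        circ = self.current.get(isolation_key)
        if circ is None or not circ.alive or now - circ.first_used >= MAX_CIRCUIT_DIRTINESS:
            circ = Circuit(next(self._ids), now)
            self.current[isolation_key] = circ
        self.streams[name] = circ
        return circ.cid

    def circuit_of(self, name):
        """An already-open stream stays on its circuit; None once that circuit died."""
        circ = self.streams[name]
        return circ.cid if circ.alive else None

    def circuit_fails(self, cid):
        """Model an exit relay going offline: every stream on that circuit breaks."""
        for circ in self.streams.values():
            if circ.cid == cid:
                circ.alive = False

def scenario():
    tor = TorClientModel()
    r = {"vpn": tor.open_stream("vpn", now=0)}              # long-running tunnel
    r["web_1min"] = tor.open_stream("web1", now=60)         # young circuit: reused
    r["web_12min"] = tor.open_stream("web2", now=720)       # circuit too old: new one
    r["vpn_12min"] = tor.circuit_of("vpn")                  # open tunnel did not move
    r["apt_a"] = tor.open_stream("apt_a", 730, "pid:1001")  # IsolatePID-style keys
    r["apt_b"] = tor.open_stream("apt_b", 731, "pid:1002")
    tor.circuit_fails(r["vpn"])                             # exit briefly unreachable
    r["vpn_broken"] = tor.circuit_of("vpn")
    r["vpn_reconnect"] = tor.open_stream("vpn", now=740)    # VPN client reconnects
    return r
```

In this model the tunnel changes circuit only after its circuit fails and the client reconnects, which is the case in which a VPN server would see a different exit.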

Could you give a link to the official Tor website where more is written about this?

Can you tell me how to configure Tor in Whonix so that when using VPN-Tor-VPN, Tor switches its path every 10 minutes? Changes nodes?

I want to use different IPs for vpn1 (on the host) and vpn2 (on Whonix Workstation). By the same VPNs, I mean that the IPs of vpn1 and vpn2 will be the same for different Tor chains.
That means IP vpn1 0.0.0.1 and IP vpn2 0.0.0.2. Their IPs will always be the same; the Tor chains will be different in all cases.
The VPNs will be rented, with OpenVPN connections.

If I use Tor’s default settings, it may be that the entry and exit nodes are compromised and belong to the same person. This may happen, although it is not so likely.

To avoid such cases, I will set the entry node to always be the same. Please write how to make Tor change the chain every 10 minutes. That’s all.
Why is this needed? So that it is impossible to correlate in time. From the exit node, Tor was connected to site x for 1 hour. To find the user, we look at which of the second (relay) nodes was connected to the exit node for an hour. Of all the nodes, there will be one that is most likely. Next, we also look for the entry node by the same method. And the user is deanonymized.
Or maybe you can deanonymize in some other way.

That took 1 minute time with a search engine.
“10 minutes tor change circuit”

If I had to bet, I would bet that this is likely to be a failure. On one hand I am asked to provide a reference for things which are trivial to find out using a search engine. On the other hand, the goal is to invent a routing algorithm more clever than Tor.

Also as explained earlier, there is little to nothing Whonix specific in this question. Please refer to Self Support First Policy for Whonix.
