Whonix : tor connection issue (PoW) / vpn

This is my first post. I checked the similar topics but it doesn’t specifically answer my question.

So the issue I am encountering is that when my Mullvad VPN is all set up, it works fine with every other qube. But the moment I switch the netvm for anon-whonix or sys-whonix, nothing loads. When I turn it off it is fine.

But I am unable to connect to some onion sites and I suspect it is due to some proof of work protocol? I tried to update my Tor Browser as it was suggested that it automatically enables when updated, but that seems to not be the case. Every other onion site is fine except for a few that I suspect got the built-in DoS protection of Tor (PoW). I haven’t been successful in finding out how to enable that through some config.

So summarized:
VPN works on any other QubeVM but not with Whonix qubes.
Without VPN some onion sites do not load requiring proof of work enabled.

Connection scheme
User → Tor → VPN → Internet
breaks connections to onions.

This is not a Whonix issue. This is not an artificial user freedom restriction introduced by Whonix. This “issue”, if it can be called that, is inherited from Tor.

To use onions, you cannot use a VPN “after” Tor. This is because onions can only be reached from within the Tor network.

(Unless the VPN provider would add a confusing feature to add the capability to reach onion servers.)

I’d like to say feel free to test “User → Tor → VPN → Internet” without Whonix being involved, but for that you would need to set up a Tor transparent proxy or something. Maybe not trivial, but the issue would be reproducible there too. Nothing that Whonix can do about it.

Connection scheme
User → VPN → Tor → Internet
does not break onions. Tor, Tor Browser and even sys-whonix do not really “know”, “understand” or “care” that a VPN is used “before” Tor and do not change their behavior based on that.

All of this is documented here:

It’s also important to start reading there if you want to do VPN anything.

Please confirm the breakage is limited to onions by actually testing clearnet websites.

Terms “before” and “after” are ambiguous. To be avoided. Non-ideal. Hence in quotes. So please use complete connection scheme when talking about it to avoid confusion.

You’re not supposed to do that.

Hey Patrick. Thanks for the reply!

Ahh okay. That makes a lot more sense. The breakage is with all onions when using a VPN, but it is probably due to me changing the sys-whonix net VM with my VPN net VM. I am pretty new to using Qubes so I haven’t fully figured it out yet. I will definitely take a look at that page!

However, I do still have the issue with specific onions not being reachable because of some proof of work DoS protection feature. The onions are reachable on other machines just fine. But not through the machine where I am using Qubes Whonix. Can I enable it somehow by adding a line in the Tor config?

You’re not supposed to do that.

You can change sys-whonix’s Net Qube setting from sys-firewall to sys-vpn. That would be okay.

But please do not attempt to use anon-whonix directly with sys-vpn. It’s not designed for that. anon-whonix should always be connected to a Whonix-Gateway.

Any onion proof of work issues:

Yeah, it’s definitely a PoW issue. It is unrelated to the VPN. I’ve tried connecting to the same sites on other machines and it’s fine. Guess I’ll just wait out for a new version.

Also, I changed sys-whonix netvm to sys-vpn and that works! Didn’t know that anon-whonix should be left alone. That solves that, thanks!