Why disabling stream isolation is necessary to connect Tor before VPN?

In the above document, it is mentioned that disabling stream isolation is necessary to prevent bypassing of the tunnel link. However, I don’t understand why this is necessary in a Qubes OS scenario.

In the following setup:
AppVM → sys-whonix → sys-vpn → sys-firewall → sys-net → internet

How could anything bypass the tunnel? The sys-vpn has a kill switch enabled, along with extra firewall rules to prevent traffic from bypassing the VPN. So how could anything bypass the VPN?

If what is mentioned in the document is true, and the sys-vpn configuration is preventing anything from bypassing the VPN, then Tor Browser should not work in this setup without disabling stream isolation. However, everything is working perfectly fine.

Can anyone explain this?

This configuration has a separate VPN-Gateway between Whonix-Gateway and Whonix-Workstation: Whonix-Workstation → VPN-Gateway → Whonix-Gateway.

But for stream isolation an application must talk to Tor directly for Tor to be able to receive an identifier to be able to select a stream isolation circuit.

Once there’s an “obstacle” between applications and Tor, in this case the VPN-Gateway, this cannot work.

Identifiers (SOCKS user name) are lost. The SOCKS protocol is no longer being used. There’s no longer a direct connection between applications (or socksifiers (torsocks) / proxifiers) and Tor.
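As an added illustration of the point above (example code, not from the thread or from Whonix): the SOCKS5 messages an application has to exchange directly with Tor's SocksPort for its stream-isolation identifier to reach Tor as the SOCKS user name, which is exactly what an intermediate VPN gateway cannot forward. It assumes a local Tor SocksPort at 127.0.0.1:9050 with Tor's default IsolateSOCKSAuth; the isolation id, host and port are constructed sample values.

```python
# Added example, not from the thread: SOCKS5 messages an application sends
# directly to Tor's SocksPort so a stream-isolation identifier reaches Tor as
# the SOCKS username (Tor's IsolateSOCKSAuth, on by default, keeps streams
# with different credentials on separate circuits). Values are constructed.
import socket
import struct

SOCKS_VERSION, METHOD_USERPASS, ATYP_DOMAIN = 5, 0x02, 0x03


def socks5_greeting() -> bytes:
    # Offer only username/password auth, so the identifier has to be sent.
    return bytes([SOCKS_VERSION, 1, METHOD_USERPASS])


def socks5_userpass(username: str, password: str) -> bytes:
    # RFC 1929 sub-negotiation: version 1, then two length-prefixed fields.
    u, p = username.encode(), password.encode()
    if not (0 < len(u) < 256 and 0 < len(p) < 256):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def socks5_connect(host: str, port: int) -> bytes:
    # CONNECT with a domain-name address, so Tor resolves it (no local DNS).
    h = host.encode()
    if not (0 < len(h) < 256 and 0 < port < 65536):
        raise ValueError("bad host or port")
    return bytes([SOCKS_VERSION, 1, 0, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def isolated_handshake(isolation_id: str, host: str, port: int) -> list:
    # Client-side message sequence for one stream tagged with isolation_id.
    # The password is arbitrary; Tor keys isolation on both fields together.
    return [socks5_greeting(), socks5_userpass(isolation_id, "x"), socks5_connect(host, port)]


def auth_accepted(reply: bytes) -> bool:
    # Sub-negotiation reply: version 1, status 0 means success.
    return reply[:2] == b"\x01\x00"


def open_isolated_stream(isolation_id, host, port, socks=("127.0.0.1", 9050)):
    # Perform the handshake over a real socket to a local Tor SocksPort (assumed address).
    s = socket.create_connection(socks)
    greet, auth, conn = isolated_handshake(isolation_id, host, port)
    s.sendall(greet)
    if s.recv(2) != bytes([SOCKS_VERSION, METHOD_USERPASS]):
        raise OSError("Tor did not accept username/password auth")
    s.sendall(auth)
    if not auth_accepted(s.recv(2)):
        raise OSError("authentication rejected")
    s.sendall(conn)
    if s.recv(10)[1] != 0:  # CONNECT reply code 0 = succeeded
        raise OSError("CONNECT failed")
    return s
```

Two applications using different identifiers (say `browser-tab-1` and `updater`) get separate circuits only because each identifier travels inside this handshake; once traffic is routed as plain IP through another gateway, there is no SOCKS session left to carry it.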

So, is the setup not AppVM → sys-whonix → sys-vpn, but rather AppVM → sys-vpn → sys-whonix?

In this case, Tor is not connecting via the VPN; instead, the VPN is connecting via Tor, and the exit node is actually the VPN. Right? I had understood the opposite.

Different scenarios; both are possible and each has a separate wiki page.

Combining Tunnels with Tor will lead to the page you need depending on desired network scheme.

“via”, “over”, and “through” are ambiguous terminology. The wiki avoids them.

Terminology for Support Requests

Just need to confirm one thing:

In this scenario

AppVM → sys-whonix → sys-vpn

Do I need to disable stream isolation?

The documentation is confusing in this regard.

No. Because applications can talk to Tor directly just fine.

sys-whonix / Tor have no code-level awareness of whether a VPN is in use or not. They just use the available network connectivity.

sys-vpn could in theory be replaced with sys-ssh, sys-proxy, etc. or even stack multiple tunnel-links.

Wiki page applicable:

The idea of the wiki is to have Combining Tunnels with Tor provide general information, comparisons, let users select connection scheme, then link to a dedicated wiki page documenting implementation options.
