Wiki Tunnel Builder

SSH before Tor page:

  • “Install ssh Client” section: not required. Already included in Whonix.

  • “Test Connection” section: I’d use curl or anything that doesn’t require installation on most distros instead of lynx.

  • More about the two points above - we perhaps should make it more obvious they apply to the case of setting up SSH on the Gateway rather than on the host. We have no knowledge what the host OS is. Currently it looks like the instructions assume a Debian based host.

  • “Configure Proxy” (using option 1 - Anon Connection Wizard), step 2 - ideally ssh specific info there rather than using the same general box from A.C.W page.

1 Like

moved -> https://www.whonix.org/wiki/Connecting_to_Lantern_before_Tor/Testing

I agree with sheep. This was placed on the wiki pages mostly for the Whonix 14 transitioned from using /etc/tor/torrc to the currently used folder. I’ve seen a few users try to edit /etc/tor/torrc in Whonix 14 even with this warning and a warning in /etc/tor/torrc stating users should not edit this folder.

  • We cant help when users don’t read/follow the documentation
  • These warnings served their purpose i.e. transistion to /usr/local/etc/torrc.d/50_user.conf
  • There is a warning in /etc/tor/torrc so this is sufficiently covered.

Lets move this to a footnote?

openssh--client is not installed in sys-whonix. (In Whonix-Workstation yes)

sudo apt list --installed | grep ssh


Maybe have a small section on host setup which would include something similar to but only basic info:

Yes good point.

Thanks for all the feedback sheep!

I have no excuse for this. Sorry about that. Maybe lack of sleep? I created the previous page (Testing JonDonym) the same way. Will fix later on today.

1 Like

Will do 0brand.

You’re doing some great work. Now you know why I never attempted all the tunnel stuff - it is Mt Everest.

Was waiting for a saviour :slight_smile:



Don’t worry. It’s a very minor mistake. Happens. I view the wiki / Open Source as a layer that keeps getting better. Even a new page with wrong name is an improvement and the page name can be fixed in a subsequent edit.

1 Like

Hi Patrick,

Would it be ok to add the tunnel provider that I use for testing to replace riseup in all the tunnel configs? (meaning in the actual set up- Connecting_to_a_VPN_before_Tor#VPN_Setup) This would be for convenience (all wiki editors and users can test) and they have a pretty good reputation. Plus riseup legacy VPN is slated to be deprecated.


Words of caution

NOTE! Are you using a Mac, Linux, or Android? If so, then please use the Black VPN. VPN Red is not as secure, and we are deprecating it!

Of course a disclaimer would be added as per our discussion. The name of the provider is (https://cryptostorm.is/). They have a github repo for all configuration files including the free service. Only the rsa works with Whonix due to the ssl and openvpn version requirements for the ed and secp configs.








I made the same mistake when I was moving this one x2 :roll_eyes: but I fixed. Small change but looks a little better.

1 Like

Since riseup is going down and philanthropic free alternatives don’t exist.


I vaguely remember that discussion. Should be mentioned that it’s just an example and not an endorsement. Neither we’re affiliated, sponsored or have any other relationship with the service. That is/was even true for riseup.

(For the nitpicky ones: Me using riseup as e-mail provider or Cryptostorm VPN Integration For Whonix? shoundn’t count as relationship. Perhaps we can word that perfectly?)

I wonder what the future of https://www.whonix.org/wiki/Tunnels/Examples should be?

I agree that a concrete, working example will be very helpful for the VPN related pages.

However, I am not sure using this provider as an example is the best choice. Reason being their token system is very different than what other VPN providers use, and their configuration files are built accordingly. I don’t think users should go through the learning curve of using their token system / token hasher etc. Those are very specific steps that apply only for this provider. Some users perhaps don’t even know what a hash is. Generating this hash requires running JS on their site. Is this really necessary?

It is correct that openvpn configuration files styles will be different for various providers. I believe this is one of the larger challenges users face when they try to follow the Whonix instructions in those pages.

I think it’s generally good to choose an example which is as simple as possible. I hope this specific choice won’t make those pages more difficult than they already are.

I can name other providers, but I don’t want to.

Ideally the choice I would go for here is a VPN server that can only be used for testing, such as one that allows connections only to example.com or to its own URL. Second best, any free provider with simple configuration.

1 Like

Thread "The Setup Tor before a VPN (User -> Tor -> VPN _> Internet) issues on Qubes 4" that I included in my above post contains that discussion. I should have expanded that to make sure you saw it. :slight_smile: I think you coved most (all?) of your concern there?

Yes extremely important.

Good question. Have to think about that. torjunkie always has good ideas. Interested to see his/her input on this.

The free (to use) service does not require a token so hashing token is not needed. Even if it did it would be a small matter to provide the correct command. Runing the Js token hasher on their site is not necessary.

echo -n <token> | sha512sum

Yes it is very likely that different service providers will require different openvpn.conf option and in general a slightly different setup overall. But i’ve done my homework on this particular provider (simplified set up, Patricks concerns etc) and I believe this provider will suit all requirements.

I disagree at least in part. This should only be used for testing (will be stated in disclaimer) but our goal is not to limit what the user can do with this. Having a usable VPN for all connectivity testing would be very handy to have.

Providing other choices or not is up to you. Any suggesting would be considered. :slight_smile:

1 Like

Perhaps I jumped the gun here. With instructions on the same complexity level of the current riseup example (preferably simpler :slight_smile: ) I take back all my reservation.

I think our goal with the VPN related pages is to show how this setup can be done in Whonix, preferably all the way to a working demonstration of the mechanism, not necessarily to provide a solution for actual general usage (whether this usage is testing or otherwise). Once armed with this knowledge users are not limited to choose whichever provider they prefer.

I would go for any of the more widely used providers, preferably those who accept crypto / cash as payment methods. Not that it’s a guarantee for anything, I just assume users who are interested in this setting are already familiar with them or trying to use Whonix with them.

1 Like

Much simpler than riseup imo.

I can think of many reasons to not limit usage. What would be gained by doing this? I doubt users would even try the test setup if they new it was only to see a Connection Successful message. Just because there might be users that could use the VPN for general use doesn’t mean that option should be taken away. If they don’t head the warning and recommendations its on them. This should be their choice to make.

As well as ease of setup, security etc are important. Very important there is a disclaimer as per Patricks post (please see the thread I quoted in my previous post for source):

1 Like

We gain no doubts about affiliation of Whonix with any VPN provider. Disclaimers are better than no disclaimers but it’s best if we don’t need them in the first place. At any case people are going to wonder, why provider X and not Y? riseup’s choice could be justified, or implicitly understood, without lengthy explanations, more easily than other choices (at least before their canary drama).

Look, my ideal solution isn’t going to happen. Say, if there was an openvpn server on whonix.org that only allows connections to whonix.org or maybe also to torproject.org. Users could then test the VPN setup with a real connection and then revise settings to match their own provider. If something doesn’t work at that point, they know they should look at the provider’s settings for answers. But that kind of infrastructure not only increases Whonix’s involvement with users connections, it might imply Whonix endorses VPN in general. Plus there will be added maintenance involved. Second best is using a real provider.

I think it’s a good criteria, but without the payment option.


Armed with knowledge and no specific example being done mostly isn’t how users operate.

The people who do most work just be the ones also to make most decisions.

Since in this case 0brand is working on research, testing and documentation of VPN documentation, I’ll leave the ultimate decision about choosing which provider to 0brand. This has also pragmatic reasons. By spoiling the fun for contributors, one’s likely to loose the contributor. So unless it’s something that justifies a objection or veto (which is unlikely in this specific case), I’d let 0brand decide.

Since 0brand is reasonable, we might talk 0brand into switching to another VPN provider. If 0brand thinks this is a useful discussion and not law of triviality / bikeshed?

Should we have a VPN provider review wiki page?


  • interesting for many people
  • we surely would pick unique categories for comparison (payable by BTC, monero, etc.; no log policy; previous incidents, …)


  • could fall out of date later
  • we might lack time and motivation in long run to keep it up to date since it’s not the core of Whonix, so we perhaps make it more like a blog post where we put a date on it?

Such an overview table would make picking the right provider a more obvious choice.

Anyone up for that? @sheep

Providing other choices or not is up to you. Any suggesting would be considered. :slight_smile:

Yes, very useful. I value sheeps opinion.

That would be cool. The only other issue I could think of would be wading through all the proposed edits from VPN adversisters. Also posts from users asking for sheep/other wiki maintainers to review a specific service provider. This could turn into a real mess.

This gave me an idea though. I could use some specific provider suggestions to use in https://www.whonix.org/wiki/Tunnels/Examples. Then i can go through and set them up in a Debian VM (when I have time) and add the steps needed on that page.

If possible that page should use providers that don’t require any type of email registration

1 Like

I agree some provider is better than no provider.

If we must choose one, I would go for NordVPN for this guide.

They’re not necessarily my personal choice, but consistently appears on any list I’ve seen that discusses anonymous / crypto accepting VPN providers. Others that are frequently mentioned are ExpressVPN, Private Internet Access (PIA), TorGuard, Mullvad, AirVPN, ProtonVPN. There are more.

Running a search on this forum, NordVPN were mentioned 7 times on support tickets. Mullvad appear 15 times. Five results for TorGuard. One for ExpressVPN, 11 results for PIA, 10 for AirVPN, none for Proton VPN.

Four results for Cryptostorm. Two of them initiated by a company representative and one of the results is this thread.

I would argue that unless they have very noticeable advantages, CryptoStorm are an obscure choice.

Hi sheep

I should have been more specific about recommendations. For any recommendation

  • the provider was thoroughly screened to the best your abilities. security very important.
  • has a free service or limited use free service.
  • has free service that supports both tcp and udp (possible exception could be made for a proto udp only provider)
  • no email registration if preferred (but not necessary)
  • (nice to have) provider that can be used for light browsing. This could be useful for maintainer/user: bypass Tor censorship testing? Tunnel over UDP testing? Tunnel testing in general?
  • took a look at some reviews of provider. has a good reputation
  • simplified setup

Possible/likely some the your recommendations meet requirements. cryptostorm meets those requirements. i.e. I thoroughly screened to the best of my abilities.

1 Like

I would also like to clarify my last posts.

I don’t recommend any of the providers above for usage. Not NordVPN or any of them. Users, please do your own due diligence.

I did recommended NordVPN to be used as an example for this guide. This is not intended to be any kind of review as to the quality of Nord or any of the others. It is simply an attempt to hypothesize what will be useful for Whonix users when they come to follow the VPN page instructions, many of them already come with a clear idea of which provider to use, as can be seen in the search results I presented. I just know that many Tor users who value their anonymity and also require VPN (with or without Tor) mostly go for those. Maybe they’re making a horrible mistake with their choice - I’m no authority on that matter.

If the choice was mine I’d take the 3 top providers who appeared in search results, and evaluate them only according to the technical aspects (have free service / tcp / ease of setup etc). Any attempt to make an opinion on the less then visible aspects (try to guess… do they really store logs or not? what is the chance they are compromised? etc) is meaningless, although it is very common to see those kind of reviews

By the way I’ve seen less than favorable reviews on the person behind CryptoStorm and about other points with them.

Now perhaps the author is just a hater of CryptoStorm for some reason. I can’t be the judge of that. Maybe the other providers give him better affiliate fees or something. Can’t tell. But when I see zero interest in this provider from users on this forum I will gladly move on.

I remember that from a while back.That was not the about the person behind cryptostorm. That was about an associate who help out from time to time. This person did not have admin access to the servers.


Didn’t dig into it beyond reading those two sources, but as far as I gathered the reason he got uninvolved with the project at some point was his drug dealing, smuggling and bestiality conviction and incarceration. After his release they took him back (!), then he had further legal issues so his involvement stopped. There are other question. This provider does not even clearly state in which jurisdiction they reside. “Contact us” page only gives emails.

This review (which also talks to a CryptoStorm spokesperson) states that CryptoStorm is based in Iceland. I can, however, find no other confirmation of this. Iceland is good for privacy, but if CryptoStorm is indeed based in there, then it is interesting to note that it runs no servers from that location. Update: CryptoStorm has told me that: " Which country are you based in from a legal perspective? Iceland, actually we don’t care. "

At any case - I am happy to assist on the technical sides of assessing providers, but it will take me some time. I really think we can do better then to give this provider as an example but as Patrick said, you’re doing it so it makes sense it will be your call.

Im not concerned about that idoit. For the short time he came back it was mostly helping out with forum support. He is long gone now so that review has quite a bit of outdated info. Not that there aren’t any good points though. Would like to have configs from several providers if possible. Its tough to find decent ones that have a free service with no email registration. There are some that provide free service but with required email reg. Appreciate that you’ve been helping out!

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]