Wiki Tunnel Builder

I agree that a concrete, working example will be very helpful for the VPN related pages.

However, I am not sure using this provider as an example is the best choice. Reason being their token system is very different than what other VPN providers use, and their configuration files are built accordingly. I don’t think users should go through the learning curve of using their token system / token hasher etc. Those are very specific steps that apply only for this provider. Some users perhaps don’t even know what a hash is. Generating this hash requires running JS on their site. Is this really necessary?

It is correct that openvpn configuration files styles will be different for various providers. I believe this is one of the larger challenges users face when they try to follow the Whonix instructions in those pages.

I think it’s generally good to choose an example which is as simple as possible. I hope this specific choice won’t make those pages more difficult than they already are.

I can name other providers, but I don’t want to.

Ideally the choice I would go for here is a VPN server that can only be used for testing, such as one that allows connections only to example.com or to its own URL. Second best, any free provider with simple configuration.

1 Like

Thread "The Setup Tor before a VPN (User -> Tor -> VPN _> Internet) issues on Qubes 4" that I included in my above post contains that discussion. I should have expanded that to make sure you saw it. :slight_smile: I think you coved most (all?) of your concern there?

Yes extremely important.

Good question. Have to think about that. torjunkie always has good ideas. Interested to see his/her input on this.

The free (to use) service does not require a token so hashing token is not needed. Even if it did it would be a small matter to provide the correct command. Runing the Js token hasher on their site is not necessary.

echo -n <token> | sha512sum

Yes it is very likely that different service providers will require different openvpn.conf option and in general a slightly different setup overall. But i’ve done my homework on this particular provider (simplified set up, Patricks concerns etc) and I believe this provider will suit all requirements.

I disagree at least in part. This should only be used for testing (will be stated in disclaimer) but our goal is not to limit what the user can do with this. Having a usable VPN for all connectivity testing would be very handy to have.

Providing other choices or not is up to you. Any suggesting would be considered. :slight_smile:

1 Like

Perhaps I jumped the gun here. With instructions on the same complexity level of the current riseup example (preferably simpler :slight_smile: ) I take back all my reservation.

I think our goal with the VPN related pages is to show how this setup can be done in Whonix, preferably all the way to a working demonstration of the mechanism, not necessarily to provide a solution for actual general usage (whether this usage is testing or otherwise). Once armed with this knowledge users are not limited to choose whichever provider they prefer.

I would go for any of the more widely used providers, preferably those who accept crypto / cash as payment methods. Not that it’s a guarantee for anything, I just assume users who are interested in this setting are already familiar with them or trying to use Whonix with them.

1 Like

Much simpler than riseup imo.

I can think of many reasons to not limit usage. What would be gained by doing this? I doubt users would even try the test setup if they new it was only to see a Connection Successful message. Just because there might be users that could use the VPN for general use doesn’t mean that option should be taken away. If they don’t head the warning and recommendations its on them. This should be their choice to make.

As well as ease of setup, security etc are important. Very important there is a disclaimer as per Patricks post (please see the thread I quoted in my previous post for source):

1 Like

We gain no doubts about affiliation of Whonix with any VPN provider. Disclaimers are better than no disclaimers but it’s best if we don’t need them in the first place. At any case people are going to wonder, why provider X and not Y? riseup’s choice could be justified, or implicitly understood, without lengthy explanations, more easily than other choices (at least before their canary drama).

Look, my ideal solution isn’t going to happen. Say, if there was an openvpn server on whonix.org that only allows connections to whonix.org or maybe also to torproject.org. Users could then test the VPN setup with a real connection and then revise settings to match their own provider. If something doesn’t work at that point, they know they should look at the provider’s settings for answers. But that kind of infrastructure not only increases Whonix’s involvement with users connections, it might imply Whonix endorses VPN in general. Plus there will be added maintenance involved. Second best is using a real provider.

I think it’s a good criteria, but without the payment option.


Armed with knowledge and no specific example being done mostly isn’t how users operate.

The people who do most work just be the ones also to make most decisions.

Since in this case 0brand is working on research, testing and documentation of VPN documentation, I’ll leave the ultimate decision about choosing which provider to 0brand. This has also pragmatic reasons. By spoiling the fun for contributors, one’s likely to loose the contributor. So unless it’s something that justifies a objection or veto (which is unlikely in this specific case), I’d let 0brand decide.

Since 0brand is reasonable, we might talk 0brand into switching to another VPN provider. If 0brand thinks this is a useful discussion and not law of triviality / bikeshed?

Should we have a VPN provider review wiki page?


  • interesting for many people
  • we surely would pick unique categories for comparison (payable by BTC, monero, etc.; no log policy; previous incidents, …)


  • could fall out of date later
  • we might lack time and motivation in long run to keep it up to date since it’s not the core of Whonix, so we perhaps make it more like a blog post where we put a date on it?

Such an overview table would make picking the right provider a more obvious choice.

Anyone up for that? @sheep

Providing other choices or not is up to you. Any suggesting would be considered. :slight_smile:

Yes, very useful. I value sheeps opinion.

That would be cool. The only other issue I could think of would be wading through all the proposed edits from VPN adversisters. Also posts from users asking for sheep/other wiki maintainers to review a specific service provider. This could turn into a real mess.

This gave me an idea though. I could use some specific provider suggestions to use in https://www.whonix.org/wiki/Tunnels/Examples. Then i can go through and set them up in a Debian VM (when I have time) and add the steps needed on that page.

If possible that page should use providers that don’t require any type of email registration

1 Like

I agree some provider is better than no provider.

If we must choose one, I would go for NordVPN for this guide.

They’re not necessarily my personal choice, but consistently appears on any list I’ve seen that discusses anonymous / crypto accepting VPN providers. Others that are frequently mentioned are ExpressVPN, Private Internet Access (PIA), TorGuard, Mullvad, AirVPN, ProtonVPN. There are more.

Running a search on this forum, NordVPN were mentioned 7 times on support tickets. Mullvad appear 15 times. Five results for TorGuard. One for ExpressVPN, 11 results for PIA, 10 for AirVPN, none for Proton VPN.

Four results for Cryptostorm. Two of them initiated by a company representative and one of the results is this thread.

I would argue that unless they have very noticeable advantages, CryptoStorm are an obscure choice.

Hi sheep

I should have been more specific about recommendations. For any recommendation

  • the provider was thoroughly screened to the best your abilities. security very important.
  • has a free service or limited use free service.
  • has free service that supports both tcp and udp (possible exception could be made for a proto udp only provider)
  • no email registration if preferred (but not necessary)
  • (nice to have) provider that can be used for light browsing. This could be useful for maintainer/user: bypass Tor censorship testing? Tunnel over UDP testing? Tunnel testing in general?
  • took a look at some reviews of provider. has a good reputation
  • simplified setup

Possible/likely some the your recommendations meet requirements. cryptostorm meets those requirements. i.e. I thoroughly screened to the best of my abilities.

1 Like

I would also like to clarify my last posts.

I don’t recommend any of the providers above for usage. Not NordVPN or any of them. Users, please do your own due diligence.

I did recommended NordVPN to be used as an example for this guide. This is not intended to be any kind of review as to the quality of Nord or any of the others. It is simply an attempt to hypothesize what will be useful for Whonix users when they come to follow the VPN page instructions, many of them already come with a clear idea of which provider to use, as can be seen in the search results I presented. I just know that many Tor users who value their anonymity and also require VPN (with or without Tor) mostly go for those. Maybe they’re making a horrible mistake with their choice - I’m no authority on that matter.

If the choice was mine I’d take the 3 top providers who appeared in search results, and evaluate them only according to the technical aspects (have free service / tcp / ease of setup etc). Any attempt to make an opinion on the less then visible aspects (try to guess… do they really store logs or not? what is the chance they are compromised? etc) is meaningless, although it is very common to see those kind of reviews

By the way I’ve seen less than favorable reviews on the person behind CryptoStorm and about other points with them.

Now perhaps the author is just a hater of CryptoStorm for some reason. I can’t be the judge of that. Maybe the other providers give him better affiliate fees or something. Can’t tell. But when I see zero interest in this provider from users on this forum I will gladly move on.

I remember that from a while back.That was not the about the person behind cryptostorm. That was about an associate who help out from time to time. This person did not have admin access to the servers.


Didn’t dig into it beyond reading those two sources, but as far as I gathered the reason he got uninvolved with the project at some point was his drug dealing, smuggling and bestiality conviction and incarceration. After his release they took him back (!), then he had further legal issues so his involvement stopped. There are other question. This provider does not even clearly state in which jurisdiction they reside. “Contact us” page only gives emails.

This review (which also talks to a CryptoStorm spokesperson) states that CryptoStorm is based in Iceland. I can, however, find no other confirmation of this. Iceland is good for privacy, but if CryptoStorm is indeed based in there, then it is interesting to note that it runs no servers from that location. Update: CryptoStorm has told me that: " Which country are you based in from a legal perspective? Iceland, actually we don’t care. "

At any case - I am happy to assist on the technical sides of assessing providers, but it will take me some time. I really think we can do better then to give this provider as an example but as Patrick said, you’re doing it so it makes sense it will be your call.

Im not concerned about that idoit. For the short time he came back it was mostly helping out with forum support. He is long gone now so that review has quite a bit of outdated info. Not that there aren’t any good points though. Would like to have configs from several providers if possible. Its tough to find decent ones that have a free service with no email registration. There are some that provide free service but with required email reg. Appreciate that you’ve been helping out!

Please edit to add to Criteria for Reviewing VPN Providers.


This could later on be turned into a table if someone is interested in doing that.

1 Like

No problem.

I don’t see email registration as an issue if temp email is acceptable and it does not need to be checked again in the future. Same deal as with this forum.

Mullvad provides 3 hours of free usage, no email or any registration required. Once the 3 hours expire you can get a new code (change it in the userpass file, restart openvpn) and continue. Good enough to get to a working setup, probably not very comfortable if user expects to use that for free for the longer term. A paid account doesn’t require email either. Tested successfully with Whonix and conforms to the other requirements you mentioned. Bitcoin accepted. I can write the instructions in a few days if interesting.

One point I like about NordVPN (Mullvad doesn’t have this advantage) is that don’t expose all of their servers as a public list. It’s less trivial for a site to blacklist or discriminate against their IPs. I guess still possible though. Searching in Shodan, I could easily identify that it is a Nord server.

1 Like

This is about simplicity as well. No email reg is desirable even if just for that reason. If there is a provider that meets other requirement but email registration is needed we can still use them.

Cool. Three hours is plenty of time. For most people that would be more than sufficient.

Definatly interested. I’d like to have a look at them give me little bit of time. BTW Have you been able to find if Nord uses bare metal or virtual servers?

1 Like

Don’t know. I see that Nord’s 7-days free trial requires a CC so not relevant here. There’s also a 30-day money back guarantee with crypto payment accepted but it still requires an advance payment for that month.

1 Like

A bit off topic. Not free and not a VPN but still related to tunneling:


Deploy VPS servers with Bitcoin or Bitcoin Cash. As anonymous as you make it, no account needed. Purely API driven.

I’ve been considering what you said. While I’m satisfied this person is not longer affiliated the the day to day operations with the provider you did bring up some interesting points.

  • Even after the first time this person was in trouble why was he allowed back? It would be obvious this bringing back person would have affected revenue? Why?
    • Personal relationship?
    • Business relationship
  • Stated as a Decentralized service - who really owns crytpostorm. Could this person still have partial ownership but does not have access to severs? (silent partner)They never mentioned that and refuse to state who really owns cryptstorm. (my mistake. I thought decentralized might be a good thing. No, not with service providers)
  • I have not attachment to this provider.
  • Whonix can not use this provider for examples. Other users will bring this up? I have no interest defending this decision when there are other providers that meet requirements. This could end up blowing up in out face.

sheep seems to have good ideas and judgement. Thanks for bringing this up. Who`s your number one pic for the examples?

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]