Wiki Tunnel Builder

New wiki tunnels testing pages created.

If everything looks ok I’ll go ahead and delete:


1 Like

Not reviewed in detail yet but since it’s in testing and not referenced anywhere anyhow should be very much alright.

New templates created for JonDonym. And also minor formatting in some previously created Templates.

1 Like


My plan is to create all tunnel-link before Tor pages then make all the necessary edits (still lots to do). Then work on the tunnel-link after Tor pages. That way you can (if you would like to) start in on editing the tunnel-link before Tor pages while I finish up the remaining chapters. :slight_smile:

1 Like

New page Testing Connecting to JonDonym before Tor created.


1 Like

New page Testing Connecting to Lantern before Tor created.


I’ll be going through all the Testing pages and making edits / moving content / formatting etc.

Please bear in mind:

Feedback is always welcome and very much appreciated! So if anyone has ideas to improve the tunnel chapters, now would be the perfect time for those requests. While no promises can be made that your ideas will be implemented, consideration will be made for any reasonable requests.

Also note: Anyone can edit wiki chapters if they wish. Don’t be shy!

1 Like

I suggest to remove the box

From Whonix 14 onwards, all user unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf and not anywhere else. Note that Whonix will not modify /usr/local/etc/torrc.d/50_user.conf once it is created, therefore the user is responsible for adding or removing specific configurations in this file.

from all pages. It’s redundant. The instructions already specify in a very clear way which file should be edited. How do users benefit from a remark not to touch “anything else”?

Regarding the point of Whonix not modifying this file - I had no reason to think it will.

1 Like

SSH before Tor page:

  • “Install ssh Client” section: not required. Already included in Whonix.

  • “Test Connection” section: I’d use curl or anything that doesn’t require installation on most distros instead of lynx.

  • More about the two points above - we perhaps should make it more obvious they apply to the case of setting up SSH on the Gateway rather than on the host. We have no knowledge what the host OS is. Currently it looks like the instructions assume a Debian based host.

  • “Configure Proxy” (using option 1 - Anon Connection Wizard), step 2 - ideally ssh specific info there rather than using the same general box from A.C.W page.

1 Like

moved -> https://www.whonix.org/wiki/Connecting_to_Lantern_before_Tor/Testing

I agree with sheep. This was placed on the wiki pages mostly for the Whonix 14 transitioned from using /etc/tor/torrc to the currently used folder. I’ve seen a few users try to edit /etc/tor/torrc in Whonix 14 even with this warning and a warning in /etc/tor/torrc stating users should not edit this folder.

  • We cant help when users don’t read/follow the documentation
  • These warnings served their purpose i.e. transistion to /usr/local/etc/torrc.d/50_user.conf
  • There is a warning in /etc/tor/torrc so this is sufficiently covered.

Lets move this to a footnote?

openssh--client is not installed in sys-whonix. (In Whonix-Workstation yes)

sudo apt list --installed | grep ssh


Maybe have a small section on host setup which would include something similar to but only basic info:

Yes good point.

Thanks for all the feedback sheep!

I have no excuse for this. Sorry about that. Maybe lack of sleep? I created the previous page (Testing JonDonym) the same way. Will fix later on today.

1 Like

Will do 0brand.

You’re doing some great work. Now you know why I never attempted all the tunnel stuff - it is Mt Everest.

Was waiting for a saviour :slight_smile:



Don’t worry. It’s a very minor mistake. Happens. I view the wiki / Open Source as a layer that keeps getting better. Even a new page with wrong name is an improvement and the page name can be fixed in a subsequent edit.

1 Like

Hi Patrick,

Would it be ok to add the tunnel provider that I use for testing to replace riseup in all the tunnel configs? (meaning in the actual set up- Connecting_to_a_VPN_before_Tor#VPN_Setup) This would be for convenience (all wiki editors and users can test) and they have a pretty good reputation. Plus riseup legacy VPN is slated to be deprecated.


Words of caution

NOTE! Are you using a Mac, Linux, or Android? If so, then please use the Black VPN. VPN Red is not as secure, and we are deprecating it!

Of course a disclaimer would be added as per our discussion. The name of the provider is (https://cryptostorm.is/). They have a github repo for all configuration files including the free service. Only the rsa works with Whonix due to the ssl and openvpn version requirements for the ed and secp configs.








I made the same mistake when I was moving this one x2 :roll_eyes: but I fixed. Small change but looks a little better.

1 Like

Since riseup is going down and philanthropic free alternatives don’t exist.


I vaguely remember that discussion. Should be mentioned that it’s just an example and not an endorsement. Neither we’re affiliated, sponsored or have any other relationship with the service. That is/was even true for riseup.

(For the nitpicky ones: Me using riseup as e-mail provider or Cryptostorm VPN Integration For Whonix? shoundn’t count as relationship. Perhaps we can word that perfectly?)

I wonder what the future of https://www.whonix.org/wiki/Tunnels/Examples should be?

I agree that a concrete, working example will be very helpful for the VPN related pages.

However, I am not sure using this provider as an example is the best choice. Reason being their token system is very different than what other VPN providers use, and their configuration files are built accordingly. I don’t think users should go through the learning curve of using their token system / token hasher etc. Those are very specific steps that apply only for this provider. Some users perhaps don’t even know what a hash is. Generating this hash requires running JS on their site. Is this really necessary?

It is correct that openvpn configuration files styles will be different for various providers. I believe this is one of the larger challenges users face when they try to follow the Whonix instructions in those pages.

I think it’s generally good to choose an example which is as simple as possible. I hope this specific choice won’t make those pages more difficult than they already are.

I can name other providers, but I don’t want to.

Ideally the choice I would go for here is a VPN server that can only be used for testing, such as one that allows connections only to example.com or to its own URL. Second best, any free provider with simple configuration.

1 Like

Thread "The Setup Tor before a VPN (User -> Tor -> VPN _> Internet) issues on Qubes 4" that I included in my above post contains that discussion. I should have expanded that to make sure you saw it. :slight_smile: I think you coved most (all?) of your concern there?

Yes extremely important.

Good question. Have to think about that. torjunkie always has good ideas. Interested to see his/her input on this.

The free (to use) service does not require a token so hashing token is not needed. Even if it did it would be a small matter to provide the correct command. Runing the Js token hasher on their site is not necessary.

echo -n <token> | sha512sum

Yes it is very likely that different service providers will require different openvpn.conf option and in general a slightly different setup overall. But i’ve done my homework on this particular provider (simplified set up, Patricks concerns etc) and I believe this provider will suit all requirements.

I disagree at least in part. This should only be used for testing (will be stated in disclaimer) but our goal is not to limit what the user can do with this. Having a usable VPN for all connectivity testing would be very handy to have.

Providing other choices or not is up to you. Any suggesting would be considered. :slight_smile:

1 Like

Perhaps I jumped the gun here. With instructions on the same complexity level of the current riseup example (preferably simpler :slight_smile: ) I take back all my reservation.

I think our goal with the VPN related pages is to show how this setup can be done in Whonix, preferably all the way to a working demonstration of the mechanism, not necessarily to provide a solution for actual general usage (whether this usage is testing or otherwise). Once armed with this knowledge users are not limited to choose whichever provider they prefer.

I would go for any of the more widely used providers, preferably those who accept crypto / cash as payment methods. Not that it’s a guarantee for anything, I just assume users who are interested in this setting are already familiar with them or trying to use Whonix with them.

1 Like

Much simpler than riseup imo.

I can think of many reasons to not limit usage. What would be gained by doing this? I doubt users would even try the test setup if they new it was only to see a Connection Successful message. Just because there might be users that could use the VPN for general use doesn’t mean that option should be taken away. If they don’t head the warning and recommendations its on them. This should be their choice to make.

As well as ease of setup, security etc are important. Very important there is a disclaimer as per Patricks post (please see the thread I quoted in my previous post for source):

1 Like

We gain no doubts about affiliation of Whonix with any VPN provider. Disclaimers are better than no disclaimers but it’s best if we don’t need them in the first place. At any case people are going to wonder, why provider X and not Y? riseup’s choice could be justified, or implicitly understood, without lengthy explanations, more easily than other choices (at least before their canary drama).

Look, my ideal solution isn’t going to happen. Say, if there was an openvpn server on whonix.org that only allows connections to whonix.org or maybe also to torproject.org. Users could then test the VPN setup with a real connection and then revise settings to match their own provider. If something doesn’t work at that point, they know they should look at the provider’s settings for answers. But that kind of infrastructure not only increases Whonix’s involvement with users connections, it might imply Whonix endorses VPN in general. Plus there will be added maintenance involved. Second best is using a real provider.

I think it’s a good criteria, but without the payment option.


Armed with knowledge and no specific example being done mostly isn’t how users operate.

The people who do most work just be the ones also to make most decisions.

Since in this case 0brand is working on research, testing and documentation of VPN documentation, I’ll leave the ultimate decision about choosing which provider to 0brand. This has also pragmatic reasons. By spoiling the fun for contributors, one’s likely to loose the contributor. So unless it’s something that justifies a objection or veto (which is unlikely in this specific case), I’d let 0brand decide.

Since 0brand is reasonable, we might talk 0brand into switching to another VPN provider. If 0brand thinks this is a useful discussion and not law of triviality / bikeshed?

Should we have a VPN provider review wiki page?


  • interesting for many people
  • we surely would pick unique categories for comparison (payable by BTC, monero, etc.; no log policy; previous incidents, …)


  • could fall out of date later
  • we might lack time and motivation in long run to keep it up to date since it’s not the core of Whonix, so we perhaps make it more like a blog post where we put a date on it?

Such an overview table would make picking the right provider a more obvious choice.

Anyone up for that? @sheep

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]