Wiki Tunnel Builder


Providing other choices or not is up to you. Any suggesting would be considered. :slight_smile:

Yes, very useful. I value sheeps opinion.

That would be cool. The only other issue I could think of would be wading through all the proposed edits from VPN adversisters. Also posts from users asking for sheep/other wiki maintainers to review a specific service provider. This could turn into a real mess.

This gave me an idea though. I could use some specific provider suggestions to use in https://www.whonix.org/wiki/Tunnels/Examples. Then i can go through and set them up in a Debian VM (when I have time) and add the steps needed on that page.

If possible that page should use providers that don’t require any type of email registration

1 Like

I agree some provider is better than no provider.

If we must choose one, I would go for NordVPN for this guide.

They’re not necessarily my personal choice, but consistently appears on any list I’ve seen that discusses anonymous / crypto accepting VPN providers. Others that are frequently mentioned are ExpressVPN, Private Internet Access (PIA), TorGuard, Mullvad, AirVPN, ProtonVPN. There are more.

Running a search on this forum, NordVPN were mentioned 7 times on support tickets. Mullvad appear 15 times. Five results for TorGuard. One for ExpressVPN, 11 results for PIA, 10 for AirVPN, none for Proton VPN.

Four results for Cryptostorm. Two of them initiated by a company representative and one of the results is this thread.

I would argue that unless they have very noticeable advantages, CryptoStorm are an obscure choice.


Hi sheep

I should have been more specific about recommendations. For any recommendation

  • the provider was thoroughly screened to the best your abilities. security very important.
  • has a free service or limited use free service.
  • has free service that supports both tcp and udp (possible exception could be made for a proto udp only provider)
  • no email registration if preferred (but not necessary)
  • (nice to have) provider that can be used for light browsing. This could be useful for maintainer/user: bypass Tor censorship testing? Tunnel over UDP testing? Tunnel testing in general?
  • took a look at some reviews of provider. has a good reputation
  • simplified setup

Possible/likely some the your recommendations meet requirements. cryptostorm meets those requirements. i.e. I thoroughly screened to the best of my abilities.

1 Like

I would also like to clarify my last posts.

I don’t recommend any of the providers above for usage. Not NordVPN or any of them. Users, please do your own due diligence.

I did recommended NordVPN to be used as an example for this guide. This is not intended to be any kind of review as to the quality of Nord or any of the others. It is simply an attempt to hypothesize what will be useful for Whonix users when they come to follow the VPN page instructions, many of them already come with a clear idea of which provider to use, as can be seen in the search results I presented. I just know that many Tor users who value their anonymity and also require VPN (with or without Tor) mostly go for those. Maybe they’re making a horrible mistake with their choice - I’m no authority on that matter.

If the choice was mine I’d take the 3 top providers who appeared in search results, and evaluate them only according to the technical aspects (have free service / tcp / ease of setup etc). Any attempt to make an opinion on the less then visible aspects (try to guess… do they really store logs or not? what is the chance they are compromised? etc) is meaningless, although it is very common to see those kind of reviews

By the way I’ve seen less than favorable reviews on the person behind CryptoStorm and about other points with them.

Now perhaps the author is just a hater of CryptoStorm for some reason. I can’t be the judge of that. Maybe the other providers give him better affiliate fees or something. Can’t tell. But when I see zero interest in this provider from users on this forum I will gladly move on.


I remember that from a while back.That was not the about the person behind cryptostorm. That was about an associate who help out from time to time. This person did not have admin access to the servers.



Didn’t dig into it beyond reading those two sources, but as far as I gathered the reason he got uninvolved with the project at some point was his drug dealing, smuggling and bestiality conviction and incarceration. After his release they took him back (!), then he had further legal issues so his involvement stopped. There are other question. This provider does not even clearly state in which jurisdiction they reside. “Contact us” page only gives emails.

This review (which also talks to a CryptoStorm spokesperson) states that CryptoStorm is based in Iceland. I can, however, find no other confirmation of this. Iceland is good for privacy, but if CryptoStorm is indeed based in there, then it is interesting to note that it runs no servers from that location. Update: CryptoStorm has told me that: " Which country are you based in from a legal perspective? Iceland, actually we don’t care. "

At any case - I am happy to assist on the technical sides of assessing providers, but it will take me some time. I really think we can do better then to give this provider as an example but as Patrick said, you’re doing it so it makes sense it will be your call.


Im not concerned about that idoit. For the short time he came back it was mostly helping out with forum support. He is long gone now so that review has quite a bit of outdated info. Not that there aren’t any good points though. Would like to have configs from several providers if possible. Its tough to find decent ones that have a free service with no email registration. There are some that provide free service but with required email reg. Appreciate that you’ve been helping out!


Please edit to add to Criteria for Reviewing VPN Providers.


This could later on be turned into a table if someone is interested in doing that.

1 Like

No problem.


I don’t see email registration as an issue if temp email is acceptable and it does not need to be checked again in the future. Same deal as with this forum.

Mullvad provides 3 hours of free usage, no email or any registration required. Once the 3 hours expire you can get a new code (change it in the userpass file, restart openvpn) and continue. Good enough to get to a working setup, probably not very comfortable if user expects to use that for free for the longer term. A paid account doesn’t require email either. Tested successfully with Whonix and conforms to the other requirements you mentioned. Bitcoin accepted. I can write the instructions in a few days if interesting.

One point I like about NordVPN (Mullvad doesn’t have this advantage) is that don’t expose all of their servers as a public list. It’s less trivial for a site to blacklist or discriminate against their IPs. I guess still possible though. Searching in Shodan, I could easily identify that it is a Nord server.

1 Like

This is about simplicity as well. No email reg is desirable even if just for that reason. If there is a provider that meets other requirement but email registration is needed we can still use them.

Cool. Three hours is plenty of time. For most people that would be more than sufficient.

Definatly interested. I’d like to have a look at them give me little bit of time. BTW Have you been able to find if Nord uses bare metal or virtual servers?

1 Like

Don’t know. I see that Nord’s 7-days free trial requires a CC so not relevant here. There’s also a 30-day money back guarantee with crypto payment accepted but it still requires an advance payment for that month.

1 Like

A bit off topic. Not free and not a VPN but still related to tunneling:


Deploy VPS servers with Bitcoin or Bitcoin Cash. As anonymous as you make it, no account needed. Purely API driven.


I’ve been considering what you said. While I’m satisfied this person is not longer affiliated the the day to day operations with the provider you did bring up some interesting points.

  • Even after the first time this person was in trouble why was he allowed back? It would be obvious this bringing back person would have affected revenue? Why?
    • Personal relationship?
    • Business relationship
  • Stated as a Decentralized service - who really owns crytpostorm. Could this person still have partial ownership but does not have access to severs? (silent partner)They never mentioned that and refuse to state who really owns cryptstorm. (my mistake. I thought decentralized might be a good thing. No, not with service providers)
  • I have not attachment to this provider.
  • Whonix can not use this provider for examples. Other users will bring this up? I have no interest defending this decision when there are other providers that meet requirements. This could end up blowing up in out face.

sheep seems to have good ideas and judgement. Thanks for bringing this up. Who`s your number one pic for the examples?

1 Like

I think Mullvad will be good for the examples.

Another point re the VPN pages - if I recall correctly the instructions to install resolvconf are at a point the user lost internet connection due to reload of Whonix firewall, and before the new connection (with openvpn) is established. Should we move the following to the top?

sudo apt-get update
sudo apt-get install resolvconf

If users follow the instructions from top to bottom, there will be similar difficulties with downloading files from the VPN provider.

Alternatively, perhaps move the Fail Safe Mechanism to the bottom? anyway it’s clear users should use some kind of connection to download stuff required to configure the connection…

Last point: I recall previous versions of the VPN pages included the “aptitude keep-all” command. I see now that it was removed on Feb 3. Is it not required?

1 Like

Hi sheep

Lets recommend users clone the Whonix-Workstation and use the clone for VPN configuration. Its good practice to always have clean Whonix VM available for cases like this.

  • No need to download a new image every time a clean VM is needed. Convenience for the user. (saves a lot of time)
  • Avoid inexperienced users reverting edits without understanding what they are doing.

This way the cloned VM does not need to have an internet connection during configuration. And there will be a functional workstation for troubleshooting if they need it. If moving content around would simplify the instructions we could do that.

I was told recently “Don’t let perfect be the enemy of progress”. Or something similar to that. I think that applies here.

1 Like

Not required. Whonix packages are no longer using Breaks: resolvconf. Therefore no Whonix meta package removed. Therefore keep-all not required.


Downloading files from the VPN provider and installing resolvconf before breaking the connection solves the difficulties and will be simpler in my opinion than moving things between VMs after it’s broken.

How will you install resolvconf without a connection? I guess there is a way to download it on one machine then install on another but I don’t see how it’s simpler.

Using two VMs in parallel can be very helpful at times but if that’s a mandatory part of the setup here it adds more steps (for example editing the VM’s IP to make sure it can run in parallel).

1 Like

https://www.whonix.org/w/index.php?title=Transporting_UDP_Tunnels_over_Tor&oldid=40322&diff=cur worth making a template?

Long Wiki Edits Thread



Template added to “Transporting UDP Tunnels over Tor”


1 Like