Introduction[edit]

User → Tor → proxy/VPN/SSH → Internet
User → proxy/VPN/SSH → Tor → Internet

Advertisement:
Too difficult to set up? Provider specific automation can be created for you by the lead developer of Whonix ™. Send reasonable price suggestions. Get in contact.

It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. The potential positive or negative effects on anonymity ^[archive] are being controversially ^[archive] debated ^[archive]. On the balance of the evidence VPNs should be avoided, and these same arguments could be made against other tunnels too.

The improper combination of Tor and another service may actually degrade a user's security and anonymity. These configurations are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix ™ users, using Tor in isolation – without a VPN or proxy – is the correct choice.

Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor. In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. ^[1]

The law of triviality / bikeshedding ^[archive] applies to VPNs. While VPNs are frequently discussed, related privacy issues receive much less attention, including: TCP Initial Sequence Numbers Randomization ^[archive] (tirdad ^[archive]); Keystroke Deanonymization (kloak ^[archive]); guard discovery and related traffic analysis attacks ^[archive] (vanguards); Time Attacks (sdwdate); and Advanced Deanonymization Attacks. See also: Anonymity Bibliography, Selected Papers in Anonymity ^[archive].

Warnings[edit]

Tunnel Link Risks[edit]

Anonymity can be negatively affected under some circumstances by using an additional tunnel, such as a VPN, proxy or SSH. ^[2] ^[3] To mitigate any potential risks refer to the background information below, draw your own conclusions and take preventative steps where necessary.

Table: Tunnel Warnings

Configuration	Description
Individual Tunnel Links	Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. If this advice is ignored, any anonymous identities associated with the tunnel-link might be tied to the user's ISP-assigned IP address.
Qubes Tunnel Configuration	It is not recommended to run the tunnel software from within a TemplateVM. This is because the `whonix-gw-16` TemplateVM acts more like a workstation since it is behind `sys-whonix` and is not `sys-whonix` itself. If `openvpn` is used inside Whonix-Gateway ™ (`sys-whonix`) or Whonix-Workstation ™ (`anon-whonix`) as per the Whonix ™ documentation, `openvpn` will not start inside the `whonix-gw-16` or `whonix-ws-16` TemplateVM. ^[4] In Qubes R4 and above, by default the TemplateVMs's NetVM is purposely set to `none` ^[archive]. (They are upgraded through the qrexec-based updates proxy that is running on `sys-whonix`.)
Tunnel Provider / Configuration	Do not use the same tunnel provider / configuration in more than one place at the same time. For example, do not use the same tunnel setup inside Whonix-Gateway ™ as well as inside Whonix-Workstation ™. Also do not use the same tunnel setup on the host and inside a Whonix-Gateway ™ or Whonix-Workstation ™ at the same time. Example: In tunnel-chain 1, the ISP-assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the user's ISP-assigned IP address was previously linked to that same tunnel-link, the "anonymous" identity can now be linked to the user's actual IP address. Tunnel-chain 1: (`User` → `Tunnel-link` (user's IP address is linked) → `Tor` → `Internet`) Tunnel-chain 2: (`User` → `Tor` → `Tunnel-link` (anonymous activities linked) → `Internet`) The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. In this case, all anonymous activities conducted with tunnel-chain 2 would be linked with the user's ISP-assigned IP address.

VPN Tunnel Risks[edit]

As noted in the introduction, whether or not VPNs materially improve security and/or anonymity is a hotly debated topic, and a configuration that is frequently raised in the Whonix ™ forums. The consensus opinion of security professionals is that VPNs pose more risks than benefits, and it is for this reason Whonix ™ does not endorse their use. As renowned cryptographer and computer security professional Bruce Schneier has noted: ^[5]

We don’t talk about it a lot, but VPNs are entirely based on trust. As a consumer, you have no idea which company will best protect your privacy. You don’t know the data protection laws of the Seychelles or Panama. You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction. You don’t know who actually owns and runs the VPNs. You don’t even know which foreign companies the NSA has targeted for mass surveillance. All you can do is make your best guess, and hope you guessed well.

Table: VPN Risks ^[6] ^[7]

Domain	Description
Anonymity	In the `User` → `VPN` → `Internet` configuration or `User` → `VPN` → `Tor` → `Internet` configuration, anonymous payments with Bitcoin, cash and other methods does not improve anonymity because a user is still connecting to the service from their own IP address (which can be logged). In the `User` → `VPN` → `Internet` configuration or `User` → `Tor` → `VPN` → `Internet` configuration the use of shared IP addresses does not confuse modern surveillance systems which have a host of additional fingerprinting methods (like user agents) to identify persons of interest. VPN traffic is sensitive to Deep Packet Inspection (DPI) ^[archive] and Website Traffic Fingerprinting ^[archive], ^[8] so it is ineffective in hiding use of Whonix ™ and Tor from the ISP or skilled adversaries. Certain variables make it likely Whonix ™ / Tor users can be identified. This includes: the hardened network configuration fingerprint, the list of installed packages and those fetched from repositories, the amount of traffic going to one IP address daily (guard nodes), and examination of dropped (invalid) versus non-dropped packets when the firewall is probed. ^[9] Apart from a few exceptions (see Use Case Exceptions), VPNs do not provide additional privacy -- it is still possible for adversaries to tap your connection, except at a different point (where traffic leaves the VPN server).
Design	VPNs are 'glorified proxies'. Since they can observe all user traffic, there is nothing preventing them from using that data for any purpose they like, including logging. ^[10]
Logging	Claims that providers do not log user activity are unverifiable; in fact this claim is exactly what could be expected from a malicious provider. Recent research reveals that around one-third of all popular VPN providers are owned by Chinese companies, while others are based in countries like Pakistan, with non-existent or weak privacy laws. ^[11] The implication is that traffic might be routinely examined in a high percentage of cases, despite corporate promises to the contrary. The only safe assumption to make is that all VPN providers log activity in order to deflect potential legal actions and to satisfy government demands for (meta)data on 'suspect' users. A number of high profile VPN providers like HideMyAss have already handed over user data in the past; ^[12] many VPN adherents are unaware of these precedents.
Malware	VPNs do no necessarily protect against today's advanced malware that tries to discover the true IP address via browser and other exploits. Adversaries who can break Tor Browser to make web requests not travel over Tor are probably also capable of: running arbitrary commands as a non-root user, gaining root privileges, or ultimately performing a VM escape from Whonix ™. In this case a VPN is useless in providing additional security.
Security	VPNs do not magically improve security; they are just a glorified proxy. 'Honeypot' or malicious providers might be ubiquitous. ^[13] The need to run additional software like OpenVPN can actually increase the attack surface and complicated configuration instructions can lead to mistakes that reduce overall security. The claim of 'additional encryption' does not stack up in providing more security; even with a VPN if the endpoint expects plaintext, it is not technically possible for a VPN to change that. It is still necessary to use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption for P2P and social applications for improved security. The only encrypted part of the connection when using a VPN is from the user to the provider. From the VPN provider onward the traffic is the same as it would have been without a VPN. Since the VPN provider can see this traffic (and potentially mess with it), this is arguably a net loss in security.
Tor + VPN	The `User` → `Tor` → `VPN` → `Internet` configuration attempts to display an IP address that is not associated with Tor. This throws away many of the anonymity and security benefits associated with Tor and places sole trust in the VPN provider where the traffic exits. Traffic is no longer separated on different browser tabs -- a single circuit is built in the Tor network, and this can break local state separation within Tor Browser. If other things are done over the VPN connection like SSH traffic, IRC traffic, SMTP or OS updates, all of this traffic is sitting right next to each other. Anonymity is affected because the ISP will see connections to the Tor guard (unless trying to hide it with a bridge) and a global adversary is likely capable of performing traffic analysis on the limited number of VPN exit points. Further, the VPN provider is granted greater trust under this configuration. This configuration slows down connection speed because there is a TCP stream (OpenVPN) inside of a TCP stream (Tor). ^[14]
Trust	VPN providers represent a single point/entity of potential failure. Unlike Tor which distributes trust across multiple relays, VPN adherents must trust the provider does not: keep payment information keep logs lie about their geolocation (see here ^[archive]) share information with adversaries get breached by advanced adversaries (see this recent NordVPN breach ^[archive]) fail to keep servers secure (see this recent TorGuard server configuration file error ^[archive])
Use Case Exceptions	There are two possible use cases that might warrant a VPN provider: A potentially 'hostile' network must be used, like those found in public airports (WiFi access points) and where ISPs have a questionable record of man-in-the-middle attacks. (`User` → `VPN` → `Tor` → `Internet`) It is necessary to hide an IP address from non-government-sanctioned adversaries. ^[15] If a VPN is essential in your circumstances for whatever reason, it is not recommended to set up your own Virtual Private Server (VPS) ^[archive]. This will lead to a unique fingerprint, and there is no guarantee that a rented server is less likely to be malicious than a standard VPN provider.
VPN + Tor	It is questionable the `User` → `VPN` → `Tor` → `Internet` configuration adds any additional protection; see this stackexchange discussion ^[archive]. If Tor is blocked for whatever reason it is simpler to configure a bridge with a pluggable transport to try and bypass it. ^[16] This configuration is unlikely to hide Tor use from a Global Passive Adversary (GPA) ^[archive]. Since a GPA is capable of watching all traffic enter and exit the Tor network, they are more likely to be capable of watching all traffic enter and exit from a single VPN provider. ^[17] ^[18] It has been assessed as difficult beyond practicality to Hide Tor use from the Internet Service Provider with proxies, bridges, VPNs or SSH tunnels.

Challenges in Tunnel-link Provider Selection[edit]

It is essential to consider the following factors when selecting a tunnel-link provider. Anonymity can be materially affected by the chosen network/operator's location, network/operator/IP address commonality with Tor relays, use of shared infrastructure, and other variables.

Table: Provider Selection Considerations

Domain	Description
End-to-end Correlation (Confirmation) Attacks	Tor avoids using more than one relay belonging to the same operator in the circuits it is building. Legitimate Tor relay operators adhere to Tor's relay operator practices of announcing which relays belong to them by declaring this in the Tor relay family setting. Tor also avoids using Tor relays that are within the same network by not using relays within the same /16 subnet. ^[19] Tor however does not take into account your real external IP address nor destination IP addresses. ^[20] In essence, you must avoid using the same network/operator as your first and last Tor relays since this would open up Confirmation Attacks.
Shared IP Addresses	Many tunnel providers use shared IP addresses which means that many users share the same external IP address. On the one hand this configuration is beneficial, since it is similar to Tor whereby many users share the same Tor exit relays. On the other hand, in some circumstances this may result in making you less anonymous.
Operator/Network Shared Infrastructure	It is possible to host Tor relays -- including bridges, entry, middle or exit relays -- behind VPNs or tunnel-links. For example, there are VPN providers that support VPN port forwarding ^[archive]. This is an interesting way to contribute to Tor while not exposing oneself to too much legal risk. This also means in certain situations a VPN or other tunnel-link could be hosted by the same operator providing support to Tor relays, in the same network or even on the same IP address. In an economy with deep labor division, certain operators are providing a service to host servers (VPS etc.), while others provide VPN and other tunnel-link services and rent such servers. It is therefore not uncommon for diverse customers to run or share the same IP address. This is another situation where a VPN or other tunnel-link could be hosted by the same operator supporting Tor relays, in the same network or even on the same IP address.
Tunnel-link Connection Chain Risk	Based on the section immediately above, it follows that adding arbitrary tunnel-links might lead to the same operator/network being used twice in your connection chain. Consider the scenarios below. Scenario 1: A VPN with a fixed IP address is used on the host, thereby it acts as the first relay. The same user's Tor client coincidentally selects a Tor exit relay running on the same VPN IP address. The user is now using the same IP address as the first and last proxy, meaning overall anonymity is reduced in this scenario. Scenario 2: A VPN with a fixed IP address is set up inside Whonix-Workstation ™. This results in the connection scheme `User` → `Tor` → `VPN` → `Internet`. A Tor entry guard is also hosted on the VPN IP address. The user is now using the same IP address as the first and last proxy, meaning overall anonymity is reduced in this scenario.
Tunnel Provider Criteria	Consider the physical location of networks/servers and the legal jurisdiction(s) they are operating in. Perhaps avoid using VPN or SSH providers that support port forwarding. Perhaps only use tunnel-link providers that are assigning private (non-shared), unique IP addresses. However, as noted earlier it is unclear if this does more harm than good. Perhaps use tunnel-link providers that run their own servers rather than relying on shared infrastructure.
Tor Relay Selection	It might be safer to manually select your Tor relay(s), specifically the Entry Guard(s) or Bridge(s) in operation. Tor documentation generally discourages tampering with Tor's routing algorithm by manually choosing relays. However, if you have decided to extend the length of the Tor chain -- despite the difficulty of this endeavor and potential adverse anonymity impacts -- then it might make sense to pick the entry guard(s) by hand. Using Bridges might be an alternative, but note this warning from experienced Tor developers ^[archive]: Bridges are less reliable and tend to have lower performance than other entry points. If you live in a uncensored area, they are not necessarily more secure than entry guards.

Comparison Table[edit]

	`User` → `Proxy` → `Tor` → `Internet`	`User` → `VPN / SSH` → `Tor` → `Internet`	`User` → `Tor` → `Proxy / VPN / SSH` → `Internet`
Modified Configuration Location	Whonix-Gateway ™	Whonix-Gateway ™ [or host (FAQ)]	Whonix-Workstation ™
Evade Website Tor Bans	No	No	Maybe
Evade Network Censor Tor Bans	Maybe ^[21] ^[22]	Maybe ^[23]	No
Hide Tor and Whonix ™ from ISPs	Very weak ^[24]	Very weak ^[25]	No
No Loss of Stream Isolation	Yes	Yes	No
Browser Web Fingerprint is not Worsened	Yes	Yes	No
Extra Tunnel Link does not Require Reconfiguration ^[26] of Pre-configured Software ^[27]	Yes	Yes	No
No Permanent Exit Relay	Unaffected	Unaffected	No
Tor Onion Services (.onion) Connections	Yes	Yes	No
Hosting Location Hidden Services	No	No	Proxy: No VPN: If the VPN supports Remote Port Forwarding, yes SSH: If the SSH supports Remote Port Forwarding, yes
Increased Tunnel Length	Yes	Yes	Yes
Anonymity Effects	Disputed ^[28]	Disputed ^[28]	Disputed ^[28]
Tunnel UDP over Tor	No	No	Proxy: No VPN: If supported by the VPN, yes SSH: Undocumented

Connecting to a Tunnel-link (Proxy/VPN/SSH) before Tor[edit]

Table: Pre-Tor Tunnel-link

Domain	Description
Connection Scheme	`User` → `proxy/VPN/SSH` → `Tor` → `Internet`
Network Traffic	In this case, your Internet traffic will: pass through the ISP as proxy/VPN/SSH traffic; exit the proxy/VPN/SSH server as encrypted Tor traffic; enter the Tor network; and exit the Tor network at a Tor exit node as normal Internet traffic (encrypted or unencrypted).
Use Cases	You must connect to a VPN or proxy to access the Internet. Your ISP blocks Tor and Tor bridges but does not block the tunnel-link. Concerns exist over de-anonymizing attacks against the Tor network and a user believes a VPN or proxy may help protect their identity in such a case.
Warnings ^[29]	A VPN or proxy that knows your identity and/or location may be more willing and able to compromise your privacy than an ISP. If the software configuration does not block all traffic if/when the VPN connection suddenly disconnects, all encrypted Tor traffic will pass through the ISP without warning. This is the default for most VPN configurations and not a Whonix ™-specific issue. Workarounds are described in the links below. If Tor use is dangerous in your area, VPNs or SSH may provide insufficient protection (due to software misconfiguration or sophisticated packet inspection). Proxies do not provide encryption and should not be used to try and hide Tor.

How to connect to a VPN before Tor (User → VPN → Tor → Internet)

How to connect to a proxy before Tor (User → proxy → Tor → Internet)

How to connect to SSH before Tor (User → SSH → Tor → Internet)

How to connect to JonDonym before Tor (User → JonDonym → Tor → Internet)

How to connect to Lantern before Tor (User → Lantern → Tor → Internet)

Connecting to Tor before a Tunnel-link (Proxy/VPN/SSH)[edit]

Table: Post-Tor Tunnel-link

Domain	Description
Connection Scheme	`User` → `Tor` → `proxy/VPN/SSH` → `Internet`
Network Traffic	In this case, your Internet traffic will: pass through the ISP as encrypted Tor traffic; exit the Tor network at a Tor exit node as proxy/VPN/SSH traffic; and exit the proxy/VPN/SSH as normal Internet traffic (encrypted or unencrypted).
Use Cases	It is necessary to use a VPN or proxy anonymously for a specific reason. It is necessary to connect to an Internet server who bans Tor exit nodes. Concerns exist over de-anonymizing attacks against the Tor network and a user believes a VPN or proxy may help protect their identity in such a case.
Warnings ^[30]	Even though Tor will hide the IP address from the VPN or proxy, you can still be located via payment methods, usage logs, or other identifying information the tunnel-link service holds. This configuration prevents access to Tor onion (.onion) services. ^[31] Malware on Whonix-Workstation ™ cannot bypass Tor, but it can ignore the VPN or proxy unless a separate Tunnel-Gateway is configured. It is not simple to configure VPNs, SSH or proxies in a foolproof, leak-free manner. However, in the case of Whonix ™ it is impossible for traffic to bybass Tor, even if the VPN or proxy is misconfigured. ^[32] Most of the pre-installed software on Whonix-Workstation ™, including Tor Browser, is configured to take advantage of Stream Isolation. As a side effect, this software will ignore the VPN by default. It is necessary to reconfigure this software to disable stream isolation. When connecting to Tor before a tunnel link, the browser tab stream isolation feature of Tor Browser will be lost (or difficult to access). ^[33] The reason is Tor Browser will not talk to Tor directly anymore, but will connect to the tunnel-link instead. When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: `User` → (`Proxy / VPN / SSH` →) `Tor` → `Proxy / VPN / SSH` → `Tor Browser` → `Website` are unknown. This setup is so specialized that very few people are likely to configure it, reducing the Tor Browser user pool to a far smaller subset. Due to potential fingerprinting harm it is recommended against. If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (like Firefox or Chrome). This would further exacerbate the browser fingerprinting risk. ^[34]

How to connect to Tor before a VPN (User → Tor → VPN → Internet)

How to connect to Tor before a proxy (User → Tor → proxy → Internet)

How to connect to Tor before SSH (User → Tor → SSH → Internet)

How to connect to Tor before I2P (User → Tor → I2P → Internet)

How to connect to Tor before JonDonym (User → Tor → JonDonym → Internet)

Footnotes[edit]

↑ Users in China are unlikely to circumvent government censorship ^[archive] with vanilla bridges, as they are uniformly blocked. That said, Anon Connection Wizard configured with the meek-amazon or meek-azure pluggable transport was reported to bypass Chinese censorship in late 2017. In 2019, only meek-azure is available in Anon Connection Wizard.
↑ https://lists.torproject.org/pipermail/tor-talk/2016-July/041757.html ^[archive]
↑ research / document impact for tunnel users if Tor relays hosted at the same tunnel provider ^[archive]
↑
This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf ^[archive] checks the following condition:
```
ConditionPathExists=!/var/run/qubes-service/whonix-template
```
This means if file /var/run/qubes-service/whonix-template exists, which is the case in Whonix ™ TemplateVMs, the openvpn@openvpn service will not start.
↑ https://www.schneier.com/blog/archives/2021/06/vpns-and-trust.html ^[archive]
↑ https://gist.github.com/joepie91/5a9909939e6ce7d09e29 ^[archive]
↑ https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h.html ^[archive]
↑
Website traffic fingerprinting is an attack where the adversary attempts to recognize the encrypted traffic patterns of specific web pages without using any other information. In the case of Tor, this attack would take place between the user and the Guard node, or at the Guard node itself.
↑ https://forums.whonix.org/t/hiding-tor-whonix-is-difficult-beyond-practicality/7408 ^[archive]
↑ It could be argued these services truly only exist to sell overpriced bandwidth, with flimsy promises made to attract gullible customers.
↑ https://www.computerweekly.com/news/252466203/Top-VPNs-secretly-owned-by-Chinese-firms ^[archive]
↑ https://www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy/ ^[archive]
↑ It is logical that governments would set up providers in this manner to attract citizens who have a greater interest in protecting their privacy, since that traffic is deemed more interesting for intelligence purposes.
↑ If any of these streams detect packet loss, then there is backing off of the transmission rates and re-transmitting of packets thought to be lost.
↑ In this case, the VPN provider will still be able to snoop on traffic and potentially manipulate it.
↑ Pluggable transports make Tor traffic look different so it is not fingerprinted, and thus hopefully not blocked.
↑ It is arguably better for a larger Tor user base to form over time and the Tor network to scale up in size to stymie this capability.
↑ It is likely GPAs will also compromise the most popular VPNs as part of their lawless 'Collect It All' philosophy.
↑ http://tor.stackexchange.com/a/114/80 ^[archive]
↑
- https://lists.torproject.org/pipermail/tor-talk/2016-July/041753.html ^[archive]
- https://lists.torproject.org/pipermail/tor-talk/2016-July/041756.html ^[archive]
↑ See Using a Proxy.
↑ This only works against simple IP blocking lists, because connections to proxies are usually not encrypted.
↑ In these situations, VPNs are also often censored. You might be better off using Bridges.
↑ See Using a Proxy.
↑ See Hide Tor and Whonix ™ from your ISP.
↑ Disabling Stream Isolation.
↑ If you did not disable Stream Isolation, then applications still pre-configured for Stream Isolation would only go through Tor and not through the extra tunnel link. You must decide which applications should have Stream Isolation disabled. For example, if for some reason you wanted to use gpg through the extra tunnel link, but not Tor Browser, then only disable stream isolation for gpg.
↑ ^28.0 ^28.1 ^28.2 See Tor Plus VPN or proxy ^[archive].
↑ These warnings are not specific to Whonix ™, but are general issues with combining Tor and various tunnel-links.
↑ These warnings are not specific to Whonix ™, but are general issues with combining Tor and various tunnel-links.
↑ When configuring User → Tor → proxy/VPN/SSH → Internet, it is impossible to connect to Onion Services because the last server is not a Tor relay. The only exception is running another Tor client on top, but this would lead to a Tor over Tor scenario which is discouraged for security reasons.
↑ If setting up a socksifier, proxy settings, transparent proxy with local redirection, SSH tunnel or a VPN in a leak-free manner were easy -- ensuring nothing will bypass the VPN, SSH or proxy -- then it would have been unnecessary to develop Whonix ™ in the first place. The methods described in the tunnel documentation have all been tested to work. In the case of misconfiguration or leak bugs, the protections afforded by Whonix ™ and Tor still apply. This means the leak will still go through Whonix-Gateway ™ and therefore be forced through Tor. The methods in the tunnel documentation are not as safe as a Whonix-Gateway ™. There were earlier development discussions and some progress (see Dev/Inspiration) towards chaining multiple Gateways (VPNBOX, JonDoBOX, I2PBOX, FreenetBOX and ProxyBOX), but nothing was finished due to the lack of community interest, support and developer input.
↑ Bug #3455: Tor Browser should set SOCKS username for a request based on referer ^[archive]
↑ https://forums.whonix.org/t/vpn-after-whonix-inside-workstation-not-work-anymore-with-tbb/2153/5 ^[archive]