On Wednesday, May 2, 2018 at 8:32:24 PM UTC+1, Daniil .Travnikov wrote:
> I want to encrypt with VPN my traffic from third onion (exit nodes) in Tor
> connection.
>
> So the main question is how to setup configuration in Qubes OS?
>
>
> 1. I must install VPN config in Whonix-gw template or in sys-whonix
> (proxyvm). It means vpn inside whonix.
>
> 2. I must install second ProxyVM with VPN which must have NetVM like whonix
> and must connect with my AppVM? But in this case VPN will be after whonix,
> not inside.
>
>
> So what realisation would be safer from Tor Exit Nodes?
>
>
> What is the official opinion from Qubes developers?

Actually it's much simpler than most people are making out. There are two ways you can do it, and I'm not sure which one you're trying to achieve.

a) VPN over TOR : VPN goes through TOR. TOR wraps around the VPN, and the exit node is your VPN.

b) TOR over VPN : TOR goes through the VPN. Your VPN tunnel wraps around TOR connections, and the exit node is a TOR exit node.

Caveats

a) VPN over TOR can be insecure. Your VPN provider may not know where you're connecting from, but still knows who you are - because you have authenticated. They have your credentials and/or your previous IPs. Traffic analysis can also be applied over the long-term, and through process of elimination, your identity can be revealed. Very few people will access this particular service over TOR, doing so hundreds of times will gradually reveal the connecting node - YOU.

b) The TOR exit node can still see your connection, it's not protected by the VPN, only HTTPS/SSH etc, in some cases. This only serves to hide your TOR connection from your ISP, and doesn't provide any great deal of beneficial security or privacy.

How to Setup your VMs/ProxyVMs in this order:

a) app-vm -> vpn-vm -> whonix-gw -> net-vm

b) whonix-ws -> whonix-gw -> vpn-vm -> net-vm

Recommendations

a) Ensure that you have an anonymous VPN, you have paid anonymously, and have never connected to it outside of tor. You can collect the public key/cert from outside of TOR, but it should be public information, and you should not expose any credentials to acquire it.

b) None.

Closing thoughts

a) is really to protect your traffic from malicious tor nodes, but it can serve to reveal your identity. This should not be relied upon. You can only really stay anonymous by not using exit nodes, and the vanilla TOR browser only. Using any form of credentials will eventually expose you - which includes a VPN. You can combat this by moving around within your own borders, but come on - what are you trying to achieve?

b) A small privacy increase.
