On 5/2/20 6:54 AM, unman wrote:
On Sat, May 02, 2020 at 08:22:57AM +0000, taran1s wrote:


unman:
On Fri, May 01, 2020 at 11:54:27AM +0000, taran1s wrote:


taran1s:


Chris, I tried now to connect to kraken.com, which seems to be tor
unfriendly, through me->tor->VPN->kraken.com, but it returns the error
"Disabled" on the site.

I learned now that although I use the above connection model, using VPN
as an exit, I still exit from the tor exit and not from the VPN. I
am not sure what broke.


If I understand your model: me->tor->VPN->kraken.com
you are running Tor *through* your VPN - this means that your service
provider sees your connection to the VPN, and your VPN provider sees
your connection to the first Tor hop.
Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
exit node that connects to kraken.
The VPN is NOT an exit in this model. Nothing has broken.


I am actually using mullvad VPN. The idea is to have the possibility to
access websites or services (like kraken.com) that are not tor-friendly.
I would like to connect first to Tor through sys-whonix, then connect to
the VPN through VPN AppVM and from that VPN to connect to the clearnet.

I set the AppVMs' networking the following way: anon-whonix networking set
to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
the clearnet. Is that right for my model?

No.
Think about it.
anon-whonix creates a request.
sys-whonix takes that request, and builds a circuit.
VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
The VPN provider gets the Tor traffic, and sends it on to the first
hop.
Then it goes via Tor to the exit node and then to the target.
Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
going to Tor; the target sees traffic coming from Tor network.

*Always* use check.torproject.org to confirm your exit IP in this sort of
case (always) so that actual matches expectations.

What you have built (in packet terms) is:
me - Tor - VPN - target.

What you seem to want is:
me - VPN - Tor - target

To do that you need to build the VPN traffic and send it down a Tor
circuit.
Your Qubes network configuration should be:
client - VPN qube - Tor qube - sys-firewall - sys-net

A good rule of thumb is that whichever proxyVM is directly attached to your appVM will be the type of network that the remote service sees.


I have no idea if Whonix will let you do this.

This should work for most VPNs, as Patrick and I and others have tested it (though I haven't tested Whonix specifically with Mullvad). The only constraint is that the VPN use TCP instead of UDP.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
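
Added example, not part of any message in this thread: a small model of the layering discussed above, reporting what the ISP, each tunnel provider and the target see for a given netvm chain, and flagging the TCP constraint. The Qube class, its kind/proto fields and the UDP setting on the VPN qube are assumptions made for the illustration.

```python
# Added illustration: models nested tunnels in a Qubes netvm chain.
# Qube names follow the thread; "kind" and "proto" are constructed fields.
from dataclasses import dataclass

@dataclass
class Qube:
    name: str
    kind: str = "plain"   # "tor", "vpn" or "plain" (app qube, firewall, sys-net)
    proto: str = "tcp"    # transport the tunnel itself uses on the wire

def analyse(chain):
    """chain is ordered from the app qube outward to sys-net."""
    tunnels = [q for q in chain if q.kind in ("tor", "vpn")]
    if not tunnels:
        return {"isp_sees": "target", "target_sees": "your IP",
                "hops": [], "problems": []}
    hops, problems = [], []
    # On the wire the outermost layer belongs to the tunnel qube closest to
    # sys-net, so layers are peeled in reverse chain order.
    peel = list(reversed(tunnels))
    src = "your IP"
    for i, t in enumerate(peel):
        dst = peel[i + 1].kind if i + 1 < len(peel) else "target"
        hops.append((t.kind, src, dst))  # (provider, sees traffic from, sends to)
        src = t.kind
    # Tor carries TCP streams only, so a tunnel that is wrapped by a Tor qube
    # further out in the chain must itself run over TCP.
    for i, t in enumerate(tunnels):
        if t.proto != "tcp" and any(o.kind == "tor" for o in tunnels[i + 1:]):
            problems.append(f"{t.name}: {t.proto.upper()} tunnel cannot ride over Tor")
    return {"isp_sees": peel[0].kind, "target_sees": tunnels[0].kind,
            "hops": hops, "problems": problems}

def qubes(*spec):
    return [Qube(*s) for s in spec]

# Chain as built in the thread: anon-whonix -> sys-whonix -> VPN-AppVM -> ...
BUILT = qubes(("anon-whonix",), ("sys-whonix", "tor"),
              ("VPN-AppVM", "vpn", "udp"), ("sys-firewall",), ("sys-net",))
# Chain recommended in the thread: client - VPN qube - Tor qube - sys-firewall - sys-net
WANTED = qubes(("client",), ("VPN-AppVM", "vpn", "udp"),
               ("sys-whonix", "tor"), ("sys-firewall",), ("sys-net",))

if __name__ == "__main__":
    for label, chain in (("built", BUILT), ("wanted", WANTED)):
        print(label, analyse(chain))
```

The tunnel qube attached directly to the app qube determines "target_sees", which is the rule of thumb given above; the same UDP VPN that is fine in the first chain is flagged in the second because there it has to travel inside Tor.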
