Tor blocks by destination servers can usually be bypassed using simple proxies, rather than adding an additional tunnel to Tor.
In order to circumvent state-level censorship of the Tor network, Bridges or other alternative circumvention tools will probably be required. 
Trusting Service Providers
A tunnel service provider that knows your identity and/or location may be more willing and able to compromise your privacy than your ISP.
Failed Closed Configurations
If your software configuration doesn’t block all traffic when your tunnel-link connection suddenly disconnects, your encrypted Tor traffic will go through your ISP without warning. This is the default nature of most tunnel configurations and not an issue specific to Whonix ™.
Tunnel-links can Affect Anonymity
Using any extra tunnel, for example a VPN, proxy or SSH can can negatively affect anonymity under some circumstances.  
To explain why that is, some background information is required so you can draw conclusions and take actions to avoid this risk. See below.
Using the same Tunnel Provider in Multiple VMs at the same Time
Don't use the same tunnel provider / configuration in more than one place at the same time.
For example, do not use the same tunnel setup inside Whonix-Gateway ™ as well as inside Whonix-Workstation ™. Also do not use the same tunnel setup on the host and inside a Whonix-Gateway ™ or Whonix-Workstation ™ at the same time.
Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. Doing so could tie any anonymous identities associated with the tunnel-link to the user's ISP assigned IP address.
In tunnel-chain 1, the ISP assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the users ISP assigned IP address was previously linked to that same tunnel-link, that anonymous identity can now be linked to the user actual IP address.
- Tunnel-chain 1: (
Tunnel-link[users IP address is linked] →
- Tunnel-chain 2: (
Tunnel-link[anonymous activities linked] →
The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. If this were done, all anonymous activities conducted with tunnel-chain 2 would then be link with the users ISP assigned IP address.
Qubes-Whonix ™ TemplateVMs
Qubes-Whonix ™ users note:
You probably do not want to run the tunnel software from within a TemplateVM. This is because the
whonix-gw-15 TemplateVM "is more like a workstation". It is behind
sys-whonix. It is not
(If you are using
openvpn inside Whonix-Gateway ™ (commonly called
sys-whonix) or Whonix-Workstation ™ (commonly called
anon-whonix) while following Whonix documentation,
openvpn will not start inside the
whonix-ws-15 TemplateVM.) 
In Qubes R4 and above, the TemplateVMs's NetVM is purposely set to
none by Qubes default [archive]. (They are upgraded through the qrexec based updates proxy that will be running on