Combining Tunnels with Tor
Information on whether Tor gets more or less secure when combining Tor with tunnels such as VPN, SSH, proxies. (User → Tor → proxy/VPN/SSH → Internet) (User → proxy/VPN/SSH → Tor → Internet)
Introduction[edit]
User
→ Tor
→ proxy/VPN/SSH
→ Internet
User
→ proxy/VPN/SSH
→ Tor
→ Internet
It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. See also Whonix vs VPNs. On the balance of the evidence VPNs should be avoided, and these same arguments could be made against other tunnels too.
The improper combination of Tor and another service may actually degrade a user's security and anonymity. These configurations are difficult to set up and should only be attempted by advanced users. For the vast majority of Whonix users, using Tor in isolation – without a VPN or proxy – is the correct choice.
The potential positive or negative effects on anonymity are being controversially debated.
The law of triviality / bikeshedding applies to VPNs. While VPNs are frequently discussed, related privacy issues receive much less attention, including: browser fingerprinting, website traffic fingerprinting, TCP Initial Sequence Numbers Randomization (tirdad); Keystroke Deanonymization (kloak); guard discovery and related traffic analysis attacks (vanguards); Time Attacks (sdwdate); and Advanced Deanonymization Attacks. See also: Anonymity Bibliography, Selected Papers in Anonymity.
Warnings[edit]
Tunnel Link Risks[edit]
Anonymity can be negatively affected under some circumstances by using an additional tunnel, such as a VPN, proxy or SSH. [2] [3] To mitigate any potential risks refer to the background information below, draw your own conclusions and take preventative steps where necessary.
Table: Tunnel Warnings
Configuration | Description |
---|---|
Individual Tunnel Links | Individual tunnel-links should only be used for a single configuration and never reused in any other tunnel-link chains. If this advice is ignored, any anonymous identities associated with the tunnel-link might be tied to the user's ISP-assigned IP address. |
Qubes Tunnel Configuration | It is not recommended to run the tunnel software from within a Template. This is because the whonix-gateway-17 Template acts more like a workstation since it is behind sys-whonix and is not sys-whonix itself.
If |
Tunnel Provider / Configuration | Do not use the same tunnel provider / configuration in more than one place at the same time. For example, do not use the same tunnel setup inside Whonix-Gateway as well as inside Whonix-Workstation. Also do not use the same tunnel setup on the host operating system (OS) (outside any virtual machine (VM)) and inside a Whonix-Gateway or Whonix-Workstation at the same time.
Example: In tunnel-chain 1, the ISP-assigned IP address is permanently linked to the tunnel-link. In tunnel-chain 2, the same tunnel-link was reused. Since the user's ISP-assigned IP address was previously linked to that same tunnel-link, the "anonymous" identity can now be linked to the user's actual IP address.
The previous example also holds true if the tunnel-link is first used with tunnel-chain 2 and then reused in tunnel-chain 1. In this case, all anonymous activities conducted with tunnel-chain 2 would be linked with the user's ISP-assigned IP address. |
VPN Tunnel Risks[edit]
As noted in the introduction, whether or not VPNs materially improve security and/or anonymity is a hotly debated topic, and a configuration that is frequently raised in the Whonix forums.
Table: VPN Risks in Combination with Tor [5] [6]
Domain | Description |
---|---|
Anonymity |
|
Malware |
|
Tor + VPN |
|
VPN + Tor |
|
Challenges in Tunnel-link Provider Selection[edit]
It is essential to consider the following factors when selecting a tunnel-link provider. Anonymity can be materially affected by the chosen network/operator's location, network/operator/IP address commonality with Tor relays, use of shared infrastructure, and other variables.
Table: Provider Selection Considerations
Domain | Description |
---|---|
End-to-end Correlation (Confirmation) Attacks |
|
Shared IP Addresses |
|
Operator/Network Shared Infrastructure |
|
Tunnel-link Connection Chain Risk |
|
Tunnel Provider Criteria |
|
Tor Relay Selection |
|
Comparison Table[edit]
User → Proxy → Tor → Internet
|
User → VPN / SSH → Tor → Internet
|
User → Tor → Proxy / VPN / SSH → Internet
| |
---|---|---|---|
Modified Configuration Location | Whonix-Gateway | Whonix-Gateway [or host operating system (OS) (outside any virtual machine (VM)) (FAQ)] | Whonix-Workstation |
Changes IP that Destination Websites (such as IP check websites) can see | No | No | Yes, if correctly configured. |
Evade Website Tor Bans | No | No | Maybe |
Evade Network Censor Tor Bans | Maybe [15] [16] | Maybe [17] | No |
Hide Tor and Whonix from ISPs | Very weak [18] | Very weak [19] | No |
No Loss of Stream Isolation | Yes | Yes | No |
Browser Web Fingerprint is not Worsened | Yes | Yes | No |
Extra Tunnel Link does not Require Reconfiguration [20] of Pre-configured Software [21] | Yes | Yes | No |
No Permanent Exit Relay | Unaffected | Unaffected | No |
Tor Onion Services (.onion) Connections | Yes | Yes | No |
Hosting Location Hidden Services | No | No | Proxy: No VPN: If the VPN supports Remote Port Forwarding, yes |
Increased Tunnel Length | Yes | Yes | Yes |
Anonymity Effects | Disputed [22] | Disputed [22] | Disputed [22] |
Tunnel UDP over Tor | No | No | Proxy: No VPN: If supported by the VPN, yes |
Connecting to a Tunnel-link (Proxy/VPN/SSH) before Tor[edit]
Table: Pre-Tor Tunnel-link
Domain | Description |
---|---|
Connection Scheme | User → proxy/VPN/SSH → Tor → Internet
|
Network Traffic | In this case, your Internet traffic will:
|
Use Cases |
|
Warnings [23] |
|
How to connect to a VPN before Tor (User
→ VPN
→ Tor
→ Internet
)
How to connect to a proxy before Tor (User
→ proxy
→ Tor
→ Internet
)
How to connect to SSH before Tor (User
→ SSH
→ Tor
→ Internet
)
How to connect to Lantern before Tor (User
→ Lantern
→ Tor
→ Internet
)
Connecting to Tor before a Tunnel-link (Proxy/VPN/SSH)[edit]
Table: Post-Tor Tunnel-link
Domain | Description |
---|---|
Connection Scheme | User → Tor → proxy/VPN/SSH → Internet |
Network Traffic | In this case, your Internet traffic will:
|
Use Cases |
|
Warnings [24] |
|
How to connect to Tor before a VPN (User
→ Tor
→ VPN
→ Internet
)
How to connect to Tor before a proxy (User
→ Tor
→ proxy
→ Internet
)
How to connect to Tor before SSH (User
→ Tor
→ SSH
→ Internet
)
How to connect to Tor before I2P (User
→ Tor
→ I2P
→ Internet
)
Terminology for Support Requests[edit]
Phrases such as "over Tor" are ambiguous. Please do not coin idiosyncratic words or phrases, otherwise this leads to confusion. Please use the same terms that are consistently referenced in documentation, such as:
- Connect to a VPN Before Tor (
User
→VPN
→Tor
→Internet
). - Connect to Tor Before a VPN (
User
→Tor
→VPN
→Internet
). - And so on.
Always refer to the connection scheme when requesting support, such as:
User
→VPN
→Tor
→Internet
, orUser
→Tor
→VPN
→Internet
.
See Also[edit]
Footnotes[edit]
- ↑ Users in China are unlikely to circumvent government censorship with vanilla bridges, as they are uniformly blocked. That said, Anon Connection Wizard configured with the meek-amazon or meek-azure pluggable transport was reported to bypass Chinese censorship in late 2017. In 2019, only meek-azure is available in Anon Connection Wizard.
- ↑ https://lists.torproject.org/pipermail/tor-talk/2016-July/041757.html
- ↑ research / document impact for tunnel users if Tor relays hosted at the same tunnel provider
- ↑ This is because file /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf checks the following condition:
ConditionPathExists=!/var/run/qubes-service/whonix-template
This means if file
/var/run/qubes-service/whonix-template
exists, which is the case in Whonix Templates, the openvpn@openvpn service will not start. - ↑ https://gist.github.com/joepie91/5a9909939e6ce7d09e29
- ↑ https://web.archive.org/web/20220609222239/https://matt.traudt.xyz/posts/2016-11-12-vpn-tor-not-net-gain/
- ↑
Website traffic fingerprinting is an attack where the adversary attempts to recognize the encrypted traffic patterns of specific web pages without using any other information. In the case of Tor, this attack would take place between the user and the Guard node, or at the Guard node itself.
- ↑ https://forums.whonix.org/t/hiding-tor-whonix-is-difficult-beyond-practicality/7408
- ↑ If any of these streams detect packet loss, then there is backing off of the transmission rates and re-transmitting of packets thought to be lost.
- ↑ Pluggable transports make Tor traffic look different so it is not fingerprinted, and thus hopefully not blocked.
- ↑ It is arguably better for a larger Tor user base to form over time and the Tor network to scale up in size to stymie this capability.
- ↑ It is likely GPAs will also compromise the most popular VPNs as part of their lawless 'Collect It All' philosophy.
- ↑ https://tor.stackexchange.com/questions/113/how-does-a-tor-client-pick-tor-nodes-for-circuit-creation/114#114
- ↑
- ↑ See Using a Proxy.
- ↑ This only works against simple IP blocking lists, because connections to proxies are usually not encrypted.
- ↑ In these situations, VPNs are also often censored. You might be better off using Bridges.
- ↑ See Using a Proxy.
- ↑ See Hide Tor and Whonix from your ISP.
- ↑ Disabling Stream Isolation.
- ↑ If you did not disable Stream Isolation, then applications still pre-configured for Stream Isolation would only go through Tor and not through the extra tunnel link. You must decide which applications should have Stream Isolation disabled. For example, if for some reason you wanted to use gpg through the extra tunnel link, but not Tor Browser, then only disable stream isolation for gpg.
- ↑ 22.0 22.1 22.2 See Tor Plus VPN or proxy.
- ↑ These warnings are not specific to Whonix, but are general issues with combining Tor and various tunnel-links.
- ↑ These warnings are not specific to Whonix, but are general issues with combining Tor and various tunnel-links.
- ↑ When configuring
User
→Tor
→proxy/VPN/SSH
→Internet
, it is impossible to connect to Onion Services because the last server is not a Tor relay. The only exception is running another Tor client on top, but this would lead to a Tor over Tor scenario which is discouraged for security reasons. - ↑ If setting up a socksifier, proxy settings, transparent proxy with local redirection, SSH tunnel or a VPN in a leak-free manner were easy -- ensuring nothing will bypass the VPN, SSH or proxy -- then it would have been unnecessary to develop Whonix in the first place. The methods described in the tunnel documentation have all been tested to work. In the case of misconfiguration or leak bugs, the protections afforded by Whonix and Tor still apply. This means the leak will still go through Whonix-Gateway and therefore be forced through Tor. The methods in the tunnel documentation are not as safe as a Whonix-Gateway. There were earlier development discussions and some progress (see Dev/Inspiration) towards chaining multiple Gateways (VPNBOX, JonDoBOX, I2PBOX, FreenetBOX and ProxyBOX), but nothing was finished due to the lack of community interest, support and developer input.
- ↑ Bug #3455: Tor Browser should set SOCKS username for a request based on referer
- ↑ https://forums.whonix.org/t/vpn-after-whonix-inside-workstation-not-work-anymore-with-tbb/2153/5
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!