<h1>How to Anonymously access websites that block Tor</h1>
<p>In this tutorial we're going to cover how we can circumvent a website's attempts at blocking Tor traffic, by using a VPN. As we discussed <ahref="../torthroughvpn/index.html">previously</a>, this is relating to the serverside context required to know if we should combine the use of Tor with the use of a VPN. </p>
<imgsrc="../torthroughvpn/12.png"class="imgRz">
<p><b>Here we are using a VPN to hide from the website owner that we are connecting via Tor.</b> Effectively giving off the impression that we are only connecting via a VPN, while in reality Tor is protecting our Anonymity on the IP level. Now we also need to preserve our Anonymity when we are renting and using the VPN, that's why we have to use <ahref="../vpn/index.html">MullvadVPN</a> as they don't care who's using their service (they allow both <ahref="../torbrowsing/index.html">Tor connections</a> and<ahref="../monero2024/index.html"> Monero</a> payments). <b>We are also blending in their large userbase.</b> (which would not be the case if we were using a VPS with openvpn on it, in which we would be the only one to use it).</p>
<imgsrc="0.png"class="imgRz">
<p><u>DISCLAIMER:</u> Be aware that when doing a (you -> Tor -> VPN -> website) setup, you are getting rid of the stream isolation that is there by default in Whonix, <b>making every application in that Whonix VM go through one circuit, rather than through many circuits.</b> Over time this can lead to traffic use correlation if you start to use this VM for every other Anonymous use.</p>
<imgsrc="300.png"class="imgRz">
<p>So keep in mind that <b>a website blocking Tor traffic is the only scenario in which you need a (you -> Tor -> VPN -> website) setup. the rest of your anonymous activities are to remain in a regular Whonix VM (you -> Tor -> website) setup !</b></p>
<li><p>Application: <ahref="../index.html">Host-based VPN</a> (if your ISP doesn't allow Tor traffic) </p></li>
<li><p>VM: <ahref="../whonixqemuvms/index.html">Whonix VMs</a> (for any regular long-term Anonymous Use)</p></li>
</ol>
<p>I recommend using this setup into one of the above mentioned VMs, for <ahref="../anonymityexplained/index.html">Anonymous use</a>, as per the <ahref="../opsec4levels/index.html">4 basic OPSEC levels</a>.</p>
<p><u>Sidenote:</u> If your ISP does not allow Tor traffic, make sure that you <ahref="../vpnqemu/index.html">route the QEMU VMs traffic through a VPN</a>, to hide the tor traffic from your ISP (You -> VPN -> Tor) Setup</p>
<h2><b>Setting up the VM second Whonix Workstation VM </b></h2>
<p>Now the first thing to do here is that we copy the existing the second workstation which will be used as the vpn over tor setup later on so let's copy the .xml and .qcow2 after shutting down the existing workstation:</p>
<p>Be careful that you need 100Gb for the Whonix Gateway, 100Gb for the Whonix Workstation, and another 100Gb for the Whonix Workstation with the VPN setup we want to make. <b>So you need a total of 300Gb disk space at least!</b></p>
# then exit because we dont want to run the rest of wipe.sh
exit $?
fi
[ nowhere ] [ /dev/pts/23 ] [/mnt/veracrypt1]
→ ./script.sh
Network Whonix-External defined from Whonix-external.xml
Network Whonix-Internal defined from Whonix-internal.xml
Network Whonix-External marked as autostarted
Network Whonix-External started
Network Whonix-Internal marked as autostarted
Network Whonix-Internal started
Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml
Domain 'Whonix-Workstation-vpn' defined from Whonix-Workstation-vpn.xml
Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml
</code></pre>
<p>Then edit the new workstation VM to have the 10.152.152.12 ip by default (since the other one has the 10.152.152.11 ip):</p>
<imgsrc="11.png"class="imgRz">
<imgsrc="12.png"class="imgRz">
<p>You need to keep in mind that currently we have not given out any information about ourselves, other than we've used Tor. We won't stop there, and in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN Connection itself through Tor. Cherry on top is that we're going to use a well-used VPN service, so we won't be the only user with that public VPN ip. But what matters is that we do not give any information about us to the VPN provider. If the VPN provider forces you to provide anything personal (if the vpn provider blocks tor connections, or forces you to buy it with something else than monero), then it would not truly be a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing.</p>
<imgsrc="104.png"class="imgRz">
<p>Now that's done we can go find a vpn provider for the workstation2, let's try out the very praised mullvad vpn provider <ahref="https://kycnot.me/service/mullvad">here</a>, Firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), also due to the fact that we won't be the only ones using that service, it means we won't need to change the VPN server when we want to have another identity online. On top of that, mullvad gives us the ability to connect to a random server of theirs, via openvpn via TCP on port 443, which is definitely neat because it mimicks web HTTPS traffic, and isn't blockable by tor exit node hosters (which is definitely a trend, most of them block ports that are suceptible to abuse, 443 https being the least likely of them): </p>
<imgsrc="49.png"class="imgRz">
<imgsrc="50.png"class="imgRz">
<p>now to not loose your accesses , make sure to save credentials in a local keepass database on the VM.</p>
<imgsrc="51.png"class="imgRz">
<imgsrc="52.png"class="imgRz">
<imgsrc="53.png"class="imgRz">
<p>Now let's add time to our account, and of course we will pay with <ahref="https://iv.nowhere.moe/watch?v=YTTac2XjyFY">the only cryptocurrency that's used</a>:</p>
<imgsrc="54.png"class="imgRz">
<imgsrc="56.png"class="imgRz">
<p>To get some monero you can buy it on localmonero.co, and make sure it arrives on your monero wallet inside the whonix VM, never trust centralised exchanges with your assets, always keep them locally.</p>
<imgsrc="55.png"class="imgRz">
<p>Once it finishes installing, create your monero wallet:</p>
<imgsrc="57.png"class="imgRz">
<p>Then say no to mining and use an onion-based monero daemon, like the one i'm hosting, you can find a full list of other ones <ahref="https://monero.fail/">here</a>:</p>
<imgsrc="58.png"class="imgRz">
<p>Wait for it to finish synchronizing, then get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created: </p>
<imgsrc="59.png"class="imgRz">
<imgsrc="60.png"class="imgRz">
<p>Once you've paid, download the .ovpn file to connect via vpn:</p>
<imgsrc="61.png"class="imgRz">
<p>Then unzip and let's now make sure the vpn goes through tor:</p>
<imgsrc="62.png"class="imgRz">
<imgsrc="63.png"class="imgRz">
<p>To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to mention the entry node which is the gateway 10.152.152.10:</p>
<imgsrc="66.png"class="imgRz">
<p>before we launch it keep in mind this:</p>
<imgsrc="67.png"class="imgRz">
<p>Then launch the VPN and you can then see that you no longer have a tor exit node IP:</p>
<imgsrc="68.png"class="imgRz">
<imgsrc="69.png"class="imgRz">
<p>Now check your ip from Firefox, not the tor browser:</p>
<imgsrc="70.png"class="imgRz">
<p>You can also check if there are any DNS leaks:</p>
<imgsrc="71.png"class="imgRz">
<p>here we see the test revealed a dns ip leak, but upon checking (in shodan.io) we see that it's a tor exit IP address:</p>
<imgsrc="72.png"class="imgRz">
<p>We can also check if there are any WebRTC leaks:</p>
<imgsrc="73.png"class="imgRz">
<p>and there we see that there are no webRTC leaks either, so it's all good.</p>
<p>To make sure the vpn is started automatically we can make it a systemd service:</p>
<p>Now thanks to that, you can still browse websites anonymously in case if they block tor exit nodes. However as stated above, make sure that you leave the rest of your Anonymous use in the regular Whonix VM, as there is no stream isolation in the Whonix-Workstation-VPN VM.</p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <ahref="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><imgsrc="\CC0.png">