Whonix versus VPNs
Superior anonymity - Whonix vs. VPNs
- VPNs provide a basic IP hiding feature.
- VPNs can often provide a basic network blocking circumvention feature.
- VPNs don't make you anonymous.
- VPN providers know what you are doing.
- Security experts have a very low opinion of VPNs.
Summary
- VPNs do not even hide visited websites from your internet service provider (ISP)
- VPN software is not designed for anonymity
- VPNs have an unrealistic expectation of users
- See also Whonix homepage VPN comparison summary and Why does Whonix use Tor?
Whonix | VPNs |
---|---|
3 independent Tor servers | 1 trusted party |
need to know architecture | VPN Providers Know What You Are Doing |
anonymity by design | privacy by policy |
VPNs don't make you anonymous
Quote [1]:
VPNs are not an anonymity tool and should not be used as such. The VPN provider knows exactly who you are and what you're doing. They can find out who you are from your IP address, payment information, emails, usernames, browsing history etc. The VPN provider is in full position to log all of your traffic or launch man in the middle attacks.
Due to browser fingerprinting, VPNs are not suitable for being anonymous when browsing the internet.
VPN software normally does not ensure that users have a uniform appearance on the Internet aside from replacing the user's IP address with an IP address provided by the VPN provider; see Data Collection Techniques. When the collected data is merged, users remain distinguishable and easily identifiable.
Other studies have shown passive browser fingerprinting to be effective at correlating user identities. [9] VPN based systems in which a user shares the same browser with non-anonymous web surfing are nearly certain to transfer at least one cookie or other session identifier via the VPN session, which is enough for such an observer to de-anonymize the user via correlation with their non-VPN identity.
This can be easily verified by the user using some of the many available Browser Tests. For example, when using the popular fingerprint.com, the browser fingerprint will always be the same. Browser fingerprinting can be used to track the user in much the same way as an IP address. This is common practice on the internet. The fingerprint.com tracking software alone is used by 12% of the largest 500 websites.
Two options:
- A) The user is running the VPN software normally on their host operating system, which most users do. Or
- B) The user is using a virtual or physical VPN-Gateway, which is much less popular.
Even if the user were using a virtual or physical VPN-Gateway, always used a VPN, and always used a web browser over the VPN but never over clearnet, then due to browser fingerprinting the user would still be pseudonymous rather than anonymous. And as soon as the user uses their real identity over the VPN, they would not even be pseudonymous.
By comparison, when users run Tor Browser inside Whonix, even fingerprint.com can no longer track the user as soon as the user restarts Tor Browser or uses its new identity function.
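What a website's logs reveal in the cases above, as an added example that is not part of the original page: requests are linked by shared cookie or browser fingerprint regardless of source IP. All log records, addresses and identifier values are constructed, and the field names ip, cookie and fp are assumptions.

```python
from collections import defaultdict

# Constructed web-server records (not real data). Each record is what a site
# can see per request: source IP, cookie value, hash of browser attributes.
LOG = [
    {"ip": "198.51.100.23", "cookie": "sid=a1", "fp": "fp-77c2"},  # home ISP address
    {"ip": "203.0.113.80",  "cookie": "sid=a1", "fp": "fp-77c2"},  # same browser via VPN
    {"ip": "203.0.113.81",  "cookie": None,     "fp": "fp-77c2"},  # cookies cleared, new VPN exit
    {"ip": "192.0.2.200",   "cookie": "sid=zz", "fp": "fp-0e19"},  # unrelated visitor
    {"ip": "203.0.113.80",  "cookie": None,     "fp": "fp-5b40"},  # other user on the same VPN exit
]

# Assumed set of addresses known to belong to the VPN provider.
VPN_EXITS = {"203.0.113.80", "203.0.113.81"}


def link_sessions(records):
    """Group records that share a cookie or fingerprint (union-find).

    The source IP is deliberately not used as a linking key, so the result
    shows what remains linkable after the IP address has been replaced.
    Returns a sorted list of sorted IP lists, one list per linked browser.
    """
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}
    for idx, rec in enumerate(records):
        for kind in ("cookie", "fp"):
            value = rec.get(kind)
            if value is None:
                continue
            key = (kind, value)
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    clusters = defaultdict(set)
    for idx, rec in enumerate(records):
        clusters[find(idx)].add(rec["ip"])
    return sorted((sorted(ips) for ips in clusters.values()), key=lambda c: c[0])


def exposed_real_ips(clusters, vpn_exits):
    """Non-VPN addresses that sit in the same cluster as a VPN exit address."""
    exposed = set()
    for ips in clusters:
        if any(ip in vpn_exits for ip in ips):
            exposed.update(ip for ip in ips if ip not in vpn_exits)
    return exposed


if __name__ == "__main__":
    linked = link_sessions(LOG)
    for ips in linked:
        print("one browser seen from:", ", ".join(ips))
    print("real addresses tied to VPN sessions:", exposed_real_ips(linked, VPN_EXITS))
```

Clearing cookies and switching VPN exits does not break the link because the fingerprint is unchanged, and the second user behind 203.0.113.80 stays separate because their fingerprint differs.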
Traffic Analysis Attacks
Quote [1]:
VPNs are extremely vulnerable to traffic analysis attacks. An adversary can see your connection to the VPN server, connections coming out from the VPN server, compare them and if they look the same, they can take a good guess that it is you. Tor is also vulnerable to traffic analysis attacks but not to the same extent due to the three hops involved in a regular circuit.
Update: Nowadays in Whonix it's four, not three hops, thanks to vanguards.
Update: 3 hops until/if vanguards gets fixed.
Port Shadow Attacks
- Researchers at Citizen Lab presented a paper at the Privacy Enhancing Technologies Symposium 2024 that identifies vulnerabilities in popular VPN software (OpenVPN, WireGuard, and OpenConnect).
- They discovered a new exploit, called "port shadow", which allows attackers to hijack connections, deanonymize users, or redirect traffic.
- The vulnerability affects VPNs running on Linux and FreeBSD.
- Recommendations include using protocols like Shadowsocks or Tor, and VPN providers implementing specific firewall rules to mitigate the risks. Learn more: Vulnerabilities in VPNs
- Anatomy of the attack
- A "port shadow" attack allows an attacker to exploit shared resources on a VPN server, similar to how users on shared WiFi can be vulnerable.
- The attacker, sharing the same VPN server, can craft malicious packets to interfere with another user's VPN connection.
- This can lead to snooping of unencrypted data, port scans, or even connection hijacking, making VPN users vulnerable to other users on the same server.
- The vulnerability stems from the shared nature of ports in VPN servers.
VPNs do not even hide visited websites from your ISP
Any local observer on the network (ISP, WLAN) can make estimates of websites requested over the VPN by simply analyzing the size and timing of the encrypted VPN data stream (Website Fingerprinting Attacks).
A scientific article demonstrating the attack, Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier, had a success rate of over 90% for VPNs.
In contrast, Tor is quite resilient against this attack.
Security Experts Opinion on VPNs
The consensus opinion of security professionals is that VPNs pose more risks than benefits, and it is for this reason Whonix does not endorse their use.
Quote Bruce Schneier, renowned cryptographer and computer security professional:
We don’t talk about it a lot, but VPNs are entirely based on trust. As a consumer, you have no idea which company will best protect your privacy. You don’t know the data protection laws of the Seychelles or Panama. You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction. You don’t know who actually owns and runs the VPNs. You don’t even know which foreign companies the NSA has targeted for mass surveillance. All you can do is make your best guess, and hope you guessed well.
Quote research paper vpwns: Virtual Pwned Networks by Security and Privacy Research Lab University of Washington & The Tor Project:
Many VPN providers or products seem to overpromise in terms of where their products and tools work, making extremely bold claims about privacy, security, and anonymity without having had their claims evaluated to the standards found in the anonymity community.
[...]
“Hide your IP and ensure anonymous browsing.”
[...]
These claims are unreasonably absolute and they specifically fail to disclose the privileges afforded to the service operators by the design of the system as a whole.
The anonymity community often ignores VPN-based solutions, considering them obviously flawed against strong attackers. Nevertheless, these solutions are routinely employed by users who believe the claims of vendors.
Quote VPNalyzer:
in using a VPN, a user essentially transfers trust, say from their network provider, onto the VPN provider
Researchers that submit papers to Anonymity Bibliography, Selected Papers in Anonymity do not even consider VPNs. Nowadays most research focuses on Tor.
The Snowden documents describe a successful Internet-wide campaign by advanced adversaries for covert access to VPN providers' servers: VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN
VPN Software is not Designed for Anonymity
The two most popular VPN applications, OpenVPN (https://openvpn.net/) and WireGuard (https://www.wireguard.com/), do not even mention anonymity on their respective project homepages.
When searching only the OpenVPN homepage with the search query "site:https://openvpn.net anonymity", or only the WireGuard homepage with the search query "site:https://www.wireguard.com anonymity", there are no relevant search results on VPNs for anonymity, except for a few questions by users in the OpenVPN user forum.
There are also no discussions on anonymity related attacks such as browser fingerprinting, website traffic fingerprinting and so forth on these websites.
By comparison, the homepages of The Tor Project and the Whonix project, for example, are focused on anonymity.
Whenever a tool is pressed into service to provide data security properties for which it was not originally designed and tested, the potential for subtle security flaws greatly increases. In the particular case of a VPN used as an anonymizing service, the issues seem to arise primarily from the conventional relationship the VPN client software has with the endpoint system’s routing table.
But when the goal of the system is to provide strong user anonymity, the requirements become much more stringent. Even a single leaked DNS query or TCP SYN packet may be enough to reveal the user’s identity entirely and subject them to consequences much greater than those of a failed connection. Under these new requirements, the method of securing traffic via the endpoint system’s routing table is insufficient. It proves vulnerable to a number of generic problems that have the effect of expanding the user’s attack surface dramatically.
When the VPN is started, the VPN software modifies the routing table to route the traffic over the VPN. However, when the VPN loses connection, restarts or starts after networking was enabled, there could be clearnet leaks. Automatically started applications or daemons might make clearnet connections before the VPN has started and modified the routing table. This is why something like VPN-Firewall is required. [2]
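The routing-table failure described above can be checked mechanically. The following added example (not code from Whonix or VPN-Firewall) runs a longest-prefix-match lookup over two constructed "ip route show" outputs, one with the tunnel up and one after it dropped; the interface names eth0 and tun0, all addresses, and the OpenVPN-style 0.0.0.0/1 and 128.0.0.0/1 override routes are assumptions made for illustration.

```python
import ipaddress

# Constructed `ip route show` output, not captured from a real host.
# Assumed names: eth0 (physical NIC), tun0 (VPN tunnel), 203.0.113.7 (VPN server).
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.7 via 192.168.1.1 dev eth0
"""

# Same host after tun0 went away: every route bound to tun0 is gone,
# the original default route was never removed and takes over silently.
ROUTES_VPN_DOWN = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.7 via 192.168.1.1 dev eth0
"""

TUNNEL_DEV = "tun0"
VPN_SERVER = "203.0.113.7"
# Constructed destinations: a web server, a DNS resolver, one address in the
# lower half of the IPv4 space, and the VPN server itself.
DESTINATIONS = ["198.51.100.20", "192.0.2.53", "100.64.0.10", VPN_SERVER]


def parse_routes(text):
    """Return a list of (network, device, metric) from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # blank line or a route without an egress device
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # line starts with a route type keyword, not a prefix
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(routes, destination):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def clearnet_leaks(routes, destinations, tunnel_dev, vpn_server):
    """Map each destination that would leave via a non-tunnel device to that device."""
    leaks = {}
    for dst in destinations:
        if dst == vpn_server:
            continue  # the encrypted tunnel itself has to use the physical NIC
        dev = egress_device(routes, dst)
        if dev is not None and dev != tunnel_dev:
            leaks[dst] = dev
    return leaks


if __name__ == "__main__":
    for label, text in (("VPN up", ROUTES_VPN_UP), ("VPN down", ROUTES_VPN_DOWN)):
        leaks = clearnet_leaks(parse_routes(text), DESTINATIONS, TUNNEL_DEV, VPN_SERVER)
        print(label, "->", leaks or "no clearnet egress")
```

With the tunnel up nothing leaks; once tun0 is gone every destination falls back to the default route on eth0, which is the window a fail-closed firewall has to cover.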
Unrealistic Expectations of User Behavior
An unrealistic set of operational rules is required to stay anonymous when a user is purely using a VPN for anonymity on most host operating systems such as Windows, Linux, macOS.
If the VPN is dysfunctional, the user would likely disable the VPN in order to search the internet for a solution or to contact the support of the VPN provider. When disabling the VPN however, all applications previously using the VPN are now using clearnet, i.e. a normal internet connection which uses the user's real IP address, which then allows adversaries to trivially link the VPN and non-VPN (clearnet) sessions. Almost all users will use the same computer to research that solution and won't use a dedicated separate computer only for the purpose of contacting the support.
It is totally unrealistic to expect most users to terminate each and every application (some of them running in the background) beforehand, as this requires too much complex technical knowledge, attention and discipline. But if some application keeps running, its connections will continue without its IP address being cloaked by the VPN. The user's real IP address leaks in such situations and is then correlated with former sessions by server logs.
Enabling/disabling a VPN on the host operating system is similar to Tor Browser Bundle's (TBB) past toggle model. In the past, torbutton (which used to be a component of Tor Browser) had an option to enable anonymous (Tor) use for some websites and to toggle (disable) it for others and vice versa. This experiment in user experience design (usability) failed. Through the necessary trial and error in usability design, the developers of Tor Browser recognized that users can easily make mistakes and confuse one website for another under the toggle model. Hence, the toggle feature has been removed from TBB. Nowadays, TBB is an anonymous-only, Tor-only browser. [3]
If an attacker were simply to deny all traffic to the VPN host by way of Deep Packet Inspection, it may cause the user to disable or restart the VPN client, or the VPN connection may even restart itself with a watchdog timer of some kind. Until the VPN reconnection is complete, the client’s routing table momentarily assumes an unsecured default (or even unpredictable) state. Applications the user expects to be secure now simply connect directly.
When using Whonix, there is no documented way to disable its traffic anonymization through use of the Tor anonymity network. It is very difficult to reconfigure Whonix-Workstation™ to connect over clearnet (non-anonymous). Users are unable to do this. [4] Therefore this cannot happen by accident.
VPN Providers Know What You Are Doing
Logging Incidents
A number of VPN providers have already handed over user data in the past. Many VPN adherents are unaware of these precedents. A non-exhaustive list of cases covered in media reports includes HideMyAss, IPVanish and PureVPN; see this list on reddit or media reports such as Seven 'no log' VPN providers accused of leaking.
https://web.archive.org/web/20220816044450/http://www.malwarebytes.com/blog/news/2021/03/21-million-free-vpn-users-data-exposed
By comparison, Tor, with its need to know architecture and multiple server hops, has never had any logging incidents.
Logging Risk
VPN providers only offer privacy by policy, while Whonix offers anonymity by design.
VPN providers:
- Unlike Tor, VPN hosts can track and save every user action since they control all VPN servers. The administrators and anyone else who has access to their servers, either knowingly or unknowingly, will have access to this information.
- Claims that VPN providers do not log user activity are unverifiable; in fact this claim is exactly what could be expected from a malicious provider.
- Recent research reveals that around one-third of all popular VPN providers are owned by Chinese companies, while others are based in countries like Pakistan, with non-existent or weak privacy laws. [5] The implication is that traffic might be routinely examined in a high percentage of cases, despite corporate promises to the contrary.
- OpenVPN has an IP logging feature which would have to be disabled by No-Log VPN providers. The situation is similar for WireGuard. [6] See also VPN Software is not Designed for Anonymity. It would be much safer if the VPN software had no built-in logging feature; accidental logging would then be impossible.
- The only safe assumption to make is that all VPN providers log activity in order to deflect potential legal actions and to satisfy government demands for (meta)data on 'suspect' users.
Whonix:
- Whonix uses the Tor anonymity network (with vanguards).
- Due to Tor's organisational separation and its need to know architecture the logging risk is much lower.
- There is no single person or legal entity that could de-anonymize the user if logging were enabled.
- The routing algorithm of the Tor software chooses multiple servers (Tor relays) and multiple countries (different jurisdictions) for connections through the Tor anonymity network (Tor circuit).
- By Tor's design, each Tor relay server must be hosted by a different organisation or person. [7]
- In Whonix, all 3 server hops (Tor relays) would have to be colluding.
- It is also unknown if any of the 3 hops (Tor relays) is keeping logs. However, one malicious node will have less impact. The entry guard will not know where you are connecting to, thus it is not a fatal problem if they log. The exit relay will not know who you are, but can see any unencrypted traffic -- this is only a problem if sensitive data is sent over this channel (which is unrecommended). Tor's model is only broken in the unlikely (but not impossible) event that an adversary controls all four relays in the circuit. [8] Tor distributes trust, while using VPN providers places all trust in the policy of one provider.
- Since Tor is designed for anonymity, the Tor software run by Tor relays has no IP logging feature that could be turned on. [9]
- Malicious Tor relays would have to add an IP logging feature themselves. Therefore there is no risk for Tor relays to accidentally keep IP logs.
Issues with VPNs
There are a number of serious security and anonymity risks in wholly relying on VPNs.
Table: Tor vs. VPN Comparison
Category | Discussion |
---|---|
Breaches | VPN providers have been breached by advanced adversaries. Ars Technica: Hackers steal secret crypto keys for NordVPN.: |
Clearnet Risk | It is trivial to trick client applications behind a VPN to connect in the clear according to research paper vpwns: Virtual Pwned Networks by Security and Privacy Research Lab University of Washington & The Tor Project. |
Design | VPNs do not magically improve security; they are just a 'glorified proxy'. Since they can observe all user traffic, there is nothing preventing them from using that data for any purpose they like, including logging. [10] 'Honeypot' or malicious providers might be ubiquitous. [11] |
Identity Correlation | VPNs lack stream isolation. All connections originating from the same user (operating system updates, chat, all visited websites) are routed to the same IP. Therefore the VPN provider could correlate all user online activity. In contrast, Whonix and Tor implement stream isolation. |
Static Routing | VPNs lack route randomization. All traffic is always routed to the same server using the same IP address. Tor has route randomization. |
Malware | |
Multi-hop VPNs | Advertisements for double, triple or multi-hop VPNs are meaningless. For example as in case of DoubleVPN, quote Police seize DoubleVPN data, servers, and domain:
Unless the user builds their own custom VPN chain by carefully choosing different VPN providers, operated by different companies, then they are fully trusting only one provider. But even in that case, the user would still lack route randomization. |
Security | |
Software | |
TCP Timestamps | The fundamental design of VPN systems means they do not normally filter or replace the computer's TCP packets. Therefore, unlike Tor they cannot protect against TCP timestamp attacks. |
Trust | VPN providers represent a single point/entity of potential failure. Unlike Tor which distributes trust across multiple relays, VPN adherents must trust the provider does not: |
Payment Link Risk | |
VPN Configuration | If VPN software is run directly on the same machine that also runs client software such as a web browser, then Active Web Contents can read the real IP address. This can be prevented by utilizing a virtual or physical VPN-Gateway or a router. However, be aware that active contents can still reveal a lot of data concerning the computer and network configuration. |
The law of triviality / bikeshedding
The potential positive or negative effects on anonymity are being controversially debated.
The law of triviality / bikeshedding applies to VPNs. While VPNs are frequently discussed, related privacy issues receive much less attention, including: browser fingerprinting, website traffic fingerprinting, TCP Initial Sequence Numbers Randomization (tirdad); Keystroke Deanonymization (kloak); guard discovery and related traffic analysis attacks (vanguards); Time Attacks (sdwdate); and Advanced Deanonymization Attacks. See also: Anonymity Bibliography, Selected Papers in Anonymity.
Use Case Exceptions
There are some possible use cases that might warrant a VPN provider:
- A potentially 'hostile' network must be used, like those found in public airports (WiFi access points) and where ISPs have a questionable record of man-in-the-middle attacks.
- It is necessary to hide an IP address from non-government-sanctioned adversaries. [12]
- Circumvention of geo-blocking although that is getting harder. [13]
If a VPN is essential in your circumstances for whatever reason, setting up one's own Virtual Private Server (VPS) could be considered. There is no guarantee that a rented server is less likely to be malicious than a standard VPN provider.
Criteria for Reviewing VPN Providers
The following list of criteria might be useful for a user reviewing the quality of various VPN providers.
Table: VPN Provider Quality Review Criteria
Criteria | Category | Quality Impact |
---|---|---|
Place of incorporation | Trust | Country with strong privacy laws |
incorporation verifiable [14] | Trust | Trust but verify the place of incorporation is truthfully documented. |
ownership / shareholders | Trust | |
known spokesperson | Trust | |
third party audited | Trust | |
popularity in external VPN reviews | Trust | |
overall popularity online | Trust | |
known cases of malicious activity | Trust | |
long term track record | Trust | |
no log policy | Anonymity | |
own infrastructure | Anonymity | VPN providers that run their own servers rather than relying on shared infrastructure exclude the risk of their hosting provider logging data or snooping around. |
has a free service or limited use free service | Anonymity | Free services are easiest to test and without payment trail can be more anonymous. |
accepts Bitcoin payments | Anonymity | Payments using Bitcoin are easier (but still hard) to anonymize. |
accepts other anonymous cryptocurrency payments like Monero | Anonymity | More anonymous than Bitcoin. |
JavaScript-free ordering possible | Anonymity | Less ability for the VPN provider (web service provider) to fingerprint the user's browser |
anonymous sign-up allowed | Anonymity | Self-explanatory. |
VPN client software is Freedom Software | Security | Reasons for Freedom Software |
can be used with Freedom Software like OpenVPN | Security | |
Freedom Software server source code | Security | |
private (non-shared), unique IP address(es) | Functionality | Unique IP address(es) have a higher chance of not being banned by remote websites due to previous abuse by other users sharing the same IP address. |
can be connected to by TCP | Functionality | Useful in some restrictive networks. |
can be connected to by UDP | Functionality | Speed. |
supports tunneling TCP | Functionality | Most if not all VPN providers have this functionality. |
supports tunneling UDP | Functionality | Required for some applications such as Voice over IP (VoIP). |
VPN with Remote Port Forwarding (for Hosting Location Hidden Services) | Functionality | Only useful if the user intends to host location hidden services. |
popularity in Whonix forums | Usability | Ease of setup in combination with Tor |
Conclusion
The host of security considerations suggests that relying purely on a VPN service for anonymity is unrealistic.
Whonix is more powerful for anonymity than a VPN.
Rationale
This chapter explains the rationale for this wiki chapter. The reader may skip this section.
This page risks stating things that are obvious, but the question must be asked: "Obvious to whom?". The above points may only be common sense to developers, hackers, geeks and other people with technological skills. It is useful to sometimes read usability papers or the feedback from people who do not post on mailing lists or in forums.
Why compare Whonix with VPN providers? Aren't VPN providers in a totally different category than Whonix or Tor? No.
- Whonix / Tor are anonymity tools.
- VPNs don't make you anonymous but are often advertised or perceived as anonymity tools by many users.
Examples of VPNs being advertised as anonymity tools:
- A popular VPN provider is advertising [15] quote:
Best VPN for privacy and anonymity
- A search query for "anonymous vpn" on Google Play store.
- Search query for "anonymous online" on the Google search engine. The first 3 search results are VPN related advertisements.
Figure: Searching Google for search term "anonymous online" (23 September 2022)
The fact that VPNs are often perceived as anonymity tools has also been confirmed in various research papers:
- Quote VPNalyzer:
Worryingly, we find that users have flawed mental models about the protection VPNs provide, and about the data collected by VPNs.
Alarmingly, we find the highest degree of misalignment in the user’s trust in the VPN recommendation and review ecosystem. Most providers agreed that the review ecosystem is far from reliable and largely motivated by money. However, users are completely unaware of this, and rely on them believing they are trustworthy.
Furthermore, 118 users also write-in additional reasons why they use VPNs (Appendix B.1), and we find that privacy (60.2%, 71 of 118; from ISP, tracking, surveillance, ad targeting), security (12.71%, 15), being offered the service (10.1%, 12; by a company, with a purchase), during travel (7.6%, 9), and anonymity (2.5%, 3) are the main reasons for use.
Malicious Marketing (6/9): Many providers mention several issues, that we term as malicious marketing, including the use of affiliate marketing, preying upon users’ lack of knowledge, and overselling of service including selling anonymity even though that is not a VPN guarantee.
To understand users’ threat models when it comes to using a VPN, we first ascertain whether users use a VPN to secure their online activities, and if yes, who they want to protect it from. Notably, 91.5% (1145 of 1,252) of users indicate they use VPNs for securing or protecting their online activity. When exploring who they aim to protect from, we find that hackers/eavesdroppers on open WiFi networks (83.9%, 1,051 of 1,252), advertising companies (65.4%, 819), and internet service providers (ISP) (46.9% 587) are the top three responses. Notably, only ≈30% of users are concerned about the U.S. government or other governments. This is intriguing because post Snowden’s surveillance revelations in 2014, more users moved towards privacy tools such as VPNs and anonymity tools such as Tor [41]. Our results indicate a shift in user’s attitudes, and show a growing concern towards corporate and advertisement surveillance. This shift could have been influenced by the security advice users are exposed to, as shown in prior work [1] that finds that YouTubers often cite “the media” and “hackers” as common adversaries.
- Quote research paper vpwns: Virtual Pwned Networks by Security and Privacy Research Lab University of Washington & The Tor Project:
The anonymity community often ignores VPN-based solutions, considering them obviously flawed against strong attackers. Nevertheless, these solutions are routinely employed by users who believe the claims of vendors.
- Quote research paper Awareness, Adoption, and Misconceptions of Web Privacy Tools [16]:
They found that 40% of participants used VPNs for security and privacy, and that about one-third of participants thought VPNs guaranteed privacy, anonymity, and safety from tracking.
For examples of how highly technical user groups tend to lose contact with non-technical users where misconceptions are concerned, see also Rationale for the wiki page Tips on Remaining Anonymous.
VPNs in Combination with Tor
Whether it is worth combining Tor with a VPN -- either as pre-Tor-VPN (user → VPN → Tor) or as post-Tor-VPN (user → Tor → VPN) -- is a controversial topic and discussed on the Tor plus VPN page. If this configuration is preferred, it is easy to set up with Whonix; see Tunnel Support.
Sources
vpwns
vpwns: Research paper vpwns: Virtual Pwned Networks by Security and Privacy Research Lab University of Washington & The Tor Project.
VPNalyzer
VPNalyzer: VPNalyzer: Crowdsourced Investigation into Commercial VPNs, research paper “All of them claim to be the best”: Multi-perspective study of VPN users and VPN providers by a group of computer science researchers at the University of Michigan.
Other Sources
See footnotes.
See Also
- Why does Whonix use Tor
- Tor vs. Proxies, Proxy Chains
- https://web.archive.org/web/20230205050050/https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browser-not-a-vpn/
License
Appreciation is expressed to JonDos (Permission). This wiki page contains content from the JonDonym documentation Other Services page.
Footnotes
- ↑ 1.0 1.1 https://obscurix.github.io/vpns.html
- ↑ https://superuser.com/questions/1725438/how-can-i-prevent-wireguard-from-leaking-traffic
- ↑ https://blog.torproject.org/toggle-or-not-toggle-end-torbutton/
- ↑
- Nobody has posted instructions how to do that yet.
- Highly technical users might be able to through extensive modifications of Whonix-Gateway™ but that's besides the point and serves no purpose.
- ↑ https://www.computerweekly.com/news/252466203/Top-VPNs-secretly-owned-by-Chinese-firms
- ↑
- ↑ Organisations and people may host multiple Tor relays; however they must, or at least ought to, disclose that these belong to the same "family". This is to make it possible for Tor's routing algorithm to pick 4 relays, each from a different "family".
- ↑ Or if they are a global passive adversary capable of monitoring the traffic between all the computers in a network at the same time.
- ↑ https://tor.stackexchange.com/questions/21721/do-relay-and-entry-nodes-keep-logs
- ↑ It could be argued these services truly only exist to sell overpriced bandwidth, with flimsy promises made to attract gullible customers.
- ↑ It is logical that governments would set up providers in this manner to attract citizens who have a greater interest in protecting their privacy, since that traffic is deemed more interesting for intelligence purposes.
- ↑ In this case, the VPN provider will still be able to link all activities to the same user.
- ↑
- ↑ Such as Companies House for the United Kingdom.
- ↑ archive.ph
- ↑ https://usableprivacy.org/static/files/story_popets_2021.pdf