Anonymous 07/12/2016 (Tue) 10:20:25 No. 167
OP here

Lessons learned:
1) proxychains are not very useful. I don't see much point in using them; Tor and VPN is the way to go if you want to access the clearnet. I2P is cool too, but I'm waiting for integration of the I2P router in Whonix Gateway to really give it a chance. The classic

"Hey Proxy1, can you please forward "forward to Proxy3; forward to Proxy4; forward to Proxy5; forward to https://encrypted.google.com 'c8e8df895c2cae-some-garbage-here-(encrypted)-166bad027fdf15335b'" to Proxy2? Thanks!"

really proves my point here. The only time this might be OK is if you're on a VPN through Tor session. At that point, your connection is secure from tampering and so far away from yourself, maybe you could use it to not get your VPN account b&? I'm not sure.

2) VPN through Tor is the best. It's perfect for browsing clearnet sites, as it avoids the usual captcha or ban you get with Tor, it stops MITM attacks from the Exit Node, and it's not horribly slow. I was streaming YouTube content without any stutters at 720p. That's good enough for me. Shoutouts to cryptostorm for letting Tor users not only connect up, but allowing anonymous payment with BTC and through Tor. I didn't like them for a while after one of the main guys got busted, but if I never have to show my true IP I feel safe anyway.

3) Qubes is good. Like, really good. TBH, I feel with Intel ME and SMM on modern CPUs, you're pretty much owned already. Hopefully Xen cleans up their act and secures their hypervisor more to stop these recent VM escape bugs. For serious, if you're using anything that can't libreboot, and you have 8GB+ of RAM, consider using Qubes. The only thing I'd consider more secure would be a classic parabola install on libreboot with the libre kernel and all that jazz. Qubes still has some distinct advantages over that though.

4) RUN A RELAY IF YOU HAVE THE BANDWIDTH. If you use the same internet every day like me, and if you're pushing tons of traffic (primarily downloading), then it's easier for an APT to deanonymize you. Running a middle relay forces your internet to connect to Entry nodes and Exit nodes all day. You can't possibly know what's going through the relay, so it's like free masking Tor bandwidth. Early NSA papers on the studies of traffic correlation suggested that users who run relays are much harder to deal with.


All in all, I've learned a bunch over time. If anyone is curious about how to run VPN through Tor, I would be willing to write up a simple guide. I know of two ways that would definitely work, one in Qubes specifically and one at the router level, along with possibly another way running from one machine. I'm not too sure if it'd work; I don't have a machine without Qubes on it that'd make it easy to test.