Connecting to Tor before a VPN

From Whonix


Warning: Before combining Tor with other tunnels, be sure to read and understand the risks!

Advertisement:
Too difficult to set up? Provider specific automation can be created for you by the lead developer of Whonix ™. Send reasonable price suggestions. Get in contact.


User → Tor → VPN → Internet


Increased Threat of Identity Correlation

By design, a VPN routes every application that has no proxy settings of its own through the VPN. Everything that leaves through the tunnel-link then shares one exit IP address at the VPN provider, so separate activities in the same VM become linkable to each other. You may not want this, as explained below. To limit the exposure, use this Whonix-Workstation ™ only for the particular application you want to route through the tunnel-link and keep other activities elsewhere; you are advised to use Multiple Whonix-Workstation ™.

Prevent Bypassing of the Tunnel-Link

Warning: Apply the following steps to avoid unexpected results such as broken connectivity and/or traffic bypassing the tunnel-link and only going through Tor.
Qubes-Whonix ™ exception: There is one tunnel configuration where Qubes-Whonix ™ users are better placed. When a separate tunnel-link VM is used between anon-whonix and sys-whonix (anon-whonix → Tunnel-link → sys-whonix), these connections simply fail without the following modifications rather than silently bypassing the tunnel-link.

Introduction
Disabling stream isolation prevents bypassing of the tunnel-link. By default, many pre-installed applications in Whonix ™ are configured for Stream Isolation: they are pointed at dedicated Tor SocksPorts on the Whonix-Gateway ™ instead of relying on Tor's TransPort.

Applications configured to use Tor SocksPorts are not tunneled through the tunnel-link; they are "only" tunneled through Tor. The reason is that the tunnel configuration below does not touch connections to 10.152.152.10, the Whonix-Gateway ™, so a SOCKS connection to a gateway SocksPort enters Tor directly and never passes the tunnel-link. Therefore, if for example you wish to tunnel Tor Browser via the route User → Tor → Tunnel-link → Internet, all proxy settings need to be removed from Tor Browser. See below for instructions.

Deactivate uwt Wrappers

The following instructions permanently deactivate all uwt wrappers and remove stream isolation for uwt wrapped applications system-wide. Consequently, all uwt wrapped applications revert to the default system networking configuration.

If you want more granular control of uwt wrapper deactivation, see Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper.

Open file /etc/uwt.d/50_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security. This is an example; other editors could achieve the same goal.

sudoedit /etc/uwt.d/50_user.conf

Add.

uwtwrapper_global="0"

Save and exit.


Tor Browser Remove Proxy Settings

Introduction

This configuration means Tor Browser will no longer use proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside the Whonix-Workstation ™ that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [1]

Note: This action will break both the Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and causes the user to be pseudonymous, rather than anonymous. To mitigate these risks, consider using More than one Tor Browser in Whonix ™, or better yet, Multiple Whonix-Workstation ™s.

If these settings are changed, expect Tor Button to show a red sign and state "Tor Disabled" if a mouse is hovered over it.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the /etc/environment method is the simplest one.

Note: Choose only 1 method to enable transparent torification.

Other methods, with finer-grained settings, are described next.

Command Line Method

Navigate to the Tor Browser folder.

cd ~/tor-browser_en-US

Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

Open start-tor-browser in the Tor Browser folder in an editor. This is most likely ~/tor-browser_en-US/Browser/start-tor-browser. Add the following line directly below the #!/usr/bin/env bash shebang.

Set.

export TOR_TRANSPROXY=1

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [2]

Open file /etc/environment in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/environment

Add the following line.

TOR_TRANSPROXY=1

Save and reboot.

Undo

Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Ignore Tor Button's Open Network Settings

Whonix has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [3]


Deactivate Miscellaneous Proxy Settings

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this, the Whonix system default must be removed from the application's settings.

TODO: document and expand.

Remove proxy settings for APT repository files.

1. If you previously onionized any repositories, that has to be undone. See Onionizing Repositories.

2. Remove any mention of tor+ in file /etc/apt/sources.list (if you are using that - that file is empty by default in Whonix / Kicksecure) or any file in folder /etc/apt/sources.list.d.

3. Open the files /etc/apt/sources.list and /etc/apt/sources.list.d/* in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

4. Remove any mention of tor+.

The process of removing proxy settings from APT repository files is now complete.

Remove proxy settings for Tor Browser Downloader by Whonix ™.

Open file /etc/torbrowser.d/50_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/torbrowser.d/50_user.conf

Paste. [4] [5]

TB_NO_TOR_CON_CHECK=1
CURL_PROXY="--fail"

Save.

For some applications this is impossible:

These applications can only talk to Tor Onion Services directly and cannot be configured to use the system default. The only options are to deactivate sdwdate and/or not to use Ricochet IM.
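The settings in this chapter are spread over several files, and two of them follow Whonix's .d override rule (the last file in lexical order wins, so 50_user.conf overrides 30_default.conf). The following sh script, an added example that is not part of Whonix, audits a workstation for anything that would still route an application into a Tor SocksPort and so past the tunnel-link: the uwt wrapper switch, TOR_TRANSPROXY in /etc/environment, tor+ or onion APT sources, and the tb-updater overrides. The file paths are the ones named above; the exact matching rules and the ROOT prefix for checking a copied /etc tree offline are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Whonix code: audit a Whonix-Workstation for proxy
# settings that still send an application straight into a Tor SocksPort,
# i.e. User -> Tor -> Internet instead of User -> Tor -> VPN -> Internet.
# Usage: sh tunnel_bypass_audit.sh /          (live system)
#        sh tunnel_bypass_audit.sh /some/copy  (a copied /etc tree, offline)

# Resolve KEY="VALUE" across a Whonix .d folder. Files are read in lexical
# order and the last assignment wins, so 50_user.conf overrides
# 30_default.conf. Prints the resolved value, or nothing if never set.
dconf_value() {
    dir="$1"; key="$2"; value=""
    pat="^[[:space:]]*${key}=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/${pat}/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then value="$v"; fi
    done
    printf '%s' "$value"
}

# Print one finding per line; the exit status is the number of findings.
audit_tunnel_bypass() {
    root="${1:-}"; n=0

    # 1. uwt wrappers: anything but uwtwrapper_global="0" keeps wrapped
    #    applications (curl, wget, apt-get, ...) on Tor SocksPorts.
    if [ "$(dconf_value "$root/etc/uwt.d" uwtwrapper_global)" != "0" ]; then
        echo "uwt: uwtwrapper_global is not 0 in $root/etc/uwt.d (wrapped apps bypass the tunnel-link)"
        n=$((n + 1))
    fi

    # 2. Tor Browser: without TOR_TRANSPROXY=1 it keeps its own SOCKS settings.
    if ! grep -qs '^[[:space:]]*TOR_TRANSPROXY=1[[:space:]]*$' "$root/etc/environment"; then
        echo "tor-browser: TOR_TRANSPROXY=1 missing from $root/etc/environment"
        n=$((n + 1))
    fi

    # 3. APT: tor+ URIs and onion mirrors are fetched through Tor directly.
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*; do
        [ -f "$f" ] || continue
        if grep -qs -e 'tor+' -e '\.onion' "$f"; then
            echo "apt: Tor-only repository URI in $f"
            n=$((n + 1))
        fi
    done

    # 4. tb-updater: needs TB_NO_TOR_CON_CHECK=1 and a CURL_PROXY override.
    tbdir="$root/etc/torbrowser.d"
    if [ "$(dconf_value "$tbdir" TB_NO_TOR_CON_CHECK)" != "1" ] \
       || [ -z "$(dconf_value "$tbdir" CURL_PROXY)" ]; then
        echo "tb-updater: TB_NO_TOR_CON_CHECK=1 / CURL_PROXY not set in $tbdir"
        n=$((n + 1))
    fi

    return "$n"
}

if [ $# -gt 0 ]; then
    if audit_tunnel_bypass "$1"; then echo "no tunnel-link bypass found"; fi
fi
```

Run it in the Whonix-Workstation ™ after completing this chapter; a non-zero exit status lists exactly which of the steps above is still missing. It checks configuration only, so the #Leak Tests further below remain the authoritative end-to-end check.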

Use a Fail Closed Mechanism

A general problem with VPNs is that connections often fail to remain open. This means the VPN connection suddenly closes, leaving the user directly connected to the Internet (without first tunneling through the VPN). This is not a Whonix ™-specific problem. VPN servers and software can occasionally fail without prior notice. Therefore, if the VPN is unreachable or the connection breaks down for whatever reason, in most cases the user will continue to connect to the Internet without the VPN.

One of the key benefits of Whonix is that when a VPN connection fails, protection is still provided by the Tor process. In this instance, the Whonix-Workstation ™ will seamlessly continue to make "direct" connections through Tor. Failure of the VPN tunnel may be inconsequential if a VPN is only used to circumvent Tor censorship. On the other hand, if VPN use is intended to improve security, then it must be configured so that if/when the VPN connection fails, all connections between the outside world and the computer are halted.

Instructions below include a fail closed mechanism.


VPN Client Choice

Use OpenVPN.

Using bitmask for this use case is not possible. In other words, you cannot use user → Tor → bitmask → Internet. [6]

Other VPN clients are unsupported. We are not aware of any sane VPN client choices besides OpenVPN.


Setup Tor before a VPN (User → Tor → VPN → Internet)

Introduction

There are two methods.


Separate VPN-Gateway

A separate VPN-Gateway between Whonix-Gateway ™ and Whonix-Workstation ™, i.e. Whonix-Workstation ™ → VPN-Gateway → Whonix-Gateway ™.

Qubes-Whonix ™ only! Non-Qubes-Whonix ™ is unsupported!

User → Tor → VPN → Internet

1. Clone a TemplateVM for example, debian-9 and name the new template clone debian-9-vpn.[7]

Qube Manager → debian-9 → Clone qube → Enter name for Qube clone: debian-9-vpn → Press: OK

2. Create a new ProxyVM based on the newly cloned template. Name the VM VPN-Gateway and set the Whonix-Gateway ™ TemplateBasedProxyVM (commonly called sys-whonix) as NetVM. Make sure to check [✔] the box for provides_network.

Qube Manager → Qube → Create new qube

  • Name and label: VPN-Gateway (Set any color)
  • Type: AppVM
  • Template: debian-9-vpn
  • Networking: sys-whonix
  • Advanced: [✔] Provides network
  • Press: OK

3. Set up the VPN-Gateway as per the Qubes VPN Documentation. The instructions that configure the VPN gateway using iptables and CLI scripts are preferred, because they prevent clearnet leaks when the VPN breaks down.

Without a fail closed configuration, when the VPN connection breaks down all traffic originating from the Whonix-Workstation ™ AppVM (commonly called anon-whonix) would silently continue through Tor alone:

User → Tor → Internet

Note: UDP-style VPN connections are incompatible with Tor, so the VPN must be configured to use TCP.[8] To do that, add proto tcp to the VPN configuration file /rw/config/vpn/openvpn-client.ovpn. Most, but not all, VPN providers support this configuration.

4. Check, that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway as per: Qubes VPN Documentation [archive]

5. (Recommended) In Whonix-Workstation ™ (commonly called anon-whonix) apply instructions from the above chapter: #Prevent Bypassing of the Tunnel-Link.

When using a separate VPN Gateway no DNS configuration is required. System DNS should work out of the box.[9]

If using Tor Browser the following warning will be shown:

Something Went Wrong!
Tor is not working in this browser.

This is expected. For technical background, see footnote.[10]

For troubleshooting, see footnote. [11]

Done! It is recommended to run the related #Leak Tests.

Whonix ™ user forum discussion:
https://forums.whonix.org/t/setup-a-vpn-in-proxyvm-over-sys-whonix [12]
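To make the fail closed requirement from step 3 concrete, the following sh fragment prints a minimal fail-closed iptables ruleset for the VPN-Gateway ProxyVM of this method. It is an added example: neither the Qubes VPN documentation's scripts nor Whonix's TUNNEL_FIREWALL, and not for use inside a Whonix VM. It assumes the upstream interface is eth0, the tunnel device is tun0, the downstream Qubes interfaces match vif+, and the VPN server sits at the documentation address 198.51.100.10 on port 443/tcp; replace these with your own values.

```shell
#!/bin/sh
# Added example: a minimal fail-closed ruleset for the VPN-Gateway ProxyVM in
# anon-whonix -> VPN-Gateway -> sys-whonix. This is neither the Qubes VPN
# documentation's script nor Whonix's TUNNEL_FIREWALL, and it is not meant
# for use inside a Whonix VM. Only two kinds of traffic may leave the VM:
# the OpenVPN TCP session to the VPN server (which sys-whonix then pushes
# through Tor) and packets already inside the tunnel. If the VPN drops,
# downstream VMs lose connectivity instead of silently falling back to
# User -> Tor -> Internet.
# Assumptions (not from the Whonix page): upstream interface eth0, tunnel
# device tun0, downstream Qubes interfaces vif+, VPN server 198.51.100.10
# port 443/tcp (documentation address; use your provider's IP).
# Rules are inserted (-I) rather than flushed so Qubes' own chains survive.
# Usage: sh fail_closed.sh 198.51.100.10 443 [eth0 [tun0]]      # print
#        sh fail_closed.sh 198.51.100.10 443 | sudo sh -e         # apply

fail_closed_rules() {
    vpn_ip="$1"; vpn_port="$2"; up_if="${3:-eth0}"; tun_if="${4:-tun0}"
    cat <<EOF
# downstream VMs are never forwarded to or from the upstream interface
iptables -I FORWARD -o $up_if -j DROP
iptables -I FORWARD -i $up_if -j DROP
ip6tables -I FORWARD -o $up_if -j DROP
ip6tables -I FORWARD -i $up_if -j DROP
# forwarding into and out of the tunnel is allowed
iptables -I FORWARD -i vif+ -o $tun_if -j ACCEPT
iptables -I FORWARD -i $tun_if -o vif+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $tun_if -j MASQUERADE
# the VM's own traffic: deny by default ...
iptables -P OUTPUT DROP
ip6tables -P OUTPUT DROP
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... except the single TCP session to the VPN server (Tor cannot carry UDP) ...
iptables -I OUTPUT -o $up_if -p tcp -d $vpn_ip --dport $vpn_port -j ACCEPT
# ... and anything that goes into the tunnel
iptables -I OUTPUT -o $tun_if -j ACCEPT
EOF
}

if [ $# -ge 2 ]; then fail_closed_rules "$@"; fi
```

Two points to keep in mind when adapting this. The only ACCEPT that names the upstream interface is the TCP rule to one server address, which is why the VPN configuration must use an IP address and proto tcp. And Qubes forwards downstream DNS queries to the upstream NetVM's addresses, which these rules now drop; the Qubes VPN guide's scripts redirect that DNS traffic into the tunnel, and without that step name resolution in anon-whonix fails closed rather than working.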


Inside Whonix-Workstation ™

Connect to your VPN using your preferred software *inside* the (Whonix ™-)Workstation.

Note that UDP-style VPN connections are incompatible with Tor; the VPN must be configured to use TCP. [13] To do that, add proto tcp to the VPN configuration file /etc/openvpn/openvpn.conf. Most, but not all VPN providers support this configuration.

User → Tor → VPN → Internet

Whonix ™ TUNNEL_FIREWALL vs standalone VPN-Firewall

When applying VPN instructions inside Whonix VMs, do not use the standalone VPN-Firewall. It is not required and is incompatible with the integrated Whonix TUNNEL_FIREWALL feature which is documented below.

Preparation

It is challenging to set up OpenVPN on Whonix with a secure, leak preventing Fail Closed Mechanism. For this reason, it is strongly recommended that users first learn how to set up OpenVPN on Debian stable (currently buster). The following steps are a simple overview of the process:

  1. Prepare a Debian stable VM.
  2. Install the Debian OpenVPN package: sudo apt-get install openvpn
  3. Research how to set up a VPN using OpenVPN on the command line. [14]
  4. Search for help with general VPN setup in the #VPN Setup chapter or on the TestVPN page. Help is available from various sources, and the VPN provider may also be of assistance.
Prerequisite Knowledge

Highly recommended reading and understanding before proceeding: Whonix Debian Packages

Firewall Settings

Modify Whonix-Workstation ™ User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix ™, complete these steps.
In Whonix-Workstation ™ AppVM.

Make sure folder /rw/config/whonix_firewall.d exists.

sudo mkdir -p /rw/config/whonix_firewall.d

Open /rw/config/whonix_firewall.d/50_user.conf with root rights.

sudoedit /rw/config/whonix_firewall.d/50_user.conf

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → Settings → User Firewall Settings

If using Non-Qubes-Whonix ™, complete this step.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

sudo nano /etc/whonix_firewall.d/50_user.conf

For more background on the defaults that 50_user.conf overrides, read on; otherwise skip to "Add the following settings" below.

Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_default.conf

The Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, follow these instructions.

If using Qubes-Whonix ™, complete these steps.

Qubes App Launcher (blue/grey "Q") → Template: whonix-ws-15 → Whonix Global Firewall Settings

If using a graphical Whonix-Workstation ™, complete these steps.

Start Menu → Applications → Settings → Global Firewall Settings

If using Non-Qubes-Whonix ™, complete this step.

In Whonix-Workstation ™, open the whonix_firewall configuration file in an editor.

nano /etc/whonix_firewall.d/30_default.conf

Add the following settings to the user firewall settings file opened above (/etc/whonix_firewall.d/50_user.conf, or /rw/config/whonix_firewall.d/50_user.conf in Qubes-Whonix ™), not to 30_default.conf.

WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true

Save.

Reload Firewall

Reload Whonix-Workstation ™ Firewall.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Workstation ™ AppVM (commonly named anon-whonix) → Reload Whonix Firewall

If you are using a graphical Whonix-Workstation ™, complete the following steps.

Start Menu → Applications → System → Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation ™, run.

sudo whonix_firewall

sudoers configuration

Open file /etc/sudoers.d/tunnel_unpriv in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/sudoers.d/tunnel_unpriv

Edit the file so the text looks like the following code block.

Note: This might include removing comments (#) and adding text. Do not remove the lines with the double hashes (##).

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty
Defaults:tunnel env_keep += script_type
Defaults:tunnel env_keep += dev

Save and exit.

VPN Setup

Introduction

The following example uses the free Riseup VPN, because it is known to support TCP, UDP and SSL. However, any preferred VPN can be used.

Update: The Riseup "legacy" VPN may have been discontinued, as it no longer works for the author of these instructions. The Riseup replacement service (Bitmask) has not been tested.

Get VPN Certificate

Look at the Riseup VPN help page for RiseupCA.pem and download it (right-click, save). Store the certificate in /etc/openvpn/RiseupCA.pem. The command below does the same from the terminal; --fail makes sure an HTTP error page is never written into the certificate file.

curl --fail --tlsv1.2 --proto =https https://help.riseup.net/security/network-security/riseup-ca/RiseupCA.pem | sudo tee /etc/openvpn/RiseupCA.pem

VPN Credentials

For this step, a riseup.net account and Riseup account name is required. Go to https://user.riseup.net/users/riseupusername/vpn to obtain a VPN secret (VPN password). Below, replace "riseupusername" with the actual riseup user name, or just go to https://user.riseup.net, login and click on "VPN".

Open file /etc/openvpn/auth.txt in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/openvpn/auth.txt

Add the actual user name and password.

riseupusername
vpnsecret

Save and exit.

VPN IP Address

When editing the VPN configuration file, DNS hostnames are not supported; the VPN server's IP address(es) must be used.[15] Therefore, vpn.riseup.net cannot be used, but an IP address such as 198.252.153.226 should be used instead. To discover the IP address, check with the provider or use nslookup on the host. For example, to resolve vpn.riseup.net, run.

nslookup vpn.riseup.net

VPN Configuration File

Open file /etc/openvpn/openvpn.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/openvpn/openvpn.conf

Add.

Note: make sure to adjust the remote 198.252.153.226 80 variable in your config (unless you are using nyc.vpn.riseup.net as your VPN service). Replace the IP (198.252.153.226) and port (80) to match your VPN service.

##############################
## VPN provider specific settings ##
##############################
auth-user-pass auth.txt

## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80

ca RiseupCA.pem

remote-cert-tls server

####################################
## TUNNEL_FIREWALL specific settings ##
####################################
client
dev tun0
persist-tun
persist-key

script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

user tunnel
iproute /usr/bin/ip_unpriv

############################################
## Connecting to Tor before a VPN specific settings #
############################################

proto tcp

[16] [17]

Save.

install resolvconf

Update the package lists.

sudo apt-get update

Install resolvconf. [18]

sudo apt-get install resolvconf

Users preferring not to install resolvconf should read the footnotes. [19]

DNS Configuration

Open file /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf

Add. [20]

d       /run/resolvconf 0775    root      tunnel    -       -
d       /run/resolvconf/interface         0775      root    tunnel    -    -

Save.

Adjust permissions. [20]

sudo chown --recursive root:tunnel /run/resolvconf

sudo chmod --recursive 775 /run/resolvconf

Open file /etc/resolvconf/run/interface/original.resolvconf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/resolvconf/run/interface/original.resolvconf

Comment everything out by adding a # in front of all entries. Alternatively, empty or delete that file. [21]

Save and exit.

Setup

Configuration Folder Permissions

Since OpenVPN runs as user tunnel, that user needs read access to /etc/openvpn (openvpn.conf, the CA certificate and auth.txt) and write access to /var/run/openvpn for its status file. Note that auth.txt contains the VPN password, so keep its mode restrictive after changing ownership.

sudo chown -R tunnel:tunnel /etc/openvpn

sudo chown -R tunnel:tunnel /var/run/openvpn

systemd setup

Create the OpenVPN systemd service file.

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

Enable the OpenVPN systemd service file.

sudo systemctl enable openvpn@openvpn

Start the OpenVPN systemd service.

sudo systemctl start openvpn@openvpn

Check the OpenVPN systemd service status.

sudo systemctl status openvpn@openvpn

resolvconf adjustments

Restart resolvconf. [22]

sudo service resolvconf restart

Verify DNS Settings

See current /etc/resolv.conf settings.

sudo cat /etc/resolv.conf

Should not include the following settings.[23]

nameserver 10.152.152.10

Should not include the following settings.[24]

nameserver 10.137.3.1
nameserver 10.137.3.254

Should include only the DNS server(s) pushed by your VPN provider. For example.

nameserver 10.5.0.1

whonixcheck

whonixcheck cannot work in this configuration out of the box. To unbreak it.

Open file /etc/whonix.d/50_user.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

sudoedit /etc/whonix.d/50_user.conf

Add.

whonixcheck_skip_functions+=" check_tor_bootstrap "
whonixcheck_skip_functions+=" check_tor_socks_port_reachability "
whonixcheck_skip_functions+=" check_tor_socks_port "
whonixcheck_skip_functions+=" check_tor_trans_port "
whonixcheck_skip_functions+=" check_stream_isolation "
whonixcheck_skip_functions+=" download_whonix_news "

## {{ Alternative to disabling check_tor_trans_port.

## Make the Tor TransPort test work by simulating the Tor SocksPort test succeeded.
#CHECK_TOR_RESULT_SOCKS_PORT=0

## Do not warn if Tor was not detected. (Will be the VPN.)
#WHONIXCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1

## }}

## {{ Alternative to download_whonix_news.

## Download news through system default.
#CURL_PROXY_WHONIX_NEWS="--fail"

## }}

Save.

Qubes specific

Placeholder. Ignore the Qubes specific chapter for now. TODO

When using a TemplateBasedVM, to persist these changes use the Qubes bind dirs mechanism.

sudo mkdir -p /rw/config/qubes-bind-dirs.d

Open file /rw/config/qubes-bind-dirs.d/50_user.conf in an editor with root rights.

(Qubes-Whonix ™: In the TemplateBasedVM, since /rw/config is that VM's own persistent storage)

sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf

binds+=( '/etc/sudoers.d/tunnel_unpriv' )
binds+=( '/etc/openvpn' )
binds+=( '/lib/systemd/system/openvpn@openvpn.service' )
binds+=( '/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service' )

TODO: Does not work yet. Files need to exist first.

/usr/lib/qubes/bind-dirs.sh umount
/usr/lib/qubes/bind-dirs.sh

Test

Test ping to an IP address. Ping Google's DNS server or, better, some server of your choice. Tor itself does not carry ICMP, so a reply proves the packets travelled inside the VPN tunnel.

ping 8.8.8.8

Test DNS. DNS resolve some domain. Resolve check.torproject.org or maybe better some server of your choice.

nslookup check.torproject.org

Run whonixcheck's Tor TransPort test manually, overriding the skip list set above for this one invocation. It exercises DNS and prints the IP address seen by the remote side, which should be the VPN's.

whonixcheck_skip_functions="" \
CHECK_TOR_RESULT_SOCKS_PORT=0 \
WHONIXCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1 \
whonixcheck --function check_tor_trans_port

Done

Done. If you have any issues, see below chapter #Troubleshooting. Once it is working, it is recommended to run the #Leak Tests.

Troubleshooting

You can skip this troubleshooting chapter unless any difficulties are encountered.

ip_unpriv vs ip-unpriv

There are two similar, yet distinct projects: standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. Although both are alike, there is one difference that might be encountered. For instance, in chapter #VPN Configuration File:

  • Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
  • Standalone VPN-FIREWALL uses ip-unpriv (hyphen)


Be sure to use the right version of ip unpriv according to whether the VPN-FIREWALL or Whonix TUNNEL_FIREWALL project is being used.

50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf

Like the example above:

  • Whonix TUNNEL_FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf (underscore)
  • Standalone VPN-FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf (hyphen)

Cannot ioctl TUNSETIFF

ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

OpenVPN runs as the unprivileged user tunnel, so it cannot create a new tun device; it can only attach to the pre-created tun0. In openvpn.conf do not use.

dev tun

Use.

dev tun0

Dev tun Mismatch

The same applies when the device name in openvpn.conf does not match the pre-created device. In openvpn.conf do not use.

dev tun

Use.

dev tun0

/run/openvpn/openvpn.status Permission denied

Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied

Do not start OpenVPN as root. Do not use sudo openvpn, because this will lead to permission issues. Files in the /run/openvpn folder are owned by root, so they cannot be overwritten by the user tunnel.

debug start

To debug, run the following commands in sequence. They recreate tun0 owned by the unprivileged user and then start OpenVPN in the foreground as that user, so errors appear on the terminal.

## remove a stale tun0, if any
sudo /usr/sbin/openvpn --rmtun --dev tun0
## recreate tun0 owned by user/group tunnel, as TUNNEL_FIREWALL expects
sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
## relative paths in openvpn.conf (auth.txt, RiseupCA.pem) resolve from here
cd /etc/openvpn/
## start in the foreground as user tunnel, never as root
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf

Linux ip link set failed

Linux ip link set failed: external program exited with error status: 2

Use ip_unpriv as documented above.

DNS Configuration

This only applies if resolvconf is used.

Permissions on two directories may need to be manually changed if they are not automatically applied. Check if changes are necessary via the following command.

ls -la /run/resolvconf

If the output lists tunnel as having read / write / execute permissions for both /run/resolvconf and /run/resolvconf/interface, then nothing needs modification. If tunnel is not listed as a group for one or both of these directories, then permissions need to be changed. In that case, run.

sudo chown --recursive root:tunnel /run/resolvconf

Then set the necessary permissions.

sudo chmod --recursive 775 /run/resolvconf

In /run/resolvconf, resolv.conf may or may not be owned by tunnel, depending on whether the systemd service has already started. There is no need to modify permissions on this file, as the permissions will change when the service starts.

Terminology for Support Requests

Phrases such as "over Tor" are ambiguous. Please do not coin idiosyncratic words or phrases, otherwise this leads to confusion. Please use the same terms that are consistently referenced in documentation, such as:

  • How to Connect to a VPN Before Tor (User → VPN → Tor → Internet).
  • How to Connect to Tor Before a VPN (User → Tor → VPN → Internet).
  • And so on.


Always refer to the connection scheme when requesting support: User → VPN → Tor → Internet or User → Tor → VPN → Internet and so on.

How to Submit a Support Request

Before submitting a support request for VPN related issues, users are encouraged to follow the Free Support Principle when working towards a solution. Whonix developers will use the information provided by the user to determine whether the issue is a technical problem (aka bug) and/or a configuration error, which is a common reason for VPN connectivity issues.

Before Whonix developers will review the support request, the following information must be provided.

  • Steps to reproduce the behavior. For example, list all commands that were run up to this point.[25]
  • Actual behavior. (Detailed explanation. Reports stating "VPN does not work" will be rejected.)
  • Expected behavior. (Reports stating "VPN works" will be rejected.)

The following information is also required.

  • All error messages.
  • VPN logs from the debug start section, which can be found under Troubleshooting on this page. Make sure to redact all sensitive information such as VPN server IP addresses. For more on this, see why you should Never Post Full System Logs or Configuration Files. VPN logs are required because a configuration error and/or mismatch may not produce a noticeable error.
  • Please answer: Has the VPN configuration been modified aside from the instructions on this page?

Note: Users are encouraged to troubleshoot their VPN issues in an effort to find a solution. However, if the VPN has been modified with custom configuration options, a favorable outcome is less likely if Whonix developers are not made aware of the modification.

  • Please answer: Is Whonix currently configured to use a second tunnel-link/proxy or bridge?
  • (If applicable) Links to similar issues found on the Whonix forums [archive] and/or other offsite forums/resources.

Leak Tests

Introduction

We want to verify, that the traffic always goes User → Tor → VPN → Internet and not only User → Tor → Internet. Therefore you should run the following related leak tests inside Whonix-Workstation ™. Test Tor Browser, a uwt wrapper deactivated application as well as a regular application for leaks.

uwt wrapped application test

Connect to check.torproject.org with the pre-configured (uwt wrapped) curl.

curl --silent --tlsv1.2 --proto =https https://check.torproject.org | grep IP

[26] [28]

Should show something along the lines of: Your IP address appears to be: xxx.xxx.xxx.xxx, where the address is the IP of your VPN. If the uwt wrappers were not deactivated as described in #Prevent Bypassing of the Tunnel-Link, curl still talks to a Tor SocksPort, the page reports a Tor exit address instead, and the application is bypassing the tunnel-link.

regular application test

Same test as above, but use curl without pre-configured stream isolation.

UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.2 --proto =https https://check.torproject.org | grep IP

[26] [27]

Should show something along the lines of: Your IP address appears to be: xxx.xxx.xxx.xxx
This should be the IP of your VPN.

Browser IP Test

You can skip this test if you do not care about using Tor Browser through the VPN.

If you did correctly configure everything, test your setup. Open https://check.torproject.org [archive] in Tor Browser. It will tell you then "You are not using Tor." and you'll see your VPN's IP. In fact your VPN was tunneled through Tor first. (Because Whonix-Workstation ™ can not make any non-Tor connections by design, everything is tunneled over Tor.)

DNS Leak Test

Other Leak Tests

If you are feeling awesome, you could also run more general leak tests that are not related to tunneling. However, these are more difficult to do and target developers rather than users. If you are interested, see leak tests.


Footnotes

  1. This term was coined in the context of a Tor Transparent Proxy. It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  2. Unless this environment variable is manually unset before starting Tor Browser.
  3. The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to be changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor Browser → Open Network Settings... menu item. It is not useful and is confusing to have in the Whonix-Workstation ™ because:
    • In Whonix ™, there is only limited access to Tor's control port (see Dev/CPFP for more information).
    • For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on the Whonix-Gateway ™, and not from the Whonix-Workstation ™ (see VPN/Tunnel support for more information).
  4. TB_NO_TOR_CON_CHECK=1 needs to be set because there is no filtered Tor ControlPort access when Whonix tunnel firewall is enabled, which would break tb-updater's Tor connectivity check.
  5. By default, if the variable is unset, tb-updater dynamically sets CURL_PROXY to a Tor SocksPort on Whonix-Gateway ™, for example CURL_PROXY="--proxy socks5h://user:password@10.137.6.1:9115".
    By setting it to a curl parameter that is used anyway, i.e. CURL_PROXY="--fail", the environment variable is effectively disabled even though it is technically still set. Downloads then use the system's default networking.
  6. https://github.com/leapcode/bitmask_client/issues/1009 [archive]
  7. At the time of writing Debian 9 stretch was the stable release version.
  8. Tor#UDP
  9. Because a properly configured Qubes VPN-Gateway will be able to resolve DNS.
  10. This is because Tor Browser can no longer access Tor's ControlPort (onion-grater) on Whonix-Gateway ™.
    • Check that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.
    • When testing the VPN connection, do not put any VMs that have previously been used for non-anonymous activities behind your VPN-Gateway. This will burn the VPN, making it unsuitable for use with Whonix ™!
    • If you wish to use a non-Whonix ™ VM behind the VPN-Gateway for testing, create a fresh VM for this purpose.
  11. Tor#UDP
  12. Only proceed if this is successful. Do not post support requests regarding these instructions before completing this basic exercise.
  13. Many VPN service providers include DNS hostnames in their configuration files. The hostnames typically consist of the provider's name followed by a top-level domain (.net, .com, .ch, .pw).
  14. We must run OpenVPN as user 'tunnel', because that is the only user besides user 'clearnet' that is allowed to establish external connections when the Whonix ™ Firewall setting VPN_FIREWALL=1 is used.
  15. /etc/openvpn/update-resolv-conf uses resolvconf. resolvconf needs to be installed for the lines beginning with script-security, up, and down to function properly.
  16. In the /etc/openvpn/openvpn.conf file, change the following text.
    script-security 2
    up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
    down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"
    

    To the following: remove or comment out the lines beginning with up and down, and change script-security 2 to script-security 1.

    script-security 1
    

    Open file /etc/resolv.conf in an editor with root rights.

    (Qubes-Whonix ™: In TemplateVM)

    sudoedit is used here for better security [archive]. This is an example; other editors achieve the same goal.

    sudoedit /etc/resolv.conf

    Comment out.

    #nameserver 10.152.152.10
    

    Add.

    ## Riseup.net OpenVPN DNS server
    nameserver 172.27.100.1
    

    If Riseup is not being used, replace 172.27.100.1 with the VPN provider's DNS server on the VPN's virtual LAN. If unsure, ask the VPN provider. It can also be inferred by running sudo route after successfully connecting to the VPN: the gateway of the first default route should also function as a DNS server.

    Save and exit.

    Users who want to prevent /etc/resolv.conf being overwritten by other packages like DHCP or resolvconf should run.

    sudo chattr +i /etc/resolv.conf
    

    To revert this change, run sudo chattr -i /etc/resolv.conf.

    Ignore the /etc/resolv.conf instructions below.

  17. Removable in Whonix ™ 14 since it was merged into the usability-misc package.
  18. This is done to prevent the old DNS server being used. For further discussion of this issue, see: https://github.com/adrelanos/vpn-firewall/issues/16 [archive]
  19. So changes in /etc/resolvconf/run/interface/original.resolvconf from chapter #DNS Configuration take effect.
  20. This is the standard Whonix ™ DNS server.
  21. These are standard Qubes DNS servers.
  22. To list previous commands, run.
    history
  23. In case you have no functional system DNS, you can alternatively test over TCP only by connecting to the IP address directly, as in the two commands below. The IP 138.201.14.212 might change. You can find out the current one by running the following command inside a VM that has functional system DNS (ideally inside a Whonix-Workstation ™).
    nslookup check.torproject.org
  24. UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212 | grep IP
  25. curl --silent --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212 | grep IP
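As an added example that is not from the Whonix page or project, the following POSIX shell script applies the openvpn.conf and /etc/resolv.conf edits described in footnote 16 to files given as arguments, so it can be tried on copies without root, and verifies the result. The sample openvpn.conf is constructed from the lines quoted in the footnote, and 172.27.100.1 is the Riseup DNS address the footnote uses. Refusing 10.152.152.10 as a nameserver encodes the footnote's point: leaving the Whonix-Gateway ™ as resolver would send DNS through Tor only, bypassing the tunnel-link.

```shell
#!/bin/sh
# Added example, not from the Whonix page: apply the footnote 16 edits to an
# openvpn.conf and a resolv.conf given as arguments, and verify them.
# Works on copies without root; the sample configuration below is constructed.

# patch_openvpn_conf FILE
# Comment out the update-resolv-conf up/down hooks and lower
# "script-security 2" to "script-security 1". Writes via a temp file so
# the edit is atomic and portable (no GNU-only sed -i).
patch_openvpn_conf() {
    tmp=$(mktemp) || return 1
    sed -e 's/^script-security[[:space:]][[:space:]]*2[[:space:]]*$/script-security 1/' \
        -e 's/^\(up[[:space:]].*update-resolv-conf\)/#\1/' \
        -e 's/^\(down[[:space:]].*update-resolv-conf\)/#\1/' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# verify_openvpn_conf FILE
# Succeeds only if no active up/down hook remains and script-security is 1.
verify_openvpn_conf() {
    ! grep -Eq '^[[:space:]]*(up|down)[[:space:]]' "$1" &&
        grep -q '^script-security 1$' "$1"
}

# make_resolv_conf DNS_IP
# Print a resolv.conf pointing at the VPN's resolver. Refuses anything that
# is not a dotted IPv4 address and refuses 10.152.152.10 (the Whonix-Gateway):
# keeping it would resolve names through Tor only and bypass the tunnel-link.
make_resolv_conf() {
    case "$1" in
        ''|*[!0-9.]*|10.152.152.10)
            echo "make_resolv_conf: refusing nameserver '$1'" >&2
            return 1 ;;
    esac
    printf '## VPN provider DNS server (replaces the Whonix-Gateway)\n'
    printf '#nameserver 10.152.152.10\n'
    printf 'nameserver %s\n' "$1"
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/openvpn.conf" <<'EOF'
client
dev tun0
script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"
EOF
patch_openvpn_conf "$demo_dir/openvpn.conf"
verify_openvpn_conf "$demo_dir/openvpn.conf" && echo "openvpn.conf: ok"
cat "$demo_dir/openvpn.conf"
make_resolv_conf 172.27.100.1 > "$demo_dir/resolv.conf"
cat "$demo_dir/resolv.conf"
rm -r "$demo_dir"
```

On a real system the resolv.conf output would be written to /etc/resolv.conf with root rights and then pinned with sudo chattr +i as the footnote describes; the verify function is the check worth keeping, since a stray up/down hook would let update-resolv-conf silently restore the Whonix-Gateway ™ as resolver on the next connect.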


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)