
Connecting to Tor before a VPN

User -> Tor -> VPN -> Internet


Increased Threat of Identity Correlation[edit]

By design, a VPN routes all your applications - those without any proxy settings - through the VPN. You may not want this, as explained below. To circumvent that, you should use this Whonix-Workstation only for the particular application you want to route through the tunnel-link. You are advised to use Multiple Whonix-Workstations.

Prevent Bypassing the Tunnel-Link[edit]

Introduction
In essence, you prevent bypassing the tunnel-link by disabling stream isolation.

By default in Whonix, many pre-installed applications are configured for Stream Isolation. These applications are configured to use Tor SocksPorts instead of Tor's TransPort.

All applications that are configured to use Tor SocksPorts will not be tunneled through the tunnel-link. They will "only" be tunneled through Tor. This is because the following configuration does not touch local connections to 10.152.152.10, which is the Whonix-Gateway. For example, if you wish to tunnel Tor Browser over the route User -> Tor -> tunnel-link -> Internet, you have to remove all proxy settings from Tor Browser, see below.

deactivate uwt wrappers
To permanently deactivate all uwt wrappers, that is, to deactivate stream isolation for all uwt wrapped applications so that they use the system default networking again, proceed as follows.

(Otherwise, if you want more fine-grained control over uwt wrapper deactivation, see Stream_Isolation#Deactivate_uwt_Stream_Isolation_Wrapper.)

Open /etc/uwt.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/uwt.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/uwt.d/50_user.conf

And add.

uwtwrapper_global="0"

Save.


Tor Browser Remove Proxy Settings

Introduction
Applying this configuration would result in Tor Browser no longer using proxy settings, i.e. it is set to no proxy. Tor Browser would then use the (VM) system's default networking, just like any other application inside the workstation that is not explicitly configured to use Tor through socks proxy settings or a socksifier. This is also called transparent torification. [1] It would break Stream Isolation for Tor Browser as well as Tor Browser's tab isolation by socks user name feature, thereby worsening your web fingerprint and making you pseudonymous rather than anonymous. (To limit the risks, consider using More than one Tor Browser in Whonix or, better, Multiple Whonix-Workstations.)

After changing these settings, it is expected that Tor Button shows a red sign and 'Tor Disabled' when you hover over it with the mouse.

To set it to no proxy, set the TOR_TRANSPROXY=1 environment variable. There are various methods to do so; the #/etc/environment Method is the simplest one.

Other methods, with finer-grained scope, follow.

Command Line Method
Get into your Tor Browser folder.

cd ~/tor-browser_en-US

Every time you start Tor Browser, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

start-tor-browser Method
This applies only to the one Tor Browser instance/folder that you configure. This method might not persist when Tor Browser is updated.

Find and open start-tor-browser in the Tor Browser folder in an editor. Most likely it is ~/tor-browser_en-US/Browser/start-tor-browser. Add the following line below #!/usr/bin/env bash.

export TOR_TRANSPROXY=1

/etc/environment Method
This applies to the whole environment, i.e. to any custom locations of Tor Browser installation folders.[2]

Open /etc/environment in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/environment

If you are using a terminal-only Whonix, run:

sudo nano /etc/environment

Add the following content.

TOR_TRANSPROXY=1

Save.

Reboot.

Undo
Undoing this setting is undocumented. Simply no longer setting that environment variable will not do the trick. This is because of limitations of Tor Browser. The easiest way to undo these instructions would be to start over with a fresh installation of Tor Browser. Please contribute these instructions.

Forget about Tor Button's Open Network Settings
Forget about Tor Button's -> Open Network Settings. See footnote, if you want to know why.[3]


Deactivate Misc Proxy Settings

On the Stream Isolation page, there is a list of applications that are pre-configured to use socks proxy settings via application configuration files. To disable this, you must go to the application's settings and remove what Whonix has applied by default.

TODO: document, expand

For some applications this is impossible.

  • sdwdate
  • Ricochet IM

Those can only talk to Tor Hidden Services directly. You cannot configure them to use the system default. You can only deactivate sdwdate and/or not use Ricochet IM.

Use a Fail Closed Mechanism[edit]

A general problem with VPNs is that the connection often fails to remain open: when the VPN connection drops, the user is directly connected to the Internet without tunneling through the VPN. This is not a Whonix specific problem. VPN servers and VPN software can occasionally break down without announcement. This means that if the VPN is unreachable or the connection breaks down for whatever reason, in most cases you continue to connect to the internet without the VPN.

One of the benefits of Whonix is that when a VPN connection breaks down, you still have the protections provided by Tor. In such an event where the VPN connection breaks down, Whonix-Workstation will seamlessly continue to make "direct" connections through Tor. If you are using the VPN only to circumvent the censorship of Tor, you may not care so much. On the other hand, if you believe a VPN improves your security, you should make sure that when the VPN connection breaks down, all connections with the outside world and your computer cease.

Instructions below include a fail closed mechanism.


Setup Tor before a VPN (User -> Tor -> VPN -> Internet)[edit]

Introduction[edit]

There are two methods.


Separate VPN-Gateway[edit]

A separate VPN-Gateway between Whonix-Gateway and Whonix-Workstation, i.e. Whonix-Workstation -> VPN-Gateway -> Whonix-Gateway.

Qubes-Whonix only! Non-Qubes-Whonix is unsupported!

User -> Tor -> VPN -> Internet

These "Separate VPN-Gateway" instructions are new. You might be one of the first users. You might run into minor issues. Please test and report how it went.

Create a new ProxyVM called for example VPN-Gateway.

Set the NetVM of the VPN-Gateway to Whonix-Gateway (commonly called sys-whonix).

Note that UDP-style VPN connections will not work with Tor. Therefore configure the VPN to use TCP. [4] You can do that by adding proto tcp to your VPN configuration file /rw/config/vpn/openvpn-client.ovpn. Although this should be supported by most VPN providers, it is possibly not supported by all VPN providers.

Set up the VPN-Gateway as per the Qubes VPN documentation for ProxyVMs. It is also highly recommended to set up the iptables firewall rules as described in the Qubes VPN documentation to prevent clearnet traffic when the VPN breaks down. (In that case, Whonix-Workstation (commonly called anon-whonix) traffic would only go User -> Tor -> Internet as opposed to User -> Tor -> VPN -> Internet, which is what you want if you are reading this documentation chapter.)

Check that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.

In Whonix-Workstation (commonly called anon-whonix) you might want to apply the instructions from the chapter #Prevent Bypassing the Tunnel-Link above.

No DNS configuration required. System DNS should work out of the box. [5]

If you were to use Tor Browser, it would show the following warning:

Something Went Wrong!
Tor is not working in this browser.

This is because Tor Browser can no longer access Tor's ControlPort (control-port-filter-proxy-python) on Whonix-Gateway.

For troubleshooting, see footnote. [6]

Done. It is recommended to run the related #Leak Tests.

Whonix user forum discussion:
https://forums.whonix.org/t/setup-a-vpn-in-proxyvm-over-sys-whonix

[7]


Inside Whonix-Workstation[edit]

Connect to your VPN using your preferred software *inside* the (Whonix-)Workstation.

Note that UDP-style VPN connections will not work with Tor. Therefore configure the VPN to use TCP. [4] You can do that by adding proto tcp to your VPN configuration file /etc/openvpn/openvpn.conf. Although this should be supported by most VPN providers, it is possibly not supported by all VPN providers.

User -> Tor -> VPN -> Internet

Whonix TUNNEL_FIREWALL vs standalone VPN-Firewall[edit]

When applying VPN instructions inside Whonix VMs, do not use the standalone VPN-Firewall. It is incompatible and not required, because below it is documented how to use the integrated Whonix TUNNEL_FIREWALL feature.

Preparation[edit]

Since setting up OpenVPN on Whonix, including a secure, leak-preventing Fail Closed Mechanism, is challenging, it is highly recommended to first learn how to set up OpenVPN on Debian stable (currently: jessie). Get a Debian stable VM. Install the Debian openvpn package (sudo apt-get install openvpn). Figure out how to set up your VPN using OpenVPN on the command line. Only proceed if you succeeded in setting that up. Do not post support requests regarding these instructions before you have succeeded with that basic exercise. You can find some help with general VPN setup in the #VPN Setup chapter or on the TestVPN page. There are, however, other sources of help for that basic exercise; your VPN provider may also be of assistance.

Whonix 12 users may remember the variable VPN_SERVERS. Do not be surprised: that variable was abolished for better security. [8]

Prerequisite Knowledge[edit]

Highly recommended reading and understanding before proceeding: Whonix Debian Packages

Firewall Settings[edit]

Modify Whonix User Firewall Settings.

Note: Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-ws -> Whonix User Firewall Settings

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> Settings -> User Firewall Settings

If you are using a terminal-only Whonix-Workstation, complete the following steps:

sudo nano /etc/whonix_firewall.d/50_user.conf

More background on the firewall settings files follows.

Note: Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains the default settings and explanatory comments on the purpose of these settings. It gets opened read-only by default; you are not supposed to edit this file directly. Below, we recommend opening the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, complete the following steps.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-ws -> Whonix Global Firewall Settings

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> Settings -> Global Firewall Settings

If you are using a terminal-only Whonix-Workstation, complete the following steps:

nano /etc/whonix_firewall.d/30_default.conf

Add the following settings. You can skip comments (starting with #). Don't use ; for comments. [9] Likely you do not need to uncomment (remove the # in front of) or modify VPN_INTERFACE / LOCAL_NET.

WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true

Save.

Reload Firewall[edit]

Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run:

sudo whonix_firewall

sudoers configuration[edit]

Open /etc/sudoers.d/tunnel_unpriv in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/sudoers.d/tunnel_unpriv

If you are using a terminal-only Whonix, run:

sudo nano /etc/sudoers.d/tunnel_unpriv

Comment in, i.e. remove the single hashes (#) in front of all lines, but do not remove the double hashes (##), so it looks like this.

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty

Save.

Add.

Defaults:tunnel env_keep += script_type
Defaults:tunnel env_keep += dev

Save.

VPN Setup[edit]
Introduction[edit]

In the following example we are using the free Riseup VPN, because it is known to support TCP, UDP, SSL. You can use any VPN you like.

Update: Riseup "legacy" VPN may have been discontinued. It did not work anymore for the author of these instructions. The riseup replacement service bitmask has not been tested.

Get VPN Certificate[edit]

Look inside the riseup VPN help page for RiseupCA.pem and (right click) download it. Store it in /etc/openvpn/RiseupCA.pem.

scurl https://help.riseup.net/security/network-security/riseup-ca/RiseupCA.pem | sudo tee /etc/openvpn/RiseupCA.pem
VPN Credentials[edit]

You need a riseup.net account, and you need to know your riseup account name. Go to https://user.riseup.net/users/riseupusername/vpn to obtain your VPN secret (VPN password). (Replace "riseupusername" with your actual riseup user name.) (Or just go to https://user.riseup.net, log in and click on "VPN".)

Open /etc/openvpn/auth.txt in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/openvpn/auth.txt

If you are using a terminal-only Whonix, run:

sudo nano /etc/openvpn/auth.txt

Add. (Add your actual user name and password.)

riseupusername
vpnsecret

Save.

VPN IP Address[edit]

Note: you must use IP addresses, not DNS hostnames. For example, you cannot use vpn.riseup.net; you have to use an IP address such as 198.252.153.226. You can find out the IP address from your provider or by running nslookup on the hostname. Example (use your actual VPN DNS hostname, not vpn.riseup.net):

nslookup vpn.riseup.net
VPN Configuration File[edit]

Open /etc/openvpn/openvpn.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/openvpn/openvpn.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/openvpn/openvpn.conf

Add.

Note: make sure to adjust the remote 198.252.153.226 80 variable in your config (unless you are using nyc.vpn.riseup.net as your VPN service). Replace the IP (198.252.153.226) and port (80) to match your VPN service.

##############################
## VPN provider specific settings ##
##############################
auth-user-pass auth.txt

## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80

ca RiseupCA.pem

remote-cert-tls server

####################################
## TUNNEL_FIREWALL specific settings ##
####################################
client
dev tun0
persist-tun
persist-key

script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

user tunnel
iproute /usr/bin/ip_unpriv

############################################
## Connecting to Tor before a VPN specific settings #
############################################

proto tcp

[10] [11]

Save.
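Before starting the service, it is worth checking the file you just wrote against the constraints this page places on it (TCP transport, a numbered tun device, an IP literal for remote, the unprivileged tunnel user and the ip_unpriv wrapper). The following script is an added example, not code from the Whonix page or project; it assumes the config layout shown above and the file paths named on this page, and the script name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Whonix page or project: lint an OpenVPN client
# config for the pitfalls this page documents before starting openvpn@openvpn.
# Assumed layout (taken from the config shown above): proto tcp, dev tun0,
# user tunnel, iproute /usr/bin/ip_unpriv and an IP literal in "remote".

# Print one "WARN: ..." line per problem found; return 1 if any problem, else 0.
lint_openvpn_conf() {
    conf="$1"
    problems=0

    # Tor only transports TCP, so a UDP-style VPN cannot work through it.
    if ! grep -Eq '^[[:space:]]*proto[[:space:]]+tcp' "$conf"; then
        echo "WARN: no 'proto tcp' line; UDP-style VPN connections do not work over Tor"
        problems=1
    fi

    # A bare 'dev tun' causes the TUNSETIFF / dev tun mismatch errors; use dev tun0.
    if grep -Eq '^[[:space:]]*dev[[:space:]]+tun[[:space:]]*$' "$conf"; then
        echo "WARN: 'dev tun' found; use a numbered device such as 'dev tun0'"
        problems=1
    fi

    # Whonix TUNNEL_FIREWALL ships ip_unpriv (underscore); ip-unpriv (hyphen)
    # belongs to the standalone VPN-Firewall and is wrong here.
    if grep -q 'ip-unpriv' "$conf"; then
        echo "WARN: 'ip-unpriv' (hyphen) found; Whonix TUNNEL_FIREWALL uses /usr/bin/ip_unpriv"
        problems=1
    fi
    if ! grep -Eq '^[[:space:]]*iproute[[:space:]]+/usr/bin/ip_unpriv' "$conf"; then
        echo "WARN: no 'iproute /usr/bin/ip_unpriv' line; 'ip link set' will fail as user tunnel"
        problems=1
    fi

    # OpenVPN must drop privileges to user tunnel, the only user the firewall lets out.
    if ! grep -Eq '^[[:space:]]*user[[:space:]]+tunnel([[:space:]]|$)' "$conf"; then
        echo "WARN: no 'user tunnel' line; OpenVPN would keep running as root"
        problems=1
    fi

    # 'remote' must be an IP literal: hostnames cannot be resolved before the tunnel is up.
    remotes=$(awk '$1 == "remote" {print $2}' "$conf")
    for host in $remotes; do
        if ! printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "WARN: remote '$host' is a hostname; use its IP address (see nslookup above)"
            problems=1
        fi
    done

    return "$problems"
}

# Usage (script name is a placeholder): sh lint_openvpn_conf.sh /etc/openvpn/openvpn.conf
if [ "$#" -gt 0 ]; then
    lint_openvpn_conf "$1"
fi
```

A clean run prints nothing and exits 0; each warning names the troubleshooting entry it corresponds to, so the file can be fixed before the fail-closed firewall hides the symptom behind a silently dead connection.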

install resolvconf[edit]

Update package lists.

sudo apt-get update

Install resolvconf. [12]

sudo apt-get install resolvconf

(If you do not wish to install resolvconf then please see footnotes. [13])

This will remove several Whonix meta packages. To find out what that is about and what the following command is good for, please read the prerequisite knowledge wiki page Whonix Debian Packages.

sudo aptitude keep-all

Next time you run whonixcheck you will get the following warning.

Whonix Meta Packages test Result: Whonix-Workstation detected that the meta package (non-)qubes-whonix-workstation is not installed

The background of this is also explained on the wiki page Whonix Debian Packages.

DNS Configuration[edit]

Open /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf

If you are using a terminal-only Whonix, run:

sudo nano /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf

Add. [14]

d /run/resolvconf           0775 root tunnel - -
d /run/resolvconf/interface 0775 root tunnel - -

Save.

Adjust permissions. [14]

sudo chown --recursive root:tunnel /run/resolvconf
sudo chmod --recursive 775 /run/resolvconf

Open /etc/resolvconf/run/interface/original.resolvconf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/resolvconf/run/interface/original.resolvconf

If you are using a terminal-only Whonix, run:

sudo nano /etc/resolvconf/run/interface/original.resolvconf

Comment everything out by adding a # in front of all entries. Alternatively empty or delete that file. [15]

Save.

Setup[edit]

Configuration Folder Permissions[edit]

Since we will be running OpenVPN under user tunnel, that user requires read access to folder /etc/openvpn.

sudo chown -R tunnel:tunnel /etc/openvpn
sudo chown -R tunnel:tunnel /var/run/openvpn
systemd setup[edit]

Create the OpenVPN systemd service file.

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

Enable the OpenVPN systemd service file.

sudo systemctl enable openvpn@openvpn

Start the OpenVPN systemd service.

sudo service openvpn@openvpn start

Check the OpenVPN systemd service status.

sudo service openvpn@openvpn status
resolvconf adjustments[edit]

Restart resolvconf. [16]

sudo service resolvconf restart
Verify DNS Settings[edit]

See current /etc/resolv.conf settings.

sudo cat /etc/resolv.conf

Should not include the following settings.[17]

nameserver 10.152.152.10

Should not include the following settings.[18]

nameserver 10.137.3.1
nameserver 10.137.3.254

Should include only the DNS server of your DNS provider. For example.

nameserver 10.5.0.1
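
The check above is easy to get wrong by eye, and the /run/resolvconf ownership set earlier is just as easy to lose after a reboot. The following script is an added example, not code from the Whonix page or project: it reads a resolv.conf and flags the Whonix-Gateway and Qubes DNS servers named on this page, and it verifies that a directory is group tunnel with rwx for the group, as the chown/chmod step in DNS Configuration requires. The script name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Whonix page or project: verify the DNS side of
# the setup after 'sudo service resolvconf restart'. Checks that resolv.conf no
# longer names the Whonix-Gateway (10.152.152.10) or Qubes (10.137.x.x) DNS
# servers, and that /run/resolvconf is group tunnel with rwx for that group.
# Paths, addresses and the tunnel group are assumed from this page.

# Print a verdict per active nameserver in the given file; return 1 on any problem.
check_resolv_conf() {
    file="${1:-/etc/resolv.conf}"
    # Only active lines count; commented-out '#nameserver ...' lines are ignored.
    servers=$(awk '$1 == "nameserver" {print $2}' "$file")
    if [ -z "$servers" ]; then
        echo "FAIL: no active nameserver in $file; DNS cannot work"
        return 1
    fi
    status=0
    for ns in $servers; do
        case "$ns" in
            10.152.152.10)
                echo "FAIL: $ns is the Whonix-Gateway DNS server; VPN DNS is not in effect"
                status=1 ;;
            10.137.*)
                echo "FAIL: $ns is a Qubes DNS server; VPN DNS is not in effect"
                status=1 ;;
            *)
                echo "OK: nameserver $ns (should be your VPN provider's DNS server)" ;;
        esac
    done
    return "$status"
}

# Check that a directory belongs to the given group and that the group has rwx,
# which is what 'chown root:tunnel' plus 'chmod 775' on /run/resolvconf produce.
check_dir_group_rwx() {
    dir="$1"
    group="$2"
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi
    # 'ls -ld' prints e.g. "drwxrwxr-x 2 root tunnel 60 <date> /run/resolvconf";
    # field 1 is the mode string and field 4 the group.
    set -- $(ls -ld "$dir")
    mode="$1"
    owner_group="$4"
    group_bits=$(printf '%s' "$mode" | cut -c5-7)
    if [ "$owner_group" != "$group" ]; then
        echo "FAIL: $dir is group $owner_group, expected $group"
        return 1
    fi
    if [ "$group_bits" != "rwx" ]; then
        echo "FAIL: $dir group permissions are '$group_bits', expected 'rwx'"
        return 1
    fi
    echo "OK: $dir is $mode $owner_group"
    return 0
}

# Usage on a configured Whonix-Workstation (script name is a placeholder):
#   sh verify_vpn_dns.sh --run
if [ "${1:-}" = "--run" ]; then
    check_resolv_conf /etc/resolv.conf
    check_dir_group_rwx /run/resolvconf tunnel
    check_dir_group_rwx /run/resolvconf/interface tunnel
fi
```

Run it with --run after the resolvconf restart; if the Whonix-Gateway address is still listed, the VPN's DNS push did not take effect and the update-resolv-conf hooks or the directory permissions are the first things to recheck.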
whonixcheck[edit]

whonixcheck cannot work in this configuration out of the box. To unbreak it, add the following settings to /etc/whonix.d/50_user.conf.

Open /etc/whonix.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/whonix.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/whonix.d/50_user.conf

whonixcheck_skip_functions+=" check_tor_bootstrap "
whonixcheck_skip_functions+=" check_tor_socks_port_reachability "
whonixcheck_skip_functions+=" check_tor_socks_port "
whonixcheck_skip_functions+=" check_tor_trans_port "
whonixcheck_skip_functions+=" check_stream_isolation "
whonixcheck_skip_functions+=" download_whonix_news "

## {{ Alternative to disabling check_tor_trans_port.

## Make the Tor TransPort test work by simulating the Tor SocksPort test succeeded.
#CHECK_TOR_RESULT_SOCKS_PORT=0

## Do not warn if Tor was not detected. (Will be the VPN.)
#WHONIXCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1

## }}

## {{ Alternative to download_whonix_news.

## Download news through system default.
#CURL_PROXY_WHONIX_NEWS="--fail"

## }}

Save.

Qubes specific[edit]

Placeholder. Ignore the Qubes specific chapter for now. TODO

When using a TemplateBasedVM, to persist these changes use the Qubes bind dirs mechanism.

sudo mkdir /rw/config/qubes-bind-dirs.d

Open /rw/config/qubes-bind-dirs.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /rw/config/qubes-bind-dirs.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /rw/config/qubes-bind-dirs.d/50_user.conf

binds+=( '/etc/sudoers.d/tunnel_unpriv' )
binds+=( '/etc/openvpn' )
binds+=( '/lib/systemd/system/openvpn@openvpn.service' )
binds+=( '/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service' )

TODO: Does not work yet. Files need to exist first.

/usr/lib/qubes/bind-dirs.sh umount
/usr/lib/qubes/bind-dirs.sh
Test[edit]

Test ping to an IP address: ping Google's DNS server or, better, some server of your choice.

ping 8.8.8.8

Test DNS: resolve some domain, for example check.torproject.org or, better, some server of your choice.

nslookup check.torproject.org

Test DNS and output the IP address.

whonixcheck_skip_functions="" \
CHECK_TOR_RESULT_SOCKS_PORT=0 \
WHONIXCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1 \
whonixcheck --function check_tor_trans_port
Done[edit]

Done. If you have any issues, see below chapter #Troubleshooting. Once it is working, it is recommended to run the #Leak Tests.

Troubleshooting[edit]

You can skip this troubleshooting chapter unless you notice any issues.

ip_unpriv vs ip-unpriv[edit]

There are two similar but distinct projects: the standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. They share many similarities, but there is one difference you might stumble upon in chapter #VPN Configuration File.

  • Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
  • Standalone VPN-FIREWALL uses ip-unpriv (hyphen)

So make sure you are using the right version of ip unpriv for the project you are using, VPN-FIREWALL or Whonix TUNNEL_FIREWALL.

50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf[edit]

Similar to above...

  • Whonix TUNNEL_FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf (underscore, like ip_unpriv)
  • Standalone VPN-FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf (hyphen, like ip-unpriv)
Cannot ioctl TUNSETIFF[edit]
ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

In openvpn.conf do not use.

dev tun

Use.

dev tun0
Dev tun mismatch[edit]

In openvpn.conf do not use.

dev tun

Use.

dev tun0
/run/openvpn/openvpn.status Permission denied[edit]
Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied

Do not start openvpn as root, i.e. do not use "sudo openvpn". This leads to permission issues: files in the /run/openvpn folder would be owned by root, so they cannot be overwritten by user tunnel.

debug start[edit]

Debug start in command line.

sudo /usr/sbin/openvpn --rmtun --dev tun0
sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
cd /etc/openvpn/
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
Linux ip link set failed[edit]
Linux ip link set failed: external program exited with error status: 2

Use ip_unpriv as documented above.

DNS Configuration[edit]

If you are using resolvconf only...

You may need to manually change permissions on two directories if they are not automatically applied. Check to see if changes are necessary by running the following command:

ls -al /run/resolvconf

If the output lists tunnel as having read/write/execute permissions for both /run/resolvconf and /run/resolvconf/interface then you will not need to modify anything. If tunnel is not listed as group for one or both of these directories then you will need to change the permissions, like so:

sudo chown --recursive root:tunnel /run/resolvconf

Then set the permission bits:

sudo chmod --recursive 775 /run/resolvconf

In /run/resolvconf, resolv.conf may or may not be owned by tunnel depending on whether the systemd service has started already or not. There is no need to modify permissions on this file, as its permissions will change when the service starts.

Terminology for Support Requests[edit]

Phrases such as "over Tor" are ambiguous. Please do not coin your own terms; that leads to people talking past each other. Please use the same terms that are consistently used in the documentation, such as:

  • How to connect to a VPN before Tor (User -> VPN -> Tor -> Internet)
  • How to connect to Tor before a VPN (User -> Tor -> VPN -> Internet)
  • etc.

Always refer to the connection scheme, User -> VPN -> Tor -> Internet or User -> Tor -> VPN -> Internet etc.


Leak Tests[edit]

Introduction[edit]

We want to verify that the traffic always goes User -> Tor -> VPN -> Internet and not only User -> Tor -> Internet. Therefore you should run the following related leak tests inside Whonix-Workstation. Test Tor Browser, a uwt wrapper deactivated application as well as a regular application for leaks.

regular application test[edit]

Same test as the uwt wrapped application test below, but using curl without pre-configured stream isolation.

UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.2 --proto =https https://check.torproject.org | grep IP

[19] [20]

This should show something along the lines of: Your IP address appears to be: xxx.xxx.xxx.xxx
The IP shown should be the IP of your VPN.

uwt wrapped application test[edit]

Connect to check.torproject.org.

curl --silent --tlsv1.2 --proto =https https://check.torproject.org | grep IP

[19] [21]
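Both curl tests above end in a grep whose output you then compare by eye with your VPN's address. The following script is an added example, not code from the Whonix page or project: it runs the regular (uwt passthrough) and uwt wrapped fetches and compares the reported exit IP against the VPN IP you pass in. The response format "Your IP address appears to be: x.x.x.x" is taken from this page; the HTML tag stripping around it and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Whonix page or project: run the two
# check.torproject.org tests above and verify the reported exit IP is the VPN's.
# The expected VPN IP is supplied by the user; the response text
# "Your IP address appears to be: x.x.x.x" is assumed from the page.

# Read page text on stdin and print the IP that check.torproject.org reports.
# HTML tags are stripped first (the address is typically wrapped in <strong>).
reported_ip() {
    sed 's/<[^>]*>//g' \
        | sed -n 's/.*Your IP address appears to be:[[:space:]]*\([0-9.]*\).*/\1/p' \
        | head -n 1
}

# Read page text on stdin; return 0 if it reports exactly the expected VPN IP,
# 1 if another IP is reported (traffic went User -> Tor -> Internet only),
# 2 if no IP could be parsed (request failed or the page format changed).
verify_exit_ip() {
    expected="$1"
    ip=$(reported_ip)
    if [ -z "$ip" ]; then
        echo "NO RESULT: could not find an IP in the response"
        return 2
    fi
    if [ "$ip" = "$expected" ]; then
        echo "OK: exit IP $ip is the VPN"
        return 0
    fi
    echo "MISMATCH: exit IP is $ip, not the VPN IP $expected (traffic went User -> Tor -> Internet only)"
    return 1
}

# Regular application test: bypass the uwt wrapper, use system default networking.
fetch_regular() {
    UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.2 --proto =https https://check.torproject.org
}

# uwt wrapped application test: curl as configured by Whonix. With the uwt
# wrappers still active this goes through a Tor SocksPort and, as the Prevent
# Bypassing chapter explains, does not pass through the VPN.
fetch_uwt_wrapped() {
    curl --silent --tlsv1.2 --proto =https https://check.torproject.org
}

# Usage (script name is a placeholder): sh leak_test.sh <your VPN's exit IP>
if [ "$#" -gt 0 ]; then
    echo "regular application:"
    fetch_regular | verify_exit_ip "$1"
    echo "uwt wrapped application:"
    fetch_uwt_wrapped | verify_exit_ip "$1"
fi
```

The distinct exit codes matter for the fail-closed goal: a MISMATCH (1) on the regular application means traffic is reaching the Internet without the VPN, while NO RESULT (2) after the VPN is down is the behaviour the TUNNEL_FIREWALL is supposed to produce.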

Browser IP Test[edit]

You can skip this test if you do not care about using Tor Browser through the VPN.

If you configured everything correctly, test your setup: open https://check.torproject.org in Tor Browser. It will tell you "You are not using Tor." and you will see your VPN's IP. In fact your VPN was tunneled through Tor first. (Because Whonix-Workstation cannot make any non-Tor connections by design, everything is tunneled over Tor.)

DNS Leak Test[edit]

Other Leak Tests[edit]

If you are feeling awesome, you could also run more general leak tests that are not related to tunneling. However, these are more difficult to do and target developers rather than users. If you are interested, see leak tests.


Footnotes[edit]

  1. That term was coined in context of a Tor Transparent Proxy. A simple gateway that routes all connections through Tor and does not provide Stream Isolation.
  2. Unless you manually unset this environment variable before starting Tor Browser.
  3. When using the regular Tor Browser Bundle from The Tor Project without Whonix, that menu can be used to change network settings inside Tor. It has the same effects as editing Tor's config file torrc.

    Using this graphical user interface isn't possible in Whonix, because for security reasons there is only limited access to Tor's control port in Whonix. (See Dev/CPFP for more information.) You could change such settings manually in /etc/tor/torrc on Whonix-Gateway. (See also VPN/Tunnel support for more information.)

    We are setting environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 to disable the "TorButton" -> "Open Network Settings..." menu item. It is not useful and confusing to have on a workstation, because Tor must be configured on the gateway, which is for security reasons forbidden from the workstation.
  4. Tor#UDP
  5. Because a properly configured Qubes VPN-Gateway will be able to resolve DNS.
    • Check, that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.
    • Add a non-Whonix VM behind your VPN-Gateway. For example, add a debian based AppVM behind your VPN-Gateway. Figure out if the VPN-Gateway works at all before involving Whonix.
  6. https://phabricator.whonix.org/T460
  7. That config file is a bash fragment.
  8. The /usr/bin/ip_unpriv wrapper script, the /etc/sudoers.d/tunnel_unpriv sudoers file and the /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf systemd drop-in are all provided by the usability-misc package.
  9. We must run OpenVPN as user 'tunnel', because that is the only user besides user clearnet that will be allowed to establish external connections when using Whonix Firewall setting VPN_FIREWALL=1.
  10. /etc/openvpn/update-resolv-conf uses resolvconf. You will need to install resolvconf in order for the lines beginning with script-security, up, and down to function properly.
  11. In the /etc/openvpn/openvpn.conf file change...
    script-security 2
    up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
    down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

    to this (i.e. remove or comment out the lines beginning with "up" and "down" and change the 2 to a 1)

    script-security 1

    Open /etc/resolv.conf in an editor with root rights.

    If you are using a graphical Whonix or Qubes-Whonix, run:

    kdesudo kwrite /etc/resolv.conf

    If you are using a terminal-only Whonix, run:

    sudo nano /etc/resolv.conf

    Comment out.

    #nameserver 10.152.152.10

    Add.

    ## Riseup.net OpenVPN DNS server
    nameserver 172.27.100.1

    If you are not using riseup, you need to replace 172.27.100.1 with the virtual LAN IP address of your VPN provider's DNS server. You might be able to obtain it from your VPN provider. You can also try to infer it after successfully connecting to the VPN by running "sudo route": the first default gateway destination should function as DNS server as well.

    Save.

    If you want to be sure that /etc/resolv.conf does not get overwritten by other packages (such as DHCP or resolvconf), run:

    sudo chattr +i /etc/resolv.conf

    If you ever want to remove the immutable flag again, use chattr -i.

    Ignore /etc/resolv.conf instructions below.

  12. Removable in Whonix 14, since merged into the usability-misc package.
  13. This is done to prevent the old DNS server being used. Further discussion: https://github.com/adrelanos/vpn-firewall/issues/16
  14. So changes in /etc/resolvconf/run/interface/original.resolvconf from chapter #DNS Configuration take effect.
  15. This is the standard Whonix DNS server.
  16. These are standard Qubes DNS servers.
  17. In case you have no functional system DNS, you could alternatively just test TCP. The IP 138.201.14.212 might change. You can find out the current one by running the following command inside a VM that has functional system DNS. (Ideally inside a Whonix-Workstation.)
    nslookup check.torproject.org
  18. UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212 | grep IP
  19. curl --silent --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212 | grep IP
