Jump to: navigation, search

Tunnels/Connecting to a VPN before Tor


Connecting to a VPN before Tor

User -> VPN -> Tor -> Internet


Connecting to a VPN before Tor (User -> VPN -> Tor -> Internet)[edit]

Introduction[edit]


What's the difference of installing a VPN on the host versus installing on Whonix-Gateway?

If the VPN is installed on the host If the VPN is installed on Whonix-Gateway If a VPN is installed on the host and another VPN on Whonix-Gateway
all Whonix traffic goes user -> host's VPN -> Tor -> Internet user -> gateway's VPN -> Tor -> Internet user -> host's VPN -> gateway's VPN -> Tor -> Internet
all host traffic goes user -> host's VPN -> Internet user -> Internet user -> host's VPN -> Internet
When Whonix-Gateway ever gets compromised left with protections by the host's VPN left without any protections left with protections by the host's VPN

When making the decision, you must ask yourself...

What do you want to hide from your ISP? All traffic[1]? Then install the VPN on the host.

What should your VPN provider be able to see? All traffic[1]? Then install the VPN on the host.

Should your VPN provider only be able to see Tor traffic but not your clearnet traffic? Then install the VPN on Whonix-Gateway.


Separate VPN-Gateway[edit]

Qubes-Whonix only! Non-Qubes-Whonix is unsupported!

A separate VPN-Gateway between Whonix-Gateway and sys-firewall, i.e. Whonix-Workstation -> Whonix-Gateway -> VPN-Gateway -> sys-firewall -> sys-net.

User -> VPN -> Tor -> Internet

These "Separate VPN-Gateway" instructions are new. You might be one of the first users. You might run into minor issues. Please test and report how it went.

Create a new ProxyVM called for example sys-vpn.

Set the NetVM of Whonix-Gateway (commonly called sys-whonix) to sys-vpn.

Both, the VPN software either using TCP and UDP should work.

Setup the VPN-Gateway as per Qubes VPN documentation for ProxyVMs. It is also highly recommended to setup the iptables firewall rules as described in Qubes VPN documentation to prevent clearnet traffic when the VPN breaks down. (In that cases, Whonix-Gateway (commonly called sys-whonix traffic would only go user -> Tor -> Internet as opposed to user -> VPN -> Tor -> Internet, which is what you want if you are reading this documentation chapter.

Check, that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.

No DNS configuration for Whonix-Gateway required. [2]

For troubleshooting, see footnote. [3]


On the Host[edit]

Non-Qubes-Whonix only! (Because in Qubes, the host is non-networked by default. Qubes-Whonix users have the option to use a #Separate VPN-Gateway but could also install the VPN software #Inside Whonix-Gateway.)

User -> VPN -> Tor -> Internet

When using a Whonix-Gateway virtual machine, connect to a VPN using software on the host operating system (and not on the Whonix-Workstation nor Whonix-Gateway).

Using software inside the host operating system may be more convenient if your more familiar with the host operating system than Whonix. Additionally, your VPN provider might provide custom software with tools for connecting to their servers. However, there are issues that you must consider:

  • A VPN on the host operating system will route all traffic originating from the host through the VPN, as well as Whonix's traffic. It is up to your preferences, if you like this or not.
  • Your VPN software may not be designed or configured to "fail closed". That is, if your VPN session suddenly disconnects, your Tor connection will be automatically sent through your ISP without going through your VPN service.

How to add the VPN in Host OS[edit]

Use the host operating system's built-in tools connect to your VPN or use the software provided by your VPN service.

Use a Fail Closed Mechanism[edit]

A general problem with VPNs is that during a connection, they often fail to remain open (meaning that the VPN connection becomes closed, in which the user is now directly connected to the Internet without tunneling through the VPN). This is not a Whonix specific problem. VPN servers and VPN software can occasionally break down without announcement. This means, if the VPN is unreachable, the connection breaks down for whatever reason, which in most cases you continue to connect to the internet without the VPN.

One of the benefits of Whonix is that when a VPN connection breaks down, you still have the protections provided by Tor. In such an event where the VPN connection breaks down, Whonix-Workstation will seamlessly continue to make "direct" connections through Tor. If you are using the VPN only to circumvent the censorship of Tor, you may not care so much. On the other hand, if you believe a VPN improves your security, you should make sure that when the VPN connection breaks down, all connections with the outside world and your computer cease.

If you want to enforce, that the VPN always gets used, try VPN-Firewall.

(Or if that works for you, install the VPN on the gateway instead, because it comes with an integrated TUNNEL_FIREWALL feature, i.e. stay away from the standalone VPN-Firewall when you set up a VPN on the gateway.)


Inside Whonix-Gateway[edit]

Whonix-Gateway can be configured to connect to a VPN server before Tor, as well as "fail closed", blocking all Tor traffic if the VPN disconnects.

User -> VPN -> Tor -> Internet

Whonix TUNNEL_FIREWALL vs standalone VPN-Firewall[edit]

When applying VPN instructions inside Whonix VMs, do not use and forget about standalone VPN-Firewall. It is incompatible and not required because below it is documented how to use the integrated Whonix TUNNEL_FIREWALL feature.

Setup Time[edit]

If you are interested in Hide Tor and Whonix from your ISP (read that page first)... After installing Whonix-Gateway, do the following steps before activating Tor in Whonix Setup Wizard.

Preparation[edit]

Since setting up OpenVPN on Whonix including a secure, leak preventing Fail Closed Mechanism is challenging, it is highly recommend to learn how to set up OpenVPN on Debian stable (currently: jessie). Get a Debian stable VM. Install the Debian openvpn package. (sudo apt-get install openvpn) Figure out how to set up your VPN using OpenVPN in the command line. Only proceed if you succeeded setting that up. Do not post support requests regarding these instructions before you succeeded with that basic exercise. You find some help with general VPN setup in the #VPN Setup chapter or on the TestVPN page. There however are ways to get help from various sources for that basic exercise, also your VPN provider may be of assistance.

Whonix 12 users may remember variable VPN_SERVERS. Don't wonder. That variable was abolished for better security. [4]

Firewall Settings[edit]

Modify Whonix User Firewall Settings.

Note: Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix User Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> User Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/whonix_firewall.d/50_user.conf

For more help, press on expand on the right.

Note: Whonix Global Firewall Settings File /etc/whonix_firewall.d/30_default.conf contains default settings and explanatory comments what these settings purpose. It gets opened read-only by default. By default you are not supposed to directly edit the file. Below, we recommend to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

See also Whonix modular flexible .d style configuration folders.

To view the file, complete the following steps.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Template: whonix-gw -> Whonix Global Firewall Settings

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Global Firewall Settings

If you are using a terminal-only Whonix-Gateway, complete the following steps:

nano /etc/whonix_firewall.d/30_default.conf

Add the following settings. You can skip comments (starting with #). Don't use ; for comments. [5] Likely you do not need to either uncomment (removing the # in front) or modify VPN_INTERFACE / LOCAL_NET.

## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABELD BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1

## For OpenVPN.
#VPN_INTERFACE=tun0

## Destinations you don not want routed through the VPN.
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
#      LOCAL_NET="\
#         127.0.0.0-127.0.0.24 \
#         192.168.0.0-192.168.0.24 \
#         192.168.1.0-192.168.1.24 \
#         10.152.152.0-10.152.152.24 \
#         10.0.2.2-10.0.2.24 \
#      "

Save.

Reload Firewall[edit]

Reload Whonix-Gateway Firewall.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Reload Whonix Firewall

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Reload Whonix Firewall

If you are using a terminal-only Whonix-Gateway, run:

sudo whonix_firewall

sudoers configuration[edit]

Open /etc/sudoers.d/tunnel_unpriv in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/sudoers.d/tunnel_unpriv

If you are using a terminal-only Whonix, run:

sudo nano /etc/sudoers.d/tunnel_unpriv

Comment in. (Remove the single hashes (# in front of all lines, but do not remove the double hashes (##). So it looks like this.

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty

Save.

VPN Setup[edit]
Introduction[edit]

In the following example we are using the free Riseup VPN, because it is known to support TCP, UDP, SSL. You can use any VPN you like.

Update: Riseup "legacy" VPN may have been discontinued. It did not work anymore for the author of these instructions. The riseup replacement service bitmask has not been tested.

Get VPN Certificate[edit]

TODO: Documentation bug fix required. Won't work without Tor being enabled. You need to get the certificate elsewhere and then File Transfer it into Whonix-Gateway.

Look inside the riseup VPN help page for RiseupCA.pem and (right click) download it. Store it in /etc/openvpn/RiseupCA.pem.

scurl https://help.riseup.net/security/network-security/riseup-ca/RiseupCA.pem | sudo tee /etc/openvpn/RiseupCA.pem
VPN Credentials[edit]

You need a riseup.net account. You need to know your riseup account name. Go to https://user.riseup.net/users/riseupusername/vpn to obtain your VPN secret. (VPN password) (Replace "riseupusername" with your actual riseup user name.) (Or just got to https://user.riseup.net, login and click on "VPN".)

Open /etc/openvpn/auth.txt in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/openvpn/auth.txt

If you are using a terminal-only Whonix, run:

sudo nano /etc/openvpn/auth.txt

Add. (Add your actual user name and password.)

riseupusername
vpnsecret

Save.

VPN IP Address[edit]

Note, you must use IP addresses. You cannot use DNS hostnames. For example, you could not use vpn.riseup.net. You have to use IP addresses such as for example 198.252.153.226. You find out the IP from your provider or by using nslookup on the host. Example. (You need to use your actual DNS hostname, not vpn.riseup.net.)

nslookup vpn.riseup.net
VPN Configuration File[edit]

Open /etc/openvpn/openvpn.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/openvpn/openvpn.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/openvpn/openvpn.conf

Add.

Note: make sure to adjust the remote 198.252.153.226 80 variable in your config (unless you are using nyc.vpn.riseup.net as your VPN service). Replace the IP (198.252.153.226) and port (80) to match your VPN service.

##############################
## VPN provider specific settings ##
##############################
auth-user-pass auth.txt

## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80

ca RiseupCA.pem

remote-cert-tls server

####################################
## TUNNEL_FIREWALL specific settings ##
####################################
client
dev tun0
persist-tun
persist-key

script-security 2
#up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
#down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

user tunnel
iproute /usr/bin/ip_unpriv

Do not worry about TCP mode on Whonix-Gateway. Using the VPN in TCP mode may be possible depending the services provides by your VPN provider, but is not required on Whonix-Gateway. The VPN in UDP mode should work just fine. [6] Your pick.

[7] [8]

Save.

DNS Configuration[edit]

DNS configuration, resolvconf, update-resolv-conf or similar is not required for Whonix-Gateway. [9]

Configuration Folder Permissions[edit]

Since we will be running OpenVPN under user tunnel, that user requires read access to folder /etc/openvpn.

sudo chown -R tunnel:tunnel /etc/openvpn
sudo chown -R tunnel:tunnel /var/run/openvpn
systemd setup[edit]

Create the OpenVPN systemd service file.

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

Enable the OpenVPN systemd service file.

sudo systemctl enable openvpn@openvpn

Start the OpenVPN systemd service.

sudo service openvpn@openvpn start

Check the OpenVPN systemd service status.

sudo service openvpn@openvpn status
Enable Tor[edit]

Enable Tor using Whonix Setup Wizard.

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Whonix Setup Wizard

For terminal-only Whonix-Gateway, use.

sudo whonixsetup

Troubleshooting[edit]

You can skip this troubleshooting chapter unless you notice any issues.

ip_unpriv vs ip-unpriv[edit]

There are two similar distinct projects. Standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. They share a lot similarities, but one difference that you might stumble upon. In chapter #VPN Configuration File there is a difference.

  • Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
  • Standalone VPN-FIREWALL uses ip-unpriv (hyphen)

So make sure you are using the right version of ip unpriv according to the project you are using, VPN-FIREWALL and Whonix TUNNEL_FIREWALL.

50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf[edit]

Similar to above...

  • Whonix TUNNEL_FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf ip_unpriv (underscore)
  • Standalone VPN-FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf ip-unpriv (hyphen)
Cannot ioctl TUNSETIFF[edit]
ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

In openvpn.conf do not use.

dev tun

Use.

dev tun0
Dev tun missmatch[edit]

In openvpn.conf do not use.

dev tun

Use.

dev tun0
/run/openvpn/openvpn.status Permission denied[edit]
Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied

Do not start openvpn as root. Do not use "sudo openvpn". This would lead to permission issues. Files in /run/openvpn folder owned by root. So they cannot be overwritten by user tunnel.

debug start[edit]

Debug start in command line.

sudo /usr/sbin/openvpn --rmtun --dev tun0
sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
cd /etc/openvpn/
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
Linux ip link set failed[edit]
Linux ip link set failed: external program exited with error status: 2

Use ip_unpriv as documented above.

DNS Configuration[edit]

If you are using resolvconf only...

You may need to manually change permissions on two directories if they are not automatically applied. Check to see if changes are necessary by running the following command:

ls -al /run/resolvconf

If the output lists tunnel as having read/write/execute permissions for both /run/resolvconf and /run/resolvconf/interface then you will not need to modify anything. If tunnel is not listed as group for one or both of these directories then you will need to change the permissions, like so:

sudo chown --recursive root:tunnel /run/resolvconf

then you will need to set the permissions bits

sudo chmod --recursive 775 /run/resolvconf

In /run/resolvconf, resolv.conf may or may not be owned by tunnel depending on whether the systemd service has started already or not. There is no need to modify permissions on this file, as its permissions will change when the service starts.

Terminology for Support Requests[edit]

Phrases such as "over Tor" are ambiguous. Please do not prevent your own coining of words. That leads to people talking past each other. Please use the same terms that are consistently used in documentation such as.

  • How to connect to a VPN before Tor (User -> VPN -> Tor -> Internet)
  • How to connect to Tor before a VPN (User -> Tor -> VPN -> Internet)
  • etc.

Always refer to the connection scheme, User -> VPN -> Tor -> Internet or User -> Tor -> VPN -> Internet etc.

Additional Tweaks / Recommendations / Troubleshooting[edit]

If having problems with the connection / Tor is not fully bootstrapped, please press on expand on the right.

You have may have to manually restart Tor. This is because the VPN may not be ready when Tor is attempting to connect, because the VPN connection initialization takes too long. Due to a bug in Tor, it won't keep trying to connect. To fix this, you may have to manually restart Tor after boot, if whonixcheck reports that Tor is not fully bootstrapped. The same may be necessary if your VPN software or connection temporarily broke down.

To Manually restart Tor:

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps and you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If your are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, press on expand on the right.

Complete the following steps:

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

Should show something like the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Leak Tests

When you shut down the VPN, neither Tor, nor Whonix-Gateway's whonixcheck/apt-get/etc. nor Whonix-Workstation should be able to connect anywhere anymore.

Force Tor to wait for OpenVPN

Create a folder /etc/systemd/system/tor.service.d.

sudo mkdir /etc/systemd/system/tor.service.d

Create a file /etc/systemd/system/tor.service.d/50_user.conf.

Open /etc/systemd/system/tor.service.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/systemd/system/tor.service.d/50_user.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/systemd/system/tor.service.d/50_user.conf

Add the following content.

[Unit] After=openvpn.service

Save.

At next boot, the Tor daemon will be started after the OpenVPN daemon.

Debugging: [10]

Limitations

  • Only tested with OpenVPN. Most other VPN's have deficiencies anyway.
  • DNS (IP address) of VPN server has to be manually resolved. There is technically no way to automatically resolve DNS without making the setup much more complex. The VPN server's IP address should not be resolved over Tor, because that's what you wanted to hide in the first place. Since outside observers will know, that you are connecting to the VPN IP anyway, it is probably save to resolve the DNS over clearnet or by asking the VPN provider if they don't already document their IPs on their website anyway.
  • No support for IPv6 yet.

Troubleshooting VPN -> Tor

  • If not connecting, see above to manually restart Tor
  • Check your VPN software's logs.
  • Test if you are able to connect using your VPN

1. Login as user clearnet.

sudo su clearnet

2. Try connecting to check.tpo. Note, at time of writing, it looked like usaip free trial is probably blocking SSL, therefore it might not work.

UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.2 --proto =https -H 'Host: check.torproject.org' -k https://138.201.14.212 | grep IP

Should show something along: Your IP address appears to be: xxx.xxx.xxx.xxx

3. Get back to normal user.

exit


Footnotes[edit]

  1. 1.0 1.1 All traffic generated by the host. All applications running on the host. Firefox, NTP, anything. This also includes traffic generated by Whonix.
  2. Because Whonix-Gateway does not require any clearnet DNS anyhow.
    • Check, that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.
    • Add a non-Whonix VM behind your VPN-Gateway. For example, add a debian based AppVM behind your VPN-Gateway. Figure out if the VPN-Gateway works at all before involving Whonix.
  3. https://phabricator.whonix.org/T460
  4. That config file is a bash fragment.
  5. The Tor software cannot transport UDP yet, but it does not have to in this case. (Reference: Tor#UDP.) Since the VPN connects over clearnet, UDP should just work as usual. Once the VPN is functional, Tor will have no issue to connect using it (without "knowing" it is over a VPN).
  6. The /usr/bin/ip_unpriv wrapper script is being provided by the usabilty-misc package. The /etc/sudoers.d/tunnel_unpriv wrapper script is being provided by the usabilty-misc package. The /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf wrapper script is being provided by the usabilty-misc package.
  7. We must run OpenVPN as user 'tunnel', because that is the only user besides user clearnet that will be allowed to establish external connections when using Whonix Firewall setting VPN_FIREWALL=1.
  8. Because Whonix-Gateway by default has no and needs no system DNS for its own traffic. See Whonix-Gateway System DNS if you would like to read an explanation why that is so.
  9. Reload systemd. sudo systemctl daemon-reload Check Tor service status. sudo service tor status It should list the drop-in file /etc/systemd/system/tor.service.d/50_user.conf.

Random News:

Did you know, that Whonix could provide protection against backdoors? See Verifiable Builds. Help wanted.


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.