
VPN Tunnel Setup Examples

From Whonix




Warning: Before combining Tor with other tunnels, be sure to read and understand the risks!

Advertisement: Too difficult to set up? Provider-specific automation can be created for you by the lead developer of Whonix ™. Send reasonable price suggestions. Get in contact.

Introduction

This page demonstrates how easy it is to add a VPN to Whonix ™, whether connecting to Tor before the VPN (User → Tor → VPN → Internet, UserTorVPNInternet) or to the VPN before Tor (User → VPN → Tor → Internet, UserVPNTorInternet).

The examples below are mainly for testing purposes. Accounts can be set up for the same reasons, or the information can be used as a very rough guide for setting up a VPN with Whonix ™. To remain anonymous:

  • In all cases, never enter personal information when signing up for an account.
  • Use a separate email address solely for registration purposes.
  • If planning the User → Tor → VPN → Internet configuration, sign up through Tor: the account will only ever be used from Tor, so registration must not reveal the real IP address either.
  • If planning the User → VPN → Tor → Internet configuration, it is unknown whether signing up via Tor is better or not, but it probably cannot hurt.

Riseup

Riseup Quick VPN Command Line Test

Riseup is known to support TCP, UDP and TLS.

1. Create a new Riseup account.

Note an account can only be created with an invite code.

2. Obtain your VPN secret (VPN password).

The VPN secret is a special password that is used instead of the regular password to access the Riseup VPN:

  • login to account.riseup.net
  • click Passwords on the left sidebar
  • click the Service Passwords tab

3. Download the Riseup CA certificate.

The "CA certificate" is used by the local program to confirm the identity of servers you connect to. Download it from the Riseup VPN page or directly as RiseupCA.pem.

4. Open a terminal.

Navigate to the folder where RiseupCA.pem was saved.

5. Install OpenVPN.

sudo apt-get update && sudo apt-get install openvpn

6. Test the connection from the command line.

The following command from the Riseup OpenVPN for Linux page [1] will not work for the User → Tor → VPN → Internet (UserTorVPNInternet) configuration: it gives no --proto option, so OpenVPN defaults to UDP, and the Tor network only transports TCP.

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca RiseupCA.pem

Instead, use the following functional command, which forces TCP, for the UserTorVPNInternet configuration:

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca RiseupCA.pem --proto tcp

Without a file argument, --auth-user-pass prompts for the Riseup username and the VPN secret. Note that --keysize is deprecated since OpenVPN 2.4 and was removed in 2.6; drop it on those versions, since --cipher AES-256-CBC already fixes the key length.

7. For DNS, see Riseup DNS below.

Riseup riseup.conf

1. Use the Riseup account created in the previous section.

2. Obtain your VPN secret (VPN password).

Navigate to the Riseup Red Account page (also reachable as an .onion service), log in and click on "VPN".

3. Download the Riseup CA certificate.

The "CA certificate" is used by the local program to confirm the identity of servers you connect to. Download it from the Riseup VPN page or directly as RiseupCA.pem.

4. Create a file auth.txt inside the same folder, containing the Riseup username on the first line and the VPN secret on the second. The file holds a credential in plain text, so restrict it to its owner (chmod 600 auth.txt) before use.

riseupusername
vpnsecret

5. Create a file riseup.conf inside the same folder.

client
dev tun
auth-user-pass auth.txt
#remote vpn.riseup.net 443
#remote seattle.vpn.riseup.net 443
remote nyc.vpn.riseup.net 80
ca RiseupCA.pem
remote-cert-tls server
script-security 1
#user nobody
#group nobody
proto tcp
#log /var/log/openvpn.log

6. Start OpenVPN.

sudo openvpn riseup.conf

7. For DNS, see Riseup DNS below.
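The two Riseup procedures above express the same constraints in two forms: TCP because Tor cannot carry UDP, a CA plus remote-cert-tls so the server is actually authenticated, and credentials kept out of the command line. The following script is an added example, not code from the Whonix page or from Riseup; it checks any OpenVPN client config against those constraints before the config is handed to openvpn. The two sample configs it writes are constructed for the demonstration (modelled on the commands and riseup.conf above) and nothing in it touches the network.

```shell
#!/bin/sh
# Added example; not from the Whonix page or from Riseup. Checks an OpenVPN
# client config for settings that break or weaken a
# User -> Tor -> VPN -> Internet tunnel before it is handed to openvpn.
# Assumes a plain-text .conf/.ovpn file; nothing here touches the network.

# Usage: check_ovpn_for_tor FILE
# Prints one line per finding; returns 0 when the config passes, 1 otherwise.
check_ovpn_for_tor() {
    conf="$1"
    rc=0

    # Tor only carries TCP streams, and OpenVPN defaults to UDP when no
    # "proto" line is present, so a missing line is as bad as "proto udp".
    if ! grep -Eq '^[[:space:]]*proto[[:space:]]+tcp' "$conf"; then
        echo "FAIL: no 'proto tcp' (OpenVPN defaults to UDP, which Tor cannot carry)"
        rc=1
    fi

    # "remote HOST PORT udp" pins UDP for that server regardless of "proto".
    if grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]+udp' "$conf"; then
        echo "FAIL: a 'remote' line forces udp"
        rc=1
    fi

    # Without a CA the server certificate is never verified.
    if ! grep -Eq '^[[:space:]]*(ca[[:space:]]+[^[:space:]]+|<ca>)' "$conf"; then
        echo "FAIL: no CA certificate ('ca FILE' or inline <ca>)"
        rc=1
    fi

    # remote-cert-tls server rejects a peer that presents a client certificate
    # from the same CA, i.e. another customer of the provider posing as the server.
    if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$conf"; then
        echo "FAIL: 'remote-cert-tls server' missing"
        rc=1
    fi

    # A credentials file (auth.txt in the procedure above) must not be readable
    # by other users. Relative paths are resolved against the config's directory.
    authfile=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$conf")
    case "$authfile" in
        "") ;;
        /*) ;;
        *)  authfile="$(dirname "$conf")/$authfile" ;;
    esac
    if [ -n "$authfile" ] && [ -e "$authfile" ]; then
        case "$(ls -ld "$authfile" | cut -c5-10)" in
            ------) ;;
            *) echo "WARN: $authfile is readable by group/others (chmod 600 it)"; rc=1 ;;
        esac
    fi

    return "$rc"
}

# Two constructed sample configs (not real provider files) to exercise the check.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Modelled on the Riseup command-line example: no proto line, hence UDP.
cat > "$demo_dir/udp.conf" <<'EOF'
client
dev tun
auth-user-pass
remote vpn.riseup.net 1194
ca RiseupCA.pem
EOF

# Modelled on riseup.conf above, with an auth.txt restricted to its owner.
printf 'riseupusername\nvpnsecret\n' > "$demo_dir/auth.txt"
chmod 600 "$demo_dir/auth.txt"
cat > "$demo_dir/tor-ok.conf" <<'EOF'
client
dev tun
auth-user-pass auth.txt
remote nyc.vpn.riseup.net 80
ca RiseupCA.pem
remote-cert-tls server
proto tcp
EOF

for f in udp.conf tor-ok.conf; do
    echo "== $f"
    if check_ovpn_for_tor "$demo_dir/$f"; then echo "OK: usable over Tor"; fi
done
```

Run it against your own file with check_ovpn_for_tor riseup.conf before sudo openvpn riseup.conf; the first sample fails on the missing proto tcp and remote-cert-tls lines, the second passes. The permission check is deliberately part of the tunnel check because a world-readable auth.txt on a multi-user workstation is the more likely leak than the tunnel itself.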

Riseup DNS

Setup

1. Open file /etc/resolv.conf in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This uses sudoedit, which edits a temporary copy and writes it back with root rights instead of running the whole editor as root. It is an example; other tools could achieve the same goal.

sudoedit /etc/resolv.conf

2. Comment out the nameserver.

#nameserver 10.152.152.10

3. Add the Riseup OpenVPN DNS server.

## Riseup.net OpenVPN DNS server
nameserver 172.27.100.1

If Riseup is not being used in your configuration, replace 172.27.100.1 with the virtual LAN IP address of your VPN provider's DNS server. It can probably be obtained directly from the VPN provider. Another way to infer it is to run ip route (or the older sudo route -n) after successfully connecting to the VPN: the gateway of the default route through the tun interface (OpenVPN usually pushes it as the two halves 0.0.0.0/1 and 128.0.0.0/1) is in most cases also the provider's DNS server. Confirm it with the nslookup test below before relying on it.

Save the file.

4. Optional: Prevent overwriting of the configuration file.

To ensure that /etc/resolv.conf is not overwritten by other packages such as DHCP clients or resolvconf, run:

sudo chattr +i /etc/resolv.conf

To make the file writable again later, use sudo chattr -i /etc/resolv.conf.
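Reading the gateway off the route table by eye and then editing /etc/resolv.conf by hand can both be scripted. The following is an added example, not from the Whonix page: it parses ip route output (a constructed sample here, with 203.0.113.7 standing in for the VPN server's address) to find the address OpenVPN pushed as the tunnel gateway, and rewrites a resolv.conf so the old nameserver is commented out and the VPN's one added, idempotently. It writes nothing under /etc.

```shell
#!/bin/sh
# Added example; not from the Whonix page. Derives the VPN's in-tunnel DNS
# server from the routing table and renders the matching resolv.conf, instead
# of doing both by hand. Reads "ip route" output (the modern replacement for
# the deprecated "route" command). Runs on constructed sample data below and
# writes nothing under /etc.

# Usage: tun_gateway < ip-route-output
# Prints the gateway of the first default or half-default (0.0.0.0/1) route
# that goes through a tun/tap device, i.e. the address OpenVPN pushed.
# Prints nothing when no such route exists (VPN not up).
tun_gateway() {
    awk '
        ($1 == "default" || $1 == "0.0.0.0/1") && $2 == "via" {
            for (i = 3; i <= NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^(tun|tap)/) { print $3; exit }
        }'
}

# Usage: render_resolv_conf NAMESERVER < old-resolv.conf
# Comments out every existing nameserver line (10.152.152.10, the
# Whonix-Gateway Tor DNS, in the default setup) and appends the VPN's server.
# Running it again on its own output changes nothing.
render_resolv_conf() {
    awk -v ns="$1" '
        $1 == "nameserver" && $2 == ns  { next }   # old copy; re-added at the end
        /^## VPN in-tunnel DNS server$/ { next }   # old header; re-added at the end
        /^[ \t]*nameserver[ \t]/        { print "#" $0; next }
        { print }
        END {
            print "## VPN in-tunnel DNS server"
            print "nameserver " ns
        }'
}

# Constructed sample of what "ip route" shows in Whonix-Workstation once
# OpenVPN with redirect-gateway is up. Tunnel addresses are the ones from the
# page; 203.0.113.7 stands in for the VPN server's address.
sample_routes='0.0.0.0/1 via 172.27.100.1 dev tun0
default via 10.152.152.10 dev eth0
10.152.152.0/18 dev eth0 proto kernel scope link src 10.152.152.11
128.0.0.0/1 via 172.27.100.1 dev tun0
172.27.100.0/22 dev tun0 proto kernel scope link src 172.27.100.42
203.0.113.7 via 10.152.152.10 dev eth0'

vpn_dns=$(printf '%s\n' "$sample_routes" | tun_gateway)
echo "VPN DNS candidate: $vpn_dns"          # 172.27.100.1

# Constructed stand-in for the Whonix default /etc/resolv.conf.
printf 'nameserver 10.152.152.10\n' | render_resolv_conf "$vpn_dns"
```

To apply it for real: vpn_dns=$(ip route | tun_gateway), then render_resolv_conf "$vpn_dns" < /etc/resolv.conf > /tmp/resolv.conf.new, inspect the result, copy it into place with root rights and only then run the chattr +i step. If tun_gateway prints nothing the tunnel is not up; if nslookup against the candidate address times out, the gateway is not a resolver and the provider's documentation is the only source.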

Testing

Use nslookup to query the DNS server and obtain the domain name to IP address mapping. [2]

When using nameserver 10.152.152.10 ...

nslookup idnxcnkne4qt76tg.onion

The command shows:

Server:         10.152.152.10
Address:        10.152.152.10#53
Non-authoritative answer:
Name:   idnxcnkne4qt76tg.onion
Address: 10.192.0.1

When using nameserver 172.27.100.1 ...

nslookup idnxcnkne4qt76tg.onion

The command shows:

Server:         172.27.100.1
Address:        172.27.100.1#53
** server can't find idnxcnkne4qt76tg.onion: NXDOMAIN

This is expected: with the VPN chained after Tor (UserTorVPNInternet), DNS queries go to the VPN provider's resolver, which knows nothing about .onion names. Only Tor's own DNS port (10.152.152.10 above, which mapped the name to the virtual address 10.192.0.1) can resolve them, so .onion services cannot be accessed in this configuration.

Resolving clearnet DNS should work.

nslookup riseup.net

The command should show:

Server:         172.27.100.1
Address:        172.27.100.1#53
Non-authoritative answer:
Name:   riseup.net
Address: 198.252.153.35

USAIP

For testing purposes, usaip.eu (USAIP) was used in the past. The primary reason was that it was free and did not block the outgoing UDP port under test. The free version of USAIP is only suitable for testing, because it forcibly disconnects every seven minutes. For longer and serious/stable use, another VPN account is necessary.

Note: at the time of writing, USAIP appeared to be blocking TLS, so the following check is possibly non-functional:

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https https://check.torproject.org

1. Install OpenVPN.

sudo apt-get install openvpn

2. Navigate to USAIP and obtain the free test.

  • click on free demo
  • download usaip.zip (this contains the OpenVPN configuration files)
  • unpack the file

3. Open a terminal.

Navigate to the USAIP folder.

cd usaip

List the available files.

dir

4. Connect to a free VPN.

For example, run.

sudo openvpn /home/user/usaip/eu-luxemburg.ovpn

At the time of writing, the USAIP page stated that the username was demo and the password was also demo.

Wait until it is connected. On success OpenVPN prints "Initialization Sequence Completed". If the connection does not succeed for some unknown reason, try replacing eu-luxemburg.ovpn in the above example with another <country>.ovpn file from the USAIP folder.

Note: DNS settings have not been considered in this entry.

Using a Graphical User Interface

KDE Network Manager

To install the KDE Network Manager, run:

sudo apt-get install network-manager-kde

Start menu → System Settings → Network Settings

At the time of writing, the former, unfinished OpenVPN instructions for KDE [3] had been removed from the Riseup website. Another guide for KDE Network Manager might be found via Internet research; otherwise use the command line based examples above.

Also, do not be concerned if the Whonix-Workstation ™ (virtual) wired network interface to Whonix-Gateway ™ is not shown in Network Manager; see footnote. [4]

GNOME Network Manager

GNOME applications can usually be integrated into a KDE desktop.

In the case of GNOME Network Manager, more fiddling is required. To let GNOME and KDE coexist in a dual installation, upstream hides each desktop's network applet from the other (the NotShowIn=KDE; key edited below), so one settings manager does not show up when the other desktop has been started. The edits below undo that for the GNOME applet under KDE.

If you want to install the GNOME Network Manager, run.

sudo apt-get install network-manager-gnome network-manager-openvpn-gnome

To autostart GNOME Network Manager, open /etc/xdg/autostart/nm-applet.desktop in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)


sudoedit /etc/xdg/autostart/nm-applet.desktop

And comment out the following line (prefix it with #):

NotShowIn=KDE;

To make the nm-applet start menu entries visible and to start it manually, open /usr/share/applications/nm-applet.desktop in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)


sudoedit /usr/share/applications/nm-applet.desktop

And comment out the following line (prefix it with #):

NotShowIn=KDE;

Then add:

Categories=GNOME;GTK;Settings;X-GNOME-NetworkSettings;

To make the nm-connection-editor start menu entries visible and to start it manually, open /usr/share/applications/nm-connection-editor.desktop in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)


sudoedit /usr/share/applications/nm-connection-editor.desktop

And comment out the following line (prefix it with #):

NotShowIn=KDE;

The settings can then be opened via:

Applications → Settings → Network Connections

You could also try the Riseup OpenVPN instructions for GNOME.

Footnotes

  1. https://riseup.net/en/vpn/vpn-red/linux
  2. https://en.wikipedia.org/wiki/nslookup
  3. https://www.riseup.net/en/openvpn-linux#kde
  4. That interface is still managed the ordinary ifupdown way:
    • /etc/network/interfaces
    • /etc/network/interfaces.d/30_non-qubes-whonix
    See Dev/Network Manager for further information on why network-manager is not used by default in Whonix ™.



Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
