
Tunnels/Examples


VPN Tunnel Setup Examples

Introduction

The purpose of this page is mainly to demonstrate how easy it is to add a VPN to Whonix, whether the VPN tunnel-link is used before or after Tor (i.e. User -> Tor -> VPN -> Internet or User -> VPN -> Tor -> Internet).

The examples given below were mainly for testing purposes. You may set up accounts for the same reasons, or use the information below as a very rough "guide" for setting up a VPN with Whonix. When setting up the accounts within the examples, make sure not to enter personal information while signing up. Use an extra e-mail address for registration, which you will never use for anything else. If you plan to use User -> Tor -> VPN, you should obviously also sign up through Tor. When using User -> VPN -> Tor, it is unknown what is best (to sign up through Tor or not), but using Tor probably can't hurt.

Riseup.net

Riseup.net Quick VPN Command Line Test

Known to support TCP, UDP, SSL.

(1) You need a riseup.net account.
(2) You need to know your riseup account name.
(3) Go to riseup.net -> help -> VPN and obtain your VPN secret. (VPN password)
(4) Look inside the riseup VPN help page for RiseupCA.pem and download it.
(5) Open a terminal (konsole). Change into the folder where you stored RiseupCA.pem.
(6) Install openvpn.

sudo apt-get update && sudo apt-get install openvpn

(7) The following line from the riseup OpenVPN help page[1] won't work for user -> Tor -> VPN -> Internet, because the Tor network does not support UDP (OpenVPN defaults to UDP when no protocol is given).

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --ca RiseupCA.pem

The following line works for user -> Tor -> VPN -> Internet, because it forces TCP.

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --ca RiseupCA.pem --proto tcp

(8) For DNS, see #Riseup DNS below.

Riseup.net riseup.conf

Known to support TCP, UDP, SSL.
(1) You need a riseup.net account.
(2) You need to know your riseup account name.
(3) Go to https://user.riseup.net/users/riseupusername/vpn to obtain your VPN secret (VPN password). (Replace "riseupusername" with your actual riseup user name.) (Or just go to https://user.riseup.net, log in and click on "VPN".)
(4) Look inside the riseup VPN help page for RiseupCA.pem and (right click) download it.
(5) Create a file auth.txt inside the same folder.

riseupusername
vpnsecret

(6) Create a file riseup.conf inside the same folder.

client
dev tun
auth-user-pass auth.txt
#remote vpn.riseup.net 443
#remote seattle.vpn.riseup.net 443
remote nyc.vpn.riseup.net 80
ca RiseupCA.pem
remote-cert-tls server
script-security 1
#user nobody
#group nobody
proto tcp
#log /var/log/openvpn.log

(7) Start OpenVPN.

sudo openvpn riseup.conf

(8) For DNS, see #Riseup DNS below.
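Since the only difference between the failing and the working command above, and the reason for "proto tcp" in riseup.conf, is that Tor carries no UDP, it helps to have a quick check that an OpenVPN client config really ends up on TCP for every remote. The script below is an added example, not from the Whonix page or from riseup; the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki page): report whether an OpenVPN
# client config can be used in the User -> Tor -> VPN -> Internet layout.
# Tor only transports TCP, so every remote must end up on a TCP protocol;
# OpenVPN defaults to UDP when neither "proto" nor a per-remote protocol is set.
# Usage: ovpn_tor_check FILE   (exit 0 = usable over Tor, 1 = not, 2 = unreadable)

ovpn_tor_check() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Strip "#"/";" comments, remember the last global "proto", then evaluate
    # each "remote host port [proto]" line with the OpenVPN default of udp.
    sed -e 's/[#;].*$//' "$1" | awk '
        $1 == "proto"  { gproto = $2 }
        $1 == "remote" { n++; host[n] = $2; port[n] = $3; rproto[n] = $4 }
        END {
            if (n == 0) { print "no remote line found"; exit 1 }
            bad = 0
            for (i = 1; i <= n; i++) {
                p = rproto[i] != "" ? rproto[i] : (gproto != "" ? gproto : "udp")
                if (p ~ /^tcp/) verdict = "ok over Tor"
                else { verdict = "NOT usable over Tor (Tor carries no UDP)"; bad = 1 }
                printf "remote %s %s proto %s: %s\n", host[i], port[i], p, verdict
            }
            exit bad
        }'
}

# Constructed sample configs for the demo: the riseup.conf from this page
# (TCP, works over Tor) and a minimal config left on OpenVPN's UDP default.
write_samples() {
    cat > "$1/riseup.conf" <<'EOF'
client
dev tun
auth-user-pass auth.txt
remote nyc.vpn.riseup.net 80
ca RiseupCA.pem
remote-cert-tls server
proto tcp
EOF
    cat > "$1/udp-default.conf" <<'EOF'
client
dev tun
remote vpn.riseup.net 1194
ca RiseupCA.pem
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for c in "$d"/*.conf; do
        echo "== $c"
        ovpn_tor_check "$c" || echo "   -> verdict: unusable (exit $?)"
    done
    rm -rf "$d"
}
demo
```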

Riseup DNS

Setup

Open /etc/resolv.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/resolv.conf

If you are using a terminal-only Whonix, run:

sudo nano /etc/resolv.conf

Comment out.

#nameserver 10.152.152.10

Add.

## Riseup.net OpenVPN DNS server
nameserver 172.27.100.1

If you are not using riseup, you need to replace 172.27.100.1 with the virtual LAN IP address of your VPN provider's DNS server. You might be able to obtain it from your VPN provider. You can also try to infer it after successfully connecting to the VPN by running "sudo route": the gateway of the first default route should function as DNS server as well.

Save.

If you want to be sure that /etc/resolv.conf does not get overwritten by other packages (such as DHCP or resolvconf), make the file immutable:

sudo chattr +i /etc/resolv.conf

If you ever want to make it writable again, use chattr -i /etc/resolv.conf.
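The two steps above (infer the VPN DNS server from the first default route, then comment out the Whonix-Gateway resolver and add the VPN one) as an added shell example; it is not from the Whonix page, only prints the rewritten resolv.conf instead of touching /etc, and the "route -n" sample it reads is constructed.

```shell
#!/bin/sh
# Added example (not from the Whonix page): derive the VPN-side DNS server as
# the page suggests, i.e. the gateway of the first "default" route in
# "route -n" output, and produce the /etc/resolv.conf content the page
# describes: the Whonix-Gateway resolver 10.152.152.10 commented out and the
# VPN resolver added. Copying the output over /etc/resolv.conf is left to you.

# $1 = file with "route -n" style output (on a live system: route -n > FILE).
# Prints the gateway of the first default route (destination 0.0.0.0 or
# "default"), exits 1 if there is none.
vpn_dns_from_route() {
    awk '($1 == "0.0.0.0" || $1 == "default") { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# $1 = path to the current resolv.conf, $2 = VPN DNS IP. Prints the new file.
rewrite_resolv() {
    sed -e 's/^nameserver 10\.152\.152\.10$/#&/' "$1"
    printf '## VPN OpenVPN DNS server\nnameserver %s\n' "$2"
}

demo() {
    d=$(mktemp -d)
    # Constructed sample of what "route -n" may show with a tun0 VPN up.
    cat > "$d/route.txt" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.100.1    0.0.0.0         UG    0      0        0 tun0
10.152.152.0    0.0.0.0         255.255.192.0   U     0      0        0 eth0
172.27.100.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
EOF
    printf 'nameserver 10.152.152.10\n' > "$d/resolv.conf"
    dns=$(vpn_dns_from_route "$d/route.txt") || { echo "no default route"; return 1; }
    rewrite_resolv "$d/resolv.conf" "$dns"
    rm -rf "$d"
}
demo
```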

Testing

When using "nameserver 10.152.152.10"...

nslookup idnxcnkne4qt76tg.onion

Will show.

Server:         10.152.152.10
Address:        10.152.152.10#53
Non-authoritative answer:
Name:   idnxcnkne4qt76tg.onion
Address: 10.192.0.1

When using "nameserver 172.27.100.1"...

nslookup idnxcnkne4qt76tg.onion

Will show.

Server:         172.27.100.1
Address:        172.27.100.1#53
** server can't find idnxcnkne4qt76tg.onion: NXDOMAIN

This is expected: you cannot resolve or access .onion domains when a VPN has been chained after Tor (user -> Tor -> VPN -> Internet), because the VPN's resolver, not Tor, now answers your DNS queries.

Resolving clearnet DNS should work.

nslookup riseup.net

Should show.

Server:         172.27.100.1
Address:        172.27.100.1#53
Non-authoritative answer:
Name:   riseup.net
Address: 198.252.153.35

usaip.eu

For testing purposes, usaip.eu was used in the past. It was chosen because it was free and didn't block the tested outgoing UDP port. The free version of usaip.eu can probably only be used for testing purposes, as it's only a test version, which force disconnects every 7 minutes. For longer and serious/stable use, you'll probably need another VPN account.

Note: at the time of writing, it looked like usaip was probably blocking SSL, therefore

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https https://check.torproject.org

will probably not work.

Install OpenVPN.

sudo apt-get install openvpn

Go to usaip.eu and click on free demo. Download the usaip.zip. It contains the OpenVPN configuration files. Unpack it. Open a shell and change into the folder: cd usaip. List all files: dir. Connect to a VPN, for example:

sudo openvpn /home/user/usaip/eu-luxemburg.ovpn

At the time of writing, the page stated that the user name was demo and the password also demo. Wait until it's connected. On success, it will show "Initialization Sequence Completed". It might happen that the connection will not succeed for some unknown reason. In this case try replacing the eu-luxemburg.ovpn from the example above with another <country>.ovpn from the usaip folder.

DNS settings have not been considered for this usaip.eu chapter.

Using a graphical user interface

KDE Network Manager

If you want to install the KDE Network Manager:

sudo apt-get install network-manager-kde

Start menu -> System Settings -> Network Settings

At the time of writing, the riseup.net OpenVPN instructions for KDE were not finished. Perhaps you'll find out yourself, use another guide for KDE Network Manager, or use the command line based examples above.

Don't wonder if you don't see Whonix-Workstation's (virtual) wired network interface to Whonix-Gateway. [2]

GNOME Network Manager

Although Whonix is by default based on KDE, you can usually integrate GNOME applications.

GNOME Network Manager just requires some more fiddling: upstream developers wanted to make GNOME and KDE as compatible as possible, which includes that one desktop's settings manager won't show up when the other desktop has been started in a dual (KDE, GNOME) installation.

If you want to install the GNOME Network Manager:

sudo apt-get install network-manager-gnome network-manager-openvpn-gnome

If you want to autostart GNOME Network Manager, open /etc/xdg/autostart/nm-applet.desktop in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/xdg/autostart/nm-applet.desktop

If you are using a terminal-only Whonix, run:

sudo nano /etc/xdg/autostart/nm-applet.desktop

And comment out.

NotShowIn=KDE;

If you want to make the nm-applet start menu entries visible and to start it manually, open /usr/share/applications/nm-applet.desktop in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /usr/share/applications/nm-applet.desktop

If you are using a terminal-only Whonix, run:

sudo nano /usr/share/applications/nm-applet.desktop

And comment out.

NotShowIn=KDE;

And add.

Categories=GNOME;GTK;Settings;X-GNOME-NetworkSettings;

If you want to make the nm-connection-editor start menu entries visible and to start it manually, open /usr/share/applications/nm-connection-editor.desktop in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /usr/share/applications/nm-connection-editor.desktop

If you are using a terminal-only Whonix, run:

sudo nano /usr/share/applications/nm-connection-editor.desktop

And comment out.

NotShowIn=KDE;

Then you could open the settings.

Applications -> Settings -> Network Connections

You could try the riseup.net OpenVPN instructions for GNOME.

Footnotes

  1. https://help.riseup.net/en/openvpn-linux
  2. That's still managed by the ordinary ifupdown way.
    • /etc/network/interfaces
    • /etc/network/interfaces.d/30_non-qubes-whonix
    See Dev/Network Manager if you want to know why network-manager is not used by default in Whonix.