VPN Tunnel Setup Examples

From Whonix
Jump to navigation Jump to search

Introduction[edit]

Before combining Tor with other tunnels, be sure to read and understand the risks!

Advertisement:
Too difficult? Consider purchasing Premium Support.

This page is intended to demonstrate how easy it is to add a VPN to Whonix, whether utilizing a VPN tunnel-link before Tor (UserTorVPNInternet) or after Tor (UserVPNTorInternet).

The examples below are mainly for testing purposes. It is possible to set up accounts for the same reasons, or the information can be used as a very rough guide for setting up a VPN with Whonix. To remain anonymous:

  • In all cases, never enter personal information when signing up for an account.
  • Use an extra email address solely for registration purposes.
  • If planning on the UserTorVPN configuration, then you should obviously sign up through Tor.
  • If planning on the UserVPNTor configuration, it is unknown whether it is best to sign up via Tor or not, but it probably cannot hurt.

Riseup[edit]

Riseup Quick VPN Command Line Test[edit]

Riseuparchive.org is known to support TCP, UDP and TLS.

1. Create a new Riseup accountarchive.org.

Note an account can only be created with an invite codearchive.org.

2. Obtain your VPN secret (VPN password).

  • login to account.riseup.net
  • click Passwords on the left sidebar
  • click the Service Passwords tab

3. Download the Riseup CA certificate.

The "CA certificate" is used by the local program to confirm the identity of servers you connect to. Download it from this pagearchive.org or click this link: RiseupCA.pemarchive.org.

4. Open a terminal.

Navigate to the folder where RiseupCA.pem was saved.

5. Install OpenVPNarchive.org.

sudo apt update && sudo apt install openvpn

6. Test the connection from the command line.

The following line from the Riseup OpenVPN for Linux page [1] will not work for the connection: userTorVPNInternet, because the Tor network does not support UDP.

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca RiseupCA.pem

Instead, use the following functional command utilizing TCP for the connection: userTorVPNInternet.

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --keysize 256 --auth SHA256 --cipher AES-256-CBC --ca RiseupCA.pem --proto tcp

7. For DNS, see Riseup DNS below.

Riseup riseup.conf[edit]

Riseuparchive.org is known to support TCP, UDP and TLS.

1. Utilize the Riseup account and name created in the previous section.

2. Obtain your VPN secret (VPN password).

Navigate to the Riseup Red Accountarchive.org page (.oniononion), log in and click on "VPN".

3. Download the Riseup CA certificate.

The "CA certificate" is used by the local program to confirm the identity of servers you connect to. Download it from this pagearchive.org or click this link: RiseupCA.pemarchive.org.

4. Create a file auth.txt inside the same folder.

Open file auth.txt in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run. mousepad auth.txt

If you are using a terminal, run. nano auth.txt

5. Paste the following content.

Notes:

  • Replace riseupusername with your actual Riseup user name.
  • Replace vpnsecret with your actual Riseup password.
riseupusername
vpnsecret

6. Create a file riseup.conf inside the same folder.

client
dev tun
auth-user-pass auth.txt
#remote vpn.riseup.net 443
#remote seattle.vpn.riseup.net 443
remote nyc.vpn.riseup.net 80
ca RiseupCA.pem
remote-cert-tls server
script-security 1
#user nobody
#group nobody
proto tcp
#log /var/log/openvpn.log

7. Start OpenVPN.

sudo openvpn riseup.conf

8. For DNS, see Riseup DNS below.

Riseup DNS[edit]

Setup[edit]

1. Open file /etc/resolv.conf in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

Qubes-Whonix

NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/resolv.conf

2. Comment out the nameserver.

#nameserver 10.152.152.10

3. Add the Riseup OpenVPN DNS server.

## Riseup.net OpenVPN DNS server
nameserver 172.27.100.1

If Riseup is not being used in your configuration, then replace 172.27.100.1 with the virtual LAN IP address of your VPN provider's DNS server. It probably can be obtained directly from the VPN provider. Another method of inferring it is running sudo route after successfully connecting to the VPN. The first destination default gateway should also function as a DNS server.

Save the file.

4. Optional: Prevent overwriting of the configuration file.

To ensure that /etc/resolv.conf is not overwritten by other packages like DHCP or resolvconf, run.

sudo chattr +i /etc/resolv.conf

If you ever want to remove it, use -i.

Testing[edit]

Use nslookup to query the DNS to obtain domain name and IP address mapping. [2]

When using nameserver 10.152.152.10 ...

nslookup vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion

The command will show.

Server:         10.152.152.10
Address:        10.152.152.10#53
Non-authoritative answer:
Name:   vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion
Address: 10.192.0.1

When using nameserver 172.27.100.1 ...

nslookup vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion

The command will show.

Server:         172.27.100.1
Address:        172.27.100.1#53
** server can't find vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion: NXDOMAIN

The reason is .onion domains cannot be accessed when a VPN has been chained (userTorVPNInternet).

Resolving clearnet DNS should work.

nslookup riseup.net

The command should show.

Server:         172.27.100.1
Address:        172.27.100.1#53
Non-authoritative answer:
Name:   riseup.net
Address: 198.252.153.35

USAIP[edit]

For testing purposes, usaip.eu (USAIP)archive.org was used in the past. The primary reason was they were free and did not block the tested, outgoing UDP port. The free version of USAIP is only suitable for testing purposes, because this version forcibly disconnects every seven minutes. For longer and serious/stable use, another VPN account is necessary. If you would still like to learn more, please press on expand on the right.

Info At the time of writing, it appeared that USAIP was probably blocking TLS, therefore the following command is possibly non-functional: UWT_DEV_PASSTHROUGH=1 curl --tlsv1.3 https://check.torproject.org

1. Install OpenVPN.

sudo apt install openvpn

2. Navigate to USAIParchive.org and source the free test.

  • click on Free Demoarchive.org
  • download usaip.zip (this contains the OpenVPN configuration files)
  • unpack the file

3. Open a terminal.

Navigate to the USAIP folder.

cd usaip

List the available files.

dir

4. Connect to a free VPN.

For example, run.

sudo openvpn /home/user/usaip/eu-luxemburg.ovpn

At the time of writing, the page stated, the password was demo, while the password was also demo.

Wait until it has connected. If it is successful, it will show "Initialization Sequence Completed". If the connection does not succeed for some unknown reason, then try replacing eu-luxemburg.ovpn from the above example with another <country>.ovpn from the USAIP folder.

Note: DNS settings have not been considered in this entry.

Using a Graphical User Interface[edit]

KDE Network Manager[edit]

This entry is useful if you want to install the KDE Network Manager. If you would like to see more information, please press on expand on the right.

sudo apt install network-manager-kde

Start menuSystem SettingsNetwork Settings

At the time of writing the former, there is no OpenVPN instructions for KDE on riseup website (removed). Another guide for KDE Network Manager might be found via Internet research, or use the command line based examples above.

Also, do not be concerned if you cannot see the Whonix-Workstation (virtual) wired network interface to Whonix-Gateway; see footnote. [3]

GNOME Network Manager[edit]

It is usually possible to integrate GNOME applications. If you would like to see more information, please press on expand on the right.

In the case of GNOME Network Manager, more fiddling is required because upstream developers wanted to make GNOME and KDE as compatible as possible. This means that one settings manager will not show up when the other desktop has been started in a dual (KDE, GNOME) installation.

If you want to install the GNOME Network Manager, run.

sudo apt install network-manager-gnome network-manager-openvpn-gnome

Autostart GNOME Network Manager[edit]

If you want to autostart GNOME Network Manager, follow these steps.

1. Open /etc/xdg/autostart/nm-applet.desktop with root rights.

Open file /etc/xdg/autostart/nm-applet.desktop in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

Qubes-Whonix

NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/xdg/autostart/nm-applet.desktop

2. Comment out.

NotShowIn=KDE;

Visible nm-applet Start Menu Entries[edit]

If you want to make the nm-applet start menu entries visible and to start it manually, follow these steps.

1. Open /usr/share/applications/nm-applet.desktop.

Open file /usr/share/applications/nm-applet.desktop in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

Qubes-Whonix

NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /usr/share/applications/nm-applet.desktop

2. Comment out.

NotShowIn=KDE;

3. Add.

Categories=GNOME;GTK;Settings;X-GNOME-NetworkSettings;

Visible nm-connection-editor Start Menu Entries[edit]

If you want to make the nm-connection-editor start menu entries visible and to start it manually, follow these steps.

1. Open nm-connection-editor.desktop.

Open file /usr/share/applications/nm-connection-editor.desktop in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

Qubes-Whonix

NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /usr/share/applications/nm-connection-editor.desktop

2. Comment out.

NotShowIn=KDE;

3. Open the settings.

Applications → Settings → Network Connections

Alternatively, you could also try the Riseup OpenVPN instructions for GNOMEarchive.org.

Footnotes[edit]

  1. https://riseup.net/en/vpn/linuxarchive.org
  2. https://en.wikipedia.org/wiki/Nslookuparchive.org
  3. That is still managed by the ordinary ifupdown way.
    • /etc/network/interfaces
    • /etc/network/interfaces.d/30_non-qubes-whonix
    See Dev/Network Manager for further information on why network-manager is not used by default in Whonix.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!