User → Tor → VPN → Internet

Introduction[edit]

By design, a VPN routes all your applications -- those without any proxy settings -- through the VPN. This may be undesirable as explained below; for example, it increases the threat of identity correlation. To circumvent this possibility, only use this Whonix-Workstation ™ for particular applications that should be routed through the tunnel-link. Refer to the Multiple Whonix-Workstation ™ wiki chapter for further instructions.

Security Precautions[edit]

Prevent Bypassing of the Tunnel-Link[edit]

sudoedit /etc/uwt.d/50_user.conf

uwtwrapper_global="0"

cd ~/tor-browser_en-US

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

export TOR_TRANSPROXY=1

sudoedit /etc/environment

TOR_TRANSPROXY=1
## newline at the end

sudoedit /etc/apt/sources.list /etc/apt/sources.list.d/*

sudoedit /etc/torbrowser.d/50_user.conf

TB_NO_TOR_CON_CHECK=1
CURL_PROXY="--fail"

Use a Fail Closed Mechanism[edit]

A general problem with VPNs is that connections often fail to remain open. This means the VPN connection suddenly closes, leaving the user directly connected to the Internet (without first tunneling through the VPN). This is not a Whonix ™-specific problem. VPN servers and software can occasionally fail without prior notice. Therefore, if the VPN is unreachable or the connection breaks down for whatever reason, in most cases the user will continue to connect to the Internet without the VPN.

One of the key benefits of Whonix ™ is that when a VPN connection fails, protection is still provided by the Tor process. In this instance, the Whonix-Workstation ™ will seamlessly continue to make "direct" connections through Tor. Failure of the VPN tunnel may be inconsequential if a VPN is only used to circumvent Tor censorship. On the other hand, if VPN use is intended to improve security, then it must be configured so that if/when the VPN connection fails, all connections between the outside world and the computer are halted.

Instructions below include a fail closed mechanism.

VPN Client Choice[edit]

It is recommended to utilize OpenVPN. Other VPN clients are unsupported because we are unaware of any sane VPN client choice besides OpenVPN.

Using Bitmask VPN ^[archive] for this use case is not possible. ^[8] In other words, you cannot use user → Tor → bitmask → Internet. ^[9]

Set Up Tor before a VPN (User → Tor → VPN → Internet)[edit]

Introduction[edit]

Two configurations are available:

• Qubes-Whonix ™ users have the option of a Separate VPN-Gateway, but could also use Inside Whonix-Workstation ™ instructions.
• Non-Qubes-Whonix ™ users should prefer Inside Whonix-Workstation ™ instructions.

Separate VPN-Gateway[edit]

This configuration has a separate VPN-Gateway between Whonix-Gateway ™ and Whonix-Workstation ™: Whonix-Workstation ™ → VPN-Gateway → Whonix-Gateway ™.

User → Tor → VPN → Internet

Notes:

• No DNS configuration is required when using a separate VPN Gateway and system DNS should work out of the box. ^[12]
• For troubleshooting, see footnote. ^[13]
• Whonix ™ user forum discussion: Set up a VPN in ProxyVM over sys-whonix ^{[archive] [14]}
• The following warning will appear when using Tor Browser and is expected (see technical footnote): ^[15]

Something Went Wrong!
Tor is not working in this browser.

Inside Whonix-Workstation ™[edit]

This configuration will connect to the VPN using your preferred software inside the (Whonix ™-)Workstation.

Note that UDP-style VPN connections are incompatible with Tor; the VPN must be configured to use TCP. ^[16] This requires adding proto tcp to the VPN configuration file /etc/openvpn/openvpn.conf. Nearly all VPN providers support this configuration.

User → Tor → VPN → Internet

Whonix ™ TUNNEL_FIREWALL vs Standalone VPN-Firewall[edit]

When applying VPN instructions inside Whonix ™ VMs, do not use the standalone VPN-Firewall. It is not required and is incompatible with the integrated Whonix ™ TUNNEL_FIREWALL feature which is documented below.

Preparation[edit]

It is challenging to set up OpenVPN on Whonix ™ with a secure, leak-preventing Fail Closed Mechanism. For this reason, it is strongly recommended to learn how to set up OpenVPN on Debian stable (currently bullseye). The following steps are a simple overview of the process:

1. Prepare a Debian bullseye VM.
2. Install the Debian OpenVPN package: sudo apt install openvpn.
3. Research how to set up a VPN using OpenVPN on the command line. ^[17]
4. Search for help with general VPN setup in the VPN Setup section or in the VPN Tunnel Setup Examples chapter. Help is available from various sources, and the VPN provider may also be of assistance.

Prerequisite Knowledge[edit]

Before proceeding, it is strongly recommended to read and understand the Whonix Debian Packages chapter.

Firewall Settings[edit]

Modify Whonix-Workstation ™ User Firewall Settings

sudo mkdir -p /usr/local/etc/whonix_firewall.d

sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name}} is updated, this
## file may be overwritten.

nano /etc/whonix_firewall.d/30_whonix_workstation_default.conf

Add the following settings.

WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true

Save.

Reload Firewall[edit]

Reload Whonix-Workstation ™ Firewall.

sudo whonix_firewall

sudoers Configuration[edit]

Open file /etc/sudoers.d/tunnel_unpriv in an editor with root rights.

sudoedit /etc/sudoers.d/tunnel_unpriv

Edit the file so the text looks looks like the following code block.

Note: This might include removing comments (#) and adding text. Do not remove the lines with double hashes (##).

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty
Defaults:tunnel env_keep += script_type
Defaults:tunnel env_keep += dev

Save and exit.

VPN Setup[edit]

Introduction[edit]

Get VPN Certificate[edit]

1. Inspect the Riseup Certificate Authority ^[archive] page and download (right-click) the Riseup CA certificate ^[archive]. ^[18]
2. Advanced users can optionally verify the Riseup CA certificate ^[archive] before storing it. ^[19]
3. Store the certificate in /etc/openvpn/RiseupCA.pem:

curl --tlsv1.3 --proto =https https://help.riseup.net/security/network-security/riseup-ca/RiseupCA.pem | sudo tee /etc/openvpn/RiseupCA.pem

VPN Credentials[edit]

For this example, for this step, a Riseup account is required. Unfortunately, the former free VPN service is no longer available. ^[20] This means to create an account you will need an "invite code" from a current Riseup user.

• If you have one:
  • 1. Navigate to the account creation page ^[archive] in Tor Browser.
  • 2. Enter the invite code.
  • 3. Choose a username unrelated to your real identity.
  • 4. Enter a strong password.
• If you do not have an invite code:
  • Please do not ask Whonix ™ developers or forums for an invite code because none will be available.
  • Instead tailor the instructions in this section to work with any other OpenVPN provider.

1. Open file /etc/openvpn/auth.txt in an editor with root rights.

sudoedit /etc/openvpn/auth.txt

2. Add.

Note: Replace riseupusername with the actual Riseup user name and replace vpnsecret with the actual user name and password or just go to https://account.riseup.net/ ^[archive], log in and click on "VPN".

riseupusername
vpnsecret

3 . Save and exit.

VPN IP Address[edit]

When editing the VPN configuration file the use of DNS hostnames is not supported. This means IP address(s) of the VPN must be used.^[21] Therefore, vpn.riseup.net cannot be used, but an IP address such as 198.252.153.226 should be used instead. To discover the IP address, check with the provider or use nslookup on the host. For example, to verify the actual IP address of the vpn.riseup.net DNS server, run.

nslookup vpn.riseup.net

VPN Configuration File[edit]

sudoedit /etc/openvpn/openvpn.conf

##############################
## VPN provider specific settings ##
##############################
auth-user-pass auth.txt

## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80

ca RiseupCA.pem

remote-cert-tls server

####################################
## TUNNEL_FIREWALL specific settings ##
####################################
client
dev tun0
persist-tun
persist-key

script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

user tunnel
iproute /usr/bin/ip_unpriv

############################################
## Connecting to Tor before a VPN specific settings #
############################################

proto tcp

Install resolvconf[edit]

Update the package lists.

sudo apt update

Install resolvconf. ^[24]

sudo apt install resolvconf

Users preferring not to install resolvconf should read the footnotes. ^[25]

DNS Configuration[edit]

sudoedit /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf

d       /run/resolvconf 0775    root      tunnel    -       -
d       /run/resolvconf/interface         0775      root    tunnel    -    -

sudo chown --recursive root:tunnel /run/resolvconf

sudo chmod --recursive 775 /run/resolvconf

sudoedit /etc/resolvconf/run/interface/original.resolvconf

Additional Setup[edit]

Configuration Folder Permissions[edit]

Since OpenVPN will be run under user tunnel, that user requires read access to the folder /etc/openvpn.

sudo chown -R tunnel:tunnel /etc/openvpn

sudo chown -R tunnel:tunnel /run/openvpn

systemd Setup[edit]

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

sudo systemctl enable openvpn@openvpn

sudo systemctl start openvpn@openvpn

sudo systemctl status openvpn@openvpn

resolvconf Adjustments[edit]

Restart resolvconf. ^[28]

sudo service resolvconf restart

Verify DNS Settings[edit]

sudo cat /etc/resolv.conf

nameserver 10.152.152.10

nameserver 10.137.3.1
nameserver 10.137.3.254

nameserver 10.5.0.1

systemcheck[edit]

systemcheck cannot work in this configuration out of the box. Perform the following steps to unbreak it.

sudoedit /etc/systemcheck.d/50_user.conf

systemcheck_skip_functions+=" check_tor_bootstrap "
systemcheck_skip_functions+=" check_tor_socks_port_reachability "
systemcheck_skip_functions+=" check_tor_socks_port "
systemcheck_skip_functions+=" check_tor_trans_port "
systemcheck_skip_functions+=" check_stream_isolation "
systemcheck_skip_functions+=" download_whonix_news "

## {{ Alternative to disabling check_tor_trans_port.

## Make the Tor TransPort test work by simulating the Tor SocksPort test succeeded.
#CHECK_TOR_RESULT_SOCKS_PORT=0

## Do not warn if Tor was not detected. (Will be the VPN.)
#SYSTEMCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1

## }}

## {{ Alternative to download_whonix_news.

## Download news through system default.
#CURL_PROXY_WHONIX_NEWS="--fail"

## }}

Qubes-specific[edit]

sudo mkdir /rw/config/qubes-bind-dirs.d

sudoedit /rw/config/qubes-bind-dirs.d/50_user.conf

binds+=( '/etc/sudoers.d/tunnel_unpriv' )
binds+=( '/etc/openvpn' )
binds+=( '/lib/systemd/system/openvpn@openvpn.service' )
binds+=( '/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service' )

/usr/lib/qubes/bind-dirs.sh umount

/usr/lib/qubes/bind-dirs.sh

Test[edit]

ping 8.8.8.8

nslookup check.torproject.org

whonixcheck_skip_functions="" \
CHECK_TOR_RESULT_SOCKS_PORT=0 \
WHONIXCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1 \
whonixcheck --function check_tor_trans_port

Additional Information[edit]

The procedure is complete. If you have any issues, refer to the Troubleshooting section below. Once the setup is functional, it is recommended to perform Leak Tests.

Troubleshooting[edit]

You can skip this troubleshooting chapter unless any difficulties are encountered.

ip_unpriv vs ip-unpriv[edit]

There are two similar, yet distinct projects: standalone VPN-FIREWALL and Whonix TUNNEL_FIREWALL. Although both are alike, there is one difference that might be encountered. For instance, in the VPN Configuration File section:

• Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
• Standalone VPN-FIREWALL uses ip-unpriv (hyphen)

Be sure to use the right version of ip unpriv depending on whether VPN-FIREWALL or Whonix TUNNEL_FIREWALL is in use.

50_openvpn_unpriv.conf vs 50_openvpn-unpriv.conf[edit]

Like the example above:

• Whonix TUNNEL_FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf ip_unpriv (underscore)
• Standalone VPN-FIREWALL uses /usr/lib/tmpfiles.d/50_openvpn-unpriv.conf ip-unpriv (hyphen)

Cannot ioctl TUNSETIFF[edit]

 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

In openvpn.conf do not use.

dev tun

Use.

dev tun0

Dev tun Mismatch[edit]

In openvpn.conf do not use.

dev tun

Use.

dev tun0

/run/openvpn/openvpn.status Permission denied[edit]

 Options error: --status fails with '/run/openvpn/openvpn.status': Permission denied

To avoid permission issues, do not:

• start OpenVPN as root; or
• use sudo openvpn.

Files in the /run/openvpn folder are owned by root, so they cannot be overwritten by the user tunnel.

debug start[edit]

To start debug, run the following commands successively.

sudo /usr/sbin/openvpn --rmtun --dev tun0

sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel

cd /etc/openvpn/

sudo -u tunnel openvpn /etc/openvpn/openvpn.conf

Linux ip link set failed[edit]

 Linux ip link set failed: external program exited with error status: 2

Use ip_unpriv as documented above.

DNS Configuration[edit]

This only applies if resolvconf is in use.

Permissions on two directories may need to be manually changed if they are not automatically applied. Check if changes are necessary with the following command.

ls -la /run/resolvconf

If the output lists tunnel as having read / write / execute permissions for both /run/resolvconf and /run/resolvconf/interface, then nothing needs modification. If tunnel is not listed as a group for one or both directories, then permissions need to be changed. In that case, run.

sudo chown --recursive root:tunnel /run/resolvconf

Then set the necessary permissions.

sudo chmod --recursive 775 /run/resolvconf

In /run/resolvconf, resolv.conf may or may not be owned by tunnel, depending on whether the systemd service has already started. There is no need to modify permissions on this file, as the permissions will change when the service starts.

Terminology for Support Requests[edit]

Phrases such as "over Tor" are ambiguous. Please do not coin idiosyncratic words or phrases, otherwise this leads to confusion. Please use the same terms that are consistently referenced in documentation, such as:

• Connect to a VPN Before Tor (User → VPN → Tor → Internet).
• Connect to Tor Before a VPN (User → Tor → VPN → Internet).
• And so on.

Always refer to the connection scheme when requesting support, such as:

• User → VPN → Tor → Internet, or
• User → Tor → VPN → Internet.

How to Submit a Support Request[edit]

Before submitting a support request for VPN-related issues, users are encouraged to follow the Free Support Principle to work towards a solution. Whonix ™ developers will use the reported information to determine if the issue is a technical problem (legitimate bug) and/or configuration error which is a common cause of VPN connectivity issues.

Before Whonix ™ developers will review the support request, the following information is required:

• Steps to reproduce the behavior. For example, list all command that were run up to this point. ^[29]
• A detailed explanation of actual behavior. Incomplete reports stating the "VPN does not work" will be rejected.
• Expected behavior. Reports simply stating "VPN works" will be rejected.

The following technical information is also necessary:

• All error messages.
• VPN logs from the debug start section:
  • This can be found using the Troubleshooting section on this page.
  • Redact all sensitive information such as VPN server IP addresses; see Never Post Full System Logs or Configuration Files for a rationale.
  • VPN logs are required because a configuration error and/or mismatch may not produce a noticeable error.
• Confirmation of whether the VPN configuration has been modified aside from the instructions on this page.
  • Note: Users are encouraged to troubleshoot their VPN issues in an effort to find a solution. However, if the VPN was modified with custom configuration options, a favorable outcome is less likely if this information is not shared with Whonix ™ developers.
• Confirmation of whether Whonix ™ is configured to use a second tunnel-link/proxy or bridge.
• If applicable, whether links to similar issues were found on the Whonix ™ forums ^[archive] and/or other offsite forums/resources.

Leak Tests[edit]

Introduction[edit]

It is important to verify the network traffic configuration enforces User → Tor → VPN → Internet and not only User → Tor → Internet. Therefore, it is recommended to run the following related leak tests inside Whonix-Workstation ™. Test Tor Browser, a uwt wrapper deactivated application, as well as a regular application for leaks.

Regular Application Test[edit]

Use curl without pre-configured stream isolation.

UWT_DEV_PASSTHROUGH=1 curl --silent --tlsv1.3 --proto =https https://check.torproject.org | grep IP

^{[30] [31]}

The output should show something similar to: Your IP address appears to be: xxx.xxx.xxx.xxx
It should also list the VPN's IP address.

uwt-wrapped Application Test[edit]

Connect to check.torproject.org.

curl --silent --tlsv1.3 --proto =https https://check.torproject.org | grep IP

^{[30] [32]}

Browser IP Test[edit]

This test can be skipped if Tor Browser will not be used through the VPN.

If everything was configured correctly, test the setup. Open https://check.torproject.org [archive] in Tor Browser. It will state "You are not using Tor." and the VPN's IP address will be visible. In fact this means the VPN was tunneled through Tor first because Whonix-Workstation ™ can not make any non-Tor connections by design (everything is tunneled over Tor).

DNS Leak Test[edit]

• DNS leak test.com ^[archive]
• DNS Leak Test ^[archive]
• Perfect Privacy VPN: DNS leak test ^[archive]
• Anonymster DNS leak test ^[archive]
• PureVPN DNS leak test ^[archive]
• Surfshark DNS leak test ^[archive]

Other Leak Tests[edit]

Advanced users can also run a host of additional, general leak tests that are unrelated to tunneling. However, these are more difficult to perform and are targeted at developers rather than general users. For further information, see: Leak Tests.

Footnotes[edit]

	100px
Fosshost	About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow:

Support:

Donate:

Priority Support | Investors | Professional Support

Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.