Tor before VPN problem

Henry · June 9, 2018, 9:35am

Added another Whonix-Workstation, with a new MAC created by VirtualBox, and 10.152.152.12 set in /etc/network/interfaces.d/30_non-qubes-whonix
Used Tor Browser Downloader, everything works well.
Ran sudo apt-get update && sudo apt-get dist-upgrade. Everything is good.
D/L VPN specific files from my VPN provider. Copied them to /etc/openvpn

5, Followed the instructions in Connecting to Tor before a VPN carefully, step by step

Once done and I ran

sudo service openvpn@openvpn start

I get no error messages.

When I run

sudo service openvpn@openvpn status

Initially everything looks good. Active: active (running) in green. And all the messages seem positive.
However there is no connection. When I repeat (after say 10 seconds)

sudo service openvpn@openvpn status

I get “Active: failed” in red, with the error:

host ovpn-openvpn[24580]: WARNING: Failed running command (–up/–down): external program exited with error status: 2

When I try to debug start on the command line as in the instructions, a long sequence of positive messages finally ends with:

sbin/resolvconf: 159: / sbin/resolvconf: cannot create tun0.openvpn_new.27993: permission denied
WARNING: Failed running command (–up/–down): external program exited with error status: 2

I tried to look in the toubleshooting section, I do use tun0 and not tun

0brand · June 9, 2018, 10:19am

Hi Henry,

Sorry your having trouble with your VPN configuration.

Could you please run the following command and post the output.

ls -al /run/resolvconf

Henry · June 9, 2018, 10:53am

Hi 0brand,

Thank you for your quick reply. Please see below:

user@host:/etc/openvpn$ ls -al /run/resolvconf
total 4
drwxr-xr-x 3 root tunnel 100 Jun 8 19:42 .
drwxr-xr-x 31 root root 840 Jun 8 19:40 …
-rw-r–r-- 1 root root 0 Jun 8 19:42 enable-updates
drwxrwxr-x 2 root tunnel 60 Jun 8 20:00 interface
-rw-r–r-- 1 root root 171 Jun 8 19:42 resolv.conf

Henry · June 9, 2018, 11:20am

I now noticed I had an extra line in the /etc/sudoers.d/tunnel-unpriv file, between

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty

and

Defaults:tunnel env_keep += script_type
Defaults:tunnel env_keep += dev

I removed that line, and I now get good results while running

sudo service openvpn@openvpn status

I also manage to get results for ping and nslookup.

However when I run something like

curl check.torproject.org

or

curl http://example.com/

or any other site, it just freezes.

Also, nothing gets loaded with Tor Browser.

When I debug again, I get:

/etc/resolvconf/update.d/libc: 133: /etc/resolvconf/update.d/libc: cannot create /etc/resolvconf/run/resolv.conf_new.4036: Permission denied
run-parts: /etc/resolvconf/update.d/libc exited with return code 2
WARNING: Failed running command (–up/–down): external program exited with error status: 1
Exiting due to fatal error

I now changed ownership and permissions, output of ls is now:

ls -al /run/resolvconf

drwxrwxr-x 3 root tunnel 100 Jun 8 21:17 .
drwxr-xr-x 31 root root 840 Jun 8 21:04 …
-rwxrwxr-x 1 root tunnel 0 Jun 8 21:02 enable-updates
drwxrwxr-x 2 root tunnel 60 Jun 8 21:17 interface
-rw-r–r-- 1 tunnel tunnel 171 Jun 8 21:17 resolv.conf

I noticed resolv.conf was

-rwxrwxr-x 1 root tunnel 151 Jun 8 21:02 resolv.conf

but when I restart the openvpn@openvpn service again, it changes back to:

-rw-r–r-- 1 tunnel tunnel 171 Jun 8 21:17 resolv.conf

After the changes in permissions / ownership, I debug again, and the only error I get it:

Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)

But it runs until

Initialization Sequence Completed

Doesn’t exit for some reason. When I break it, no connection to any site again.

Henry · June 9, 2018, 2:29pm

I think I solved it.

I previously skipped the section of “Prevent Bypassing of the Tunnel-Link” (I thought it’s optional), so ping and nslookup and traceroute worked but curl and wget and tor browser didn’t.

So I deactivate the uwt wrappers with

uwrtwrapper_global=“0”

in /etc/uwt.d/50_user.conf

and set

TOR_TRANSPROXY=1

in /etc/enviornment

and

TB_NO_TOR_CON_CHECK=1
CURL_PROXY=“–fail”

in /etc/torbrowser.d/50_user.conf

Then, I restarted the machine and… nothing worked! not even ping…

I then noticed the permissions I set before in /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf were wrong. I used 755 instead of 775 in one of the lines. I fixed it, restarted the service and things seem to work, including tor browser.

Hope it stays that way!

Henry · August 12, 2018, 5:30pm

Follow up on the above (which has been working smoothly since my last post).

If I upgrade from Whonix 13 to Whonix 14 using the instructions in Release Upgrade - Whonix, can it break the setup of Tor before VPN?

Patrick · August 12, 2018, 6:40pm

Could be, could not be.

ping btw:
Frequently Asked Questions - Whonix ™ FAQ

Henry · August 13, 2018, 3:53am

I see. So I’ll have to duplicate the VM first / create a snapshot or start from fresh. Will wait till I have some spare time.

Regarding ping in my initial posts, I wasn’t trying to ping the Gateway, I was pinging other sites from the Workstation. That works nicely when the Tor before VPN setup is done.