Add VPN in whonix gateway

Hello
In the whonix description there is written

Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey “Q”) → Template: whonix-gw → Whonix User Firewall Settings

Do I make these changes in whonix-gw or in sys-whonix?
Because subsequently it is written

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey “Q”) → Whonix-Gateway ProxyVM (commonly named sys-whonix) → Reload Whonix Firewall

Thank you

The changes should be done in the root image, i.e. in the TemplateVM, otherwise they do not persist as per general Qubes default. Does that answer your question?

sys-whonix - if it is a StandaloneVM - make changes in sys-whonix.

Otherwise if it is TemplateBasedVM (default), then these changes need to be made in the root image, i.e. in the TemplateVM. Otherwise these changes would not persist as per general Qubes default.

In Whonix 13 it will be possible to use /rw/config/whonix_firewall.d/.

Same was discussed here:
Customizing Whonix Firewall / torified dom0 upgrades

Yes, there are gateway and workstation connected to sys-whonix, then I have to make changes in sys-whonix

Not sure you are on the wrong track. Just verify after reboot if changes persist and I am sure you figure out.

I added in /50_user in whonix-gw
VPN_FIREWALL=1
VPN_SERVERS="ip address of my vpn"
and skip all the other lines

After reload firewall in sys-whonix

There is a problem: Tor doesn’t connect, tried vpn like a normal vpn on the host instead in gateway, but bootstrap stops at 45%.
Strange, I use it in ubuntu/debian with virtualbox/kvm like virtualization. Can be a problem with xen?

The problem is very unlikely xen.

Add .conf to your config files as in Whonix 13 (which is soon to be released) config files without that file extension will be ignored.

Connecting to a VPN before Tor contains quite some advice for troubleshooting. Press the expand button. Test if you are able to connect using your VPN - Result?
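
A check for two failure modes that come up in this thread (a settings file without the .conf extension, and VPN_SERVERS left as placeholder text), as an added example that is not part of the original posts or of Whonix's own tooling. The function names, the directory argument, the lexical ordering of files and the reading of VPN_SERVERS as space-separated IPv4 addresses are assumptions.

```shell
#!/bin/sh
# Added example: lint a Whonix firewall settings directory without sourcing it.

# Print the last assignment of VAR found in DIR/*.conf, comments and quotes removed.
# Assumption: files apply in lexical order, so the last assignment wins.
fw_value() {
    dir=$1 var=$2
    cat "$dir"/*.conf 2>/dev/null |
        sed -n "s/^[[:space:]]*$var=//p" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Print findings for DIR; return 0 when clean, 1 otherwise.
check_fw_dir() {
    dir=$1 rc=0
    # Per the thread, Whonix 13 ignores settings files without .conf.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.conf) ;;
            *) echo "IGNORED: $f lacks the .conf extension"; rc=1 ;;
        esac
    done
    enabled=$(fw_value "$dir" VPN_FIREWALL)
    servers=$(fw_value "$dir" VPN_SERVERS)
    if [ "$enabled" != 1 ]; then
        echo "VPN_FIREWALL is not set to 1 in any .conf file"; rc=1
    fi
    if [ -z "$servers" ]; then
        echo "VPN_SERVERS is empty"; rc=1
    fi
    # Assumption: VPN_SERVERS holds one or more space-separated IPv4 addresses.
    for s in $servers; do
        if ! printf '%s\n' "$s" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "VPN_SERVERS entry is not an IPv4 address: $s"; rc=1
        fi
    done
    return $rc
}
```

Run `check_fw_dir /etc/whonix_firewall.d` in the VM where the settings were edited, and again after a reboot of sys-whonix to see whether the file persisted.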

Added .conf to config file, used my VPN with browser and works. Restarted Tor manually as says the topic and I see that Tor is Active (in green) but Tor bootstrap always fails.

Hi
Done some test (only with VPN on the host)
Using a new VPN, finally connected to Tor. Start whonix-check in whonix-sys and after 10 minutes arrives to 2/3 of loading, start also whonix-check in gateway and after another 10 minutes (always 2/3 for sys and 1/2 for gw loading) crash VPN.
Restart VPN and run gw and ws, this time I open the konsole of both, run sudo apt-get update and after the first 4-5 lines of loading, crash another time VPN.
Change, use the VPN that yesterday can’t connect but today there isn’t problems (my VPN never had because I utilize it daily). Here there isn’t crash because when I run command in the konsole the result is:
"Failed to fetch http://deb.qubes-os.org…cannot initiate the connection to 10.137.255.254:8082 (10.137.255.254). -connect (111:connection refused)"
as well as all the others

Whonix-check of gw gives this result:
Socksport test result: Connected to Tor IP: 128.52.128.105
Error: whonix news result. Download of Whonix News file failed
Warning: Debian Package Update Check Result: Could not for software updates! apt-get code 100
Please manually check inside your "whonix-gw TemplateVM …
Info: Whonix APT repository Enabled …

When I open gw always shows this windows
Whonix-Gateway NetVM required for updates
Please ensure that this TemplateVM has a Whonix-Gateway as its NetVM
No updates are possible without an active(running) Whonix-Gateway VM

That one is unrelated:
https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway

Did you run the VPN in the whonix-gw TemplateVM? That you should not do. Because the whonix-gw TemplateVM “is more like a workstation” (because it is behind sys-whonix, it is not sys-whonix).

It works (sudo touch…), but I have to run it each time (I ran on sys and gw)

Did you run the VPN in the whonix-gw TemplateVM? That you should not do. Because the whonix-gw TemplateVM “is more like a workstation” (because it is behind sys-whonix, it is not sys-whonix).

Overwritten 50_user.conf (on sys already existed, I don’t know what there was inside) with VPN_FIREWALL=1 and VPN_SERVERS=“ip address” and works fine (without additional vpn on the host). I want to be sure that VPN is setup correctly (I don’t want that TOR run because there isn’t)
How do I do?

If it is all ok, now the question is why with VPN on the host, TOR is very,very slow?

Click Connecting to a VPN before Tor, press expand, see Leak Tests.

Doesn’t work… when I shutdown sys and open, 50_user.conf is empty. Yesterday it is connected to my ip. I can’t give an explanation, try with a new installation but this time I install whonix VM manually after Qubes

Because changes in the root image do not persist in TemplateBasedVMs and need to be done in the TemplateVM. Are you aware of this standard Qubes behavior?

The firewall changes are fine in the whonix-gw TemplateVM. Running the actual OpenVPN daemon should be avoided in the TemplateVM and should better be run inside sys-whonix.

Solved the slowness of VPN

Installed openvpn network gnome but when open the interface I can’t modify anything.

jamesferkin:

Solved the slowness of VPN

How?

Installed openvpn network gnome but when open the interface I can’t modify anything.

Probably unspecific to Whonix, can you fix it as per Free Support for Whonix?

VPN on host has been setup with PPTP that in Qubes doesn’t work
“Limitations
Only tested with OpenVPN. Most other VPN’s have deficiencies anyway”

That is out of context. A misquote.

PPTP is so insecure that you can leave it aside for this purpose anyhow. This fact you can verify by using a search engine looking for “PPTP security”.

That is what meant by the quote.