Add VPN in whonix gateway

jamesferkin · May 14, 2016, 12:13pm

Hello
In the whonix description there is written

Initially, if you have not made any changes to Whonix Firewall Settings, then Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty, because it does not exist. This is expected.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey “Q”) -> Template: whonix-gw -> Whonix User Firewall Settings

Do I make this changes in whonixgw or in sys whonix?
because subsequently there is written

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey “Q”) -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Reload Whonix Firewall

Thank you

Patrick · May 14, 2016, 1:14pm

The changes should be done in the root image, i.e. in the TemplateVM, otherwise they do not persist as per general Qubes default. Does that answer your question?

sys-whonix - if it is a StandaloneVM - make changes in sys-whonix.

Otherwise if it is TemplateBasedVM (default), then these changes need to be made in the root image, i.e. in the TempalteVM. Otherwise these changes would not persist as per general Qubes default.

In Whonix 13 it will be possible to use /rw/config/whonix_firewall.d/.

Same was discussed here:
Customizing Whonix Firewall / torified dom0 upgrades

jamesferkin · May 14, 2016, 3:29pm

Yes, there are gateway and workstation connected to sys-whonix, then I have to make changes in sys-whonix

Patrick · May 14, 2016, 3:32pm

Not sure you are on the wrong track. Just verify after reboot if changes persist and I am sure you figure out.

jamesferkin · May 14, 2016, 6:20pm

I added in /50_user in whonix-gw
VPN_FIREWALL=1
VPN_SERVERS="ip address of my vpn"
and skip all the other lines

After reload firewall in sys-whonix

There is a problem: Tor doesn’t connect, tried vpn like a normal vpn on the host instead in gateway, but bootstrap stops at 45%.
Strange, I use it in ubuntu/debian with virtualbox/kvm like virtualization. Can be a problem with xen?

Patrick · May 14, 2016, 6:36pm

The problem is very unlikely xen.

Add .conf to your config files as in Whonix 13 (which is soon to be released) config files without that file extension will be ignored.

https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#Additional_Tweaks_.2F_Recommendations_.2F_Troubleshooting contains quite some advice for troubleshooting. Press the expand button. Test if you are able to connect using your VPN - Result?

jamesferkin · May 14, 2016, 8:30pm

Added .conf to config file, used my VPN with browser and works. Restarted Tor manually as says the topic and I see that Tor is Active (in green) but Tor bootstrap always fails.

jamesferkin · May 15, 2016, 5:47pm

Hi
Done some test (only with VPN on the host)
Using a new VPN, finally connected to Tor. Start whonix-check in whonix-sys and after 10 minutes arrives to 2/3 of loading, start also whonix-check in gateway and after another 10 minutes (always 2/3 for sys and 1/2 for gw loading) crash VPN.
Restart VPN and run gw and ws, this time I open the konsole of both, run sudo apt-get update and after the first 4-5 lines of loading, crash another time VPN.
Change, use the VPN that yesterday can’t connect but today there isn’t problems (my VPN never had because I utilize it daily). Here there isn’t crash because when I run command in the konsole the result is:
"Failed to fetch http://deb.qubes-os.org…cannot initiate the connection to 10.137.255.254:8082 (10.137.255.254). -connect (111:connection refused)
as well as all the others

Whonix-check of gw gives this result:
Socksport test result: Connected to Tor IP: 128.52.128.105
Error: whonix news result. Download of Whonix News file failed
Warning: Debian Package Update Check Result: Could not for software updates! apt-get code 100
Please manually check inside your "whonix-gw TemplateVM …
Info: Whonix APT repository Enabled …

When I open gw always shows this windows
Whonix-Gateway NetVM required for updates
Please ensure that this TemplateVM has a Whonix-Gateway as its NetVM
No updates are possible without an active(running) Whonix-Gateway VM

Patrick · May 15, 2016, 6:08pm

That one is unrelated:
https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway

Patrick · May 15, 2016, 6:11pm

Did you run the VPN in the whonix-gw TemplateVM? That you should not do. Because the whonix-gw TemplateVM “is more like a workstation” (because it is behind sys-whonix, it is not sys-whonix).

jamesferkin · May 15, 2016, 8:24pm

It works (sudo touch…), but I have to run it each time (I ran on sys and gw)

Did you run the VPN in the whonix-gw TemplateVM? That you should not do. Because the whonix-gw TemplateVM “is more like a workstation” (because it is behind sys-whonix, it is not sys-whonix).

Overwritten 50_user.conf (on sys already existed, I don’t know what there was inside) with VPN_FIREWALL=1 and VPN_SERVERS=“ip address” and works fine (without additional vpn on the host). I want be sure that VPN is setup correctly (I don’t want that TOR run because there isn’t)
How do I do?

If it is all ok, now the question is why with VPN on the host, TOR is very,very slow?

Patrick · May 15, 2016, 10:23pm

Click https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#Additional_Tweaks_.2F_Recommendations_.2F_Troubleshooting, press expand, see Leak Tests.

jamesferkin · May 16, 2016, 11:49am

Doesn’t work… when I shutdown sys and open, 50_user.conf is empty. Yesterday it is connected to my ip. I can’t give a explaination, try with a new installation but this time I install whonix VM manually after Qubes

Patrick · May 16, 2016, 12:00pm

Because changes in the root image do not persist in TemplateBasedVMs and need to be done in the TemplateVM. Are you aware of this standard Qubes behavior?

Patrick · May 16, 2016, 12:32pm

The firewall changes are fine in the whonix-gw TemplateVM. Running the actual OpenVPN daemon should be avoided in the TemplateVM and should better be run inside sys-whonix.

jamesferkin · May 16, 2016, 9:33pm

Solved the slowness of VPN

Installed openvpn network gnome but when open the interface I can’t modify anything.

Patrick · May 16, 2016, 10:41pm

jamesferkin:

Solved the slowness of VPN

How?

Installed openvpn network gnome but when open the interface I can’t modify anything.

Probably unspecific to Whonix, can you fix it as per
https://www.whonix.org/wiki/Support#Free_Support_Principle ?

jamesferkin · May 17, 2016, 10:01am

VPN on host has been setup with PPTP that in Qubes doesn’t work
"Limitations
Only tested with OpenVPN. Most other VPN’s have deficiencies anyway"

Patrick · May 17, 2016, 11:13am

That is out of context. A misquote.

PPTP is so insecure that you can leave it aside for this purpose anyhow.
This fact you can verify by using a search engine looking for “PPTP
security”.

That is what meant by the quote.