No, unless reinventing Whonix TUNNEL_FIREWALL / standalone VPN-Firewall.
Yes, there is a fail-closed mechanism.
And user root is not a good choice as the tunnel user because many things run under user root. The basic idea behind the fail-closed mechanism is “only have the OpenVPN process” or “only have the tunnel user” allowed to establish external network connections.
Is it safer to run openvpn under a regular user?
As far as I understand, using this setup I lose the fail-closed mechanism only.
And the only problem is that when the VPN server is down my connections will go via Tor?
I think it is not so bad in terms of privacy and anonymity.
I have the same problem, the instructions are also not working for me. Openvpn is unable to connect to an openvpn server on tcp port 443 inside Whonix Workstation. I followed every step in the guide closely. If you want me to, I can elaborate on the exact configuration changes I’ve made. What troubleshooting options do I have left?
I have updated my previous message. One thing I’ve noticed is that the openvpn example in the documentation tries to connect to port 80, and I’m trying to connect to 443. Does the firewall somehow block port 443? What other troubleshooting options do I have? What else do you want me to post? I can post all the changes I’ve made if you would like me to.
No. The tunnel user under which openvpn is running is free to do anything.
Full openvpn connection log of 1 attempt. You can redact IP, times and provider name for privacy reasons and since it’s mostly irrelevant. Same for openvpn.conf.
Perhaps your VPN provider is blocking connections from the Tor network? Please ask your VPN provider if that could be the case.
Perhaps your VPN provider does not support TCP?
Can you use OpenVPN using the standard instructions without the fail-closed mechanism for testing purposes only? Then we could rule out that we are chasing a ghost here, namely a configuration or (less likely) Whonix issue.
Ah, you are correct, it is able to run manually. My provider does not block Tor and allows 443. Just not automatically while enabling the systemd service.
Maybe this is because systemd runs it as root? I did specify user tunnel in the openvpn configuration file. I enabled the configuration file with sudo systemctl enable openvpn@country and the configuration file sits at /etc/openvpn/country.conf. Here’s the connection log:
Thu Aug 11 12:33:10 2016 OpenVPN 2.3.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Thu Aug 11 12:33:10 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Thu Aug 11 12:33:10 2016 WARNING: file 'pass' is group or others accessible
Thu Aug 11 12:33:10 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Aug 11 12:33:10 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu Aug 11 12:33:10 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 12:33:10 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 12:33:10 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Aug 11 12:33:10 2016 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Aug 11 12:33:10 2016 Attempting to establish TCP connection with [AF_INET]xx:443 [nonblock]
Thu Aug 11 12:33:20 2016 TCP: connect to [AF_INET]xxx:443 failed, will try again in 5 seconds: Connection timed out
Also tried to disable the whonix workstation firewall, but didn’t have an effect.
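The log above contains the OpenVPN note that the UID/GID downgrade is delayed because of --client/--pull, which means the TCP connect is attempted while the process still runs as root, before it switches to the tunnel user. Whether a user-based fail-closed firewall then blocks that root-owned socket depends on its rule set, which this thread does not show. As an added troubleshooting aid (not code from the thread or from Whonix), the following Python script scans OpenVPN client log lines for that note, for connect timeouts and for the insecure credentials-file warning, and it parses the Uid: line of /proc/<pid>/status so you can verify that a running openvpn process has fully switched to the tunnel user. The log excerpt and the /proc status texts are constructed samples, and UID 1001 for the tunnel user is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant lines from the OpenVPN log in the post
# above, with the server address redacted the way the poster did.
SAMPLE_LOG = """\
Thu Aug 11 12:33:10 2016 WARNING: file 'pass' is group or others accessible
Thu Aug 11 12:33:10 2016 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Aug 11 12:33:10 2016 Attempting to establish TCP connection with [AF_INET]xx:443 [nonblock]
Thu Aug 11 12:33:20 2016 TCP: connect to [AF_INET]xxx:443 failed, will try again in 5 seconds: Connection timed out
"""

# Constructed sample of /proc/<pid>/status for a process that still runs
# entirely as root (real, effective, saved and filesystem UID all 0).
SAMPLE_STATUS_ROOT = "Name:\topenvpn\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
# Same, for a process that has fully switched to an assumed UID 1001 ("tunnel").
SAMPLE_STATUS_TUNNEL = "Name:\topenvpn\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n"

_DELAYED = "UID/GID downgrade will be delayed"
_TIMEOUT = re.compile(r"TCP: connect to .* failed.*Connection timed out")
_INSECURE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")


def analyze_openvpn_log(text: str) -> Dict[str, object]:
    """Scan OpenVPN client log lines for the conditions that matter when a
    user-based fail-closed firewall is in place and return structured findings."""
    downgrade_delayed = False
    timeouts = 0
    insecure_files: List[str] = []
    for line in text.splitlines():
        if _DELAYED in line:
            downgrade_delayed = True
        if _TIMEOUT.search(line):
            timeouts += 1
        m = _INSECURE.search(line)
        if m:
            insecure_files.append(m.group(1))

    findings: List[str] = []
    if downgrade_delayed and timeouts:
        findings.append(
            "TCP connect is attempted before OpenVPN drops to the tunnel user, "
            "so the socket is opened while the process is still root; compare "
            "the UID your egress rule permits with the UID that actually "
            "opens the socket."
        )
    for f in insecure_files:
        findings.append(f"credentials file {f!r} is readable by group/others; "
                        "restrict it to the owning user (mode 0600)")
    return {
        "downgrade_delayed": downgrade_delayed,
        "connect_timeouts": timeouts,
        "insecure_files": insecure_files,
        "findings": findings,
    }


def parse_proc_uids(status_text: str) -> Dict[str, int]:
    """Extract real/effective/saved/filesystem UIDs from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            real, eff, saved, fs = (int(x) for x in line.split()[1:5])
            return {"real": real, "effective": eff, "saved": saved, "fs": fs}
    raise ValueError("no Uid: line found")


def runs_entirely_as(status_text: str, uid: int) -> bool:
    """True only if every UID slot equals `uid`: a partially dropped process
    (for example saved UID still 0) could regain root and is not 'the tunnel user'."""
    return all(v == uid for v in parse_proc_uids(status_text).values())


if __name__ == "__main__":
    for finding in analyze_openvpn_log(SAMPLE_LOG)["findings"]:
        print("-", finding)
    # On a live system read open("/proc/<pid>/status").read() instead of the samples.
    print("root sample fully tunnel user?", runs_entirely_as(SAMPLE_STATUS_ROOT, 1001))
    print("tunnel sample fully tunnel user?", runs_entirely_as(SAMPLE_STATUS_TUNNEL, 1001))
```

Run it against a real log with `analyze_openvpn_log(open("/var/log/syslog").read())` or the journal output for the openvpn@ unit, and feed `runs_entirely_as` the contents of /proc/<pid>/status for the openvpn PID; a process that still shows 0 in any UID slot is, from the firewall's point of view, not the tunnel user.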