Alternative VPN setup

I’m setting up Workstation → TOR → VPN → Web

For some reasons this instructions do not work for me -

But I found other way to do it:
In “clean” Workstation I start
sudo openvpn --config vpn-config.ovpn
And untill I stop it all my connections go through VPN.

Is it possible to configure fail close mechanism here?

Are there some security problems with this setup comparing using integrated Whonix TUNNEL_FIREWALL feature?

No, unless reinventing Whonix TUNNEL_FIREWALL / standalone VPN-Firewall.

Yes, there is fail closed mechanism.

And user root is not a good choice as tunnel user because many things run under user root. The basic idea behind the fail closed mechanism is “only have the OpenVPN process” or “only have the tunnel user” allowed to establish external network connections.

Is it more safe to run openvpn under regular user?

As far as I understand using this setup I loose fail close mechanism only.
And the only problem is that when VPN server is down my connections will go via TOR?
I think it is not so bad in terms of privacy and anonymity.

Generally recommended.

I am myself skeptical about it:
Strong Linux User Account Isolation

I have the same problem, instructions are also not working for me. Openvpn is unable to connect to an openvpn server on tcp port 443 inside Whonix Workstation. Followed every step in the guide closely. If you want me to I can elaborate the exact configuration changes I’ve made. What troubleshooting options do I have left?

Connecting to Tor before a VPN ?

I have tried all of those

What was the result of the debug start?

Error opening configuration file when running: sudo -u tunnel openvpn /etc/openvpn/openvpn.conf

/etc/openvpn permissions are 755 and tunnel:tunnel

sudo chmod 755 -R /etc/openvpn
sudo chown tunnel:tunnel -R /etc/openvpn

Can’t find an answer so far to that error.

But basically all the troubleshooting command does is to start openvpn manually right? In that case bootstrapping openvpn gets stuck at:

Wed Aug 10 16:41:46 2016 TCP: connect to [AF_INET]ip-address:443 failed, will try again in 5 seconds: Connection timed out

Error message?

/etc/openvpn file permissions?

Fix them? ( Connecting to Tor before a VPN )

I have updated my previous message. One thing I’ve noticed is that the openvpn example in the documentation tries to connect to port 80, and I’m trying to connect to 443. Does the firewall somehow block port 443? What other troubleshooting options do I have? What else do you want me to post? I can post all the changes I’ve made if you would like me to.

No. The tunnel user under which openvpn is running is free to do anything.


Full openvpn connection log of 1 attempt. You can redact IP, times and provider name for privacy reasons and since it’s mostly irrelevant. Same for openvpn.conf.

Perhaps your VPN provider is blocking connections from the Tor network? Please ask your VPN provider if that could be the case.

Perhaps your VPN provider does not support TCP?

Can you use OpenVPN using the standard instructions without fail closed mechanism for testing purposes only? Then we could rule out we are chasing a ghost here, namely a configuration or (less likely) Whonix issue.

Ah you are correct, it is able to run manually. My provider does not block tor and allows 443. Just not automatically while enabling the systemd service.

Maybe this is because systemd runs it as root? I did specify user tunnel in the openvpn configuration file. I enabled the configuration file with sudo systemctl enable openvpn@country and the configuration file sits at /etc/openvpn/country.conf. Here’s the connection log:

Thu Aug 11 12:33:10 2016 OpenVPN 2.3.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Thu Aug 11 12:33:10 2016 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Thu Aug 11 12:33:10 2016 WARNING: file 'pass' is group or others accessible
Thu Aug 11 12:33:10 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Aug 11 12:33:10 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu Aug 11 12:33:10 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 12:33:10 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 12:33:10 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Aug 11 12:33:10 2016 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Aug 11 12:33:10 2016 Attempting to establish TCP connection with [AF_INET]xx:443 [nonblock]
Thu Aug 11 12:33:20 2016 TCP: connect to [AF_INET]xxx:443 failed, will try again in 5 seconds: Connection timed out

Also tried to disable the whonix workstation firewall, but didn’t have an effect.

Referencing: Debian jessie vm configured with a VPN vs whonix workstation configured with a VPN

Only openvpn@openvpn comes pre-configured.

usability-misc/50_unpriv.conf at master · Kicksecure/usability-misc · GitHub

1 Like

Thanks, this solved my problem.