Ah you are correct, it is able to run manually. My provider does not block tor and allows 443. Just not automatically while enabling the systemd service.
Maybe this is because systemd runs it as root? I did specify user tunnel in the openvpn configuration file. I enabled the configuration file with sudo systemctl enable openvpn@country and the configuration file sits at /etc/openvpn/country.conf. Here’s the connection log:
Thu Aug 11 12:33:10 2016 OpenVPN 2.3.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Thu Aug 11 12:33:10 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Thu Aug 11 12:33:10 2016 WARNING: file 'pass' is group or others accessible
Thu Aug 11 12:33:10 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Aug 11 12:33:10 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu Aug 11 12:33:10 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 12:33:10 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 11 12:33:10 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Aug 11 12:33:10 2016 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Aug 11 12:33:10 2016 Attempting to establish TCP connection with [AF_INET]xx:443 [nonblock]
Thu Aug 11 12:33:20 2016 TCP: connect to [AF_INET]xxx:443 failed, will try again in 5 seconds: Connection timed out
Also tried to disable the whonix workstation firewall, but didn’t have an effect.
Referencing: Debian jessie vm configured with a VPN vs whonix workstation configured with a VPN