Confused about VPN setup (Firewall)

Hi,

I'm trying to follow the guide to install a VPN inside the Gateway (since I can't post links: the Whonix wiki article "Connecting to a VPN before Tor"), but I'm getting a bit confused by the two firewall options. At the beginning the guide says:

When applying VPN instructions inside Whonix VMs, do not use the standalone VPN-Firewall. It is not required and is incompatible with the integrated Whonix TUNNEL_FIREWALL feature which is documented below.

But a few lines later I’m being instructed to set VPN_FIREWALL=1 in my User Firewall Config.

Add the following settings: 

## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABELD BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1

To make this even more confusing: If I open the global Firewall Config there is the following comment:

##############################
## Tunnel Firewall Settings ##
##############################

## Make sure Tor always connects through the tunnel (such as VPN).
## Enable: 1
## Disable: 0
## DISABELD BY DEFAULT, because it requires a tunnel provider.
## (Previously this option was called 'VPN_FIREWALL=1'.)
#TUNNEL_FIREWALL_ENABLE=true

So I don't understand what the correct way to go is here. Are VPN_FIREWALL and TUNNEL_FIREWALL two different things, as it sounds in the first quote (with VPN_FIREWALL being discouraged)? Is VPN_FIREWALL the correct switch to enable, as it sounds in the second quote, or is TUNNEL_FIREWALL just the new name for what was previously called VPN_FIREWALL, and should I set TUNNEL_FIREWALL_ENABLE=true?

Standalone VPN-Firewall is a different GitHub repository. That the settings have the same name is unfortunate, but ignore it.

Just don’t focus on this. Just ignore this. Don’t be confused. Proceed normally. End of story. Really.


Quote /usr/libexec/whonix-firewall/firewall-common:

  ## Legacy.
  ## Whonix-Gateway firewall does not support TUNNEL_FIREWALL_ENABLE=true yet.
  ## It only supports VPN_FIREWALL="1".
  ## In case someone confused this setting, i.e. using TUNNEL_FIREWALL_ENABLE=true
  ## since this is how it is done on Whonix-Workstation, then gracefully enable
  ## VPN_FIREWALL="1" to prevent users shooting their own feet.
  [ -n "${TUNNEL_FIREWALL_ENABLE:-}" ] || TUNNEL_FIREWALL_ENABLE=""
  [ -n "${VPN_FIREWALL:-}" ] || VPN_FIREWALL=""
  if [ "${TUNNEL_FIREWALL_ENABLE}" = "true" ]; then
    VPN_FIREWALL="1"
  fi
  if [ "${VPN_FIREWALL}" = "1" ]; then
    TUNNEL_FIREWALL_ENABLE="true"
  fi

Meaning: Whichever you choose, it will be OK.

This is only in the Whonix-Workstation config file /etc/whonix_firewall.d/30_whonix_workstation_default.conf which you should not see/open when using Whonix-Gateway.

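As an added illustration of the aliasing logic quoted above (this is example code, not part of Whonix or of the thread), the following POSIX sh script reads a whonix_firewall.d-style drop-in, applies the same legacy mapping between VPN_FIREWALL="1" and TUNNEL_FIREWALL_ENABLE=true, and reports which state is effective. It assumes the simple KEY=VALUE format with `#` comments shown in the thread; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Whonix's own code. Reports the effective tunnel-firewall
# state of one config drop-in, honouring the legacy VPN_FIREWALL alias exactly
# as the quoted firewall-common snippet does.
# Assumptions: one KEY=VALUE per line, '#' starts a comment (a '#' inside a
# quoted value is not supported), values may be wrapped in "..." or '...'.

# effective_tunnel_firewall FILE  ->  prints "enabled" or "disabled"
effective_tunnel_firewall() {
  TUNNEL_FIREWALL_ENABLE=""
  VPN_FIREWALL=""
  # read -r without IFS= so leading/trailing whitespace is trimmed for us;
  # the || [ -n ] clause keeps a final line that lacks a newline
  while read -r line || [ -n "$line" ]; do
    # drop comments and any whitespace left in front of them
    line=$(printf '%s\n' "$line" | sed 's/#.*//; s/[[:space:]]*$//')
    [ -z "$line" ] && continue
    case "$line" in
      *=*) ;;
      *) continue ;;   # not an assignment, ignore
    esac
    key=${line%%=*}
    value=${line#*=}
    # strip one pair of surrounding quotes, if present
    case "$value" in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    case "$key" in
      TUNNEL_FIREWALL_ENABLE) TUNNEL_FIREWALL_ENABLE=$value ;;
      VPN_FIREWALL) VPN_FIREWALL=$value ;;
    esac
  done < "$1"

  # same mapping as the quoted snippet: either spelling switches on both
  if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
    VPN_FIREWALL="1"
  fi
  if [ "$VPN_FIREWALL" = "1" ]; then
    TUNNEL_FIREWALL_ENABLE="true"
  fi

  if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
    echo enabled
  else
    echo disabled
  fi
}

# Stand-alone demonstration on a constructed drop-in: the commented-out
# TUNNEL_FIREWALL_ENABLE line is ignored, the legacy VPN_FIREWALL=1 still counts.
demo_file=$(mktemp)
printf '%s\n' \
  '## Make sure Tor always connects through the tunnel (such as VPN).' \
  '#TUNNEL_FIREWALL_ENABLE=true' \
  'VPN_FIREWALL=1   ## legacy spelling, still honoured' \
  > "$demo_file"
printf 'sample drop-in: %s\n' "$(effective_tunnel_firewall "$demo_file")"
rm -f "$demo_file"
```

Point it at your real drop-in (for example `/etc/whonix_firewall.d/50_user.conf`, a path assumed here) to confirm that whichever spelling you chose ends up enabled.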

Oh yes, I was mixing this up. Thank you for clarifying.