DNS leaks with VPN -> TOR

Hi,
I use VPN on my Whonix Gateway to connect with TOR.

I managed to configure everything as in this tutorial. My fail-closed mechanism works great but I’m not sure if I should do something more to prevent OpenVPN DNS leaks? Normally I would edit /etc/resolv.conf and set static nameservers (VPN’s nameservers), but I’m not sure if that’s fine with Whonix. I don’t want to mess up something.

Thanks.

Feel free to edit that file, but be aware of this:

What should I put into that file?

I have working connection me -> VPN on W-Gateway -> TOR

I already set up VPN Firewall on W-Gateway by using built in fail closed mechanism.

Last thing to do is preventing from DNS leaks when using my VPN.

Normally when I use OpenVPN I always set VPN static nameserver in /etc/resolv.conf to avoid DNS leaks but I’m not sure if that is a good idea for Whonix.

My /etc/resolv.conf on Whonix Gateway contains this line:

nameserver 127.0.0.1

Is it a good idea to change it to:

#nameserver 127.0.0.1
nameserver MY.VPN.IP.NAMESERVER

?

You can do this, but it doesn’t really matter, because Whonix-Gateway has no functional system DNS for its own traffic by default and design anyhow.

(DNS requests you do in the workstation will still be resolved by Tor [in default config, unless you installed a VPN there as well or so]. But as you configured Tor on the gateway, any Tor connection will go through the VPN first as you expect.)

I understand then it makes more sense to edit /etc/resolv.conf on Whonix Workstation like in this example: VPN Tunnel Setup Examples

Editing on W-Gateway is pointless because Gateway has Torified nameservers?

For example if I had me → VPN → Tor → VPN connection I could edit /etc/resolv.conf on W-Workstation to prevent TOR DNS leaks from there?

Pointless yes, because when VPN_FIREWALL=1, no connections besides connections to the VPN server IP are allowed anyhow and because all applications using the network are configured to use Tor SocksPorts. System DNS on the gateway is neither desired nor needed for anything.

For example if I had me -> VPN -> Tor -> VPN connection I could edit /etc/resolv.conf on W-Workstation to prevent TOR DNS leaks from there?
Yes, that would make sense. Then you could prevent DNS from hitting Tor exit relays and rather let it go through the post-Tor-VPN.
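As an added illustration (written for this thread, not code from the Whonix project or from either poster), the following POSIX shell check classifies the nameserver entries of a resolv.conf against the model described in the replies above: a loopback entry is answered by Tor on the gateway, the VPN server IP is the only remote destination the VPN_FIREWALL=1 fail-closed rules let through, and any other address would be dropped by those rules (and is exactly the address that could leak on a system without them). The resolv.conf contents and the VPN server address are constructed sample values, not real configuration.

```shell
#!/bin/sh
# Added example: classify "nameserver" lines in a resolv.conf the way the
# Whonix-Gateway + VPN_FIREWALL=1 setup from the thread would treat them.
#
# classify_nameservers RESOLV_TEXT VPN_SERVER_IP
#   prints one line per nameserver: "<ip> <verdict>", where verdict is
#     tor      loopback, resolved by Tor on the gateway (no leak path)
#     vpn      the VPN server IP, the only remote destination the
#              fail-closed firewall permits
#     blocked  any other address: dropped by the firewall; without the
#              firewall this entry is the DNS leak path
classify_nameservers() {
    resolv="$1"
    vpn_ip="$2"
    printf '%s\n' "$resolv" | while IFS= read -r line; do
        line="${line%%#*}"              # drop comments ("#nameserver ..." too)
        set -- $line                    # split into words, ignoring indentation
        [ "${1:-}" = "nameserver" ] || continue
        ip="$2"
        case "$ip" in
            127.*|::1)   echo "$ip tor" ;;
            "$vpn_ip")   echo "$ip vpn" ;;
            *)           echo "$ip blocked" ;;
        esac
    done
}

# has_only_loopback RESOLV_TEXT VPN_SERVER_IP
#   returns 0 when every nameserver is loopback (the default gateway state),
#   1 when at least one entry points off-host.
has_only_loopback() {
    classify_nameservers "$1" "$2" | grep -qv ' tor$' && return 1
    return 0
}

# Constructed sample inputs (not taken from a real machine).
SAMPLE_GATEWAY_RESOLV='# constructed sample: default Whonix-Gateway
nameserver 127.0.0.1'

SAMPLE_EDITED_RESOLV='# constructed sample: edited as the question proposes
#nameserver 127.0.0.1
nameserver 10.8.0.1
nameserver 192.0.2.53'

VPN_SERVER_IP="10.8.0.1"   # constructed placeholder for the VPN server address

# Stand-alone demo output.
echo "default gateway resolv.conf:"
classify_nameservers "$SAMPLE_GATEWAY_RESOLV" "$VPN_SERVER_IP"
echo "edited resolv.conf:"
classify_nameservers "$SAMPLE_EDITED_RESOLV" "$VPN_SERVER_IP"
```

The interesting row is the third sample entry: with VPN_FIREWALL=1 it is simply unreachable, which is why the reply calls editing the gateway file pointless; on a Workstation in a VPN-after-Tor layout, the same classification tells you whether a resolver sits inside the post-Tor VPN or would be sent to a Tor exit.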