I use a VPN on my Whonix Gateway to connect with Tor.
I managed to configure everything as in this tutorial. My fail close mechanism works great, but I’m not sure if I should do something more to prevent OpenVPN DNS leaks? Normally I would edit /etc/resolv.conf and set static nameservers (the VPN’s nameservers), but I’m not sure if that’s fine with Whonix. I don’t want to mess something up.
You can do this, but it doesn’t really matter, because Whonix-Gateway has no functional system DNS for its own traffic by default and design anyhow.
(DNS requests you do in the workstation will still be resolved by Tor [in default config, unless you installed a VPN there as well or so]. But as you configured Tor on the gateway, any Tor connection will go through the VPN first as you expect.)
Pointless, yes, because when VPN_FIREWALL=1, no connections besides connections to the VPN server IP are allowed anyhow and because all applications using the network are configured to use Tor SocksPorts. System DNS on the gateway is neither desired nor needed for anything.
For example, if I had a me -> VPN -> Tor -> VPN connection, could I edit /etc/resolv.conf on the W-Workstation to prevent Tor DNS leaks from there?
Yes, that would make sense. Then you could prevent DNS from hitting Tor exit relays and rather let it go through the post-Tor-VPN.
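For the workstation case discussed in the last two posts, a small check that every nameserver in a resolv.conf-style file belongs to the post-Tor VPN's resolver set. This is an added example, not part of the original thread or of Whonix; the function name unexpected_nameservers and the address 10.8.0.1 are assumptions standing in for your VPN provider's resolver.

```shell
#!/bin/sh
# Print every "nameserver" entry in a resolv.conf-style file that is NOT in
# the allowed set (the post-Tor VPN's resolvers), one per line.
# Usage: unexpected_nameservers FILE ALLOWED_IP...
# Returns 0 only if at least one nameserver is present and all are allowed.
unexpected_nameservers() {
    file=$1; shift
    allowed=" $* "          # space-padded so whole addresses are matched
    found=0
    bad=0
    # "|| [ -n "$key" ]" also handles a last line without trailing newline.
    while read -r key value rest || [ -n "$key" ]; do
        # Comment lines and other directives (search, options) are skipped.
        [ "$key" = "nameserver" ] || continue
        found=1
        case "$allowed" in
            *" $value "*) ;;                        # resolver is in the VPN set
            *) printf '%s\n' "$value"; bad=1 ;;     # resolver outside the set
        esac
    done < "$file"
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample: 10.8.0.1 stands in for the VPN's resolver (assumption),
# 192.168.1.1 for a resolver that should not be there.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'nameserver 10.8.0.1' \
    'nameserver 192.168.1.1' > "$sample"
leaks=$(unexpected_nameservers "$sample" 10.8.0.1) \
    || echo "nameservers outside the VPN set: $leaks"
rm -f "$sample"
```

Pointed at the real /etc/resolv.conf on the workstation, a non-zero return means some resolver other than the VPN's is configured, or none is configured at all.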