I have to use a VPN because Tor is blocked for me, and bridges are too slow to be practical. I’ve installed the VPN on my host, and I can use the normal TorBrowser just fine, but when I boot up the whonix gateway, it fails to connect. I looked at the virtual network settings for the gateway and saw that I can change it from “virtual network ‘default’ : NAT” to “host device [VPN] : macvtap”.
I think this might work, but I don’t know what consequences it will have. Is it safe to try this?
I wouldn’t change the settings - and this won’t work with Whonix 14+ because the GW relies on a static IP. Whether it’s NAT’d or not shouldn’t prevent the host from connecting to a VPN. There is something else preventing this from working.
Off-topic: Most of the countries that block Tor also block VPNs. OpenVPN adopted Tor’s obfsproxy plugins to bypass censorship.
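Following the reply above (NAT by itself should not break the path to the host’s VPN, so something else is wrong), here is an added host-side diagnostic script; it is not from any participant in this thread or from the Whonix project. It assumes a Linux host with iproute2 and virsh, that the VPN creates a tun*/tap*/wg* interface, and that the gateway is attached to libvirt’s ‘default’ NAT network.

```sh
#!/bin/sh
# Added example, not from the thread: host-side checks behind the reply
# that NAT alone should not stop a KVM guest from using the host's VPN.
# A NAT'd guest follows the host's routing table, so the questions are:
# does the host's default route go into the VPN tunnel, is IP forwarding on,
# and is the libvirt NAT network up? Interface names tun*/tap*/wg* and the
# network name 'default' are assumptions, not facts from the thread.

# Print the interface the host uses for traffic with no more specific route.
# OpenVPN's "redirect-gateway def1" installs 0.0.0.0/1 and 128.0.0.0/1 over
# the tunnel instead of replacing the default route, so a half-route wins
# over a plain "default" entry here. Reads `ip route` output on stdin.
egress_iface() {
    awk '
        { dev = ""; for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "0.0.0.0/1" { half = dev }
        $1 == "default"   { def = dev }
        END { if (half != "") print half; else if (def != "") print def }
    '
}

# Exit 0 when the egress interface looks like a VPN tunnel (tun*/tap*/wg*).
is_tunnel() {
    case "$1" in
        tun*|tap*|wg*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 when the sysctl value "1" says the host will forward guest packets.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Live check against the real host; only runs when invoked with --live.
live_check() {
    iface=$(ip route show | egress_iface)
    if is_tunnel "$iface"; then
        echo "OK: host default route leaves via VPN interface $iface"
    else
        echo "PROBLEM: host default route leaves via '$iface', not a tunnel"
    fi
    if forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "OK: ip_forward=1, host can forward the guest's packets"
    else
        echo "PROBLEM: ip_forward=0; libvirt normally enables it for NAT networks"
    fi
    virsh net-info default 2>/dev/null | grep -q '^Active: *yes' \
        && echo "OK: libvirt network 'default' is active" \
        || echo "PROBLEM: libvirt network 'default' is not active"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `sh check-vpn-path.sh --live` on the host while the VPN client is connected; every PROBLEM line is something that would break the gateway’s connectivity regardless of NAT versus macvtap.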
Why not try running the VPN on the GW? You can have a better chance there.
Because I’m using a GUI client from the VPN provider (it’s an open-source client with lots of options, like a fail-closed mechanism, that make it easier to use than plain OpenVPN) that has no command-line-only option, and I have to run the GW with 192 MB RAM without a desktop environment, because it freezes if I use the desktop environment. Same problem as the other guy who made the thread about this. Using plain OpenVPN is too difficult for me. I have no idea how to properly configure a firewall script to fail closed, even though I’ve read what I can find about it.
Just to be precise, the authors may be just as trustworthy, but even good people make mistakes. The code is definitely less trustworthy because it uses the OpenVPN code plus more GUI code. In addition, more people look at and review the OpenVPN code than the front-end of one VPN provider.
You are in a bit of a pickle because you have limited support options. You’re one of a handful of people who use Tor with KVM with a specific OpenVPN client. If it’s not a general VPN issue then KVM, Whonix, Tor, and OpenVPN support can’t really help you - especially without knowing what client you’re even referring to. I would try asking for help from the authors - if it’s open-source, you can probably post to the GitHub Issues page.
Before asking, you can make sure it’s not a KVM or Whonix issue by eliminating some possibilities:
The code is definitely less trustworthy because it uses the OpenVPN code plus more GUI code. In addition, more people look at and review the OpenVPN code than the front-end of one VPN provider.
This is certainly true. I thought Ego was under the belief that my client was proprietary.
You are in a bit of a pickle etc
It’s the Mullvad client.
1, 2, 3, 4
I will test these last two. However, does anyone know if it’s safe to try what I mentioned in the original post? I personally think it might be solved by choosing the VPN interface for Whonix Gateway instead of the NAT that’s used by default.
I believe this would be a form of bridged networking - albeit to a virtual device. I can’t answer your question, but here are a few discussions that you can read through: Security Guide - Whonix
Host-only network with forwarding could probably work too. But I can’t imagine that would be a good idea security-wise.
I’ll treat that as a last resort, then.
In your openvpn config, are you using dev tap or dev tun?
I’m not at home right now, so I can’t answer that atm. Will do once I get back.
I also had another thought: maybe I could just connect the Whonix Gateway to a third VM, which would then be running the VPN client, acting as a sort of VPN gateway? I know this works in Qubes with the Mullvad client (tried Qubes once, but my computer isn’t powerful enough to run it properly). Is this possible in KVM?