Failure to connect when VPN on host

I have to use a VPN because Tor is blocked for me, and bridges are too slow to be practical. I’ve installed the VPN on my host, and I can use the normal TorBrowser just fine, but when I boot up the whonix gateway, it fails to connect. I looked at the virtual network settings for the gateway and saw that I can change it from “virtual network ‘default’ : NAT” to “host device [VPN] : macvtap”.

I think this might work, but I don’t know what consequences it will have. Is it safe to try this?

Thank you

I wouldn’t change the settings - and this won’t work with Whonix 14+ because the GW relies on a static IP. Whether its NAT’d or not shouldn’t prevent the host from connecting to a VPN. There is something else preventing this from working.

offtopic: Most of the countries that block Tor also block VPN. Openvpn adopted Tor’s obfsproxy plugins to bypass censorship.

The host can connect to the VPN without issues. The problem is that when my VPN is active on the host, Whonix cannot connect to Tor, even though Tor Browser works fine on my host, outside of Whonix.

Does anyone have any ideas what may be causing this?

And Whonix 14+ hasn’t been released yet, has it?

Does anyone have any ideas what may be causing this?

Why not try running the VPN on the GW? You can have a better chance there.

And Whonix 14+ hasn’t been released yet, has it?

Has not but I wanted to let you know.

Why not try running the VPN on the GW? You can have a better chance there.

Because I’m using a GUI client from the VPN provider (It’s an open source client with lots of options like fail closed mechanism that make it easier to use than normal OpenVPN) that has no command line only option, and I have to run the GW with 192 MB RAM without desktop environment, because it freezes if I use the desktop environment. Same problem as the other guy who made the thread about this. Using normal OpenVPN is too difficult for me. I have no idea how to properly configure a firewall script to fail closed, even though I’ve read what I can find about it.

Has not but I wanted to let you know.

Okay, thanks.

Good day,

Please never use us grafical client provided by your provider. Only OpenVPN, as you cannot make sure how/what the provider coded.

Have a nice day,

Ego

It’s an open source client released under the GPL, written by people I’ve looked into and trust. It’s no less trustworthy than OpenVPN.

And in any case, as I said, OpenVPN is too difficult to use. I’ve tried. I’m not a computer professional.

Just to be precise, the authors may be just as trustworthy but even good people make mistakes. The code is definitely less trustworthy because it uses the OpenVPN code plus more GUI code. In addition, more people look at and review the OpenVPN code than the front-end of one vpn provider.

You are in a bit of a pickle because you have limited support options. You’re one of a handful of people who use Tor with KVM with a specific OpenVPN client. If it’s not a general VPN issue then KVM, Whonix, Tor, and OpenVPN support can’t really help you - especially without knowing what client you’re even referring to. I would try asking for help from the authors - if it’s open-source, you can probably post to the Github Issues page.

Before asking, you can make sure it’s not a KVM or Whonix issue by eliminating some possibilities:

With VPN running in host:

1. Does host internet work? check.
2. Does TBB in host work? check.
3. Does internet in a plain Debian-8 VM work?
4. Does TBB in a plain Debian-8 VM work?

Thank you for responding.

The code is definitely less trustworthy because it uses the OpenVPN code plus more GUI code. In addition, more people look at and review the OpenVPN code than the front-end of one vpn provider.

This is certainly true. I thought Ego was under the belief that my client was proprietary.

You are in a bit of a pickle etc

It’s the Mullvad client.

1, 2, 3, 4

I will test these last two. However, does anyone know if it’s safe to try what I mentioned in the original post? I personally think it might be solved by choosing the VPN interface for Whonix Gateway instead of the NAT that’s used by default.

I believe this would be a form of bridged networking - albeit to a virtual device. I can’t answer your question but here are a few discussions that you can read through: https://www.whonix.org/wiki/Security_Guide#Warning:_Bridged_Networking

Host-only network with forwarding could probably work too. But I can’t imagine that would be a good idea security-wise.

In your openvpn config, are you using dev tap or dev tun?

They seem to have a reputation for transparency. Plus I’ve seen them donate to various open-source projects - which is a far better form of marketing than the BS that most providers spew.

I believe this would be a form of bridged networking - albeit to a
virtual device. I can’t answer your question but here are a few
discussions that you can read through: https://www.whonix.org/wiki/Security_Guide#Warning:_Bridged_Networking

Thanks.

Host-only network with forwarding could probably work too. But I can’t imagine that would be a good idea security-wise.

I’ll treat that as a last resort, then.

In your openvpn config, are you using dev tap or dev tun?

I’m not at home right now, so I can’t answer that atm. Will do once I get back.

I also had another thought: Maybe I could just connect the Whonix Gateway to a third VM, which would then be running the VPN client, acting as a sort of VPN gateway? I know this works in Qubes with the Mullvad client (Tried Qubes once, but my computer isn’t powerful enough to run it properly). Is this possible in KVM?

At time of writing, the mullvad vpn client apparently is not Open Source.

Possible in theory but unsupported.