Not working TOR-VPN tunnel Whonix TUNNEL_FIREWALL on VirtualBox

Hello!
I followed instructions for setup Whonix TUNNEL_FIREWALL. on my Whonix-GATEWAY runing in VirtualBox

After setup and VPN start Workstation can’t connect to internet, on Gateway ping not work, nslookup works.
what is wrong? What to check?

ping from Gatway says “From 10.0.2.15 icmp_seq=1 Packet filtered”

Nslookup works:
user@host:~$ nslookup check.torproject.org
Server: 10.0.2.3
Address: 10.0.2.3#53

check.torproject.org canonical name = chiwui.torproject.org.
Name: chiwui.torproject.org
Address: 138.201.14.212

VPN is running but have some problems -
user@host:~$ sudo service openvpn@openvpn status
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/lib/systemd/system/openvpn@openvpn.service; enabled)
Drop-In: /lib/systemd/system/openvpn@openvpn.service.d
└─50_unpriv.conf
Active: active (running) since Wed 2016-07-13 19:00:52 UTC; 1h 6min ago
Process: 1343 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
Process: 1330 ExecStartPre=/usr/bin/sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel (code=exited, status=0/SUCCESS)
Process: 1236 ExecStartPre=/usr/bin/sudo /usr/sbin/openvpn --rmtun --dev tun0 (code=exited, status=0/SUCCESS)
Main PID: 1344 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─1344 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --config /etc/openvpn/o…

Jul 13 20:07:08 host ovpn-openvpn[1344]: TCPv4_CLIENT link remote: [AF_INET]52.34.77.11:443
Jul 13 20:07:08 host ovpn-openvpn[1344]: Connection reset, restarting [0]
Jul 13 20:07:08 host ovpn-openvpn[1344]: SIGUSR1[soft,connection-reset] received, process restarting
Jul 13 20:07:13 host ovpn-openvpn[1344]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 13 20:07:13 host ovpn-openvpn[1344]: Attempting to establish TCP connection with [AF_INET]52.34.77.11:443 [nonblock]
Jul 13 20:07:14 host ovpn-openvpn[1344]: TCP connection established with [AF_INET]52.34.77.11:443
Jul 13 20:07:14 host ovpn-openvpn[1344]: TCPv4_CLIENT link local: [undef]
Jul 13 20:07:14 host ovpn-openvpn[1344]: TCPv4_CLIENT link remote: [AF_INET]52.34.77.11:443
Jul 13 20:07:14 host ovpn-openvpn[1344]: Connection reset, restarting [0]
Jul 13 20:07:14 host ovpn-openvpn[1344]: SIGUSR1[soft,connection-reset] received, process restarting

Not sure if this is what you meant. If you want to setup a VPN in your Whonix-Gateway, you should follow:
https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor

I need TOR before VPN.
But In instruction they say to change “Firewall Settings” - but Firewall is only on Gateway - so I followed instructions on Gateway instaed of Workstation.

Then “sudo nano /etc/sudoers.d/tunnel_unpriv” - also found only on Gateway so I followed instructions on Workstation instead of Gateway.
Are there additional steps to do it on Workstattion?

Wrong.

This is completely the wrong approach. Documentation does usually not say to do something on the workstation if you have to do it on the gateway. Exchanging them and then wondering it doesn’t work will get you into trouble.

Also please do not leave out information about such jumps in creative reinterpretation of the documentation.

The missing /etc/sudoers.d/tunnel_unpriv file could have the following reason… Are you sure you upgraded the workstation to Whonix 13 or are using a new Whonix 13 VM? Check if you have the most recent stable usability-misc package that ships that file.

 dpkg -l | grep usability-misc

ii  usability-misc                                              3:1.4-1                              all          Misc usability improvements

Thanks!
Will try to do it all on workstation!

But I’m sure there is no Firewall on workstation - how to install one?

There is one. Check:

dpkg -l | grep whonix-ws-firewall

More info:

man whonix_firewall

https://github.com/Whonix/whonix-ws-firewall

I follow instructions and after launching firewall on workstation it can not connect to internet and I can not
sudo apt-get install resolvconf

And ping 8.8.8.8 do not work in workstation 13 out of the box (

ping requires UDP which is not supported by Tor. More info on Tor UDP:

https://www.whonix.org/wiki/Tor#UDP

I installed fresh workstation+gateway, followed instructions -

after sudo service openvpn@openvpn status I get status -

user@host:~$ sudo service openvpn@openvpn status
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/lib/systemd/system/openvpn@openvpn.service; enabled)
Drop-In: /lib/systemd/system/openvpn@openvpn.service.d
└─50_unpriv.conf
Active: active (running) since Sun 2016-07-17 16:48:11 UTC; 51min ago
Process: 13975 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
Process: 13971 ExecStartPre=/usr/bin/sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel (code=exited, status=0/SUCCESS)
Process: 13964 ExecStartPre=/usr/bin/sudo /usr/sbin/openvpn --rmtun --dev tun0 (code=exited, status=0/SUCCESS)
Main PID: 13982 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─13982 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --config …

Jul 17 17:39:59 host ovpn-openvpn[13982]: TCPv4_CLIENT link remote: [AF_INET]52.34.77.11:443
Jul 17 17:39:59 host ovpn-openvpn[13982]: Connection reset, restarting [0]
Jul 17 17:39:59 host ovpn-openvpn[13982]: SIGUSR1[soft,connection-reset] received, process restarting
Jul 17 17:40:04 host ovpn-openvpn[13982]: NOTE: the current --script-security setting may allow this configuration to ca…cripts
Jul 17 17:40:04 host ovpn-openvpn[13982]: Attempting to establish TCP connection with [AF_INET]52.34.77.11:443 [nonblock]
Jul 17 17:40:05 host ovpn-openvpn[13982]: TCP connection established with [AF_INET]52.34.77.11:443
Jul 17 17:40:05 host ovpn-openvpn[13982]: TCPv4_CLIENT link local: [undef]
Jul 17 17:40:05 host ovpn-openvpn[13982]: TCPv4_CLIENT link remote: [AF_INET]52.34.77.11:443
Jul 17 17:40:06 host ovpn-openvpn[13982]: Connection reset, restarting [0]
Jul 17 17:40:06 host ovpn-openvpn[13982]: SIGUSR1[soft,connection-reset] received, process restarting

what should I check?
My host successfully connects to OpenVPN server with the same credentials.

Since it’s a working VPN, most likely you made a typo or missed one of the steps. The only thing anybody could do for you is walk through the instructions you linked and made sure you did each step correctly - but you can do this yourself.

If you want somebody to take a look at your openvpn config, redact any sensitive info, then post your /etc/openvpn/yourvpn.ovpn file here.

I tried connect to different public VPN access servers.
Most of them can not establish connection(TLS Error: TLS handshake failed).
Maybe I should check firewall settings?
I have this settings - WORKSTATION_FIREWALL=1 TUNNEL_FIREWALL_ENABLE=true
MAybe it is need to add some of this? - VPN_FIREWALL=1 VPN_INTERFACE=tun0

My host (MAC OS) connects to public VPNs on any TCP port. But maybe whonix gateway or workstation blocks it?

Where can I see logs of connection attempts to VPN server? Maybe this will help me…

My config is -
auth-user-pass auth.txt
remote 126.25.194.75 1712
ca RiseupCA.pem
remote-cert-tls server

client
dev tun0
persist-tun
persist-key

script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down “/etc/openvpn/update-resolv-conf script_type=down dev=tun0”

user tunnel
iproute /usr/bin/ip_unpriv
proto tcp

VPN status error after minute of handshaking -
Jul 17 21:03:00 host ovpn-openvpn[1542]: TCPv4_CLIENT link remote: [AF_INET]126.25.194.75:1712
Jul 17 21:04:00 host ovpn-openvpn[1542]: TLS Error: TLS key negotiation failed to occur within 60 seconds…vity)
Jul 17 21:04:00 host ovpn-openvpn[1542]: TLS Error: TLS handshake failed
Jul 17 21:04:00 host ovpn-openvpn[1542]: Fatal TLS error (check_tls_errors_co), restarting

And after some time is says -

Jul 17 23:02:13 host ovpn-openvpn[10720]: TCP connection established with [AF_INET]126.25.194.75:1712
Jul 17 23:02:13 host ovpn-openvpn[10720]: TCPv4_CLIENT link local: [undef]
Jul 17 23:02:13 host ovpn-openvpn[10720]: TCPv4_CLIENT link remote: [AF_INET]126.25.194.75:1712
Jul 17 23:02:16 host ovpn-openvpn[10720]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul 17 23:02:16 host ovpn-openvpn[10720]: TLS Error: TLS object -> incoming plaintext read error
Jul 17 23:02:16 host ovpn-openvpn[10720]: TLS Error: TLS handshake failed
Jul 17 23:02:16 host ovpn-openvpn[10720]: Fatal TLS error (check_tls_errors_co), restarting

I don’t think that IP address belongs to riseup. And you probably should not have posted it for your own protection. With that IP, if you are not using riseup VPN, you should not use the RiseupCA.pem. And as documentation states:

Update: Riseup “legacy” VPN may have been discontinued. It did not work anymore for the author of these instructions. The riseup replacement service bitmask has not been tested.

Did anyone successfully connect setting up a VPN using Whonix TUNNEL_FIREWALL with hostnames rather than IP addresses on gateway and/or workstation?

On the host… Did you successfully connect using an IP address or hostname? If only hostname, try with an IP instead.

There might be certain kind of VPN providers / VPN configurations that require using hostnames rather than IP addresses. This is because they might be using public SSL / TLS certificate authorities for authentication. And TLS public CA verification works with hostnames, not IP addresses. Which then would contradict Whonix’s requirement to use IP addresses rather than hostnames. I don’t know if that is the case or a solution for this.

• On the host I connect to VPN with IP address, the same as I try to connect on workstation.

• “RiseupCA.pem” is just filename - I open it by sudo nano and paste CA certificate of corresponding (not Riseup) VPN server.

Patric, or anyone willing to help, can you please give me the name of public VPN provider with which your workstation successfully connects User -> TOR -> VPN ->WWW.

I’d like to be sure that problem not in VPN provider.

Generally, I would advise STARTING with the .ovpn file that your provider gives you and then making whonix specific changes to that (not the other way around). For example, your provider may provide .ovpn files that have ca/cert/key embedded in the config file itself.

Since you said that you connected to the (same?) VPN using your host, the only way that the VPN might be the issue is if either the VPN or the VPN’s ISP blocks connections from Tor. This would be highly unusual given the nature of a VPN’s business. (Why would anyone domicile a VPN in a heavily censored region?)

If public VPNs exist, I would question their reliability and/or security. If you need to find a VPN to test, look for free trials.

You mean I should copy .ovpn file to Workstation and cut everything except section?
Or leave other settings like “remote”, “dev tun” and so on?

It don’t think any free VPN providers exist at the moment. In past the riseup VPN was used for exactly that reason. Free to sign up, free to use for ever (as long as it existed), no bullshit (no blocking of Tor, no public CA style authentication, no blocked ports, etc.).

There are some kinda like this, but still too limited. ( https://www.whonix.org/wiki/Tunnels/Examples )

Dunno. There are other people who succeeded with the documentation that we have in place right now.

I managed to configure it with Riseup.net public VPN server!!!
It works but:

• IceWeasel works fine but TBB not connecting - why? How can I make it workong?

Still can not connect to my own OpenVPN server on Amazon.
I checked - server https://52.34.77.11:943/admin/ is accessible via TOR - no filtering TOR connections from Amazon.
My host connects to my VPN with IP address (no hostname)
But when Workstation try to connect with the same credentials it says:
"TCP connection established with [AF_INET]52.34.77.11:443"
“Connection reset, restarting [0]”

What configuration on my VPN server I must change to have it working?
How can I debug what is VPN daemon says why it reset connection?

Did you configure TBB as suggested in documentation?

Patrick, thanks!
TBB is working now.

But I still can not connect to my own VPN server - can you advice me what setings on server should I set up?