I need TOR before VPN.
But in the instructions they say to change “Firewall Settings” - but the firewall is only on the Gateway - so I followed the instructions on the Gateway instead of the Workstation.
Then “sudo nano /etc/sudoers.d/tunnel_unpriv” - also found only on the Gateway, so I followed the instructions on the Workstation instead of the Gateway.
Are there additional steps to do it on the Workstation?
This is completely the wrong approach. Documentation usually does not say to do something on the workstation if you have to do it on the gateway. Exchanging them and then wondering why it doesn’t work will get you into trouble.
Also please do not leave out information about such jumps in creative reinterpretation of the documentation.
The missing /etc/sudoers.d/tunnel_unpriv file could have the following reason… Are you sure you upgraded the workstation to Whonix 13 or are using a new Whonix 13 VM? Check if you have the most recent stable usability-misc package that ships that file.
dpkg -l | grep usability-misc
ii usability-misc 3:1.4-1 all Misc usability improvements
Since it’s a working VPN, most likely you made a typo or missed one of the steps. The only thing anybody could do for you is walk through the instructions you linked and make sure you did each step correctly - but you can do this yourself.
If you want somebody to take a look at your openvpn config, redact any sensitive info, then post your /etc/openvpn/yourvpn.ovpn file here.
I tried to connect to different public VPN access servers.
Most of them cannot establish a connection (TLS Error: TLS handshake failed).
Maybe I should check the firewall settings?
I have these settings - WORKSTATION_FIREWALL=1 TUNNEL_FIREWALL_ENABLE=true
Maybe some of these need to be added? - VPN_FIREWALL=1 VPN_INTERFACE=tun0
My host (Mac OS) connects to public VPNs on any TCP port. But maybe the Whonix Gateway or Workstation blocks it?
Where can I see logs of connection attempts to the VPN server? Maybe this will help me…
My config is -
auth-user-pass auth.txt
remote 126.25.194.75 1712
ca RiseupCA.pem
remote-cert-tls server
client
dev tun0
persist-tun
persist-key
script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"
user tunnel
iproute /usr/bin/ip_unpriv
proto tcp
VPN status error after a minute of handshaking -
Jul 17 21:03:00 host ovpn-openvpn[1542]: TCPv4_CLIENT link remote: [AF_INET]126.25.194.75:1712
Jul 17 21:04:00 host ovpn-openvpn[1542]: TLS Error: TLS key negotiation failed to occur within 60 seconds…vity)
Jul 17 21:04:00 host ovpn-openvpn[1542]: TLS Error: TLS handshake failed
Jul 17 21:04:00 host ovpn-openvpn[1542]: Fatal TLS error (check_tls_errors_co), restarting
I don’t think that IP address belongs to riseup. And you probably should not have posted it for your own protection. With that IP, if you are not using riseup VPN, you should not use the RiseupCA.pem. And as documentation states:
Update: Riseup “legacy” VPN may have been discontinued. It did not work anymore for the author of these instructions. The riseup replacement service bitmask has not been tested.
Did anyone successfully connect setting up a VPN using Whonix TUNNEL_FIREWALL with hostnames rather than IP addresses on gateway and/or workstation?
On the host… Did you successfully connect using an IP address or hostname? If only hostname, try with an IP instead.
There might be certain kinds of VPN providers / VPN configurations that require using hostnames rather than IP addresses. This is because they might be using public SSL / TLS certificate authorities for authentication. And TLS public CA verification works with hostnames, not IP addresses. Which would then contradict Whonix’s requirement to use IP addresses rather than hostnames. I don’t know if that is the case or a solution for this.
On the host I connect to the VPN with an IP address, the same one I try to connect to on the Workstation.
“RiseupCA.pem” is just a filename - I open it with sudo nano and paste the CA certificate of the corresponding (not Riseup) VPN server.
Patrick, or anyone willing to help, can you please give me the name of a public VPN provider with which your Workstation successfully connects User -> TOR -> VPN -> WWW.
I’d like to be sure that the problem is not in the VPN provider.
Generally, I would advise STARTING with the .ovpn file that your provider gives you and then making whonix specific changes to that (not the other way around). For example, your provider may provide .ovpn files that have ca/cert/key embedded in the config file itself.
Since you said that you connected to the (same?) VPN using your host, the only way that the VPN might be the issue is if either the VPN or the VPN’s ISP blocks connections from Tor. This would be highly unusual given the nature of a VPN’s business. (Why would anyone domicile a VPN in a heavily censored region?)
If public VPNs exist, I would question their reliability and/or security. If you need to find a VPN to test, look for free trials.
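As an added worked example (not part of this thread and not Whonix project code), the following Python script applies the advice above in the direction recommended: it starts from the provider's .ovpn, keeps inline <ca>/<cert>/<key> blocks intact, appends the Whonix-specific directives that appear in the config posted earlier in this thread (dev tun0, user tunnel, iproute /usr/bin/ip_unpriv, script-security 2, the update-resolv-conf up/down lines, persist-tun, persist-key), and flags a hostname in a "remote" line for the reason Patrick gives above (public-CA verification binds to hostnames while Whonix wants IP literals). The function name whonixify_ovpn and the sample provider config are constructed for this example; nothing is resolved or connected.

```python
"""Rewrite a provider .ovpn for Whonix-Workstation TUNNEL_FIREWALL use.

Constructed example, not Whonix project code. The directives it appends are
the ones visible in the client config posted in this thread. It does no
network access: a hostname in a 'remote' line is flagged, never resolved.
"""
import ipaddress
import re

# Whonix-side directives, copied from the config posted earlier in the thread.
WHONIX_DIRECTIVES = [
    "dev tun0",
    "persist-tun",
    "persist-key",
    "script-security 2",
    'up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"',
    'down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"',
    "user tunnel",
    "iproute /usr/bin/ip_unpriv",
]
# Keywords of those directives; a provider line using one of them is replaced
# so the result does not end up with e.g. both "dev tun" and "dev tun0".
_MANAGED = {d.split()[0] for d in WHONIX_DIRECTIVES}


def _is_ip_literal(host):
    """True for an IPv4/IPv6 literal, False for anything that needs DNS."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def whonixify_ovpn(text):
    """Return (new_config, warnings) for a provider .ovpn given as a string."""
    out, warnings = [], []
    in_block = False  # inside <ca>...</ca>, <cert>...</cert>, etc.
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            out.append(raw)  # inline PEM material is passed through untouched
            if re.fullmatch(r"</[a-z-]+>", line):
                in_block = False
            continue
        if re.fullmatch(r"<[a-z-]+>", line):
            in_block = True
            out.append(raw)
            continue
        if not line or line[0] in "#;":
            out.append(raw)
            continue
        parts = line.split()
        key = parts[0]
        if key == "remote" and len(parts) >= 2 and not _is_ip_literal(parts[1]):
            warnings.append(
                f"remote '{parts[1]}' is a hostname; Whonix wants an IP literal here, "
                "but if the provider authenticates with a public-CA certificate, TLS "
                "verification is bound to the hostname and may fail after replacing it")
        if key in _MANAGED:
            warnings.append(f"replaced provider directive: {line}")
            continue  # the Whonix version is appended below
        out.append(raw)
    out.append("")
    out.append("# Whonix-Workstation TUNNEL_FIREWALL additions")
    out.extend(WHONIX_DIRECTIVES)
    return "\n".join(out) + "\n", warnings


# Constructed sample provider config; the CA body is a placeholder, not a real cert.
SAMPLE_PROVIDER_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
remote-cert-tls server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER CA BODY (constructed sample, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    config, warns = whonixify_ovpn(SAMPLE_PROVIDER_OVPN)
    print(config)
    for w in warns:
        print("WARNING:", w)
```

Run it against your provider's file (read it into a string and call whonixify_ovpn) and review the warnings before installing the result under /etc/openvpn/: a replaced "remote" hostname still has to be turned into an IP by you, and the hostname warning is exactly the case discussed above where a public-CA setup may refuse the IP.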
I don’t think any free VPN providers exist at the moment. In the past the riseup VPN was used for exactly that reason. Free to sign up, free to use forever (as long as it existed), no bullshit (no blocking of Tor, no public CA style authentication, no blocked ports, etc.).
I managed to configure it with Riseup.net public VPN server!!!
It works but:
IceWeasel works fine but TBB is not connecting - why? How can I make it work?
Still cannot connect to my own OpenVPN server on Amazon.
I checked - the server https://52.34.77.11:943/admin/ is accessible via TOR - no filtering of TOR connections from Amazon.
My host connects to my VPN with an IP address (no hostname).
But when the Workstation tries to connect with the same credentials it says:
“TCP connection established with [AF_INET]52.34.77.11:443”
“Connection reset, restarting [0]”
What configuration on my VPN server must I change to get it working?
How can I debug what the VPN daemon says about why it reset the connection?