OpenVpn issue Linux ip link set failed: external program exited with error status: 2

hi,

Since I updated to Whonix 13, the VPN is not working. So I took a new virtual image for the gateway (VirtualBox) and I followed the tutorial “https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor”.

And I receive an error message in debug mode (as described in the documentation):

```
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
```

```
user@host:/etc/openvpn$ sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
Sat Jun 4 14:21:28 2016 OpenVPN 2.3.4 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Sat Jun 4 14:21:28 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Enter Auth Username: ****
Enter Auth Password: ********
Sat Jun 4 14:21:32 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sat Jun 4 14:21:32 2016 Attempting to establish TCP connection with [AF_INET]185.7.33.21:80 [nonblock]
Sat Jun 4 14:21:33 2016 TCP connection established with [AF_INET]185.7.33.21:80
Sat Jun 4 14:21:33 2016 TCPv4_CLIENT link local: [undef]
Sat Jun 4 14:21:33 2016 TCPv4_CLIENT link remote: [AF_INET]185.7.33.21:80
Sat Jun 4 14:21:33 2016 TLS: Initial packet from [AF_INET]185.7.33.21:80, sid=8510eb3c 52b05311
Sat Jun 4 14:21:33 2016 VERIFY OK: depth=2, C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Sat Jun 4 14:21:33 2016 VERIFY OK: depth=1, O=AlphaSSL, CN=AlphaSSL CA - G2
Sat Jun 4 14:21:33 2016 Validating certificate key usage
Sat Jun 4 14:21:33 2016 ++ Certificate has key usage 00a0, expects 00a0
Sat Jun 4 14:21:33 2016 VERIFY KU OK
Sat Jun 4 14:21:33 2016 Validating certificate extended key usage
Sat Jun 4 14:21:33 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jun 4 14:21:33 2016 VERIFY EKU OK
Sat Jun 4 14:21:33 2016 VERIFY OK: depth=0, OU=Domain Control Validated, CN=*.earthvpn.com
Sat Jun 4 14:21:33 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jun 4 14:21:33 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 4 14:21:33 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jun 4 14:21:33 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 4 14:21:33 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jun 4 14:21:33 2016 [*.earthvpn.com] Peer Connection Initiated with [AF_INET]185.7.33.21:80
Sat Jun 4 14:21:35 2016 SENT CONTROL [*.earthvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Jun 4 14:21:37 2016 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.179.29 192.168.179.30,dhcp-option DOMAIN earthvpn.com,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 192.168.179.30,redirect-gateway def1'
Sat Jun 4 14:21:37 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jun 4 14:21:37 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jun 4 14:21:37 2016 OPTIONS IMPORT: route options modified
Sat Jun 4 14:21:37 2016 OPTIONS IMPORT: route-related options modified
Sat Jun 4 14:21:37 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jun 4 14:21:37 2016 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:b7:49:35
Sat Jun 4 14:21:37 2016 TUN/TAP device tun0 opened
Sat Jun 4 14:21:37 2016 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Sat Jun 4 14:21:37 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jun 4 14:21:37 2016 /sbin/ip link set dev tun0 up mtu 1500
RTNETLINK answers: Operation not permitted
Sat Jun 4 14:21:37 2016 Linux ip link set failed: external program exited with error status: 2
Sat Jun 4 14:21:37 2016 Exiting due to fatal error
```


In the troubleshooting section, the documentation says “Use ip_unpriv as documented above”. But I don’t understand it; it’s not clear to me what I should do with this instruction:

ip_unpriv vs ip-unpriv
Note:
Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
Standalone VPN-FIREWALL uses ip-unpriv (hyphen)

Do you have more instructions or details?
Thank you for your help.

Details: openvpn.conf

```
client
dev tun0
proto tcp
remote 185.7.33.21 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/earthvpn.crt
auth-user-pass
auth-nocache
remote-cert-tls server
reneg-sec 0
verb 3
auth SHA1
cipher AES-256-CBC
```


50_user.conf

```
###########################
## VPN-Firewall Settings ##
###########################

## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABLED BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1

## For OpenVPN.
#VPN_INTERFACE=tun0

## Destinations you do not want routed through the VPN.
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
# LOCAL_NET="\
#   127.0.0.0-127.0.0.24 \
#   192.168.0.0-192.168.0.24 \
#   192.168.1.0-192.168.1.24 \
#   10.152.152.0-10.152.152.24 \
#   10.0.2.2-10.0.2.24 \
# "
```


/etc/sudoers.d/tunnel_unpriv

```
## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer adrelanos@riseup.net
## See the file COPYING for copying conditions.

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty
```

Search the wiki page for ip_unpriv to see what is missing in your openvpn.conf.

I found my issue: I needed to add “iproute /usr/bin/ip_unpriv” (unprivileged mode) to /etc/openvpn/openvpn.conf, without forgetting to modify “dev tun” to “dev tun0”.

In fact, I thought that I could just copy the config from my VPN provider to /etc/openvpn/openvpn.conf. It was my mistake.

Perhaps you should add a remark about that in the documentation; that would make it easier.
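As an added example (not code from this thread or from the Whonix project), a small POSIX sh pre-flight check for the two changes described above before a provider config is run as the unprivileged tunnel user; the check function and the temporary file names are my own assumptions, while the directive names and paths come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Whonix wiki: check that a provider-supplied
# openvpn.conf carries the two Whonix-specific changes before running it with
# "sudo -u tunnel openvpn ...". The helper is an assumption, not a Whonix tool.

check_whonix_vpn_conf() {
    conf="$1"
    rc=0
    # Without "iproute /usr/bin/ip_unpriv", OpenVPN runs /sbin/ip itself; as the
    # unprivileged "tunnel" user that ends in "RTNETLINK answers: Operation not permitted".
    if ! grep -Eq '^[[:space:]]*iproute[[:space:]]+/usr/bin/ip_unpriv[[:space:]]*$' "$conf"; then
        echo "$conf: missing 'iproute /usr/bin/ip_unpriv'" >&2
        rc=1
    fi
    # The VPN firewall filters on a fixed interface name (tun0 by default in
    # 50_user.conf); a bare "dev tun" lets the kernel choose the name.
    if ! grep -Eq '^[[:space:]]*dev[[:space:]]+tun0[[:space:]]*$' "$conf"; then
        echo "$conf: missing 'dev tun0'" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample inputs: a provider config as typically shipped (fails the check)
# and the same file with the two changes applied (passes).
tmp=$(mktemp -d)
cat > "$tmp/provider.conf" <<'EOF'
client
dev tun
proto tcp
remote 185.7.33.21 80
ca /etc/openvpn/earthvpn.crt
auth-user-pass
EOF
{ cat "$tmp/provider.conf"; echo 'iproute /usr/bin/ip_unpriv'; } \
    | sed 's/^dev tun$/dev tun0/' > "$tmp/fixed.conf"

for f in "$tmp/provider.conf" "$tmp/fixed.conf"; do
    if check_whonix_vpn_conf "$f"; then
        echo "$f: OK for user tunnel"
    else
        echo "$f: NOT ready for user tunnel"
    fi
done
```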

Ok.
Outline:

  1. Configure Firewall
  2. Configure User: tunnel
  3. Configure OpenVPN & DNS
    (Same as usual plus these changes. Sample config at the end.)
  4. Running OpenVPN
    (1. systemd, 2. command-line)
  5. Troubleshooting
  6. Sample Config
  7. Sample Scripts

Also, the entire tunnel section needs to provide the option of using ProxyVMs for Qubes users.

Zoltix:

Perhaps you should add a remark about that in the documentation; that would make it easier.

Where? Can you just edit it?

Isn’t the current approach where the whole walkthrough is an example already not good?

I don’t understand. Turning anon-whonix AppVM into a ProxyVM? I guess that is a bigger discussion. And non-trivial.

I think @Zoltix’s point is that users who are already familiar with openvpn will skip the vpn configuration section not realizing that there are tunnel-specific requirements in the .conf file. Might make more sense to provide Whonix-specific VPN configuration and leave the riseup.net example in a collapsed section. VPN configs are so provider-specific that users really should be directed to their provider for config assistance. As the intro says, “get it working in debian then put it in whonix and make these changes…”

No, not that involved. Just letting Whonix users know that tunneling scenarios can be replicated in Qubes by using non-Whonix ProxyVMs and then pointing them to appropriate docs on the Qubes side. Advantage of using a separate ProxyVM: easily tunnel multiple Whonix VMs through one proxy. Advantage of not using a ProxyVM: less chance of de-anonymization through user error, especially for proxies intended for dedicated use with one VM.

Yes, that would be useful.

I see. I think the walkthrough currently using a specific example, riseup, is fine. In my experience, most users have a more difficult time with abstract walkthroughs followed by examples, to the point where the abstract part gets negligible.

As for skipping the VPN configuration chapter, perhaps there just should be an explanation or own chapter with a distinctive name that the VPN configuration chapter should not be totally skipped as it contains required changes.

I’ve improved Template:VPN-Firewall/Troubleshooting - Whonix for more clarity.


I deleted that config, because you posted your private key. A bad mistake. Nevertheless you should now consider that vpn account compromised, since this is a public forum.