Problem for user->TOR->VPN

uishuihui · November 15, 2015, 7:44pm

Hello,

We are currently experiencing some difficulties to tunnel VPN through TOR.
After carefully read the documentation on the following links:

We have not managed to implement the scheme : user -> TOR -> VPN (OpenVPN VPN protocol), in fact after followed the instructions above, when we use “Check.torproject.org” it says “You are using Tor.”
We then made several searches on the internet and we have tried several configurations, without ever finding a solution.
Even using the configuration given here: https://www.whonix.org/wiki/TestVPN#securityKISS.com (having obviously creates an account with SecurityKISS), web traffic does not pass through the VPN tunnel.
Yet if we enter the following command line: “sudo service openvpn start”
followed by: “sudo service openvpn status”, a green message ensures that the VPN connection is OK.
Being out of ideas, we turn to you in the hope to solve this problem.

PS: WMs Whonix are current, TOR is up-to-date, OpenVPN is installed, all manipulations were carried out on the Workstation.

Best regards

Patrick · November 15, 2015, 7:44pm

Did you test the VPN with curl.anondist-real / whonixcheck? Does it work there?

Patrick · November 15, 2015, 7:44pm

Does the VPN work with a non-socksified-by-default browser such as iceweasel?

uishuihui · November 15, 2015, 7:44pm

Hello,

Thank you for your quick reply,

If i try with iceweasel, and check mi ip on whatmyipadress i have the following information:
ISP : *****
service : Tor exit nodes (if i use check.torproject obviously it’s say i use TOR)
country : anonymous proxy
…and my ip is not the VPN’s ip.

Can you detail a little more about the command anondist-real ?

Best regards

Patrick · November 15, 2015, 7:44pm

curl.anondist-orig --tlsv1 --proto =https -H 'Host: check.torproject.org' -k https://38.229.72.22 | grep IP

It’s similar to what whonixcheck does. Iceweasel as non-socksified-by-default browser accomplishes the same - using system DNS / TCP. (Tor TransPort)

So there is no reason to think yet it’s an issue with removing proxy settings from Tor Browser.

Using:

sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --ca RiseupCA.pem --proto tcp

works for me (whonixcheck detects non-Tor for TransPort).

What does your OpenVPN command line output say? Please redact and post.

uishuihui · November 15, 2015, 7:44pm

Well, I initially downloaded bitmask for debain7 then when I tried to run I have this error:

root@host:/home/user# bitmask
No protocol specified
bitmask: cannot connect to X server :0
root@host:/home/user# 2014-11-19 12:48:54,952 - CRITICAL - L#125 : leap.bitmask.backend.backend:_check_frontend_alive() - The frontend is down!

Even if i run in sudo or graphic.
So I create an account on the black.riseup site, then I downloaded the file RiseupCa.pem
Then I get into the folder where I put the RiseupCA.pem and I used your command line, here is the output :

user@host:~/riseup$ sudo openvpn --client --dev tun --auth-user-pass --remote vpn.riseup.net 1194 --ca RiseupCA.pem --proto tcp
Wed Nov 19 12:55:59 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Enter Auth Username:*
Enter Auth Password:*
Wed Nov 19 12:56:16 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Nov 19 12:56:16 2014 NOTE: OpenVPN 2.1 requires ‘–script-security 2’ or higher to call user-defined scripts or executables
Wed Nov 19 12:56:16 2014 Attempting to establish TCP connection with [AF_INET]198.252.153.26:1194 [nonblock]
Wed Nov 19 12:56:17 2014 TCP connection established with [AF_INET]198.252.153.26:1194
Wed Nov 19 12:56:17 2014 TCPv4_CLIENT link local: [undef]
Wed Nov 19 12:56:17 2014 TCPv4_CLIENT link remote: [AF_INET]198.252.153.26:1194
Wed Nov 19 12:56:19 2014 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Wed Nov 19 12:56:27 2014 [vpn.riseup.net] Peer Connection Initiated with [AF_INET]198.252.153.26:1194
Wed Nov 19 12:56:30 2014 AUTH: Received AUTH_FAILED control message
Wed Nov 19 12:56:30 2014 SIGTERM[soft,auth-failure] received, process exiting

Patrick · November 15, 2015, 7:44pm

Bitmask / gui applications: never run them as root or using sudo. Use kdesudo. Just now added to documentation:

Maybe https://black.riseup.net/ accounts do not work with riseup “legacy” OpenVPN accounts.

Patrick · February 6, 2017, 7:53pm

See:
https://forums.whonix.org/t/bitmask

Problem for user->TOR->VPN

Well, I initially downloaded bitmask for debain7 then when I tried to run I have this error:

root@host:/home/user# bitmask No protocol specified bitmask: cannot connect to X server :0 root@host:/home/user# 2014-11-19 12:48:54,952 - CRITICAL - L#125 : leap.bitmask.backend.backend:_check_frontend_alive() - The frontend is down!

Even if i run in sudo or graphic. So I create an account on the black.riseup site, then I downloaded the file RiseupCa.pem Then I get into the folder where I put the RiseupCA.pem and I used your command line, here is the output :

root@host:/home/user# bitmask
No protocol specified
bitmask: cannot connect to X server :0
root@host:/home/user# 2014-11-19 12:48:54,952 - CRITICAL - L#125 : leap.bitmask.backend.backend:_check_frontend_alive() - The frontend is down!

Even if i run in sudo or graphic.
So I create an account on the black.riseup site, then I downloaded the file RiseupCa.pem
Then I get into the folder where I put the RiseupCA.pem and I used your command line, here is the output :