[Qubes 4.1] Tor -> OpenVPN issues

Hello,

I have successfully worked with an OpenVPN-over-Tor connection for quite a while with Qubes OS 4.0 and Whonix 15/16.
(NIC → Tor → VPN → Destination)

Unfortunately, with Qubes OS 4.1 there are issues. Other side effects can be excluded due to a reproducible Qubes installation.

The issue also has been discussed in the Qubes forum in multiple posts:

Fortunately, a user has found a workaround:

TLDR: sudo sysctl -w net.ipv4.ip_forward=1 in your whonix gateway will resolve it, until reboot. In your template, you can edit /etc/sysctl.d/anonymizer-config-gateway.conf and comment out the line net.ipv4.ip_forward = 0, and this should fix ARP requests not getting replies.

Now here comes my actual question (besides promoting some discussion about potential error causes):

Do Whonix maintainers have any objections against this workaround from a privacy/security perspective?

If OK, we might add this to the documentation http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tunnels/Connecting_to_Tor_before_a_VPN#Separate_VPN-Gateway for other users encountering the same issue.

Thanks!

Don’t use IP forwarding inside Whonix-Gateway. It’s a milestone that IP forwarding isn’t required and immensely reduces the risk of IP leaks. Elaborated here: Security Overview, With more technical terms.

1 Like
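
A check for the setting discussed above, as an added example that is not part of the thread or of Whonix: it reads sysctl.d-style files and reports whether net.ipv4.ip_forward is still explicitly pinned to 0. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the effective
# net.ipv4.ip_forward value from sysctl.d-style files given as arguments.
# Files are read in argument order; later assignments override earlier ones.
# Only this one key is inspected.

ip_forward_setting() {
    value=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Drop comment lines (# or ;), allow an optional "-" prefix, dotted
        # or slash key form, and whitespace around "=".
        found=$(sed -n -E \
            -e '/^[[:space:]]*[#;]/d' \
            -e 's|^[[:space:]]*-?net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*([^[:space:]]+)[[:space:]]*$|\1|p' \
            "$f" | tail -n 1)
        if [ -n "$found" ]; then value=$found; fi
    done
    printf '%s\n' "$value"
}

# Succeeds only when forwarding is explicitly pinned to 0. A missing or
# commented-out line is treated as a failure, since nothing enforces 0 then.
gateway_forwarding_disabled() {
    [ "$(ip_forward_setting "$@")" = "0" ]
}

# Constructed sample files: the shipped line, and the workaround's edit.
demo() {
    d=$(mktemp -d) || return 1
    printf 'net.ipv4.ip_forward = 0\n' > "$d/shipped.conf"
    printf '#net.ipv4.ip_forward = 0\n' > "$d/workaround.conf"
    for sample in "$d/shipped.conf" "$d/workaround.conf"; do
        if gateway_forwarding_disabled "$sample"; then state="pinned to 0"
        else state="NOT pinned to 0 ($(ip_forward_setting "$sample"))"; fi
        echo "${sample##*/}: ip_forward $state"
    done
    rm -rf "$d"
}
demo
```

On a gateway, pass /etc/sysctl.d/anonymizer-config-gateway.conf (the path named in the thread) as the argument. The runtime value that sysctl -w changes is visible separately in /proc/sys/net/ipv4/ip_forward.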

Thanks, this seems to be an important setting, if I understand you correctly.

mentions a manual approach

ip neigh show
arp -s IP -i eth0 fe:ff:ff:ff:ff:ff

, which gets the job done, but needs intervention on each restart / server change.

I’ll add a post, if I should find out a better solution.

1 Like

Great finding!

You could report this issue on qubes-issues because nothing related in the Whonix configuration changed, and no such issue has been reported with Non-Qubes-Whonix. Therefore some change between Qubes 4.0 and Qubes R4.1 might have caused this.

Might be a good idea to quote me on this so this doesn’t get assigned as a Qubes-Whonix specific bug.

1 Like

Issue reported in Qubes 4.1 - VPN over Tor netvms: ARP request does not get resolved properly · Issue #7123 · QubesOS/qubes-issues · GitHub

1 Like

Great research and bug report, thank you!

1 Like

Hi, apparently “vpn over tor” works in qubes - just put a firewall-qube between the vpn-proxy and the whonix-gateway.
There was a post in the qubes-forum (Tor > VPN connection issues - only in 4.1 - multiple test configurations & vpn providers - #13 by qubesfan35267 - General - Qubes OS Forum).

1 Like