I have successfully worked with a OpenVPN-over-Tor connection for quite a while with Qubes OS 4.0 and Whonix 15/16.
(NIC → Tor → VPN → Destination)
Unfortunately, with Qubes OS 4.1 there are issues. Other side effects can be excluded due to reproducible qubes installation.
The issue also has been discussed in the Qubes forum in multiple posts:
Fortunately, a user has found a workaround:
sudo sysctl -w net.ipv4.ip_forward=1in your whonix gateway will resolve it, until reboot. In your template, you can edit
/etc/sysctl.d/anonymizer-config-gateway.confand comment out the line
net.ipv4.ip_forward = 0, and this should fix ARP requests not getting replies.
Now here comes my actual question (besides promoting some discussion about potential error causes):
Do Whonix maintainers have any objections against this workaround from a privacy/security perspective?
If OK, we might add this to the documentation http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tunnels/Connecting_to_Tor_before_a_VPN#Separate_VPN-Gateway for other users encountering same issue.