Recent whonix-gateway-17 Update Breaks VPN (and other) Passthrough Functionality

Beginning (for me) on 24 June 2025, whonix-gateway-17 does not allow a TCP-based VPN qube to connect through it. This function was working for two years+.

I determined it is whonix-gateway-17 by testing these things:

  • tried a different VPN
  • tried a different VPN qube
  • tried a different internet connection
  • tried a new sys-whonix
  • finally changed sys-whonix template to an older back-up whonix gateway template. This works! (but of course is out of date so not secure)

Also, the problem occurred immediately after updating whonix-gateway-17 using Qubes update manager on 24 June 2025.

Some other passthrough functions I do not want to describe also fail.

Tor Browser on disposable app qube continues to function like normal.

Please, what information can I post to make this issue clear? Command line is OK. What do you want to see?

Where is the changelog for whonix-gateway-17? Maybe I can read it and see what may have caused the problem.

1 Like

Could be very difficult to fix.

See the following. Different ticket but could be same root cause. It mentions an ARP related change causing an issue. The same solution mentioned in this ticket might be the cause here.

No information needed. No further action planned. Reason:

See announcements in news forum. Each announcement contains the changelog.

1 Like

Yes I looked there first. You mean this link right? News - Whonix Forum

I do not see a changelog for a whonix-gateway update from this week. The most recent one is from May 24, but I have updated whonix-gateway-17 a few times since then. Meaning there have been smaller changes that are not reflected in that feed.

Does whonix not keep a real changelog? Seems unlikely.

Thanks but I already read that but that seems unrelated. For one thing, a VPN works for that user. Also, marmarek’s response says “This looks to be related to arp_ignore=2 setting (/proc/sys/net/ipv4/all/arp_ignore and similar in per-interface directory).” However, the “all” directory does not exist in /proc/sys/net/ipv4 on whonix-gateway-17 as of today.

Well maybe, but since it’s literally the difference between being able to use a VPN after Whonix or not, I imagine it’s an important enough problem that the devs will actually work on it. This is basically the “Tor + VPN” from Combining Tunnels with Tor. If Whonix isn’t supporting that sort of thing anymore, the website wouldn’t talk about it like it does there (and elsewhere).

All of the devs who manage whonix networking have managed to make that decision since I posted my question? I doubt it. Are you trying to help or just to reply?

I’m happy to contribute to the cause, crypto and testing. It’s mission critical obviously that a VPN works after Tor/Whonix. Can you recommend next steps? I’m not sure if your job is to help people participate in the community or basically to close tickets. I guess we will learn!

1 Like

Okay I take everything back. You were correct on both counts, I was wrong.

(1) The update that is broken is actually the 14 May update.

(2) The link you sent leads to a workaround.

Here is the workaround:

  • Clone the whonix-gateway-17.

  • Open the Gateway

  • Edit /usr/lib/sysctl.d/990-security-misc.conf

  • Change (Line 478)
    net.ipv4.conf.*.arp_ignore=2 to …ignore=1

  • Reboot

  • Set this clone as template for sys-whonix.

Of course this is still a problem because default Whonix Gateway should support Tor + VPN (like in all the documentation, including Qubes VPN documentation). But for today, this solves the immediate problem.

I am sorry I was too quick to judge your help as not helpful. Please accept my apology.

1 Like
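
An added example, not part of the thread or of Whonix's own tooling: the workaround edits a file under /usr/lib/sysctl.d, which a package update can replace, so this script reports which sysctl.d file makes the last assignment of the key, following the ordering described in sysctl.d(5). The drop-in name 995-arp-ignore-local.conf and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints "<value> <file>" for the last
# assignment of a sysctl key across sysctl.d-style directories. Files are
# ordered by basename; for equal basenames the directory listed first wins
# (as /etc/sysctl.d masks /usr/lib/sysctl.d). The key is compared literally,
# so a glob key such as net.ipv4.conf.*.arp_ignore only matches itself.
TAB=$(printf '\t')

last_sysctl_assignment() {
    key=$1; shift
    prio=0
    for dir in "$@"; do
        prio=$((prio + 1))
        for f in "$dir"/*.conf; do
            if [ -f "$f" ]; then
                printf '%s\t%s\t%s\n' "$(basename "$f")" "$prio" "$f"
            fi
        done
    done |
    LC_ALL=C sort -t "$TAB" -k1,1 -k2,2n |
    awk -F '\t' '!seen[$1]++ { print $3 }' |
    while IFS= read -r f; do
        awk -v key="$key" -v file="$f" '
            /^[ \t]*[#;]/ { next }                 # skip comment lines
            {
                eq = index($0, "=")
                if (eq == 0) next
                k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
                gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) print v, file
            }' "$f"
    done | tail -n 1
}

# Constructed sample tree standing in for the template's real directories.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysctl.d" "$demo/usr/lib/sysctl.d"
printf 'net.ipv4.conf.*.arp_ignore=2\n' \
    > "$demo/usr/lib/sysctl.d/990-security-misc.conf"
last_sysctl_assignment 'net.ipv4.conf.*.arp_ignore' \
    "$demo/etc/sysctl.d" "$demo/usr/lib/sysctl.d"

# Hypothetical drop-in that sorts after 990-...: it becomes the last assignment.
printf 'net.ipv4.conf.*.arp_ignore=1\n' \
    > "$demo/etc/sysctl.d/995-arp-ignore-local.conf"
last_sysctl_assignment 'net.ipv4.conf.*.arp_ignore' \
    "$demo/etc/sysctl.d" "$demo/usr/lib/sysctl.d"
rm -rf "$demo"
```

On the cloned template, pass the real directories (/etc/sysctl.d and /usr/lib/sysctl.d) and confirm the running value after reboot with `sysctl net.ipv4.conf.all.arp_ignore`.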