Setup Tor before a VPN (User -> Tor -> VPN -> Internet) issues On Qubes 4

Qubes-Whonix
1

Hi

I can imagine that this has been asked many a times and apologies for this but I am still unable to get this to work :frowning:

What I have done

Completed 1 & 2 from this guide

Guide For Tor → VPN → Internet

For point 3 ( I have created both an Appvm and a Standalone VM ) and using the debian-9-vpn with sys-whonix as instructed in the guide and both don’t work.

I was able to get a normal VPN setup VPN-gateway-Cli Scripts up and running and works flawlessly, with many netvm using my VPN. No issues at all but when I integrate these options to the VPN-Gateway it just fails.

I get no prompt that the VPN is up or working :frowning: which I do get on the standalone VPN setup.

Any ideas would be greatly welcomed and many thanks in advance.

2

Hi franco64

Do you know if sys-whonix is connect to Tor?

But before that you first have to get VPN-Gateway working before you involve Whonix. Its not a Whonix issue if you follow the Qubes instructions and the VPN does not connect.

Check, that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.
Add a non-Whonix VM behind your VPN-Gateway. For example, add a debian based AppVM behind your VPN-Gateway. Figure out if the VPN-Gateway works at all before involving Whonix.

Are you using proto TCP or UDP?

Note: UDP-style VPN connections are incompatible with Tor which requires that the VPN to be configured to use TCP.[8] To do that, add proto tcp to the VPN configuration file /rw/config/vpn/openvpn-client.ovpn. Most, but not all VPN providers support this configuration.

1 Like
3

This is indeed a good technical way (method of elimination) to debug things however caution here. Using a user → VPN will burn the VPN. It then should no longer be used for user → Tor → VPN. Burn here means the VPN is already tied to the user’s ISP assigned IP address.

Do we cover this in documentation somewhere? “Don’t reuse a VPN that has been used for user → Tor → VPN again for user → VPN → Tor.” Or more generally for a tunnel link?

1 Like
4

Hi

Thanks for the reply and I will answer your responses as follows

  1. Do you know if sys-whonix is connect to Tor?

Yes this works. I have tried both the main anon-whnox and disposable whonix and both work fine no issues what so ever

  1. Are you using proto TCP or UDP?

I am using NordVPN openvpn template which uses TCP port 443. As mentioned before this works brilliantly as a standalone VPN service and I use this on many of my AppVm and standalone network. The issue is when I combine the 2.

I also tried the following script

I tried many different steps using this process. Using a AppVM - If I enable the whonix without the vpn works fine and if I do it visa versa works fine as a VPN. When I put the network as sys-whonix and enable VPN it just won’t work. No connection at all :frowning: I really think it’s to do with the firewall settings and it getting blocked.

5

Hi

This is the case. I use a separate nordvpn config for VPN --> Tor configuration.

6

Very good point. The wiki currently does not have an easy way of checking just the setup part of VPN configuration. Meaning the currently provided testing VPNs are not usable by all users. For example Riseup. #Tunnels/Examples

I could add the provider that I myself use for testing and maintain that chapter. Has a paid and free service. But free only good for testing since it has capped bandwidth . But no registration required.

  • Drawback - This could be seen as Whonix endorsing the provider. Even if there was a warning “Whonix does not endorse any provider” just mentioning the provider would likely push many user to purchase a package. So I’m not going to name this provider unless you thought it would be an option.

I’ll check, if not I will add anything thats’ needed.

1 Like
7

@franco64

I saw your post but don’t have time to reply ATM but I’ll reply later on. :wink:

1 Like
8

0brand:

I could add the provider that I myself use for testing and maintain
that chapter. Has a paid and free service. But free only good for
testing since it has capped bandwidth . But no registration
required.

  • Drawback - This could be seen as Whonix endorsing the provider.
    Even if there was a warning “Whonix does not endorse any provider”
    just mentioning the provider would likely push many user to purchase
    a package. So I’m not going to name this provider unless you thought
    it would be an option.

Sounds ok to me. We can’t stop users from shooting their own feet. We
have VPN Tunnel Setup Examples in the wiki
for years already. No one ever complained. However, we can do better:

  • disclose relationship or better non-relationship with the provider,
    mention we don’t take any money or other kind of benefit from them
  • mention no contractual relationship with the provider exists
  • mention we only use the provider to document an example
  • mention we can switch to be using another provider at any time
  • mention this is not an endorsement
  • mention difficulties with anonymous payments, link to Money wiki page
  • mention that we may consider using another VPN provider as example if
    they pay to be listed in that spot and if they qualify (“quality VPN
    only”, not an easy task to review but we can think of something: crypto
    currency payments possible, bitcoin payments possible, monero payments
    possible, no log policy, good reputation, no known cases of malicious
    behavior, long term track record and perhaps other objective factors),
    but if someone pays to be in that spot, it will be disclosed as well

Recently a user posted a VPN provider who had documentation covering
Whonix and who provided a Whonix specific VPN setup script so Whonix is
getting more relevant.

9

I was able to connect with the following in a separate VPN-Gateway

Both took a very long time to connect because of the additional tunnel length. This can be compounded depending on the VPN server location, Tor Entry Guards (throughput), Tor circuit used and general Tor network congestion.

Current conection issue with Whonix seperate VPN-Gateway using Qubes iptables and cli scripts. Likely has to do with Tor network congestion since my connection is slow atm. I’ll test at a different time.

When you say the VPN is not connecting do you mean you checked VPN logs? Or is this based on no “VPN connection successful” message?

Could you please provide VPN logs from the VPN-Gateway. Basic logs will be enough for now. Let it run for a little while.

sudo journalctl -f

If you are able to connect with the VPN-Gateway be sure to Prevent Bypassing of the Tunnel-Link

10

I’ll start working on this as soon the “Don’t reuse VPN” documentation is completed.

Was reading that post not to long ago. Actually, its related to the upcoming VPN test documentation. No script setup though. I’ll just be using the providers openvpn.conf

1 Like
11

Thanks for that. I’ll try what you suggested and see what happens.

Not feeling great confidence though :frowning:

12

You also mentioned

When you say the VPN is not connecting do you mean you checked VPN logs? Or is this based on no “VPN connection successful” message?

Yes, I was waiting for the “VPN connection successful” message. Should that not be the case?

13

Thinking more along the lines of VPN is initionally connecting but keeps dropping the connection. Not sure of the criteria for Successful connection message. Regardless there is no way to tell without logs.

Even though this is not Whonix issue I’ll provide a little help if you can post the logs. Please redact any sensitive info such as IP addresses etc.

1 Like
14

Many thanks for the support guys, I think I have sorted this out :slight_smile: I was unsure what was the output, and what was expected so it seems to have worked.

As a point of reference here is what I did.

I followed this guide

Guide For Tor → VPN → Internet

The only difference I did was I cloned sys-whonix also.

sys-whonix clone

Now, I did do the VPN-gateway-Cli Scripts as mentioned in the guide.

All works, no issue, and got the following prompt.

VPN-Gateway Message

My setup so far was VPN-Gateway, Debian-9-VPN & Sys-whonix-vpn

Setup VPN-Gateway VPS

Now I opened the terminal window in VPN-Gateway VPS and typed sudo journalctl -f

This was very useful in seeing the log output.

So I created a new VPS as follows

New VPS setup

Looking at the terminal output on VPN-Gateway it shows that its working and starting up :slight_smile:

Terminal output on VPN-Gateway

Opening the Whonix Control panel (sys-whonix-vpn template) - Terminal (VPN-Gateway) and the Browser it shows the following

VPN - Whonix - Terminal outputs

So stopping Tor in the sys-whonix-vpn control panel I see the following terminal output

Output from terminal on VPN-Gateway

And no Internet connection from browser

No Internet shown on browser

Restart Tor, it should show in the terminal that it’s enabled, and also trying to connect to my VPN. This is what we want.

Connecting to VPN and Tor

Success, it works again.

Browser working again :slight_smile:

My only question is now the following

regarding Connecting to Tor before a VPN

Do I do ( I assume yes, but just waned to check )

Deactivate uwt Wrappers & Tor Browser Remove Proxy Settings & Deactivate Miscellaneous Proxy Settings

Thanks I hope that this might help others if they look at this post.

15

Hi franco64

Thanks for the detailed reply and glad to see you have your VPN up and running!

Yes. Recommended to prevent bypass of the tunnel-link.

1 Like