[Solved]Can't seem to get VPN functioning on Whonix Gateway

I have been wrestling with this for the past few days.
So, my host OS uses a VPN.
On that host I have a fully configured and functional KVM VM Whonix Gateway that I would like to install a VPN on. (It is better to install the VPN on the gateway rather than the Workstation correct? )
I have followed the documentation strictly, mainly using this as a guide/troubleshooter. I was able to set up this VPN on a different system(non Whonix) without issue. My .crt is updated, login info correct, firewall configured, and my config files seem spot on with what my VPN provider recommends, but alas there is something I am missing because whenever I try to start my VPN with:
“sudo service openvpn@vpnname start”

I get
"write UDPv4: Operation not permitted (code=1)"
“TLS Error: TLS key negotiation failed to occur within…ty”
“TLS Error: TLS handshake failed”

Any help at all would be appreciated.
Thanks in advance.

Completely different traffic flow. For:

user -> vpn -> tor -> internet: install on host or gateway
user -> vpn1 -> vpn2 -> tor -> internet: install on host and gateway
user -> tor -> vpn -> internet: install on workstation

should be sudo service openvpn@openvpn start


Ok that fix was able to get rid of the UDP code 1 error, but not the:
“TLS Error: TLS key negotiation failed to occur within…ty”
“TLS Error: TLS handshake failed”


dev tun
proto udp
resolv-retry infinite
ns-cert-type server

user tunnel
iproute /usr/bin/ip-unpriv

verb 3
tun-mtu 1500
fragment 0
mssfix 1400
cipher AES-256-CBC
remote xxx.xxx.xxx.xxx port
reneg-sec 0
auth-user-pass /etc/openvpn/vpnname.login
ca /etc/openvpn/ca.crt

Do I have to use tun instead of tap?

If you are using VPN_FIREWALL,
then its dev tun0
not dev tun


Changed it to dev tun0 in the .conf because I have the VPN_FIREWALL enabled in 50_user.conf as well as VPN_INTERFACE set to tun0. Also ip-unpriv is now ip_unpriv because I am not using the Standalone VPN_FIREWALL. I am using the firewall preinstalled with Whonix. I am still getting the same error.

EDIT* HOLD THE PHONE - It works, OMG it works! I just needed to do these above things and edit the remote IP in the conf. Thank you so much for your help entr0py.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]