[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

[SOLVED] tor+vpn and firewall issue

Hi

I have tor and vpn on my gateway.
I have followed theses instructions:
wiki/Tunnels/Connecting_to_a_VPN_before_Tor
section: " Inside Whonix-Gateway ™"

service openvpn@openvpn show me this error:
AUTH: received control message: AUTH_FAILED

if I try to run manually openvpn /etc/openvpn/openvpn.conf, I have this error
Write UDP: Operation denied

according to iptables, packets are rejected on last rules of iptables -vL

Here is my config files

cat /etc/whonix_firewall.d/50_user.conf
## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABELD BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1

## For OpenVPN.
VPN_INTERFACE=tun0

## Destinations you don not want routed through the VPN.
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
      LOCAL_NET="\
         127.0.0.0-127.0.0.24 \
         192.168.0.0-192.168.0.24 \
         192.168.1.0-192.168.1.24 \
         10.152.152.0-10.152.152.24 \
         10.0.2.2-10.0.2.24 \
      "



➜  ~ cat /etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote 185.145.38.234 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass /etc/openvpn/auth.txt
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
... etc ....
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
... etc ....
-----END OpenVPN Static key V1-----
</tls-auth>

cat /etc/sudoers.d/tunnel_unpriv
tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty
#Defaults:tunnel env_keep += script_type
#Defaults:tunnel env_keep += dev

Other modification I did:

 chown -R tunnel:tunnel /etc/openvpn
 chown -R tunnel:tunnel /var/run/openvpn
 cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

I also have a /etc/openvpn/auth.txt file with 2 lines. First line is my vpn login and 2nd line is the password

Thank you very much

I tried to run openvpn manually in background like that:
openvpn /etc/openvpn/openvpn.conf &

And now I have both, tor and vpn.

I can see it with tcpdump on eth1: I can see my http flow of site I m browsing.
tcpdump on eth0 show me openvpn flow
tcpdump on tun0 show tor flow

So it does work but I had to disable all FW rules … and I have to manually start openvpn

Hi Ifen

Welcome to the community.

Never flush the firewall rules in Whonix-Gateway. Thats’ asking for trouble and not necessary when troubleshooting a VPN.

Please submit a detailed support request as per: https://whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#How_to_Submit_a_Support_Request

Also, please provide your openvpn.conf with sensitive information redacted.

1 Like

thank you for your answer
I have updated my 1st post.
Hopefully the post will be more clear, and I provided my config files (including openvpn.conf fille)
thank you

Hi Ifen

I don’t see the following to your openvpn.conf file which is required.

user tunnel
iproute /usr/bin/ip_unpriv

Do Not use “dev tun” in your openvpn.conf file. Use "dev tun0". This could cause a miss-match. See below VPN_INTERFACE=tun0.


Also you likely don’t need the following

For OpenVPN.
VPN_INTERFACE=tun0

LOCAL_NET="
[…]


You might want forcing Tor to wait for OpenVPN to connect.

sudo mkdir /etc/systemd/system/tor.service.d

sudo nano /etc/systemd/system/tor.service.d/50_user.conf

Add

[Unit] After=openvpn.service

Does that help?

2 Likes

Thank you very much.
I did what you said and … it’s working !
I checked with tcpdump and I have what I was expecting.
I spent so much time on something you solved in no time !
Thank you again

Glad I could help. :wink:

2 Likes
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]