Tor Browser not working - User --> Tor --> VPN --> Internet

Hi,

I’ve run into issues in setting up Tor before VPN and have run out of ideas. Hope someone here can help.

When I start Tor Browser and go to any site, I get no response at all. Pings to check torproject work from the terminal, so DNS resolution is fine and network traffic also looks fine - so something in the Tor Browser configuration is not right.

This is what I started with.

  • Installed Gateway and Workstation (Whonix-XFCE-15.0.1.5.1). I am not using Qubes. I am using VirtualBox on a Windows 10 host.

  • Updated packages using sudo apt-get command specified by whonixcheck

  • Verified that I am connected to Tor using check torproject

  • Verified that I can connect to my VPN using their provided .ovpn configuration and running “sudo openvpn openvpn.conf”. Changes I made to their provided configuration at this point in time:

    • Added username/password to auth.txt
    • Changed dev tun to dev tun0
    • Changed remote domain name to IP address

    Interestingly, even with OpenVPN running, when I go to check torproject, it still said I was connected to TOR with the message, “Congratulations. This browser is configured to use Tor.” So, not sure if OpenVPN is even being used at this stage. The console logs when starting openvpn are as follows:

Wed Oct 7 00:43:05 2020 OPTIONS IMPORT: route options modified
Wed Oct 7 00:43:05 2020 OPTIONS IMPORT: route-related options modified
Wed Oct 7 00:43:05 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Oct 7 00:43:05 2020 OPTIONS IMPORT: peer-id set
Wed Oct 7 00:43:05 2020 OPTIONS IMPORT: adjusting link_mtu to 1658
Wed Oct 7 00:43:05 2020 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 7 00:43:05 2020 Data Channel: using negotiated cipher ‘AES-256-GCM’
Wed Oct 7 00:43:05 2020 Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Wed Oct 7 00:43:05 2020 Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Wed Oct 7 00:43:05 2020 ROUTE_GATEWAY 10.152.152.10/255.255.192.0 IFACE=eth0 HWADDR=08:00:27:60:30:a3
Wed Oct 7 00:43:05 2020 TUN/TAP device tun0 opened
Wed Oct 7 00:43:05 2020 TUN/TAP TX queue length set to 100
Wed Oct 7 00:43:05 2020 /sbin/ip link set dev tun0 up mtu 1500
Wed Oct 7 00:43:05 2020 /sbin/ip addr add dev tun0 10.7.7.2/24 broadcast 10.7.7.255
Wed Oct 7 00:43:05 2020 /sbin/ip route add XX.XX.XX.XX/32 via 10.152.152.10
Wed Oct 7 00:43:05 2020 /sbin/ip route add 0.0.0.0/1 via 10.7.7.1
Wed Oct 7 00:43:05 2020 /sbin/ip route add 128.0.0.0/1 via 10.7.7.1
Wed Oct 7 00:43:05 2020 Initialization Sequence Completed

I am following the instructions at /wiki/Tunnels/Connecting_to_Tor_before_a_VPN and this is what I’ve done so far.
All changes were made on Workstation only. No changes on Gateway.

  • Disable uwtWrappers
  • Tor Browser Remove Proxy Settings
  • Reboot Workstation
  • Verified OpenVPN is still able to connect. However, check torproject is no longer able to connect. I’m thinking maybe DNS is no longer working since VPN can connect through IP
  • Deactivate Misc Proxy Settings (4 occurrences in whonix file and 13 occurrences in debian file)
  • Removed proxy settings for Tor Browser Downloader
  • OpenVPN still connects although Tor Browser no longer connects to anything

Next, I followed instructions for Inside Whonix-Workstation

  • Modified User Firewall Settings
  • Reloaded Firewall
  • Updated sudoers configuration (made sure it was _ underscore)
  • OpenVPN no longer connects (Connection Times out) - which points to the firewall as breaking something

Wed Oct 7 01:09:21 2020 NOTE: --fast-io is disabled since we are not using UDP
Wed Oct 7 01:09:21 2020 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Wed Oct 7 01:09:21 2020 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Wed Oct 7 01:09:21 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XX:1443
Wed Oct 7 01:09:21 2020 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 7 01:09:21 2020 Attempting to establish TCP connection with [AF_INET]XX.XX.XX.XX:1443 [nonblock]
Wed Oct 7 01:09:53 2020 TCP: connect to [AF_INET]XX.XX.XX.XX:1443 failed: Connection timed out
Wed Oct 7 01:09:53 2020 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Wed Oct 7 01:09:53 2020 Restart pause, 5 second(s)
Wed Oct 7 01:09:58 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Oct 7 01:09:58 2020 NOTE: --fast-io is disabled since we are not using UDP
Wed Oct 7 01:09:58 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XX:1443
Wed Oct 7 01:09:58 2020 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 7 01:09:58 2020 Attempting to establish TCP connection with [AF_INET]XX.XX.XX.XX:1443 [nonblock]

  • Anyway, continued on and updated openvpn.conf with following additions
	script-security 2
	up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
	down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

	user tunnel
	iproute /usr/bin/ip_unpriv
  • Skipped installation of resolvconf as, at this point, I have no internet connection - so installation of packages is failing. In one of my attempts, I did install this upfront, but it did not change the behaviour.
  • Addition to 50_openvpn_unpriv not required as the two lines already existed in that file
  • Adjusted the permissions
  • Nothing to do in original.resolvconf. File was empty.
  • Set Configuration Folder Permissions
  • Create OpenVPN systemd service file
  • Enabled the systemd service file

Here, I then went into the troubleshooting debug start steps. Did a clean restart as I was getting Device or resource busy error message otherwise. Then on reboot, ran the status command and that is looking good (I think)

user@host:~$ sudo systemctl status openvpn@openvpn
openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/lib/systemd/system/openvpn@openvpn.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/openvpn@openvpn.service.d
└─50_unpriv.conf
Active: active (running) since Wed 2020-10-07 01:17:28 UTC; 5min ago

Process: 677 ExecStartPre=/usr/bin/sudo --non-interactive /usr/sbin/openvpn --rmtun --dev tun0 (code=exited, status=0/SUCCESS)
Process: 716 ExecStartPre=/usr/bin/sudo --non-interactive /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group
Main PID: 732 (openvpn)
Status: “Initialization Sequence Completed”
Tasks: 1 (limit: 2355)
Memory: 4.4M
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─732 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --config /etc/openv

Oct 07 01:17:34 host ovpn-openvpn[732]: /usr/bin/ip_unpriv route add 0.0.0.0/1 via 10.7.7.1
Oct 07 01:17:34 host sudo[1943]: tunnel : TTY=unknown ; PWD=/etc/openvpn ; USER=root ; COMMAND=/bin/ip route add 0.0.0.0/1 via 10.7.
Oct 07 01:17:34 host sudo[1943]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 07 01:17:34 host sudo[1943]: pam_unix(sudo:session): session closed for user root
Oct 07 01:17:34 host ovpn-openvpn[732]: /usr/bin/ip_unpriv route add 128.0.0.0/1 via 10.7.7.1
Oct 07 01:17:34 host sudo[1945]: tunnel : TTY=unknown ; PWD=/etc/openvpn ; USER=root ; COMMAND=/bin/ip route add 128.0.0.0/1 via 10.
Oct 07 01:17:34 host sudo[1945]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 07 01:17:34 host sudo[1945]: pam_unix(sudo:session): session closed for user root
Oct 07 01:17:34 host ovpn-openvpn[732]: UID set to tunnel
Oct 07 01:17:34 host ovpn-openvpn[732]: Initialization Sequence Completed

  • Restarted resolvconf (although probably not required since the whole Workstation was restarted)
  • Verified resolv.conf entries do not include local entries. It had two entries I did not recognise. Assuming they are the VPN provider’s DNS entries
  • Fix whonixcheck
  • Ping test worked
  • nslookup check torproject worked
  • DNS and IP address command returned no response

Leak Tests
Regular Application Test - PASSED
UWT Wrapped Application Test - PASSED

So, everything looks good - but Tor Browser is not working. Can’t access any site, clearnet or darknet.

Thank you in advance

Cheers,
MrHyde

In Tor Browser 10+ you will have to adjust a pref related to DNS to get it to connect in a transparent proxy environment. This is mentioned on the forum and on our wiki also I think.

TBB will connect to Tor normally, but the problem happens if you try to repurpose it to work with OpenVPN.

Related documentation:
Prevent Bypassing of the Tunnel-Link

Related wiki template:
https://www.whonix.org/wiki/Template:Tor_Browser_Remove_Proxy_Settings

Updated just now:
Template:Tor Browser Remove Proxy Settings: Difference between revisions - Whonix

Tor Browser Settings Changes

Required since Tor Browser 10. Untested. Please report if this works.

Tor Browser → URL bar → search for network.dns.disabled → set to false

See also:

Brilliant that worked.

Also, can the documentation be slightly updated to be clearer? I tried editing it myself, but am having trouble logging into the wiki.

Tor Browser → URL bar → about:config → search for network.dns.disabled → set to false

Added.
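
Added example, not part of the thread or of Whonix's own tooling: a shell check for the symptom resolved above, where ping and nslookup work from the terminal but Tor Browser loads nothing. It reads the effective `network.dns.disabled` value from a Tor Browser profile directory (user.js is applied over prefs.js at startup). The function names are hypothetical and the profile directory is passed as an argument because its location depends on the install.

```shell
#!/bin/sh
# Added example (not Whonix code): report whether a Tor Browser profile will
# resolve DNS itself, which the thread found is required once the SOCKS proxy
# settings are removed and traffic goes through OpenVPN instead.

# pref_value FILE NAME -> prints the last value assigned to NAME in FILE
pref_value() {
    [ -f "$1" ] || return 0
    re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # match dots literally
    sed -n 's/^[[:space:]]*user_pref("'"$re"'",[[:space:]]*\(.*\));.*$/\1/p' "$1" | tail -n 1
}

# effective_pref PROFILE_DIR NAME -> user.js value if set, else prefs.js value,
# else "unset" (the browser's built-in default then applies)
effective_pref() {
    v=$(pref_value "$1/user.js" "$2")
    [ -n "$v" ] || v=$(pref_value "$1/prefs.js" "$2")
    printf '%s\n' "${v:-unset}"
}

# check_transparent_dns PROFILE_DIR -> returns 0 only when the pref is false
check_transparent_dns() {
    v=$(effective_pref "$1" network.dns.disabled)
    case "$v" in
        false)
            echo "OK: network.dns.disabled=false"
            return 0 ;;
        *)
            echo "BLOCKED: network.dns.disabled=$v (browser will not resolve names itself)"
            return 1 ;;
    esac
}

# Constructed sample profile (not a real one) showing both outcomes.
demo_dir=$(mktemp -d)
printf 'user_pref("network.dns.disabled", true);\n' > "$demo_dir/prefs.js"
check_transparent_dns "$demo_dir" || true
printf 'user_pref("network.dns.disabled", false);\n' > "$demo_dir/user.js"
check_transparent_dns "$demo_dir"
rm -rf "$demo_dir"
```

Run it with the browser closed, since a running browser rewrites prefs.js; a result of "unset" means the pref has never been changed in about:config for that profile.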