User -> TOR -> VPN -> Internet no connection at all

I followed the instruction here:

and it doesn’t seem to be working at all.

After I create the /etc/whonix_firewall.d/50_user.conf file and reload the whonsix firewall, there is no connection at all.

For example,

PING ( 56(84) bytes of data.
ping: sendmsg: Operation not permitted

And apt-get also fails. I need to comment out the 2 lines in 50_user.conf and restart the workstation to get an internet connection again. Actually, I confirmed that TUNNEL_FIREWALL_ENABLE=true is enough to cause this behaviour.

I assume something is wrong, because I thought I should be able to connect directly through TOR even if the VPN is not setup correctly?

apt-get is preconfigured to use stream isolation, a Tor SocksPort - related to Connecting to Tor before a VPN

Tor does not support ICMP (ping).
Tor - Whonix

Might be an unrelated bug blocking all but TCP even in TUNNEL_FIREWALL_ENABLE=true mode.

Hi Patrick.

Shouldn’t apt-get still work through Tor if it is configured to use stream isolation, instead of being broken?

I applied the steps in your link “Prevent Bypassing the Tunnel-Link”, because it says “Apply the following steps to avoid unexpected results such as broken connectivity and/or traffic bypassing the tunnel-link and only going through Tor.”

However, apt-get now fails because it cannot resolve the DNS (e.g. of

I think something is wrong? I shouldn’t have to get the VPN up and running to have DNS?

So I guess the next step would be to confirm that I can get VPN working in a non-Whonix Debian VM, and submit a bug report?


I’m having trouble with my bittorrent client not being able to download metadata or connect to any trackers. Does the lack of ICMP and UDP break this?

allow UDP in Whonix-Workstation ™ firewall

Better Tor over VPN

Phrases such as “over Tor” are ambiguous. Please do not coin idiosyncratic words or phrases, otherwise this leads to confusion. Please use the same terms that are consistently referenced in documentation, such as:

Connect to a VPN Before Tor (User → VPN → Tor → Internet).
Connect to Tor Before a VPN (User → Tor → VPN → Internet).
And so on.

Always refer to the connection scheme when requesting support: User → VPN → Tor → Internet or User → Tor → VPN → Internet and so on.

1 Like

May be… May be…
Okay ))
Let’s take as a basis - TorPlusVPN · Wiki · Legacy / Trac · GitLab

Nice Tor through VPN services
“You -> VPN/SSH -> Tor”

@Patrick I tried following that guide and allowing UDP, and it still isn’t working, qBittorrent can’t download metadata or connect to any trackers. I also tried disabling the firewall and it still isn’t working.

I can actually send UDP and ICMP now, “ping” and “traceroute” don’t throw errors, however I am not getting any replies at all. Ping just gives no output, traceroute gives 30 lines with a number and “* * *”.

You still need to follow this wiki page:

Did you do that?

@Patrick So it seems the “VPN Method” is the only option, as the others are listed as undocumented/not working. Out of the VPNs, the options are RiseUp or USAIP. I tried to use RiseUp and was blocked because I don’t have an invite code, one would be greatly appreciated. I also tried to use USAIP and was stuck because the instructions seem to be out-of-date, it says to download “” but I can’t find this anywhere on the USAIP website. EDIT: I found the file, but all the ovpn files claim that there is an unrecognized option of line 7 called pull: “Options error: Unrecognized option or missing or extra parameter(s) in France_2.ovpn:7: pull (2.4.7)”

Is there a way that I can have UDP bypass Tor entirely, such that it would be similar to running it on my host system? And then I can just use Tor for TCP traffic? I only need the UDP traffic to briefly connect to the trackers and start the download.

Can someone document and test it?

Completely agree with this I have only seen this terminology used on one forum maybe clear to user but certainly open for interpretation