Hello. I am trying to set up OpenVPN on Whonix-Gateway (User → VPN → Tor → Internet), but I get a permission error when I try to start the service.
What I did was:
- Install Whonix on Kicksecure
- Start the Whonix-Gateway VM (as of writing this, I have never started Whonix-Workstation)
- Boot into “PERSISTENT Mode | USER Session”
- Close the initial systemcheck that was trying to bootstrap Tor
- Follow the Whonix Documentation instructions to set up OpenVPN on Whonix-Gateway as described below
I tried to use Start Menu → Applications → Settings → User Firewall Settings based on “Graphical Whonix-Gateway” instructions, but it didn’t open (due to user-sysmaint-split I guess). So I rebooted Whonix-Gateway into “PERSISTENT Mode | SYSMAINT Session” and ran
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
(had to create /usr/local/etc/whonix_firewall.d before that) and added:
## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABLED BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1
## For OpenVPN.
#VPN_INTERFACE=tun0
## Destinations you do not want routed through the VPN.
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
# LOCAL_NET="\
# 127.0.0.0-127.0.0.24 \
# 192.168.0.0-192.168.0.24 \
# 192.168.1.0-192.168.1.24 \
# 10.152.152.0-10.152.152.24 \
# 10.0.2.2-10.0.2.24 \
# "
Reloaded the firewall:
sudo whonix_firewall
Modified /etc/sudoers.d/tunnel_unpriv:
## Copyright (C) 2012-2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty
Defaults:tunnel env_keep += script_type
Defaults:tunnel env_keep += dev
(The last two lines were not in the instructions, but I uncommented them because it said to uncomment every line with single hashes)
Saved VPN Certificate as /etc/openvpn/CA.pem.
Saved VPN Credentials as /etc/openvpn/auth.txt.
Copied and modified /etc/openvpn/openvpn.conf. This is how it looks:
client
dev tun0
proto tcp
remote <IP> <Port>
remote <IP> <Port>
remote <IP> <Port>
remote-random
resolv-retry infinite
nobind
cipher AES-256-GCM
setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass auth.txt
script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
user tunnel
iproute /usr/bin/ip_unpriv
pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "tun-ipv6"
pull-filter ignore "ifconfig-ipv6"
http-proxy <IP> <Port>
ca CA.pem
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
Compared to the configuration file I obtained from the VPN provider, these are the lines that I added/modified:
dev tun0
auth-user-pass auth.txt
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
user tunnel
iproute /usr/bin/ip_unpriv
pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "tun-ipv6"
pull-filter ignore "ifconfig-ipv6"
http-proxy <IP> <Port>
ca CA.pem
(The certificate was embedded in the configuration and I made it a separate file; I also commented out the “up” and “down” lines because the instructions said DNS configuration is not required for Whonix-Gateway. Please tell me if I shouldn’t have done this.)
And at the end I ran:
sudo chown -R tunnel:tunnel /etc/openvpn
sudo chown -R tunnel:tunnel /run/openvpn
sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service
sudo systemctl enable openvpn@openvpn
sudo systemctl start openvpn@openvpn
That’s when I got this as the output:
Job for openvpn@openvpn.service failed because the control process exited with error code.
See "systemctl status openvpn@openvpn.service" and "journalctl -xeu openvpn@openvpn.service" for details.
zsh: exit 1 sudo systemctl start openvpn@openvpn
Running sudo systemctl status openvpn@openvpn shows these relevant lines:
Loaded: loaded (/usr/lib/systemd/system/openvpn@openvpn.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/openvpn@openvpn.service.d
50_unpriv.conf
Process: 101559 ExecStartPre=/usr/bin/sudo --non-interactive /usr/sbin/openvpn --rmtun --dev tun0 (code=exited, status=203/EXEC)
Process: 101568 ExecStopPost=/usr/bin/sudo --non-interactive /usr/sbin/openvpn --rmtun --dev tun0 (code=exited, status=203/EXEC)
zsh: exit 3 sudo systemctl status openvpn@openvpn
Running sudo journalctl -xeu openvpn@openvpn.service shows:
Jun 22 00:00:00 host (sudo)[130972]: openvpn@openvpn.service: Failed at step EXEC spawning /usr/bin/sudo: Permission denied
Subject: Process /usr/bin/sudo could not be executed
Defined-By: systemd
Support: https://www.debian.org/support
The process /usr/bin/sudo could not be executed and failed.
The error number returned by this process is 13.
Jun 22 00:00:00 host systemd[1]: openvpn@openvpn.service: Control process exited, code=exited, status=203/EXEC
Subject: Unit process exited
Defined-By: systemd
Support: https://www.debian.org/support
An ExecStartPre= process belonging to unit openvpn@openvpn.service has exited.
The process' exit code is 'exited' and its exit status is 203.
Jun 22 00:00:00 host (sudo)[130975]: openvpn@openvpn.service: Failed to execute /usr/bin/sudo: Permission denied
Jun 22 00:00:00 host (sudo)[130975]: openvpn@openvpn.service: Failed at step EXEC spawning /usr/bin/sudo: Permission denied
Subject: Process /usr/bin/sudo could not be executed
Defined-By: systemd
Support: https://www.debian.org/support
The process /usr/bin/sudo could not be executed and failed.
The error number returned by this process is 13.
Jun 22 00:00:00 host systemd[1]: openvpn@openvpn.service: Control process exited, code=exited, status=203/EXEC
Subject: Unit process exited
Defined-By: systemd
Support: https://www.debian.org/support
An ExecStopPost= process belonging to unit openvpn@openvpn.service has exited.
The process' exit code is 'exited' and its exit status is 203.
Jun 22 00:00:00 host systemd[1]: openvpn@openvpn.service: Failed with result 'exit-code'.
Subject: Unit failed
Defined-By: systemd
Support: https://www.debian.org/support
The unit openvpn@openvpn.service has entered the 'failed' state with result 'exit-code'.
Jun 22 00:00:00 host systemd[1]: Failed to start openvpn@openvpn.service - OpenVPN Connection to openvpn.
Subject: A start job for unit openvpn@openvpn.service has failed
Defined-By: systemd
Support: https://www.debian.org/support
A start job for unit openvpn@openvpn.service has finished with a failure.
The job identifier is 52484 and the job result is failed.
Running the commands from the debug start section seems to show a different, new problem:
[gateway sysmaint ~]% sudo /usr/sbin/openvpn --rmtun --dev tun0
2026-06-22 00:10:00 Note: --mktun does not support DCO. Creating TUN interface.
2026-06-22 00:10:00 TUN/TAP device tun0 opened
2026-06-22 00:10:00 Persist state set to: OFF
[gateway sysmaint ~]% sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
2026-06-22 00:10:03 Note: --mktun does not support DCO. Creating TUN interface.
2026-06-22 00:10:03 TUN/TAP device tun0 opened
2026-06-22 00:10:03 Persist state set to: ON
[gateway sysmaint ~]% cd /etc/openvpn/
[gateway sysmaint /etc/openvpn]% sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/openvpn.conf:31: iproute (2.6.14)
Use --help for more information.
zsh: exit 1 sudo -u tunnel openvpn /etc/openvpn/openvpn.conf
Is there something I’ve done wrong?
Also, a few notes/questions:
- The instructions for “Terminal Whonix-Gateway” say to use /usr/local/etc/whonix_firewall.d/50_user.conf to modify firewall settings, but hovering over Start Menu → Applications → Settings → User Firewall Settings and viewing /etc/whonix_firewall.d/30_whonix_gateway_default.conf both suggest that /etc/whonix_firewall.d/50_user.conf should be edited. I did the former, but also had to create the /usr/local/etc/whonix_firewall.d directory. Is this the correct file?
- In order to connect using OpenVPN (under normal conditions, outside Whonix, etc.) I always use http-proxy in the OpenVPN configuration to connect to a proxy on my local network. Does this also work from inside Whonix-Gateway?
- If it is necessary to uncomment the “up” and “down” lines in /etc/openvpn/openvpn.conf, then I have to say that the VPN provider is instructing users to install openresolv and replace /etc/openvpn/update-resolv-conf with what they provide. Should I uncomment them? And should I listen to the VPN provider’s instructions?
I appreciate your help.
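The post shows two distinct failure modes: systemd reporting status=203/EXEC (errno 13, EACCES) when it tries to spawn /usr/bin/sudo for ExecStartPre=, and openvpn itself rejecting a directive in the config file. The following pre-flight script, an added example that is not part of the post and not Whonix or OpenVPN project code, separates the two before the unit is started: it lists pull-filter lines whose action is not accept/ignore/reject (a misspelling such as "igonre" is exactly what OpenVPN reports as an unrecognized option), lists files referenced by ca/cert/key/auth-user-pass/iproute that do not exist relative to the config directory, and mirrors systemd's EXEC step with a plain test -x on the binary so it can be run as the unit's user to see what systemd sees. The sample config it builds in a temporary directory is constructed for the demo; the paths in it (/usr/bin/ip_unpriv, auth.txt, CA.pem) are taken from the post and are assumed, not verified, to be the right ones for the unprivileged setup.

```shell
#!/bin/sh
# Pre-flight checks for an OpenVPN client config that is to run as an
# unprivileged user. Added example, not Whonix or OpenVPN code; the sample
# config written by make_sample is constructed for demonstration.

# Print "<lineno>: <action>" for every pull-filter line whose action is not
# accept, ignore or reject. Such a line makes openvpn exit with
# "Unrecognized option or missing or extra parameter(s)".
bad_pull_filters() {
    awk '$1 == "pull-filter" && $2 !~ /^(accept|ignore|reject)$/ { print NR ": " $2 }' "$1"
}

# Print the path of every file referenced by ca/cert/key/auth-user-pass/iproute
# that does not exist. Relative names resolve against the config's directory,
# which is what the post does by cd'ing to /etc/openvpn before starting.
missing_refs() {
    conf="$1"
    dir=$(dirname "$conf")
    awk '$1 ~ /^(ca|cert|key|auth-user-pass|iproute)$/ && NF >= 2 { print $2 }' "$conf" |
    while read -r p; do
        case "$p" in /*) f="$p" ;; *) f="$dir/$p" ;; esac
        [ -e "$f" ] || echo "$f"
    done
}

# Mirror systemd's EXEC step: is the given binary executable by the calling
# user? Prints "ok" or "EACCES" (errno 13, the value shown in the journal
# excerpt). Run this as the unit's User to reproduce what systemd saw when
# it tried to spawn /usr/bin/sudo for ExecStartPre=.
exec_check() {
    if [ -x "$1" ]; then echo ok; else echo EACCES; fi
}

# Build a throwaway directory holding a constructed config with one typo and
# one dangling reference, so the checks above have something to report.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed placeholder, not a real certificate\n' > "$d/CA.pem"
    cat > "$d/openvpn.conf" <<'EOF'
client
dev tun0
user tunnel
iproute /usr/bin/ip_unpriv
auth-user-pass auth.txt
pull-filter igonre "dhcp-option DNS6"
pull-filter ignore "tun-ipv6"
ca CA.pem
EOF
    echo "$d/openvpn.conf"
}

# Stand-alone demo: sh preflight.sh --demo
if [ "${1:-}" = "--demo" ]; then
    c=$(make_sample)
    echo "bad pull-filter actions:";    bad_pull_filters "$c"
    echo "missing referenced files:";   missing_refs "$c"
    echo "sudo executable by $(id -un): $(exec_check /usr/bin/sudo)"
fi
```

Running `sudo -u tunnel sh preflight.sh --demo` (assuming tunnel is the User the unit's drop-in runs sudo as) answers the EACCES question directly from that user's point of view, while the two config checks can be pointed at /etc/openvpn/openvpn.conf instead of the sample by calling the functions with that path.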