VPN Before Tor on Whonix Gateway

Hi, I am trying to set up on the Whonix Gateway
User → VPN → Tor → Internet
using this manual.

When I try to connect to the VPN, it writes:

Sat Mar 12 16:16:16 2016 UDPv4 link remote: [AF_INET]
Sat Mar 12 16:16:16 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 12 16:16:16 2016 TLS Error: TLS handshake failed

Ping works OK.

What is the problem?

Assuming VirtualBox platform, clean Whonix images, OpenVPN.

3 possibilities come to mind:

  1. VPN is not configured correctly.
  2. Whonix Firewall (in Gateway) is not configured correctly.
  3. VPN IP or protocol is blocked by your ISP.

To rule out #1 & #3: Have you used a VPN before (outside of Whonix)? Do you know how to configure OpenVPN .conf files? You can set it up in your host to test (without firewall, without Whonix).

To rule out #2: Copy/paste contents of your /etc/whonix_firewall.d/50_user file. Redact anything private (shouldn’t be any).

IP in your log geolocates to HK which is great (in terms of internet freedom) but it’s registered to China Telecom which is highly yucky. Probably safe to say that PRC is tapped in to every line in/out of HK but still, no better choices? (Is everything forced through a mainland provider?)


Maybe SSL verification fails because it works with hostnames, not IPs. In that case - if supported by the provider - try using OpenVPN certificates rather than SSL verification.

In that situation, I believe you can also use --verify-x509-name to pass the authorized server name. Not sure how that compares in terms of security though. (I’ve used before with a lazy/lax provider.)

  1. Yes, I use VirtualBox, clean Whonix after import.
  2. This VPN works on the host machine with OpenVPN.
  3. /etc/whonix_firewall.d/50_user:
## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABLED BY DEFAULT, because it requires a VPN provider.
## IP address of the VPN server.
## Get the IP using: nslookup vpn-example-server.org
## Example: seattle.vpn.riseup.net
## Some providers provide multiple VPN servers.
## You can enter multiple IP addresses, separated by spaces.
## For OpenVPN.
## Destinations you do not want routed through the VPN.
## VirtualBox DHCP
# (the setting lines that followed each comment did not survive in the post)
  4. VPN config:

dev tun
proto udp
remote 53
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
verb 3


This error (as it says) is usually a connectivity issue and not a problem with TLS configuration.

I would be inclined to think that you configured the server yourself and perhaps didn’t allow for proper incoming traffic. But we can rule that out since you said that the VPN works successfully from your host. (You tested it just now I hope?)

The config files look ok.

(IIUC you should uncomment at least
LOCAL_NET="\ \ \ "
This shouldn’t prevent you from connecting to VPN though.)

The only thing I can think of now is to test network connectivity from your Gateway. curl.anondist-orig will bypass Tor so it’s safe to use even if you’re trying to hide Tor usage. This command returns your real IP - don’t post.

In a Gateway Terminal:
curl.anondist-orig checkip.dyndns.org
(or if it’s safe to connect to torproject.org, you can use:
curl.anondist-orig -H 'Host: check.torproject.org' -k | grep IP)

(Since you edited 50_user, have you rebooted the Gateway or Reload Firewall?)

I don’t think using Port 53 is an issue with Gateway.
Other commands for checking network in Gateway:
sudo ifconfig
sudo route -n
OpenVPN won’t alter iptables.
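The replies above boil down to one cross-check: the address on the `remote` line of the OpenVPN config must be an IP, and the same IP must be listed in the Gateway firewall's 50_user so that the firewall lets the handshake out. The script below is an added example, not code from the thread or from the Whonix project. It assumes the 50_user setting names are VPN_FIREWALL and VPN_SERVERS (the post only quotes the comments above them), assumes the firewall permits clearnet traffic from the Gateway only to the addresses in VPN_SERVERS, and runs over constructed sample files with documentation IP ranges rather than anyone's real config. It also warns when the client config pins no server identity (no `remote-cert-tls` or `verify-x509-name` directive), the point raised in the earlier reply.

```shell
#!/bin/sh
# Added example (not Whonix project code): cross-check an OpenVPN client config
# against the VPN settings in /etc/whonix_firewall.d/50_user.
# Assumptions: the 50_user variables are named VPN_FIREWALL and VPN_SERVERS, and
# with VPN_FIREWALL=1 the Gateway firewall only allows clearnet traffic to the
# addresses listed in VPN_SERVERS.

# Constructed sample inputs (documentation IP ranges, not the poster's real files).
OVPN_CONF='dev tun
proto udp
remote 198.51.100.7 53
remote vpn.example.net 1194
remote 192.0.2.5 443
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
verb 3'

OVPN_CONF_OK='dev tun
proto udp
remote 198.51.100.7 53
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
verb 3'

FW_CONF='VPN_FIREWALL=1
VPN_SERVERS="198.51.100.7 203.0.113.9"
VPN_INTERFACE=tun0
LOCAL_NET="10.0.2.0/24"'

# is_ipv4 ADDR: succeed if ADDR is a dotted-quad literal rather than a hostname.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# fw_value NAME CONF: print the unquoted value of an uncommented NAME= line, empty if absent.
fw_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"' | tail -n 1
}

# in_list ITEM "a b c": succeed if ITEM is one of the space-separated words.
in_list() {
    for word in $2; do
        [ "$word" = "$1" ] && return 0
    done
    return 1
}

# check_vpn_config OVPN FW: print one OK/WARN/FAIL line per finding; return 1 if any FAIL.
check_vpn_config() {
    ovpn=$1
    fw=$2
    status=0

    fw_enabled=$(fw_value VPN_FIREWALL "$fw")
    servers=$(fw_value VPN_SERVERS "$fw")
    if [ "$fw_enabled" = "1" ]; then
        echo "OK VPN_FIREWALL=1, Tor will be forced through the VPN interface"
    else
        echo "FAIL VPN_FIREWALL is '${fw_enabled:-unset}', expected 1"
        status=1
    fi

    # Without one of these the client accepts any certificate the CA signed,
    # including a client certificate presented by another subscriber.
    if ! printf '%s\n' "$ovpn" | grep -Eq '^(remote-cert-tls|verify-x509-name)'; then
        echo "WARN no remote-cert-tls or verify-x509-name directive; the server identity is not pinned"
    fi

    # 'remote host [port]': the port is optional and defaults to 1194.
    remotes=$(printf '%s\n' "$ovpn" | awk '$1 == "remote" { print $2 ":" $3 }')
    for entry in $remotes; do
        host=${entry%%:*}
        port=${entry#*:}
        [ -n "$port" ] || port=1194
        if ! is_ipv4 "$host"; then
            echo "WARN remote $host port $port is a hostname; the template wants the IP from nslookup, in both files"
        elif in_list "$host" "$servers"; then
            echo "OK remote $host port $port is listed in VPN_SERVERS"
        else
            echo "FAIL remote $host port $port is not in VPN_SERVERS=\"$servers\"; the Gateway firewall will drop the handshake (assumed rule)"
            status=1
        fi
    done
    return $status
}

# Stand-alone run over the constructed sample.
check_vpn_config "$OVPN_CONF" "$FW_CONF" || echo "(at least one FAIL above)"
```

On a real Gateway, feed it the actual files with `check_vpn_config "$(cat client.ovpn)" "$(cat /etc/whonix_firewall.d/50_user)"`; a FAIL on the `remote` line is the case that produces exactly the "TLS key negotiation failed" timeout quoted in the first post, because the UDP packets never leave the Gateway. Remember that editing 50_user only takes effect after the firewall is reloaded or the Gateway rebooted, as noted in the reply above.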