Whonix 14 and TorGuard VPN

I was using Whonix 13 succesfully with TorGuard VPN. But since its deprecated and 32 bit i have to switch to Whonix 14. On 13 i just install TorGuard deb package and it worked out of the box for “Tor → VPN → Internet” connection that i need.

Now on Whonix 14 doing same is giving me interesting result:

• torbrowser works as expected(may be because it routes all traffic via tor and passes vpn)
• any other browser gives “ERR_NAME_RESOLUTION”

after looking into /etc/resolv.conf i found TorGuard DNS servers there. I tried changing them to Google or Whonix default and restarting “/etc/init.d/networking” - no change

Trying to follow this article - Connecting to Tor before a VPN

gives even worse results. I was not able to restore my standart tor connection as well as setting VPN connection. This article breaks everything badly. Please help me setup this kind of connection. I will give any console paste u need. Just tell me what to do.

Hi Denssss

Those instructions you linked are for a separate VPN Gatewary which can only be used in Qubes-Whonix and are not supported in Non-Qubes-Whonix. You will have to configure in Whonix-Workstation.

• First apply steps to prevent bypass of the Tunnel-link.
• Then follow these intructions to configure VPN inside Whonix-Workstation

Hello, thx for helping out. Sorry, but i provided incorrect link that lead to misunderstanding.
I was using instructions that u suggested in your answer.

I suggest, start with a fresh new VM.
Then apply the instructions above. Slowly, step by step. I’ve done this configuration in the past, it’s easy to mess things up.
If they don’t work, please describe the specific issue you encounter.

I also need to do those settings again, this time on Whonix 14.

I find the instructions hard to follow, took me over 3 hours last time.

I am working on a compact version of this page and will share if there is an interest.

Configure VPN as instructed in Connecting to Tor before a VPN

Run these commands and provide output.

ls -la /run/resolvconf

ls -l /etc/openvpn

ls -l /var/run/openvpn

Manually start the VPN and post output of last command. Remember to redact any sensitive information.

sudo /usr/sbin/openvpn --rmtun --dev tun0
sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
cd /etc/openvpn/
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf

Note:

• Install TorGuard .deb package itself will work in Debian but support requests may not be taken on Whonix forum. Please ask your VPN service provider for help with that.
• Depending on information provided: https://whonix.org/wiki/FAQ#Non-Responsiveness_to_Concerns may apply.

I have reached step with header “VPN Setup”. It helps setup VPN Riseup provider. I am confused about this steps.

Do i need to do :

1. VPN Configuration File and below ?
2. Get VPN Certificate ?
3. VPN Credentials ?
4. install resolvconf ?
5. DNS Configuration

Yes, all steps. Quite often users have difficulties with VPN setup. If you get stuck, use the forum search engine to see if anyone has had the same problem as you in the past. Chances are you’ll find a thread that will help with the problem
.

Tor before VPN setup for Whonix 14 on VirtualBox

sudo nano /etc/uwt.d/50_user.conf

ADD:

uwtwrapper_global=“0”

–

sudo nano /etc/environment

ADD:

TOR_TRANSPROXY=1

–

sudo nano /etc/torbrowser.d/50_user.conf

ADD:

TB_NO_TOR_CON_CHECK=1
CURL_PROXY="–fail"

–

sudo nano /etc/whonix_firewall.d/50_user.conf

ADD:

WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true

–

sudo whonix_firewall

–

sudo nano /etc/sudoers.d/tunnel_unpriv

EDIT THE FILE TO BE:

tunnel ALL=(ALL) NOPASSWD: /bin/ip
tunnel ALL=(ALL) NOPASSWD: /usr/sbin/openvpn *
Defaults:tunnel !requiretty
Defaults:tunnel env_keep += script_type
Defaults:tunnel env_keep += dev

–

sudo nano /etc/openvpn/auth.txt # Only if your provider uses auth-user-pass auth.txt in openvpn.conf

ADD (your VPN account credentials):

username
password

–

sudo nano /etc/openvpn/openvpn.conf

ADD (your VPN provider will have additional settings):

client
dev tun0
persist-tun
persist-key

script-security 2
up “/etc/openvpn/update-resolv-conf script_type=up dev=tun0”
down “/etc/openvpn/update-resolv-conf script_type=down dev=tun0”

user tunnel
iproute /usr/bin/ip_unpriv

proto tcp

–

sudo apt-get update
sudo apt-get install resolvconf
sudo aptitude keep-all

–

sudo nano /usr/lib/tmpfiles.d/50_openvpn_unpriv.conf

ADD:

d /run/resolvconf 0775 root tunnel - -
d /run/resolvconf/interface 0775 root tunnel - -

–

sudo chown --recursive root:tunnel /run/resolvconf
sudo chmod --recursive 775 /run/resolvconf

–

sudo nano /etc/resolvconf/run/interface/original.resolvconf

COMMENT THE FILE’S CONTENT (OR DELETE IT)

–

sudo chown -R tunnel:tunnel /etc/openvpn
sudo chown -R tunnel:tunnel /var/run/openvpn

–

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service
sudo systemctl enable openvpn@openvpn
sudo systemctl start openvpn@openvpn
sudo systemctl status openvpn@openvpn # check status

–

sudo service resolvconf restart
sudo cat /etc/resolv.conf

MAKE SURE IT DOESNT INCLUDE ANY OF:

nameserver 10.152.152.10
nameserver 10.137.3.1
nameserver 10.137.3.254

SHOULD ONLY INCLUDE VPN PROVIDER’S DNS

–

sudo nano /etc/whonix.d/50_user.conf

ADD:

whonixcheck_skip_functions+=" check_tor_bootstrap "
whonixcheck_skip_functions+=" check_tor_socks_port_reachability "
whonixcheck_skip_functions+=" check_tor_socks_port "
whonixcheck_skip_functions+=" check_tor_trans_port "
whonixcheck_skip_functions+=" check_stream_isolation "
whonixcheck_skip_functions+=" download_whonix_news "

–

DONE!

I’d say a major difficulty here in providing a comprehensive recipe for this setup is that different VPN providers will have different format in configuration files (/etc/openvpn/openvpn.conf).

The example in the wiki refers to riseup but you will probably use another provider so first you need to make sure you understand how to setup openvpn with your provider on a non-whonix (say Debian) system, and then editing that file will be easier.

after applying all above settings my internet connection is down. i am unable to update/upgrade via apt

[08:54|10.12] root@host dir:(user)# apt-get update 0% [Connecting to SOCKS5h proxy (socks5h://localhost:9050)] [Connecting to secu
freezes for an hour

even launching torguard client and trying to connect fails…

Also,

Post your openvpn configuration file.

cat /etc/openvpn/openvpn.conf

Be sure to redact remote IP address port

Post file permissions.

ls -l /etc/openvpn

And post all error messages

I am unable to post images, dunno why. So here is links to information. I can paste plain text but it’s very hard to read with no color markup

$ sudo whonixcheck on GateWay:
(all good, green)
https://ibb.co/L5ds5nr

$ sudo whonixcheck on WS:
(error)
https://ibb.co/VSx9VhY

$ ls -la /run/resolvconf
https://ibb.co/RHq88MT

$ ls -l /etc/openvpn
https://ibb.co/42NGvLv

$ls -l /var/run/openvpn
total 0

sudo /usr/sbin/openvpn --rmtun --dev tun0

Tue Dec 11 09:57:25 2018 TUN/TAP device tun0 opened
Tue Dec 11 09:57:25 2018 Persist state set to: OFF

sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel

Tue Dec 11 09:59:08 2018 TUN/TAP device tun0 opened
Tue Dec 11 09:59:08 2018 Persist state set to: ON

cd /etc/openvpn/
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf

Options error: the --up directive should have at most 1 parameter. To pass a list of arguments as one of the parameters, try enclosing them in double quotes (“”).

openvpn.conf
client
dev tun0
persist-tun
persist-key

script-security 2
up “/etc/openvpn/update-resolv-conf script_type=up dev=tun0”
down “/etc/openvpn/update-resolv-conf script_type=down dev=tun0”
user tunnel
iproute /usr/bin/ip_unpriv

proto tcp

We don’t reference **sudo** whonixcheck anywhere in the wiki. But you’re lucky - that won’t cause an issue.

Did you apply Connecting to Tor before a VPN?

after applying what u suggested:

$ whonixcheck
https://ibb.co/pbqM9Tf

still no internet connection

The double quotes you used in

up “/etc/openvpn/update-resolv-conf script_type=up dev=tun0”
down “/etc/openvpn/update-resolv-conf script_type=down dev=tun0”

Are wrong. Looks like they got changed when I pasted the code here. Change “ to " in openvpn.conf and repeat the steps that follow editing the file.

" double quotes
“” get changed in this editor to a different character when they come in pairs (forward to Elon Musk. Dangers of AI)…
" " - no change if only a space in enclosed
“something something” - get changed when there is more content.

I’ve changed quotes to what is needed. Now my openvpn.conf looks like this:

client
dev tun0
persist-tun
persist-key

script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

user tunnel
iproute /usr/bin/ip_unpriv

proto tcp

but still, i am unable to run apt-get update, since it freezes on fetching. GateWay connection works fine. I even tried reloading/starting /init.d/openvpn, but no help

during reboot i get error loading openvpn.service:
log from systemctl
● openvpn@openvpn.service loaded failed failed OpenVPN connection to openvpn

tried retastarting openvpn and run update:
https://ibb.co/nRnxr5h

How much RAM does the VM have?

Whonix KDE or Whonix XFCE? Latter needs less RAM.

Increase RAM?

Do you also have your VPN provider’s specific settings in the file?

Did you try a simple ping test first?