Whonix 14 and TorGuard VPN

Just a problem I encountered in the past. If you’re just running one Workstation, not relevant in your case.

I will try to complete the Tor before VPN setup on my side with Whonix 14 first and see if I experience the same issue you do. If it works for me I will be happy to assist.

First of all I can confirm that resolvconf needs to be installed first, as you did. Once you make the initial changes and run whonix_firewall you lose connection.

Second issue I encountered was when running

sudo aptitude keep-all

I get an error, aptitude is not installed (I don’t recall what was the situation in Whonix 13). Solved with

sudo apt-get install aptitude

Two other minor remarks:

As footnote 21 mentions, the following already exist in /usr/lib/tmpfiles.d/50_openvpn_unpri.conf so no changes are necessary

d /run/resolvconf 0775 root tunnel - -
d /run/resolvconf/interface 0775 root tunnel - -

Regarding commenting out the content of

sudo nano /etc/resolvconf/run/interface/original.resolvconf

The file does not exist so nothing to do here

Done. After rebooting the machine I get:

  • ping works.
  • Tor browser connects to clearnet.
  • IPCheck (https://check.torproject.org/) shows “Sorry. You are not using Tor.” as expected.
  • VPN provider’s site identifies the connection is through them.
  • Tor browser does NOT connect to onion sites
  • wget works with clearnet but NOT with onion sites (“resolving… failed: Name or service not known. wget: unable to resolve host address”)
  • sudo apt-get update gives:

Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 Index of /debian stretch InRelease
Get:3 http://deb.whonix.org stretch InRelease [13.2 kB]
Hit:4 Index of /debian stretch Release
0% [Connecting to SOCKS5h proxy (socks5h://localhost:9050)] [Connecting to SOCKS5h proxy (socks5h://localhost:9050)] [Connecting to SsIgn:6 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Ign:7 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease
Ign:8 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease
Err:9 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch Release
Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed [IP: 127.0.0.1 9050]
Err:10 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed [IP: 127.0.0.1 9050]
Err:11 tor+http://vwakviie2ienjx6t.onion/debian stretch Release
Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed [IP: 127.0.0.1 9050]
Reading package lists… Done
E: The repository ‘tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch Release’ does no longer have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release’ does no longer have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘tor+http://vwakviie2ienjx6t.onion/debian stretch Release’ does no longer have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Running sudo apt-get update from a standard whonix workstation completes in seconds.

Just the same as I encounter. I can confirm 100% everything for me. What do we know? How do we solve it?

If you are using User -> Tor -> VPN -> Internet it is expected that you cannot connect to onions.

1 Like

@Denssss

service fails to start since for some reason chown is reset every time the VM is rebooted.

Probably related to systemd-tmpfiles / /usr/lib/tmpfiles.d/.

Perhaps package usability-misc isn’t installed?

Perhaps

Makes sense. Could you please explain how to change apt-get settings to use clearnet rather than the onion repositories? I think this is the only missing piece for me here.

Don’t you have any problems starting openvpn automatically after reboot like I do, when I have to reset rights to

sudo chown -R tunnel:tunnel /etc/openvpn
sudo chown -R tunnel:tunnel /var/run/openvpn

?

Also, is there a way to use the GUI TorGuard client? If I run it nothing works, it just can’t connect at all. I tried shutting down openvpn prior to running. I need this for switching servers inside the TorGuard network; in the GUI client it’s much more convenient than editing openvpn.conf every time.

Updated my previous post Whonix 14 and TorGuard VPN - #48 by Patrick.

No, I don’t have such a problem. Permissions stay as they are after reboot.

I started the configuration with a newly imported Whonix-Workstation, perhaps you should try that with no other installations beforehand?

I never used the GUI tool you describe.

After some digging I commented the onion lines in the files:

/etc/apt/sources.list.d/debian.list
/etc/apt/sources.list.d/whonix.list

Now the output from sudo apt-get update is:

Get:1 http://deb.whonix.org stretch InRelease [13.2 kB]
Hit:2 http://security.debian.org stretch/updates InRelease
Ign:3 Index of /debian stretch InRelease
Hit:4 Index of /debian stretch Release
Fetched 13.2 kB in 33s (387 B/s)
Reading package lists… Done

Is it ok or something missing?

Hi asd3333

That looks OK.

See:

https://whonix.org/wiki/Operating_System_Software_and_Updates#Non-functional_Onion_Services

If you wanted to enable .onion services again.

1 Like
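The check discussed in this thread, as an added example (not code from the thread or from Whonix): list every APT source entry that is still active and uses the tor+ transport or a .onion host, since those are the entries that fail in a User -> Tor -> VPN -> Internet setup. The function names and the sample files with their example*.onion hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Whonix code. Reports APT source entries that are still
# active (uncommented) and point at an onion service.

# Usage: active_onion_sources FILE...
# Prints "file:line:entry" for each active deb/deb-src line whose URI uses
# the tor+ transport or a .onion host.
active_onion_sources() {
    awk '
        /^[[:space:]]*#/ { next }                # commented out, so inactive
        $1 != "deb" && $1 != "deb-src" { next }  # not a source entry
        {
            uri = $2
            if (uri ~ /^\[/) {                   # skip an optional [options] field
                for (i = 2; i <= NF; i++)
                    if ($i ~ /\]$/) { uri = $(i + 1); break }
            }
            if (uri ~ /^tor\+/ || uri ~ "\\.onion([/:]|$)")
                print FILENAME ":" FNR ":" $0
        }
    ' "$@"
}

# Constructed sample files (placeholder hosts); prints the directory name.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/debian.list" <<'EOF'
#deb tor+http://example1.onion stretch/updates main contrib non-free
deb http://security.debian.org stretch/updates main contrib non-free
EOF
    cat > "$dir/whonix.list" <<'EOF'
deb tor+http://example2.onion stretch main contrib non-free
 #deb-src tor+http://example2.onion stretch main contrib non-free
deb [arch=amd64] http://example3.onion/debian stretch main
deb http://deb.whonix.org stretch main contrib non-free
EOF
    echo "$dir"
}

sample=$(make_sample)
active_onion_sources "$sample"/*.list   # reports whonix.list lines 1 and 3
rm -r "$sample"
```

On a real system the function would be pointed at /etc/apt/sources.list and /etc/apt/sources.list.d/*.list; empty output means no active onion entries remain.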

So sick of setting it up…

After I commented every ‘tor’-including line in whonix.list & debian.list and ran sudo apt-get update

sudo apt-get update
Ign:1 http://security.debian.org stretch/updates InRelease                                                                                                      
Ign:2 http://ftp.us.debian.org/debian stretch InRelease                                                                                                         
Ign:3 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease                       
Ign:4 http://deb.whonix.org stretch InRelease

First it loads for like 5-15 minutes at least…

Then I get this…

Err:5 http://security.debian.org stretch/updates Release                                                                                                        
  Something wicked happened resolving 'security.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Err:6 http://ftp.us.debian.org/debian stretch Release                                                                                                           
  Something wicked happened resolving 'ftp.us.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Err:7 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch Release                         
  Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed
Err:8 http://deb.whonix.org stretch Release                                                                                 
  Something wicked happened resolving 'deb.whonix.org:http' (-4 - Non-recoverable failure in name resolution)

What VPN provider are you using, asd3333?

What VirtualBox version did you use?

You still have the whonix onion address in your apt-get output so you probably skipped commenting a line in whonix.list and perhaps changed something that shouldn’t be changed in debian.list - can you post the content of those two files here?

5.2.22

Sorry, I probably ran sudo apt-get update before editing or needed to restart the firewall. My output now doesn’t have tor in it. It’s like this:

sudo apt-get update
Ign:1 http://security.debian.org stretch/updates InRelease                                             
Ign:2 http://deb.whonix.org stretch InRelease                                                          
Ign:3 http://ftp.us.debian.org/debian stretch InRelease                                                
Err:4 http://deb.whonix.org stretch Release                                                            
  Something wicked happened resolving 'deb.whonix.org:http' (-4 - Non-recoverable failure in name resolution)
Err:5 http://ftp.us.debian.org/debian stretch Release                                                  
  Something wicked happened resolving 'ftp.us.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Err:6 http://security.debian.org stretch/updates Release                
  Something wicked happened resolving 'security.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Reading package lists... Done         
E: The repository 'http://deb.whonix.org stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://ftp.us.debian.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Anyway here is content of debian.list:

# Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

# This is a default sources.list for Anonymity Linux Distributions,
# which are derivatives of Debian.

# If you want to see the example, which came with the upstream
# distribution, see: /usr/share/doc/apt/examples/sources.list

# Instead of directly editing this file,
# the user is advised to create the file /etc/apt/sources.list.d/user.list.
# This is because when this package gets updated,
# /etc/apt/sources.list.d/debian.list will be overwritten and may receive new
# new default values and comments. The entire folder /etc/apt/sources.list.d/
# gets scanned for additional sources.list files by apt-get.
# The user may keep their settings even after updating this package.
##
# Without graphical user interface, you can use for example:
#    sudo editor /etc/apt/sources.list.d/user.list
# With graphical user interface (KDE), you can use for example:
#    kdesudo xdg-open /etc/apt/sources.list.d/user.list

#deb tor+http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free
deb http://security.debian.org stretch/updates main contrib non-free

#deb tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
deb http://ftp.us.debian.org/debian stretch main contrib non-free

#deb https://deb.debian.org/debian stretch main
#deb http://deb.debian.org/debian-security/ stretch/updates main

#deb-src tor+http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free
#deb-src http://security.debian.org stretch/updates main contrib non-free

#deb-src tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
#deb-src http://ftp.us.debian.org/debian stretch main contrib non-free

# Technical notes:
# - Why is stretch-updates disabled by default?
#   See: http://wiki.debian.org/StableUpdates
# - Why are sources (deb-src) disabled by default?
#   Because those are not required by most users, to save time while
#   running "sudo apt-get update".
# - See also: http://www.debian.org/security/
# - See also: /etc/apt/sources.list.d/

and whonix.list:

# Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

# Whonix /etc/apt/sources.list.d/whonix.list

# This file has been automatically created by /usr/bin/whonix_repository.
# If you make manual changes to it, your changes get lost next time you run
# the whonix_repository tool.
# You can conveniently manage this file, using the whonix_repository tool.
# For any modifications (delete this file, use stable version, use testers
# version or use developers version), please use the whonix_repository tool.
# Run:
#    sudo whonix_repository

#deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch main contrib non-free
#deb-src tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch main contrib non-free

deb http://deb.whonix.org stretch main contrib non-free
#deb-src http://deb.whonix.org stretch main contrib non-free

# Leaving source line disabled by default to safe some time, it's not useful
# anyway, since it's better to get the source code from the git repository.

# End of /etc/apt/sources.list.d/whonix.list

My version is 5.2.4 portable

Those files look like mine.

I have found some bugs in my setup. Now after reload I don’t have to apply any setting over and over again. OpenVPN works out of the box and connects successfully. But I am still unable to run the apt-get update/install command.

asd3333, what are the DNS settings in your /etc/resolv.conf? Instructions say it should contain my VPN DNS server addresses, but I can’t set those addresses. My resolv.conf has 1.1.1.1 and 1.0.0.1. If I change to my VPN DNS and try restarting resolv.conf via /etc/init.d/resolv restart - my DNS are still 1.1.1.1

My DNS are always 1.1.1.1 and 1.0.0.1 for some reason. I tried many different “how-tos” to set DNS; anyway, after reboot my /etc/resolv.conf is always 1.1.1.1 and 1.0.0.1
Why !?!?!?