Just a problem I encountered in the past. If you’re just running one Workstation, not relevant in your case.
I will try to complete the Tor before VPN setup on my side with Whonix 14 first and see if I experience the same issue you do. If it works for me I will be happy to assist.
First of all I can confirm that resolvconf needs to be installed first, as you did. Once you make the initial changes and run whonix_firewall you lose connection.
Second issue I encountered was when running
sudo aptitude keep-all
I get an error, aptitude is not installed (I don’t recall what was the situation in Whonix 13). Solved with
sudo apt-get install aptitude
Two other minor remarks:
As footnote 21 mentions, the following already exist in /usr/lib/tmpfiles.d/50_openvpn_unpri.conf so no changes are necessary
d /run/resolvconf 0775 root tunnel - -
d /run/resolvconf/interface 0775 root tunnel - -
Regarding commenting out the content of
sudo nano /etc/resolvconf/run/interface/original.resolvconf
The file does not exist so nothing to do here
Done. After rebooting the machine I get:
- ping works.
- Tor browser connects to clearnet.
- IPCheck (https://check.torproject.org/) shows “Sorry. You are not using Tor.” as expected.
- VPN provider’s site identifies the connection is through them.
- Tor browser does NOT connect to onion sites
- wget works with clearnet but NOT with onion sites (“resolving… failed: Name or service not known. wget: unable to resolve host address”)
- sudo apt-get update gives:
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 Index of /debian stretch InRelease
Get:3 http://deb.whonix.org stretch InRelease [13.2 kB]
Hit:4 Index of /debian stretch Release
0% [Connecting to SOCKS5h proxy (socks5h://localhost:9050)] [Connecting to SOCKS5h proxy (socks5h://localhost:9050)] [Connecting to SsIgn:6 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Ign:7 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease
Ign:8 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease
Err:9 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch Release
Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed [IP: 127.0.0.1 9050]
Err:10 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed [IP: 127.0.0.1 9050]
Err:11 tor+http://vwakviie2ienjx6t.onion/debian stretch Release
Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed [IP: 127.0.0.1 9050]
Reading package lists… Done
E: The repository ‘tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch Release’ does no longer have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release’ does no longer have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository ‘tor+http://vwakviie2ienjx6t.onion/debian stretch Release’ does no longer have a Release file.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Running sudo apt-get update from a standard whonix workstation completes in seconds.
Just the same as I encounter. I can confirm 100% everything for me. What do we know? How do we solve it?
If you are using User -> Tor -> VPN -> Internet, it is expected that you cannot connect to onions.
- Chapter Combining Tunnels with Tor mentions that.
- The comparison table on Combining Tunnels with Tor mentions that.
service fails to start since somewhy chown is reset every time vm is rebooted.
Probably related to systemd-tmpfiles / /usr/lib/tmpfiles.d/. Perhaps package usability-misc isn’t installed?
Perhaps
Makes sense. Could you please explain how to change apt-get settings to use clearnet rather than the onion repositories? I think this is the only missing piece for me here.
Don’t you have any problems starting OpenVPN automatically after reboot, like I do, when I have to reset rights to
sudo chown -R tunnel:tunnel /etc/openvpn
sudo chown -R tunnel:tunnel /var/run/openvpn
?
Also, is there a way to use the GUI TorGuard client? If I run it nothing works, it just can’t connect at all. I tried shutting down OpenVPN prior to running. I need this for switching servers inside the TorGuard network; in the GUI client it’s much more convenient than editing openvpn.conf every time.
No, I don’t have such a problem. Permissions stay as they are after reboot.
I started the configuration with a newly imported Whonix-Workstation, perhaps you should try that with no other installations beforehand?
I never used the GUI tool you describe.
After some digging I commented the onion lines in the files:
/etc/apt/sources.list.d/debian.list
/etc/apt/sources.list.d/whonix.list
Now the output from sudo apt-get update is:
Get:1 http://deb.whonix.org stretch InRelease [13.2 kB]
Hit:2 http://security.debian.org stretch/updates InRelease
Ign:3 Index of /debian stretch InRelease
Hit:4 Index of /debian stretch Release
Fetched 13.2 kB in 33s (387 B/s)
Reading package lists… Done
Is it ok or something missing?
Hi asd3333
That looks OK.
See:
https://whonix.org/wiki/Operating_System_Software_and_Updates#Non-functional_Onion_Services
If you wanted to enable .onion services again.
So sick of setting it up…
After I commented out every ‘tor’-including line in whonix.list & debian.list and ran sudo apt-get update
sudo apt-get update
Ign:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://ftp.us.debian.org/debian stretch InRelease
Ign:3 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease
Ign:4 http://deb.whonix.org stretch InRelease
First it loads for like 5-15 minutes at least…
Then I get this…
Err:5 http://security.debian.org stretch/updates Release
Something wicked happened resolving 'security.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Err:6 http://ftp.us.debian.org/debian stretch Release
Something wicked happened resolving 'ftp.us.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Err:7 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch Release
Read error - read (104: Connection reset by peer) Reading the greet back from SOCKS proxy socks5h://localhost:9050 failed
Err:8 http://deb.whonix.org stretch Release
Something wicked happened resolving 'deb.whonix.org:http' (-4 - Non-recoverable failure in name resolution)
What VPN provider are you using, asd3333?
What VirtualBox version did you use?
You still have the whonix onion address in your apt-get output so you probably skipped commenting a line in whonix.list and perhaps changed something that shouldn’t be changed in debian.list - can you post the content of those two files here?
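An added example, not part of the original thread: a shell check for the situation described above, where an onion repository line is still active in an apt sources file after the others were commented out. The function names and the sample file are constructed for illustration; the repository lines are ones that appear in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit apt source files for onion
# entries that are still active. Function names are hypothetical.

# Print "file:line-number:entry" for every uncommented deb/deb-src entry that
# uses the tor+ transport or a .onion host. Commented lines never match,
# because their first field starts with "#".
active_onion_sources() {
    awk '($1 == "deb" || $1 == "deb-src") &&
         (index($0, "tor+") || $0 ~ /\.onion/) {
             printf "%s:%d:%s\n", FILENAME, FNR, $0
         }' "$@"
}

# Write a copy of file $1 to stdout with those entries commented out.
# It works on a copy because the shipped files say they get overwritten.
comment_out_onion_sources() {
    awk '($1 == "deb" || $1 == "deb-src") &&
         (index($0, "tor+") || $0 ~ /\.onion/) { print "#" $0; next }
         { print }' "$1"
}

# Constructed sample: one onion entry was missed, one is already commented.
write_sample_list() {
    cat > "$1" <<'EOF'
#deb tor+http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free
deb http://security.debian.org stretch/updates main contrib non-free
deb tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
deb http://ftp.us.debian.org/debian stretch main contrib non-free
EOF
}

sample_dir=$(mktemp -d)
write_sample_list "$sample_dir/debian.list"
echo "Active onion entries before:"
active_onion_sources "$sample_dir/debian.list"
comment_out_onion_sources "$sample_dir/debian.list" > "$sample_dir/debian.fixed"
echo "Active onion entries after: $(active_onion_sources "$sample_dir/debian.fixed" | wc -l)"
```

To audit a real system, pass the actual files, for instance every `.list` file under /etc/apt/sources.list.d/, to `active_onion_sources`; empty output means no onion repository is still enabled.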
5.2.22
Sorry, I probably ran sudo apt-get update before editing or needed to restart the firewall. My output now doesn’t have tor in it. It’s like this:
sudo apt-get update
Ign:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.whonix.org stretch InRelease
Ign:3 http://ftp.us.debian.org/debian stretch InRelease
Err:4 http://deb.whonix.org stretch Release
Something wicked happened resolving 'deb.whonix.org:http' (-4 - Non-recoverable failure in name resolution)
Err:5 http://ftp.us.debian.org/debian stretch Release
Something wicked happened resolving 'ftp.us.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Err:6 http://security.debian.org stretch/updates Release
Something wicked happened resolving 'security.debian.org:http' (-4 - Non-recoverable failure in name resolution)
Reading package lists... Done
E: The repository 'http://deb.whonix.org stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://ftp.us.debian.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Anyway here is content of debian.list:
# Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
# See the file COPYING for copying conditions.
# This is a default sources.list for Anonymity Linux Distributions,
# which are derivatives of Debian.
# If you want to see the example, which came with the upstream
# distribution, see: /usr/share/doc/apt/examples/sources.list
# Instead of directly editing this file,
# the user is advised to create the file /etc/apt/sources.list.d/user.list.
# This is because when this package gets updated,
# /etc/apt/sources.list.d/debian.list will be overwritten and may receive new
# new default values and comments. The entire folder /etc/apt/sources.list.d/
# gets scanned for additional sources.list files by apt-get.
# The user may keep their settings even after updating this package.
##
# Without graphical user interface, you can use for example:
# sudo editor /etc/apt/sources.list.d/user.list
# With graphical user interface (KDE), you can use for example:
# kdesudo xdg-open /etc/apt/sources.list.d/user.list
#deb tor+http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free
deb http://security.debian.org stretch/updates main contrib non-free
#deb tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
deb http://ftp.us.debian.org/debian stretch main contrib non-free
#deb https://deb.debian.org/debian stretch main
#deb http://deb.debian.org/debian-security/ stretch/updates main
#deb-src tor+http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free
#deb-src http://security.debian.org stretch/updates main contrib non-free
#deb-src tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
#deb-src http://ftp.us.debian.org/debian stretch main contrib non-free
# Technical notes:
# - Why is stretch-updates disabled by default?
# See: http://wiki.debian.org/StableUpdates
# - Why are sources (deb-src) disabled by default?
# Because those are not required by most users, to save time while
# running "sudo apt-get update".
# - See also: http://www.debian.org/security/
# - See also: /etc/apt/sources.list.d/
and whonix.list:
# Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
# See the file COPYING for copying conditions.
# Whonix /etc/apt/sources.list.d/whonix.list
# This file has been automatically created by /usr/bin/whonix_repository.
# If you make manual changes to it, your changes get lost next time you run
# the whonix_repository tool.
# You can conveniently manage this file, using the whonix_repository tool.
# For any modifications (delete this file, use stable version, use testers
# version or use developers version), please use the whonix_repository tool.
# Run:
# sudo whonix_repository
#deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch main contrib non-free
#deb-src tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch main contrib non-free
deb http://deb.whonix.org stretch main contrib non-free
#deb-src http://deb.whonix.org stretch main contrib non-free
# Leaving source line disabled by default to safe some time, it's not useful
# anyway, since it's better to get the source code from the git repository.
# End of /etc/apt/sources.list.d/whonix.list
My version is 5.2.4 portable
Those files look like mine.
I have found some bugs in my setup. Now after reload I don’t have to apply any setting over and over again. OpenVPN works out of the box and connects successfully. But I am still unable to run the apt-get update/install command.
asd3333, what are the DNS settings in your /etc/resolv.conf? Instructions say it should contain my VPN DNS server addresses, but I can’t set those addresses. My resolv.conf has 1.1.1.1 and 1.0.0.1. If I change to my VPN DNS and try restarting resolv.conf via /etc/init.d/resolv restart - my DNS are still 1.1.1.1
My DNS are always 1.1.1.1 and 1.0.0.1 somewhy. I tried many different “how-tos” to set DNS; anyway, after reboot my /etc/resolv.conf is always 1.1.1.1 and 1.0.0.1
Why !?!?!?