{{Header}}
{{Title|
title=Connecting to a VPN before Tor
}}
{{#seo:
|description=Instructions on how to connect to a VPN before Tor. (User → VPN → Tor → Internet)
|image=City-427640640.jpg
}}
[[image:City-427640640.jpg|thumb]]
{{intro|
Instructions on how to connect to a VPN before Tor.
'''User → VPN → Tor → Internet'''
}}
= Introduction =
Whonix does not "need" a VPN. However, users have the option to use Whonix with a VPN. See the [[Tunnels/Introduction]] to learn more if that is useful or harmful.
{{Tunnels_Introduction}}
= Connecting to a VPN before Tor (User → VPN → Tor → Internet) =
== Introduction ==
Platform specific.
* [[Qubes|{{q_project_name_short}}]] users have the option to use:
** '''A)''' a [[#Separate VPN-Gateway]] and/or
** '''B)''' could also install the VPN software [[#Inside {{project_name_gateway_short}}]].
* [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] users could install the VPN software
** '''A)''' [[#On the Host OS (host operating system, outside of any VMs)]] and/or
** '''B)''' [[#Inside {{project_name_gateway_short}}]].
What's the difference of installing a VPN on the host OS versus installing on {{project_name_gateway_short}}?
{{VPN_on_the_host_vs_on_Project-Gateway}}
== VPN Client Choice ==
* Use OpenVPN.
* Using bitmask with Qubes is [[unsupported]]. [
https://github.com/leapcode/bitmask_client/issues/1009
]
* Other VPN clients are [[unsupported]].
== Separate VPN-Gateway ==
[[Qubes|{{q_project_name_short}}]] only! [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] is [[unsupported]]!
A separate VPN-Gateway between {{project_name_gateway_short}} and sys-firewall, i.e.:
{{quotation|
quote=
{{project_name_workstation_short}} → {{project_name_gateway_short}} → sys-vpn → sys-firewall → sys-net
}}
'''User → VPN → Tor → Internet'''
These "Separate VPN-Gateway" instructions are new. You might be one of the first users. You might run into minor issues. Please test and [https://forums.{{project_clearnet}} report] how it went.
{{Box|text=
'''1.''' Clone a Template for example, debian-{{Stable_project_version_based_on_Debian_version_short}} and name the new template clone debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn. [
At the time of writing Debian ]{{Stable_project_version_based_on_Debian_version_short}} {{Stable_project_version_based_on_Debian_codename}} was the stable release version.
Qube Manager → debian-{{Stable_project_version_based_on_Debian_version_short}} → Clone qube → Enter name for Qube clone: debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn → Press: OK
'''2.''' Create a new ProxyVM based on the newly cloned template. Name the VM sys-vpn and set sys-firewall as NetVM. Make sure to check [✔] the box for provides_network.
{{Box|text=
Qube Manager → Qube → Create new qube
* Name and label: sys-vpn (Set any color)
* Type: AppVM
* Template: debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn
* Networking: sys-firewall
* Advanced: [✔] Provides network
* Press: OK
}}
'''3.''' Setup the VPN-Gateway as per [https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md Qubes VPN documentation]. The instructions to configure the [https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#proxyvm VPN gateway using iptables and CLI scripts] is preferred to prevent clearnet leaks when the VPN breaks down.
{{Box|text=
Without a fail closed configuration, if the VPN breaks down, all traffic (such as DNS queries) originating from {{project_name_gateway_short}} (commonly called {{project_name_gateway_vm}}) would only be forced through Tor. (User → Tor → Internet)
When a failed closed configuration is used and the VPN connection breaks down, no traffic would leave {{project_name_gateway_short}}. This is what you want if you are reading this documentation chapter.
}}
'''4.''' Check, that your sys-vpn is fully functional. Test connectivity from inside the sys-vpn as per:
[https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md Qubes VPN Documentation]
}}
Note: Both TCP and UDP VPN connections should work. System DNS should work out of the box so no DNS configuration is required for {{project_name_gateway_short}}. [Because {{project_name_gateway_short}} does not require any clearnet DNS anyhow.]
Done!
For troubleshooting, see footnote. [
* Check, that your VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.
* Add a non-{{project_name_long}} VM behind your VPN-Gateway. For example, add a debian based AppVM behind your VPN-Gateway. Figure out if the VPN-Gateway works at all before involving {{project_name_long}}.
]
== On the Host ==
Host in this context means the host operating system (outside any virtual machines).
[[Non-Qubes-Whonix|{{non_q_project_name_short}}]] only! (Because in Qubes, the host is non-networked by default. [[Qubes|{{q_project_name_short}}]] users have the option to use a [[#Separate VPN-Gateway]] but could also install the VPN software [[#Inside {{project_name_gateway_short}}]].)
User → VPN → Tor → Internet
When using a {{project_name_gateway_short}} virtual machine, connect to a VPN using software on the host operating system (and not on the {{project_name_workstation_short}} nor {{project_name_gateway_short}}).
Using software inside the host operating system may be more convenient if your more familiar with the host operating system than {{project_name_short}}. Additionally, your VPN provider might provide custom software with tools for connecting to their servers. However, there are issues that you must consider:
* A VPN on the host operating system will route all traffic originating from the host through the VPN, as well as {{project_name_short}} traffic. It is up to your preferences, if you like this or not.
* Your VPN software may not be designed or configured to "fail closed". That is, if your VPN session suddenly disconnects, your Tor connection will be automatically sent through your ISP without going through your VPN service.
==== How to add the VPN in Host OS ====
Use the host operating system's built-in tools connect to your VPN or use the software provided by your VPN service.
{{Anchor|Fail Closed Mechanism}}
==== Use a Fail Closed Mechanism ====
{{Fail_Closed_Mechanism}}
If you want to enforce, that the VPN always gets used, try [https://github.com/adrelanos/VPN-Firewall VPN-Firewall].
(Or if that works for you, install the VPN on the gateway instead, because it comes with an integrated TUNNEL_FIREWALL feature, i.e. stay away from the standalone VPN-Firewall when you set up a VPN on the gateway.)
{{Anchor|VPN Software on {{project_name_gateway_short}}}}
==== KVM VPN Killswitch ====
Platform specific notice:
* KVM: For a simplified option is only available for {{project_name_short}} [[KVM]] users, please press expand on the right side.
* Other platforms (such as VirtualBox or Qubes): Skip this chapter.
Optionally KVM users could also skip this chapter and use any of the other documentation on this wiki page.
{{KVM_VPN_killswitch}}
User → VPN → Tor → Internet
===== VPN Client Choice =====
Use OpenVPN.
Using bitmask inside {{project_name_gateway_short}} for this use case is [[unsupported]]. And discouraged. Because bitmask modifies the firewall. Perhaps that can be configured or is safe. Reaching that and documenting bitmask is TODO, [https://phabricator.whonix.org/T516 help welcome]!
Other VPN clients are [[unsupported]].
===== {{project_name_short}} TUNNEL_FIREWALL vs standalone VPN-Firewall =====
{{Whonix_TUNNEL_FIREWALL_vs_standalone_VPN-Firewall}}
===== Setup Time =====
If you are interested in [[Hide Tor from your Internet Service Provider|hide Tor and {{project_name_short}} from the ISP]] (read that page first)... After installing {{project_name_gateway_short}}, do the following steps before activating Tor in {{Code|{{project_name_short}} Setup Wizard}}.
===== Preparation =====
{{VPN/Setup/Preparation}}
===== Firewall Settings =====
{{Firewall_Settings}}
Add the following settings. You can skip comments (starting with {{Code|#}}). Don't use {{Code|;}} for comments. [That config file is a bash fragment.] Likely you do not need to either uncomment (removing the {{Code|#}} in front) or modify {{Code|VPN_INTERFACE}} / {{Code|LOCAL_NET}}.
## Make sure Tor always connects through the VPN.
## Enable: 1
## Disable: 0
## DISABELD BY DEFAULT, because it requires a VPN provider.
VPN_FIREWALL=1
## For OpenVPN.
#VPN_INTERFACE=tun0
## Destinations you don not want routed through the VPN.
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
# LOCAL_NET="\
# 127.0.0.0-127.0.0.24 \
# 192.168.0.0-192.168.0.24 \
# 192.168.1.0-192.168.1.24 \
# 10.152.152.0-10.152.152.24 \
# 10.0.2.2-10.0.2.24 \
# "
Save.
===== Reload Firewall =====
{{Reload_Firewall}}
===== sudoers Configuration =====
Inside {{project_name_gateway_short}}.
{{VPN/Setup/sudoers_configuration}}
===== VPN Setup =====
====== Introduction ======
{{VPN/Setup/Introduction}}
====== Get VPN Certificate ======
TODO: Documentation bug fix required. Won't work without Tor being enabled. You need to get the certificate elsewhere and then [[File Transfer]] it into {{project_name_gateway_short}}.
{{VPN/Setup/Get VPN Certificate}}
====== VPN Credentials ======
Inside {{project_name_gateway_short}}.
{{VPN/Setup/VPN Credentials}}
====== VPN IP Address ======
This cannot be done inside {{project_name_gateway_short}} since it by default does not system default DNS for its own traffic.
{{VPN/Setup/VPN IP Address}}
====== VPN Configuration File ======
Inside {{project_name_gateway_short}}.
{{Open with root rights|filename=
/etc/openvpn/openvpn.conf
}}
Add.
Note: make sure to adjust the {{Code|remote 198.252.153.226 80}} variable in your config (unless you are using {{Code|nyc.vpn.riseup.net}} as your VPN service). Replace the IP ({{Code|198.252.153.226}}) and port ({{Code|80}}) to match your VPN service.
##############################
## VPN provider specific settings ##
##############################
auth-user-pass auth.txt
## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80
ca RiseupCA.pem
remote-cert-tls server
####################################
## TUNNEL_FIREWALL specific settings ##
####################################
client
dev tun0
persist-tun
persist-key
script-security 2
#up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
#down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"
user tunnel
iproute /usr/bin/ip_unpriv
# Disabling any possible ipv6 auto-configuration since we have ipv6 disabled on our Whonix-Gateway
pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "tun-ipv6"
pull-filter ignore "ifconfig-ipv6"
Do not worry about TCP mode on {{project_name_gateway_short}}. Using the VPN in TCP mode may be possible depending the services provides by your VPN provider, but is not required on {{project_name_gateway_short}}. The VPN in UDP mode should work just fine. [
The Tor software cannot transport UDP yet, but it does not have to in this case. (Reference: [[Tor#UDP]].) Since the VPN connects over clearnet, UDP should just work as usual. Once the VPN is functional, Tor will have no issue to connect using it (without "knowing" it is over a VPN).
] Your pick.
[
The [https://github.com/{{project_name_short}}/usability-misc/blob/master/usr/bin/ip_unpriv /usr/bin/ip_unpriv] wrapper script is being provided by the [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] package.
The [https://github.com/{{project_name_short}}/usability-misc/blob/master/etc/sudoers.d/tunnel_unpriv /etc/sudoers.d/tunnel_unpriv] wrapper script is being provided by the [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] package.
The [https://github.com/{{project_name_short}}/usability-misc/blob/master/usr/lib/systemd/system/openvpn%40openvpn.service.d/50_unpriv.conf /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf] wrapper script is being provided by the [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] package.
] [We must run OpenVPN as user 'tunnel', because that is the only user besides user {{Code2|clearnet}} that will be allowed to establish external connections when using {{project_name_short}} Firewall setting VPN_FIREWALL=1.]
Save.
====== DNS Configuration ======
DNS configuration, resolvconf, update-resolv-conf or similar is not required for {{project_name_gateway_short}}. [
Because {{project_name_gateway_short}} by default has no and needs no system DNS for its own traffic. See [[{{project_name_gateway_short}} System DNS]] if you would like to read an explanation why that is so.
]
====== Configuration Folder Permissions ======
Inside {{project_name_gateway_short}}.
({{q_project_name_short}}: In Template)
{{VPN/Setup/Configuration Folder Permissions}}
===== systemd setup =====
Inside {{project_name_gateway_short}}.
({{q_project_name_short}}: In Template. [
OpenVPN will not actually start there thanks to ]/lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf.
)
{{Template:VPN/Setup/Systemd}}
===== Enable Tor =====
({{q_project_name_short}}: If using a Template, shut down the Template and restart {{project_name_gateway_short}} ({{project_name_gateway_vm}}). )
Enable Tor using [[Anon Connection Wizard]].
= Troubleshooting =
{{VPN-Firewall/Troubleshooting}}
=== How to Submit a Support Request ===
{{VPN/Setup/Support Requests}}
== Additional Tweaks / Recommendations / Troubleshooting ==
'''If having problems with the connection / Tor is not fully bootstrapped''', please press on expand on the right.
You have may have to manually restart Tor. This is because the VPN may not be ready when Tor is attempting to connect, because the VPN connection initialization takes too long. Due to a bug in Tor, it won't keep trying to connect. To fix this, you may have to manually restart Tor after boot, if whonixcheck reports that Tor is not fully bootstrapped. The same may be necessary if your VPN software or connection temporarily broke down.
'''To Manually restart Tor:'''
{{Reload_Tor}}
'''Leak Tests'''
When you shut down the VPN, neither Tor, nor {{project_name_gateway_short}} whonixcheck/apt/etc. nor {{project_name_workstation_short}} should be able to connect anywhere anymore.
''' Force Tor to wait for OpenVPN '''
Create a folder /etc/systemd/system/tor.service.d.
{{CodeSelect2|code=
sudo mkdir /etc/systemd/system/tor.service.d
}}
Create a file /etc/systemd/system/tor.service.d/50_user.conf.
{{Open with root rights|filename=
/etc/systemd/system/tor.service.d/50_user.conf
}}
Add the following content.
{{CodeSelect2|code=
[Unit]
After=openvpn.service
}}
Save.
At next boot, the Tor daemon will be started after the OpenVPN daemon.
Debugging: [
Reload systemd.
{{CodeSelect2|code=
sudo systemctl daemon-reload
}}
Check Tor service status.
{{CodeSelect2|code=
sudo systemctl status tor
}}
{{CodeSelect2|code=
sudo systemctl status tor@default
}}
It should list the drop-in file {{Code2|/etc/systemd/system/tor.service.d/50_user.conf}}.
]
'''Limitations'''
* Only tested with OpenVPN. Most other VPNs have deficiencies anyway.
* DNS (IP address) of VPN server has to be manually resolved. There is technically no way to automatically resolve DNS without making the setup much more complex. The VPN server's IP address should not be resolved over Tor, because that's what you wanted to hide in the first place. Since outside observers will know, that you are connecting to the VPN IP anyway, it is probably safe to resolve the DNS over clearnet or by asking the VPN provider if they don't already document their IPs on their website anyway.
* No support for IPv6 yet.
'''Troubleshooting VPN → Tor'''
*If not connecting, see above to manually restart Tor
*Check your VPN software's logs.
*'''Test if you are able to connect using your VPN'''
1. Login as user {{Code|clearnet}}.
{{CodeSelect2|code=
sudo su clearnet
}}
2. Try connecting to check.tpo. Note, at time of writing, it looked like usaip free trial is probably blocking SSL, therefore it might not work.
{{Curl_Plain}} --silent {{Curl_Secure}} -H 'Host: check.torproject.org' -k https://{{Check.torproject.org IP}} | grep IP
Should show something along: {{Code2|Your IP address appears to be: xxx.xxx.xxx.xxx}}
3. Get back to normal user.
{{CodeSelect2|code=
exit
}}