{{Header}}
{{Title|
title=Connecting to Tor before a VPN
}}
{{#seo:
|description=Instructions on how to connect to Tor before a VPN. (User → Tor → VPN → Internet)
|image=Ball-443853640.jpg
}}
[[File:Ball-443853640.jpg|thumb]]
{{intro|
Instructions on how to connect to Tor before a VPN.
'''User → Tor → VPN → Internet'''
}}
= Introduction =
Whonix users have the option to use a VPN, but in most cases it is not needed and there are other alternatives. Reading the [[Tunnels/Introduction]] wiki page beforehand is advised, to learn whether using a VPN with Whonix is useful or harmful.
By design, a VPN routes all your applications -- those without any proxy settings -- through the VPN. This may be undesirable as explained below; for example, it increases the threat of identity correlation. To circumvent this possibility, only use this {{project_name_workstation_long}} for particular applications that should be routed through the tunnel-link. Refer to the [[Multiple Whonix-Workstation|Multiple {{project_name_workstation_long}}]] wiki chapter for further instructions.
{{Tunnels_Introduction}}
= Security Precautions =
== Prevent Bypassing of the Tunnel-Link ==
{{Prevent_Bypassing_the_Tunnel-Link}}
{{Anchor|Fail_Closed_Mechanism}}
== Use a Fail Closed Mechanism ==
{{Fail_Closed_Mechanism}}
Instructions below include a fail closed mechanism.
== VPN Client Choice ==
* It is recommended to utilize OpenVPN.
* Using [https://bitmask.net/en Bitmask VPN] (https://0xacab.org/leap/bitmask-vpn) for this use case is not possible. In other words, you cannot use {{Code|User → Tor → bitmask → Internet}}. Previously Bitmask did not support Tor. Broken link: {{Code|{{project_name_workstation_short}} → VPN-Gateway → {{project_name_gateway_short}}}}.
{{Code|User → Tor → VPN → Internet}}
There used to be a Qubes specific bug breaking this.
* https://github.com/QubesOS/qubes-issues/issues/7123#issuecomment-1245292312
* https://github.com/QubesOS/qubes-issues/issues/7261#issuecomment-1242979914
* https://github.com/QubesOS/qubes-core-agent-linux/blob/master/network/setup-ip
* In short: the contents of {{Code|/usr/lib/qubes/setup-ip}} need to be replaced with [https://raw.githubusercontent.com/QubesOS/qubes-core-agent-linux/master/network/setup-ip setup-ip].
It has probably been fixed at least since Qubes R4.2. Please try and report if this worked for you so this notice can be removed.
{{Box|text=
'''1.''' Prerequisite knowledge: '''Qubes VPN Setup over Clearnet'''
"Forget" about {{project_name_short}} for a moment for this step 1. This is about Qubes only. This is [[unspecific|unspecific to {{project_name_short}}]].
The user needs to master setting up the VPN-Gateway as per [https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061 Qubes VPN Documentation] in the context of a "normal" VPN using clearnet, meaning without involving or mentioning {{project_name_short}} in any way. Connection scheme: {{Code|User → VPN → Internet}}
It is recommended to follow the [https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts-5 ''Set up a ProxyVM as a VPN gateway using iptables and CLI scripts''] instructions because this prevents clearnet leaks if/when the VPN breaks down.
Two options. Choose one.
* '''A)''' If intending to use Qubes-vpn-support: Note regarding [https://github.com/tasket/Qubes-vpn-support Qubes-vpn-support]: see the [https://github.com/tasket/Qubes-vpn-support/issues/72 Qubes-vpn-support broken in Qubes R4.2] status.
* '''B)''' If not using Qubes-vpn-support: No special notice.
Note:
* UDP: UDP-style VPN connections are incompatible with Tor, because Tor only transports TCP; the VPN must therefore be configured to use TCP. See [[Tor#UDP|UDP]]. This requires adding {{Code|proto tcp}} to the VPN configuration file {{Code|/rw/config/vpn/openvpn-client.ovpn}}. Nearly all VPN providers support this configuration.
* Support: Please do not contact {{project_name_short}} support for this step because mastering this skill is specific to Qubes only.
'''2.''' Clone a Template.
For example, clone debian-{{Stable_project_version_based_on_Debian_version_short}} and name the new template clone debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn. At the time of writing Debian 11 bullseye was the stable release version.
Qube Manager → debian-{{Stable_project_version_based_on_Debian_version_short}} → Clone qube → Enter name for Qube clone: debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn → Press: OK
'''3.''' Create a new ProxyVM based on the newly cloned template.
Name the VM VPN-Gateway and set the {{project_name_gateway_short}} ProxyVM ({{project_name_gateway_vm}}) as NetVM. Make sure to check [✔] the box for "provides network".
{{Box|text=
Qube Manager → Qube → Create new qube
* Name and label: VPN-Gateway (Set the preferred color)
* Type: Qube based on a template (AppVM)
* Template: debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn
* Networking: {{project_name_gateway_vm}}
* Advanced: [✔] Provides network
* Press: OK
}}
'''4.''' ''Torified VPN Setup''
Set up the VPN-Gateway. This will be similar to step 1. This will result in connection scheme {{Code|User → Tor → VPN → Internet}} because in the above step Networking: {{project_name_gateway_vm}} has been configured.
Notes:
* VPN Provider Choice: A VPN provider different from the VPN provider used in step 1 should be used. This is because the VPN provider from step 1 knows your real IP address. The VPN provider used for connection scheme {{Code|User → Tor → VPN → Internet}} should only know your Tor exit relay IP address.
* Fail closed mechanism: Without a fail closed configuration, all traffic originating from the {{project_name_workstation_short}} App Qube ({{project_name_workstation_vm}}) would be forced through Tor only, not the VPN, if/when the VPN connection breaks down ({{Code|User → Tor → Internet}}).
* UDP vs TCP: Reminder. Only TCP can be used as mentioned in step 1.
'''5.''' Check the VPN-Gateway is fully functional.
Test connectivity from inside the VPN-Gateway as per [https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md Qubes VPN Documentation].
'''6.''' ''Recommended:'' Prevent bypassing of the tunnel link.
In {{project_name_workstation_short}} ({{project_name_workstation_vm}}), apply instructions from the [[#Prevent Bypassing of the Tunnel-Link|Prevent Bypassing of the Tunnel-Link]] section.
'''7.''' ''Optional:'' Leak tests.
It is recommended to run the related [[#Leak_Tests|Leak Tests]].
'''8.''' Done.
The VPN-Gateway configuration is complete.
}}
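The following shell script is an added example and is not part of the Whonix or Qubes documentation. It automates the UDP vs TCP requirement from step 1 (and the reminder in step 4): before starting the VPN-Gateway, it inspects an OpenVPN client configuration such as {{Code|/rw/config/vpn/openvpn-client.ovpn}} and rejects anything that would make the tunnel use UDP, which Tor cannot carry. The function name {{Code|ovpn_proto_ok}}, the temporary file names and the sample configurations are constructed for this example. It goes beyond the single {{Code|proto tcp}} line on this page by also rejecting a configuration with no {{Code|proto}} directive at all (OpenVPN then defaults to UDP) and a per-server protocol given as the third argument of a {{Code|remote}} line.

```sh
#!/bin/sh
# Added example; not code from the Whonix or Qubes documentation.
# Preflight check for the OpenVPN client configuration of the VPN-Gateway:
# refuses a configuration that would carry the VPN over UDP, because Tor
# only transports TCP and such a tunnel would never come up.
# File names and the sample configurations below are constructed.

# ovpn_proto_ok FILE
# Returns 0 when FILE forces TCP, 1 otherwise:
#   - exactly one 'proto' directive must exist and name a TCP variant
#     (tcp, tcp-client, tcp4, tcp6, ...); with no 'proto' line OpenVPN
#     defaults to UDP, so that case fails as well
#   - 'remote HOST PORT PROTO' may override the protocol per server, so any
#     such line naming something other than tcp* fails
ovpn_proto_ok() {
    file="$1"
    [ -r "$file" ] || return 1
    # Drop '#' and ';' comments and leading whitespace before matching.
    cleaned=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$file")
    protos=$(printf '%s\n' "$cleaned" | awk '$1 == "proto" { print $2 }')
    count=$(printf '%s\n' "$protos" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    case "$protos" in
        tcp*) ;;
        *) return 1 ;;
    esac
    # Fourth field of a 'remote' line is its own protocol; reject non-TCP.
    bad_remote=$(printf '%s\n' "$cleaned" \
        | awk '$1 == "remote" && NF >= 4 && $4 !~ /^tcp/')
    [ -z "$bad_remote" ]
}

# Constructed sample configurations, written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)

# Mirrors the shape used on this page: 'remote HOST PORT' plus 'proto tcp'.
SAMPLE_TCP="$SAMPLE_DIR/tcp.ovpn"
cat > "$SAMPLE_TCP" <<'EOF'
client
dev tun0
remote 198.252.153.226 80   # protocol comes from 'proto' below
proto tcp
EOF

# Explicit UDP: must be rejected.
SAMPLE_UDP="$SAMPLE_DIR/udp.ovpn"
cat > "$SAMPLE_UDP" <<'EOF'
client
remote 198.252.153.226 1194
proto udp
EOF

# No 'proto' directive: OpenVPN's default is UDP, must be rejected.
SAMPLE_NONE="$SAMPLE_DIR/noproto.ovpn"
cat > "$SAMPLE_NONE" <<'EOF'
client
remote 198.252.153.226 1194
EOF

# 'proto tcp' present, but a per-remote override selects udp: rejected.
SAMPLE_REMOTE_UDP="$SAMPLE_DIR/remote-udp.ovpn"
cat > "$SAMPLE_REMOTE_UDP" <<'EOF'
client
proto tcp
remote 198.252.153.226 1194 udp
EOF

for f in "$SAMPLE_TCP" "$SAMPLE_UDP" "$SAMPLE_NONE" "$SAMPLE_REMOTE_UDP"; do
    if ovpn_proto_ok "$f"; then
        echo "OK     $(basename "$f"): TCP enforced, usable behind Tor"
    else
        echo "REJECT $(basename "$f"): would use UDP, which Tor cannot carry"
    fi
done
```

Run it in the VPN-Gateway before bringing the tunnel up; a configuration that is rejected here should be corrected with {{Code|proto tcp}} as described in step 1 rather than started.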
Notes:
* No DNS configuration is required when using a separate VPN-Gateway and system DNS should work out of the box, because a properly configured Qubes VPN-Gateway will be able to resolve DNS.
* For troubleshooting, see footnote.
* Check the VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.
* When testing the VPN connection do not add any VMs that have been previously used for non-anonymous activities behind the VPN-Gateway. This will burn the VPN, making it unsuitable for use with {{project_name_short}}!
* Create a fresh, newly created VM if intending to use a non-{{project_name_short}} VM behind the VPN-Gateway for testing purposes.
* {{project_name_short}} user forum discussion: [https://forums.whonix.org/t/setup-a-vpn-in-proxyvm-over-{{project_name_gateway_vm}} Set up a VPN in ProxyVM over {{project_name_gateway_vm}}]
* Qubes users mailing list discussion: https://groups.google.com/g/qubes-users/c/AXOwf1f9jd0/m/UkHwQmKVQQAJ
* Qubes development ticket: https://github.com/QubesOS/qubes-issues/issues/2060
* The following warning will appear when using [[Tor Browser]] and is expected (see technical footnote): {{Code2|Something Went Wrong! Tor is not working in this browser.}} This is because Tor Browser can no longer access Tor's ControlPort ([[Dev/onion-grater|onion-grater]]) on {{project_name_gateway_short}}.
== Inside {{project_name_workstation_short}} ==
This configuration will connect to the VPN using your preferred software inside the ({{project_name_short}}-)Workstation.
{{VPN UDP Tor|/etc/openvpn/openvpn.conf}}
{{Code|User → Tor → VPN → Internet}}
=== {{project_name_short}} TUNNEL_FIREWALL vs Standalone VPN-Firewall ===
{{Whonix_TUNNEL_FIREWALL_vs_standalone_VPN-Firewall}}
=== Preparation ===
'''NOTE: might be broken, see https://forums.whonix.org/t/user-tor-vpn-internet-doesnt-work-in-whonix-16/13786'''
{{VPN/Setup/Preparation}}
=== Prerequisite Knowledge ===
Before proceeding, it is strongly recommended to read and understand the [[Debian_Packages|{{project_name_short}} Debian Packages]] chapter.
=== Firewall Settings ===
{{Firewall_Settings_Workstation}}
Add the following settings.
{{CodeSelect|code=
WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true
}}
Save.
=== Reload Firewall ===
{{Reload_Firewall_ws}}
=== sudoers Configuration ===
{{VPN/Setup/Tor_Before_VPN/sudoers_configuration}}
=== VPN Setup ===
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Update: The Riseup "legacy" VPN appears to have been discontinued. The Riseup replacement service (Bitmask) has not been tested. If you do not have a Riseup invite code then tailor the instructions in this section to work with any other OpenVPN provider.
}}
==== Introduction ====
{{VPN/Setup/Introduction}}
==== Get VPN Certificate ====
{{VPN/Setup/Get VPN Certificate}}
==== VPN Credentials ====
{{VPN/Setup/VPN Credentials}}
==== VPN IP Address ====
{{VPN/Setup/VPN_IP_Address}}
==== VPN Configuration File ====
{{Box|text=
'''1.''' {{Open with root rights|filename=
/etc/openvpn/openvpn.conf
}}
'''2.''' Add. Note: It is necessary to adjust the {{Code|remote 198.252.153.226 80}} variable in the configuration below unless you are using {{Code|nyc.vpn.riseup.net}} as the VPN service. Replace the IP ({{Code|198.252.153.226}}) and port ({{Code|80}}) to match your VPN service.
{{CodeSelect|code=
##############################
## VPN provider specific settings ##
##############################
auth-user-pass auth.txt
## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80
ca RiseupCA.pem
remote-cert-tls server
####################################
## TUNNEL_FIREWALL specific settings ##
####################################
client
dev tun0
persist-tun
persist-key
script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"
user tunnel
iproute /usr/bin/ip_unpriv
############################################
## Connecting to Tor before a VPN specific settings #
############################################
proto tcp
}}
* The [https://github.com/{{project_name_short}}/usability-misc/blob/master/usr/bin/ip_unpriv /usr/bin/ip_unpriv] wrapper script is provided by the [https://github.com/{{project_name_short}}/usability-misc usability-misc] package.
* The [https://github.com/{{project_name_short}}/usability-misc/blob/master/etc/sudoers.d/tunnel_unpriv /etc/sudoers.d/tunnel_unpriv] sudoers file is provided by the [https://github.com/{{project_name_short}}/usability-misc usability-misc] package.
* The [https://github.com/{{project_name_short}}/usability-misc/blob/master/usr/lib/systemd/system/openvpn%40openvpn.service.d/50_unpriv.conf /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf] systemd drop-in is provided by the [https://github.com/{{project_name_short}}/usability-misc usability-misc] package.
It is necessary to run OpenVPN as user {{Code|tunnel}} because that is the only user besides user {{Code|clearnet}} that is allowed to establish external connections when using the {{project_name_short}} Firewall setting {{Code|VPN_FIREWALL=1}}.
'''3.''' Save.
}}
==== Install resolvconf ====
{{VPN/Setup/install_resolvconf}}
==== DNS Configuration ====
{{Box|text=
'''1.''' {{Open with root rights|filename=
/usr/lib/tmpfiles.d/50_openvpn_unpriv.conf
}}
'''2.''' Add.
{{CodeSelect|code=
d /run/resolvconf 0775 root tunnel - -
d /run/resolvconf/interface 0775 root tunnel - -
}}
Save the file.
'''3.''' Adjust permissions. This step is removable since {{project_name_short}} 14 because it was merged into the usability-misc package.
{{CodeSelect|code=
sudo chown --recursive root:tunnel /run/resolvconf
}}
{{CodeSelect|code=
sudo chmod --recursive 775 /run/resolvconf
}}
'''4.''' {{VPN/Setup/DNS Configuration}}
}}
=== Additional Setup ===
==== Configuration Folder Permissions ====
{{VPN/Setup/Configuration Folder Permissions}}
==== systemd Setup ====
{{Template:VPN/Setup/Systemd}}
==== resolvconf Adjustments ====
{{VPN/Setup/resolvconf adjustments}}
==== Verify DNS Settings ====
{{Box|text=
'''1.''' Open the {{Code|/etc/resolv.conf}} file.
{{CodeSelect|code=
sudo cat /etc/resolv.conf
}}
'''2.''' Check the current settings.
It should not include the following setting; this is the standard {{project_name_short}} DNS server.
{{CodeSelect|code=
nameserver 10.152.152.10
}}
It should also not include the following settings; these are the standard Qubes DNS servers.
{{CodeSelect|code=
nameserver 10.137.3.1
nameserver 10.137.3.254
}}
'''3.''' Confirm it only includes the DNS server of your DNS provider. For example.
{{CodeSelect|code=
nameserver 10.5.0.1
}}
}}
==== systemcheck ====
{{Code|systemcheck}} configuration. {{Code|systemcheck}} cannot work in this configuration out of the box. Perform the following steps to unbreak it.
{{Box|text=
'''1.''' {{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}
'''2.''' Add the following text.
{{CodeSelect|code=
systemcheck_skip_functions+=" check_tor_bootstrap "
systemcheck_skip_functions+=" check_tor_socks_port_reachability "
systemcheck_skip_functions+=" check_tor_socks_port "
systemcheck_skip_functions+=" check_tor_trans_port "
systemcheck_skip_functions+=" check_stream_isolation "
systemcheck_skip_functions+=" download_whonix_news "
## {{ Alternative to disabling check_tor_trans_port.
## Make the Tor TransPort test work by simulating the Tor SocksPort test succeeded.
#CHECK_TOR_RESULT_SOCKS_PORT=0
## Do not warn if Tor was not detected. (Will be the VPN.)
#SYSTEMCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1
## }}
## {{ Alternative to download_whonix_news.
## Download news through system default.
#CURL_PROXY_WHONIX_NEWS="--fail"
## }}
}}
'''3.''' Save the file.
'''4.''' Done.
{{Code|systemcheck}} configuration has been completed.
}}
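The following shell script is an added example and is not part of the Whonix documentation. It automates the ''Verify DNS Settings'' step above: it reads a {{Code|/etc/resolv.conf}} and fails if the {{project_name_short}} DNS server ({{Code|10.152.152.10}}) or either of the Qubes DNS servers named on this page is still listed, or if no nameserver is configured at all, so that DNS queries would not go through the VPN. The function names, the temporary files and the sample file contents are constructed; the list of forbidden addresses is taken from this page and should be extended if your setup uses other gateway resolvers.

```sh
#!/bin/sh
# Added example; not code from the Whonix documentation.
# Automates the "Verify DNS Settings" step: inside Whonix-Workstation,
# /etc/resolv.conf must list only the VPN provider's resolver. If the
# Whonix-Gateway resolver (10.152.152.10) or one of the Qubes resolvers
# named on this page (10.137.3.1, 10.137.3.254) is still present, DNS is
# not going through the VPN. File names and contents are constructed.

# Resolver addresses that must not appear (taken from the page; extend the
# list if your gateway uses other addresses).
FORBIDDEN_NS="10.152.152.10 10.137.3.1 10.137.3.254"

# resolvconf_nameservers FILE
# Prints the nameserver addresses in FILE, one per line, ignoring
# '#' and ';' comments.
resolvconf_nameservers() {
    sed -e 's/[#;].*$//' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# resolvconf_ok FILE
# Returns 0 if FILE lists at least one nameserver and none of them is in
# FORBIDDEN_NS. Otherwise prints the reason and returns 1.
resolvconf_ok() {
    found=0
    for ns in $(resolvconf_nameservers "$1"); do
        found=1
        for bad in $FORBIDDEN_NS; do
            if [ "$ns" = "$bad" ]; then
                echo "DNS still points at $ns (gateway/Qubes resolver)"
                return 1
            fi
        done
    done
    if [ "$found" -eq 0 ]; then
        echo "no nameserver configured"
        return 1
    fi
    echo "only provider resolvers: $(resolvconf_nameservers "$1" | tr '\n' ' ')"
    return 0
}

# Constructed sample files.
RESOLV_DIR=$(mktemp -d)
RESOLV_GOOD="$RESOLV_DIR/good.conf"      # VPN provider's resolver only
printf '# generated by resolvconf\nnameserver 10.5.0.1\n' > "$RESOLV_GOOD"
RESOLV_WHONIX="$RESOLV_DIR/whonix.conf"  # gateway resolver still present
printf 'nameserver 10.5.0.1\nnameserver 10.152.152.10\n' > "$RESOLV_WHONIX"
RESOLV_QUBES="$RESOLV_DIR/qubes.conf"    # Qubes resolvers, VPN DNS not applied
printf 'nameserver 10.137.3.1\nnameserver 10.137.3.254\n' > "$RESOLV_QUBES"
RESOLV_EMPTY="$RESOLV_DIR/empty.conf"    # nothing configured
printf '# nothing here yet\n' > "$RESOLV_EMPTY"

for f in "$RESOLV_GOOD" "$RESOLV_WHONIX" "$RESOLV_QUBES" "$RESOLV_EMPTY"; do
    printf '%s: ' "$(basename "$f")"
    resolvconf_ok "$f" || true
done
```

On a real system call {{Code|resolvconf_ok /etc/resolv.conf}} after the VPN is up; a non-zero exit means the resolvconf adjustments above have not taken effect yet.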
==== Qubes-specific ====
{{CodeSelect|code=
binds+=( '/etc/sudoers.d/tunnel_unpriv' )
binds+=( '/etc/openvpn' )
binds+=( '/lib/systemd/system/openvpn@openvpn.service' )
binds+=( '/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service' )
}}
TODO: This does not work yet because the files need to exist first.
{{CodeSelect|code=
/usr/lib/qubes/bind-dirs.sh umount
}}
{{CodeSelect|code=
/usr/lib/qubes/bind-dirs.sh
}}
}}
{{Code|check.torproject.org}} or an alternative server of your choice.
{{CodeSelect|code=
nslookup check.torproject.org
}}
'''3.''' Test DNS and output IP address.
{{CodeSelect|code=
systemcheck_skip_functions="" \
CHECK_TOR_RESULT_SOCKS_PORT=0 \
WHONIXCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1 \
whonixcheck --function check_tor_trans_port
}}
}}
=== Additional Information ===
The procedure is complete. If you have any issues, refer to the [[#Troubleshooting|Troubleshooting]] section below. Once the setup is functional, it is recommended to perform [[#Leak Tests|Leak Tests]].
= Troubleshooting =
{{VPN-Firewall/Troubleshooting}}
=== How to Submit a Support Request ===
{{VPN/Setup/Support Requests}}
= Leak Tests =
== Introduction ==
It is important to verify the network traffic configuration enforces {{Code|User → Tor → VPN → Internet}} and not only {{Code|User → Tor → Internet}}. Therefore, it is recommended to run the following related leak tests inside {{project_name_workstation_short}}. Test Tor Browser, a uwt wrapper deactivated application, as well as a regular application for leaks.
== Regular Application Test ==
Use {{Code|curl}} without pre-configured [[Stream Isolation|stream isolation]].
{{CodeSelect|code=
{{Curl_Plain}} --silent {{Curl_Secure}} https://check.torproject.org {{!}} grep IP
}}
In the absence of functional system DNS, an alternative is to just test TCP.
The IP {{Check.torproject.org_IP}} might change. To discover the current one, run the following command inside a VM with functional system DNS (ideally inside a {{project_name_workstation_short}}).
{{CodeSelect|code=
nslookup check.torproject.org
}}
{{CodeSelect|code=
{{Curl_Plain}} --silent {{Curl_Secure}} -H 'Host: check.torproject.org' -k https://{{Check.torproject.org IP}} {{!}} grep IP
}}
The output should show something similar to: {{Code2|Your IP address appears to be: xxx.xxx.xxx.xxx}}
check.torproject.org.
{{CodeSelect|code=
curl --silent {{Curl_Secure}} https://check.torproject.org {{!}} grep IP
}}
{{CodeSelect|code=
curl --silent {{Curl_Secure}} -H 'Host: check.torproject.org' -k https://{{Check.torproject.org IP}} {{!}} grep IP
}}
== Browser IP Test ==
This test can be skipped if Tor Browser will not be used through the VPN.
If everything was configured correctly, test the setup. Open https://check.torproject.org in Tor Browser. It will state "{{Code2|You are not using Tor.}}" and the VPN's IP address will be visible. In fact this means the VPN was tunneled through Tor first, because {{project_name_workstation_short}} cannot make any non-Tor connections by design (everything is tunneled over Tor).
== DNS Leak Test ==
{{DNS_Leak_Tests_Online}}
== Other Leak Tests ==
Advanced users can also run multiple additional, general leak tests that are unrelated to tunneling. However, these are more difficult to perform and are targeted at developers rather than general users. For further information, see: [[Dev/Leak_Tests|Leak Tests]].
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]