{{Header}}
{{Title|
title=Connecting to Tor before a VPN
}}
{{#seo:
|description=Instructions on how to connect to Tor before a VPN. (<code>User</code> &rarr; <code>Tor</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code>)
|image=Ball-443853640.jpg
}}
[[File:Ball-443853640.jpg|thumb]]
{{intro|
Instructions on how to connect to Tor before a VPN.

'''<code>User</code> &rarr; <code>Tor</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code>'''
}}
= Introduction =
Whonix users have the option to use a VPN but in most cases it's not needed and there are other alternatives. Reading the [[Tunnels/Introduction]] wiki page beforehand is advice to learn more if using a VPN with Whonix is useful or harmful.

By design, a VPN routes all your applications -- those without any proxy settings -- through the VPN. This may be undesirable as explained below; for example, it increases the threat of identity correlation. To circumvent this possibility, only use this {{project_name_workstation_long}} for particular applications that should be routed through the tunnel-link. Refer to the [[Multiple Whonix-Workstation|Multiple {{project_name_workstation_long}}]] wiki chapter for further instructions.

{{Tunnels_Introduction}}

= Security Precautions =

== Prevent Bypassing of the Tunnel-Link ==

{{Prevent_Bypassing_the_Tunnel-Link}}

{{Anchor|Fail_Closed_Mechanism}}

== Use a Fail Closed Mechanism ==

{{Fail_Closed_Mechanism}}

Instructions below include a fail closed mechanism.

== VPN Client Choice ==

* It is recommended to utilize OpenVPN.
* Using [https://bitmask.net/en Bitmask VPN] for this use case is not possible. <ref>
https://0xacab.org/leap/bitmask-vpn
</ref> In other words, you cannot use <code>user</code> &rarr; <code>Tor</code> &rarr; <code>bitmask</code> &rarr; <code>Internet</code>. <ref>
Previously Bitmask did not support Tor. Broken link: <nowiki>https://github.com/leapcode/bitmask_client/issues/1009</nowiki>
</ref>
* Other VPN clients are [[unsupported]].

= Set Up Tor before a VPN (User &rarr; Tor &rarr; VPN &rarr; Internet) =

== Introduction ==

Two configurations are available:

* [[Qubes|{{q_project_name_long}}]] users have the option of <u>either</u> using
** '''A)''' [[#Separate VPN-Gateway|Separate VPN-Gateway]], <u>or</u> alternatively could also use
** '''B)''' [[#Inside {{project_name_workstation_short}}|Inside {{project_name_workstation_short}}]] instructions.
* [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] users should prefer [[#Inside {{project_name_workstation_short}}|Inside {{project_name_workstation_short}}]] instructions.

== Separate VPN-Gateway ==

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = Platform specific notice.

* [[Qubes|{{q_project_name_short}}]]: Functional in principle but potentially broken due to Qubes bugs. See below.
* [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]: [[Unsupported]].
}}

This configuration has a separate VPN-Gateway between {{project_name_gateway_short}} and {{project_name_workstation_short}}: <code>{{project_name_workstation_short}}</code> &rarr; <code>VPN-Gateway</code> &rarr; <code>{{project_name_gateway_short}}</code>.

<code>User</code> &rarr; <code>Tor</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code>

There used to be a Qubes specific bug breaking this. <ref>
* https://github.com/QubesOS/qubes-issues/issues/7123#issuecomment-1245292312
* https://github.com/QubesOS/qubes-issues/issues/7261#issuecomment-1242979914
* https://github.com/QubesOS/qubes-core-agent-linux/blob/master/network/setup-ip
* in short: Contents of <code>/usr/lib/qubes/setup-ip</code> need to re replaced with [https://raw.githubusercontent.com/QubesOS/qubes-core-agent-linux/master/network/setup-ip <code>setup-ip</code>]
</ref> It has probably been fixed at least since Qubes R4.2. Please try and report if this worked for you so this notice can be removed.

{{Box|text=
'''1.''' <u>Prerequisite knowledge:</u> '''Qubes VPN Setup over Clearnet'''

"Forget" about {{project_name_short}} for a moment for this step 1. This is about Qubes only. This is [[unspecific|unspecific to {{project_name_short}}]].

The user needs to master setting up the VPN-Gateway as per [https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061 Qubes VPN Documentation] in context of a "normal" VPN using clearnet. Meaning, without involving, mentioning {{project_name_short}} in any way. Connection scheme: <code>User</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code>

It is recommended to follow the [https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts-5 ''Set up a ProxyVM as a VPN gateway using iptables and CLI scripts''] instructions because this prevents clearnet leaks if/when the VPN breaks down.

Two options. Choose one.

* '''A)''' If intending to use <code>Qubes-vpn-support</code>:
** Note regarding [https://github.com/tasket/Qubes-vpn-support Qubes-vpn-support]: See [https://github.com/tasket/Qubes-vpn-support/issues/72 Qubes-vpn-support broken in Qubes R4.2] status.
* '''B)''' If not using <code>Qubes-vpn-support</code>: No special notice.

<u>Note:</u>

* <u>UDP:</u> UDP-style VPN connections are incompatible with Tor because it requires the VPN to be configured to use TCP. <ref>
See [[Tor#UDP|UDP]].
</ref> This requires adding <code>proto tcp</code> to the VPN configuration file <code>/rw/config/vpn/openvpn-client.ovpn</code>. Nearly all VPN providers support this configuration.
* <u>Support:</u> Please do not contact {{project_name_short}} support for this step because mastering this skill is specific to Qubes only.

'''2.''' Clone a Template.

For example, clone <code>debian-{{Stable_project_version_based_on_Debian_version_short}}</code> and name the new template clone <code>debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn</code>. <ref>
At the time of writing Debian 11 <code>bullseye</code> was the stable release version.
</ref>

<code>Qube Manager</code> &rarr; <code>debian-{{Stable_project_version_based_on_Debian_version_short}}</code> &rarr; <code><u>C</u>lone qube</code> &rarr; <i><code>Enter name for Qube clone:</i> debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn</code> &rarr; <code>Press: OK</code>

'''3.''' Create a new ProxyVM based on the newly cloned template.

Name the VM VPN-Gateway and set the {{project_name_gateway_short}} ProxyVM (<code>{{project_name_gateway_vm}}</code>) as NetVM. Make sure to check [✔] the box for "provides network".

{{Box|text=
<code>Qube Manager</code> &rarr; <code><u>Q</u>ube</code> &rarr; <code>Create <u>n</u>ew qube</code>

* Name and label: <code>VPN-Gateway</code> (Set the preferred color)
* Type: <code>Qube based on a template (AppVM)</code>
* Template: <code>debian-{{Stable_project_version_based_on_Debian_version_short}}-vpn</code>
* Networking: <code>{{project_name_gateway_vm}}</code>
* Advanced:   [<code>✔</code>] Provides network
* Press: <code><u>O</u>K</code>
}}

'''4.''' ''Torified VPN Setup''

Setup the VPN-Gateway. This will be similar to step 1. This will result in connection scheme <code>User</code> &rarr; <code>Tor</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code> because in above step Networking: <code>{{project_name_gateway_vm}}</code> has been configured.

<u>Notes:</u>

* <u>VPN Provider Choice:</u> A VPN provider different from the VPN provider used in step 1 should be used. This is because the VPN provider from step 1 knows you real IP address. The VPN provider used for connection scheme <code>User</code> &rarr; <code>Tor</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code> should only know your Tor exit relay IP address.
* <u>Fail closed mechanism:</u> Without configuring a fail closed configuration, all traffic originating from the {{project_name_workstation_short}} App Qube (<code>{{project_name_workstation_vm}}</code>) would <u>only</u> be forced through Tor if/when the VPN connection breaks down (<code>User</code> &rarr; <code>Tor</code> &rarr; <code>Internet</code>).
* <u>UDP vs TCP</u>: Reminder. Only TCP can be used as mentioned in step 1.

'''5.''' Check the VPN-Gateway is fully functional.

Test connectivity from inside the VPN-Gateway as per [https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md Qubes VPN Documentation].

'''6'''. ''Recommended:'' Prevent bypassing of the tunnel link.

In {{project_name_workstation_short}} (<code>{{project_name_workstation_vm}}</code>), apply instructions from the [[#Prevent Bypassing of the Tunnel-Link|Prevent Bypassing of the Tunnel-Link]] section.

'''7.''' ''Optional:'' Leak tests.

It is recommended to run the related [[#Leak_Tests|Leak Tests]].

'''8.''' Done.

The VPN-Gateway configuration is complete.
}}

Notes:

* No DNS configuration is required when using a separate VPN Gateway and system DNS should work out of the box. <ref>
This is because a properly configured Qubes VPN-Gateway will be able to resolve DNS.
</ref>
* For troubleshooting, see footnote. <ref>
* Check the VPN-Gateway is fully functional. Test connectivity from inside the VPN-Gateway.
* When testing the VPN connection <u>do not</u> add any VMs that have been previously used for non-anonymous activities behind the VPN-Gateway. This will burn the VPN, making it unsuitable for use with {{project_name_short}}!
* Create a fresh, newly created VM if intending to use a non-{{project_name_short}} VM behind the VPN-Gateway for testing purposes.
</ref>
* {{project_name_short}} user forum discussion: [https://forums.whonix.org/t/setup-a-vpn-in-proxyvm-over-{{project_name_gateway_vm}} Set up a VPN in ProxyVM over {{project_name_gateway_vm}}] <ref>
* Qubes users mailing list discussion: https://groups.google.com/g/qubes-users/c/AXOwf1f9jd0/m/UkHwQmKVQQAJ
* Qubes development ticket: https://github.com/QubesOS/qubes-issues/issues/2060
</ref>
* The following warning will appear when using [[Tor Browser]] and is expected (see technical footnote): <ref>
This is because Tor Browser can no longer access Tor's ControlPort ([[Dev/onion-grater|onion-grater]]) on {{project_name_gateway_short}}.
</ref>

<i><pre>
Something Went Wrong!
Tor is not working in this browser.
</pre></i>

== Inside {{project_name_workstation_short}} ==

This configuration will connect to the VPN using your preferred software <u>inside</u> the ({{project_name_short}}-)Workstation.

{{VPN UDP Tor|/etc/openvpn/openvpn.conf}}

<code>User</code> &rarr; <code>Tor</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code>

=== {{project_name_short}} TUNNEL_FIREWALL vs Standalone VPN-Firewall ===

{{Whonix_TUNNEL_FIREWALL_vs_standalone_VPN-Firewall}}

=== Preparation ===
'''NOTE: might be broken, see https://forums.whonix.org/t/user-tor-vpn-internet-doesnt-work-in-whonix-16/13786'''

{{VPN/Setup/Preparation}}

=== Prerequisite Knowledge ===

Before proceeding, it is strongly recommended to read and understand the [[Debian_Packages|{{project_name_short}} Debian Packages]] chapter.

=== Firewall Settings ===

{{Firewall_Settings_Workstation}}

Add the following settings.

<pre>
WORKSTATION_FIREWALL=1
TUNNEL_FIREWALL_ENABLE=true
</pre>

Save.

=== Reload Firewall ===

{{Reload_Firewall_ws}}

=== sudoers Configuration ===

{{VPN/Setup/Tor_Before_VPN/sudoers_configuration}}

=== VPN Setup ===

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = <u>Update</u>: The Riseup "legacy" VPN appears to have been discontinued. The Riseup replacement service (Bitmask) has not been tested. If you do not have a Riseup invite code then tailor the instructions in this section to work with any other OpenVPN provider.
}}

==== Introduction ====

{{VPN/Setup/Introduction}}

==== Get VPN Certificate ====

{{VPN/Setup/Get VPN Certificate}}

==== VPN Credentials ====

{{VPN/Setup/VPN Credentials}}

==== VPN IP Address ====

{{VPN/Setup/VPN_IP_Address}}

==== VPN Configuration File ====

{{Box|text=

'''1.''' {{Open with root rights|filename=
/etc/openvpn/openvpn.conf
}}

'''2.''' Add.

<u>Note</u>: It is necessary to adjust the {{Code|remote 198.252.153.226 80}} variable in the configuration below unless you are using {{Code|nyc.vpn.riseup.net}} as the VPN service. Replace the IP ({{Code|198.252.153.226}}) and port ({{Code|80}}) to match your VPN service.

<pre>
##############################
## VPN provider specific settings ##
##############################
auth-user-pass auth.txt

## using nyc.vpn.riseup.net 80
remote 198.252.153.226 80

ca RiseupCA.pem

remote-cert-tls server

####################################
## TUNNEL_FIREWALL specific settings ##
####################################
client
dev tun0
persist-tun
persist-key

script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"

user tunnel
iproute /usr/bin/ip_unpriv

############################################
## Connecting to Tor before a VPN specific settings #
############################################

proto tcp
</pre>

<ref>
* The [https://github.com/{{project_name_short}}/usability-misc/blob/master/usr/bin/ip_unpriv /usr/bin/ip_unpriv] wrapper script is provided by the [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] package.
* The [https://github.com/{{project_name_short}}/usability-misc/blob/master/etc/sudoers.d/tunnel_unpriv /etc/sudoers.d/tunnel_unpriv] wrapper script is provided by the [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] package.
* The [https://github.com/{{project_name_short}}/usability-misc/blob/master/usr/lib/systemd/system/openvpn%40openvpn.service.d/50_unpriv.conf /lib/systemd/system/openvpn@openvpn.service.d/50_unpriv.conf] wrapper script is provided by the [https://github.com/{{project_name_short}}/usability-misc usabilty-misc] package.
</ref> <ref>It is necessary to run OpenVPN as user 'tunnel' because that is the only user besides user <code>clearnet</code> that is allowed to establish external connections when using {{project_name_short}} Firewall setting VPN_FIREWALL=1.</ref>

'''3.''' Save.
}}

==== Install resolvconf ====

{{VPN/Setup/install_resolvconf}}

==== DNS Configuration ====

{{Box|text=
'''1.''' {{Open with root rights|filename=
/usr/lib/tmpfiles.d/50_openvpn_unpriv.conf
}}

'''2.''' Add. <ref name=Whonix14 />

<pre>
d       /run/resolvconf 0775    root      tunnel    -       -
d       /run/resolvconf/interface         0775      root    tunnel    -    -
</pre>

Save the file.

'''3.''' Adjust permissions. <ref name=Whonix14>This is removeable since {{project_name_short}} 14 because it was merged in the <code>usablity-misc</code> package.</ref>

{{CodeSelect|code=
sudo chown --recursive root:tunnel /run/resolvconf
}}

{{CodeSelect|code=
sudo chmod --recursive 775 /run/resolvconf
}}

'''4.''' {{VPN/Setup/DNS Configuration}}
}}

=== Additional Setup ===

==== Configuration Folder Permissions ====

{{VPN/Setup/Configuration Folder Permissions}}

==== systemd Setup ====

{{Template:VPN/Setup/Systemd}}

==== resolvconf Adjustments ====

{{VPN/Setup/resolvconf adjustments}}

==== Verify DNS Settings ====

{{Box|text=
'''1.''' Open the <code>/etc/resolv.conf</code> file.

{{CodeSelect|code=
sudo cat /etc/resolv.conf
}}

'''2.''' Check the current settings.

It should <u>not</u> include the following setting; this is the standard {{project_name_short}} DNS server.

<pre>
nameserver 10.152.152.10
</pre>

It should also <u>not</u> include the following settings; these are the standard Qubes DNS servers.

<pre>
nameserver 10.137.3.1
nameserver 10.137.3.254
</pre>

'''3.''' Confirm it <u>only</u> includes the DNS server of your DNS provider.

For example.

<pre>
nameserver 10.5.0.1
</pre>
}}

==== systemcheck ====

<code>systemcheck</code> configuration. <code>systemcheck</code> cannot work in this configuration out of the box. Perform the following steps to unbreak it.

{{Box|text=
'''1.''' {{Open with root rights|filename=
/etc/systemcheck.d/50_user.conf
}}

'''2.''' Add the following text.

{{CodeSelect|code=
systemcheck_skip_functions+=" check_tor_bootstrap "
systemcheck_skip_functions+=" check_tor_socks_port_reachability "
systemcheck_skip_functions+=" check_tor_socks_port "
systemcheck_skip_functions+=" check_tor_trans_port "
systemcheck_skip_functions+=" check_stream_isolation "
systemcheck_skip_functions+=" download_whonix_news "

## {{ Alternative to disabling check_tor_trans_port.

## Make the Tor TransPort test work by simulating the Tor SocksPort test succeeded.
#CHECK_TOR_RESULT_SOCKS_PORT=0

## Do not warn if Tor was not detected. (Will be the VPN.)
#SYSTEMCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1

## }}

## {{ Alternative to download_whonix_news.

## Download news through system default.
#CURL_PROXY_WHONIX_NEWS="--fail"

## }}
}}

'''3.''' Save the file.

'''4.''' Done.

<code>systemcheck</code> configuration has been completed.
}}

==== Qubes-specific ====

<div class="toccolours mw-collapsible mw-collapsed">
{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = This is a placeholder; ignore this Qubes-specific section for now. TODO.
}}
<div class="mw-collapsible-content">
{{Box|text=
'''1.''' When using an App Qube, persistent changes require the Qubes bind dirs mechanism.

{{CodeSelect|code=
sudo mkdir /rw/config/qubes-bind-dirs.d
}}

'''2.''' {{Open with root rights|filename=
/rw/config/qubes-bind-dirs.d/50_user.conf
}}

'''3.''' Add the following content.

<pre>
binds+=( '/etc/sudoers.d/tunnel_unpriv' )
binds+=( '/etc/openvpn' )
binds+=( '/lib/systemd/system/openvpn@openvpn.service' )
binds+=( '/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service' )
</pre>

TODO: This does not work yet because the files need to exist first.

<pre>
/usr/lib/qubes/bind-dirs.sh umount
</pre>

<pre>
/usr/lib/qubes/bind-dirs.sh
</pre>
}}
</div>
</div>

==== Test ====

{{Box|text=
'''1.''' Test the ping functionality.

Utilize a suitable IP address such as Google's DNS server or an alternative server of your choice.

{{CodeSelect|code=
ping 8.8.8.8
}}

'''2.''' Test DNS to check it correctly resolves a suitable domain.

Utilize <code>check.torproject.org</code> or an alternative server of your choice.

{{CodeSelect|code=
nslookup check.torproject.org
}}

'''3.''' Test DNS and output IP address.

<pre>
systemcheck_skip_functions="" \
CHECK_TOR_RESULT_SOCKS_PORT=0 \
WHONIXCHECK_NO_EXIT_ON_TRANS_PORT_DETECTION_FAILURE=1 \
whonixcheck --function check_tor_trans_port
</pre>
}}

=== Additional Information ===

The procedure is complete. If you have any issues, refer to the [[#Troubleshooting|Troubleshooting]] section below. Once the setup is functional, it is recommended to perform [[#Leak Tests|Leak Tests]].

= Troubleshooting =

{{VPN-Firewall/Troubleshooting}}

=== How to Submit a Support Request ===

{{VPN/Setup/Support Requests}}

= Leak Tests =

== Introduction ==

It is important to verify the network traffic configuration enforces <code>User</code> &rarr; <code>Tor</code> &rarr; <code>VPN</code> &rarr; <code>Internet</code> and <u>not</u> only <code>User</code> &rarr; <code>Tor</code> &rarr; <code>Internet</code>. Therefore, it is recommended to run the following related leak tests inside {{project_name_workstation_short}}. Test Tor Browser, a uwt wrapper deactivated application, as well as a regular application for leaks.

== Regular Application Test ==

Use <code>curl</code> without pre-configured [[Stream Isolation|stream isolation]].

<!-- EDITORS NOTE: '{{!}}' is a magic word for '|'.-->
{{CodeSelect|code=
{{Curl_Plain}} --silent {{Curl_Secure}} https://check.torproject.org {{!}} grep IP
}}

<ref name=nodns>
In the absence of functional system DNS, an alternative is to just test TCP.

The IP <code>{{Check.torproject.org_IP}}</code> might change. To discover the current one, run the following command inside a VM with functional system DNS. (Ideally inside a {{project_name_workstation_short}}.)

{{CodeSelect|code=
nslookup check.torproject.org
}}
</ref> <ref>

<!-- EDITORS NOTE: '{{!}}' is a magic word for '|'.-->
{{CodeSelect|code=
{{Curl_Plain}} --silent {{Curl_Secure}} -H 'Host: check.torproject.org' -k https://{{Check.torproject.org IP}} {{!}} grep IP
}}
</ref>

The output should show something similar to: {{Code2|Your IP address appears to be: xxx.xxx.xxx.xxx}}<br />
It should also list the VPN's IP address.

== uwt-wrapped Application Test ==

Connect to <code>check.torproject.org</code>.

<!-- EDITORS NOTE: '{{!}}' is a magic word for '|'.-->
{{CodeSelect|code=
curl --silent {{Curl_Secure}} https://check.torproject.org {{!}} grep IP
}}

<ref name=nodns /> <ref>
<!-- EDITORS NOTE: '{{!}}' is a magic word for '|'.-->
{{CodeSelect|code=
curl --silent {{Curl_Secure}} -H 'Host: check.torproject.org' -k https://{{Check.torproject.org IP}} {{!}} grep IP
}}
</ref>

== Browser IP Test ==

This test can be skipped if Tor Browser will not be used through the VPN.

If everything was configured correctly, test the setup. Open <code>https://check.torproject.org</code> in Tor Browser. It will state "{{Code2|You are not using Tor.}}" and the VPN's IP address will be visible. In fact this means the VPN was tunneled through Tor first because {{project_name_workstation_short}} can not make any non-Tor connections by design (everything is tunneled over Tor).

== DNS Leak Test ==

{{DNS_Leak_Tests_Online}}

== Other Leak Tests ==

Advanced users can also run a multiple additional, general leak tests that are unrelated to tunneling. However, these are more difficult to perform and are targeted at developers rather than general users. For further information, see: [[Dev/Leak_Tests|Leak Tests]].

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]