Can't set up VPN from Tor

Hello.
I need to set up a VPN connection after Tor, but it doesn’t work and I can’t understand why.
So, my current setup is:
[target-workstation] ← [anon-vpn] ← [sys-whonix] ← [sys-firewall] ← [sys-vpn] ← [sys-net]

[sys-vpn] is always used for main non-anonymous work, so no problems with this VM.

Probably there are no problems with the VPN provider in [anon-vpn]. I tried several different providers and both UDP and TCP config files; it doesn’t work.

Terminal output in [anon-vpn]:
sudo openvpn --config /rw/config/qtunnel/qtunnel.conf
2022-07-23 12:04:32 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-07-23 12:04:32 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-07-23 12:04:32 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
🔐 Enter Auth Username: [hidden]
🔐 Enter Auth Password: ******************
2022-07-23 12:05:56 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2022-07-23 12:05:56 WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
2022-07-23 12:05:56 NOTE: --fast-io is disabled since we are not using UDP
2022-07-23 12:05:56 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-07-23 12:05:56 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-07-23 12:05:56 RESOLVE: Cannot resolve host address: [hidden]vpn.com:443 (Temporary failure in name resolution)
2022-07-23 12:05:56 RESOLVE: Cannot resolve host address: [hidden]vpn.com:443 (Temporary failure in name resolution)
2022-07-23 12:05:56 Could not determine IPv4/IPv6 protocol
2022-07-23 12:05:56 SIGUSR1[soft,init_instance] received, process restarting
2022-07-23 12:05:56 Restart pause, 5 second(s)

I haven’t added any blocking rules in the sys-whonix firewall.
Ping doesn’t work in [anon-vpn], and ping doesn’t work in [sys-vpn], but the VPN connection in [sys-vpn] always works.

What am I doing wrong in [anon-vpn]?

Before anything else I’d try to switch sys-firewall and sys-vpn at any cost. Also, I don’t know what “VPN from Tor” means.

Hello Yorz

I can’t tell which of the following you are aiming to do…

1: use a non-tor browser to connect through a vpn that connects through tor via whonix that connects through a second vpn to the outside world

OR

2: use a tor browser connecting via whonix to a vpn that connects to the outside world

If it is option 2, the setup I use is…

[whonix-ws-16-dvm] ← [sys-whonix] ← [sys-firewall-vpn] ← [sys-net]

I also have a [fedora-34-dvm] using the same [sys-firewall-vpn] as its network so I can connect through vpn only without tor.

[whonix-ws-16-dvm], [sys-whonix] and [sys-net] are as supplied with Qubes OS and un-modified.
[sys-firewall-vpn] is a clone of the original [sys-firewall] which has then had the vpn configuration and firewall rules added to it.

I also found the following topic useful…
VPN and Whonix WS Configuration

1 Like

See also: Combining Tunnels with Tor.

2 Likes

In my case I just use another VPN provider and set up openvpn in [target-workstation], and it just works, but it doesn’t work with other providers.
Your posts give me a deeper understanding of how networking works. Thank you for your answers, guys.