Me (anon-whonix AppVM) -> Tor -> VPN, setup with Mullvad VPN


scurge1tl

Mar 27, 2020, 5:03:28 AM
to qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello all,

I would like to ask about proper setting of AppVM flow if using
Mullvad VPN. I would like to connect to the clearnet following way: Me
-> Tor -> VPN -> clearnet.

When setting up mullvad in their web page, I set the parameters for
download here https://mullvad.net/en/download/openvpn-config/ in a
following way:
- All countries (so that I can change my exit country as needed)
- Port -> TCP 443 (Tor doesn't use UDP, right?)
- tick Use IP addresses

To set the Mullvad VPN AppVM, I followed this guide from micahflee
https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
mullvad is vpn-mullvad. All works fine and connects to the network.

How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
vpn-mullvad -> sys-firewall, or I should use different setup?

Are there any other steps to follow to prevent leaks?

This setup should serve me to connect to the services that are not Tor
unfriendly from a country of my choice, and remain anonymous.

Thank you all for your support!

p.s. micahflee doesn't mention any need to install the OpenVPN in his
guide. Should I install it or is it intended to work without it?


Chris Laprise

Mar 27, 2020, 5:19:38 PM
to scurge1tl, qubes-users
On 3/27/20 5:02 AM, scurge1tl wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hello all,
>
> I would like to ask about proper setting of AppVM flow if using
> Mullvad VPN. I would like to connect to the clearnet following way: Me
> -> Tor -> VPN -> clearnet.
>
> When setting up mullvad in their web page, I set the parameters for
> download here https://mullvad.net/en/download/openvpn-config/ in a
> following way:
> - All countries (so that I can change my exit country as needed)
> - Port -> TCP 443 (Tor doesn't use UDP, right?)
> - tick Use IP addresses

Using TCP 443 for the connection helps only if you are running the VPN
on top of Tor. With Tor on top of VPN, you're probably better off with UDP.

>
> To set the Mullvad VPN AppVM, I followed this guide from micahflee
> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
> mullvad is vpn-mullvad. All works fine and connects to the network.
>
> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
> vpn-mullvad -> sys-firewall, or I should use different setup?

Whonix has a guide that examines the issues of combining Tor and a VPN.
However, I think its better as a 'what-if/why' guide than a Howto...

https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor

>
> Are there any other steps to follow to prevent leaks?

Yes.

The Qubes-vpn-support project is much easier to setup and should work
more smoothly, in addition to providing better protection against leaks:

https://github.com/tasket/Qubes-vpn-support

There is also a VPN setup guide on the Qubes doc page (this is the one
the Whonix page links to). FWIW, I wrote the scripts for both but the
idea for Qubes-vpn-support was to automate the setup and improve the
connection handling of Openvpn so re-connection doesn't take 5 minutes.
It also checks the firewall to make sure leak prevention is in place
before initiating connections.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

scurge1tl

Mar 29, 2020, 5:17:11 AM
to qubes...@googlegroups.com


Chris Laprise:
> On 3/27/20 5:02 AM, scurge1tl wrote:

>>
>> Hello all,
>>
>> I would like to ask about proper setting of AppVM flow if using
>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>> -> Tor -> VPN -> clearnet.
>>
>> When setting up mullvad in their web page, I set the parameters for
>> download here https://mullvad.net/en/download/openvpn-config/ in a
>> following way:
>> - All countries (so that I can change my exit country as needed)
>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>> - tick Use IP addresses
>
> Using TCP 443 for the connection helps only if you are running the VPN
> on top of Tor. With Tor on top of VPN, you're probably better off with UDP.

Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
with UDP mullvad settings? Just to clear the "on top of".

>
>>
>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>
>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>> vpn-mullvad -> sys-firewall, or I should use different setup?
>
> Whonix has a guide that examines the issues of combining Tor and a VPN.
> However, I think its better as a 'what-if/why' guide than a Howto...
>
> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor

Thank you I will check it.

>
>>
>> Are there any other steps to follow to prevent leaks?
>
> Yes.
>
> The Qubes-vpn-support project is much easier to setup and should work
> more smoothly, in addition to providing better protection against leaks:
>
> https://github.com/tasket/Qubes-vpn-support
>
> There is also a VPN setup guide on the Qubes doc page (this is the one
> the Whonix page links to). FWIW, I wrote the scripts for both but the
> idea for Qubes-vpn-support was to automate the setup and improve the
> connection handling of Openvpn so re-connection doesn't take 5 minutes.
> It also checks the firewall to make sure leak prevention is in place
> before initiating connections.

I will try to set the additional AppVM for this and try this guide. What
would be the linking of the AppVMs, if I would like to go Me -> Tor ->
VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
-> sys-firewall ?

Also I would like to use different exit countries of choice, so I
downloaded all countries from mullvad. Is there any simple way to switch
countries with this VPN settings?
Sorry for noob questions, I am new to the VPN stuff, just used Tor only
till now, but I need to use tor-unfriendly services from time to time
and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
work in qubes-whonix and I therefore can't select exit country easily if
I need to. So I need to have the VPN country as a strict exit.

>

Thank you and I will let you know if it works!

Chris Laprise

Mar 30, 2020, 3:18:15 PM
to scurge1tl, qubes...@googlegroups.com
On 3/29/20 5:16 AM, scurge1tl wrote:
>
>
> Chris Laprise:
>> On 3/27/20 5:02 AM, scurge1tl wrote:
>
>>>
>>> Hello all,
>>>
>>> I would like to ask about proper setting of AppVM flow if using
>>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>>> -> Tor -> VPN -> clearnet.
>>>
>>> When setting up mullvad in their web page, I set the parameters for
>>> download here https://mullvad.net/en/download/openvpn-config/ in a
>>> following way:
>>> - All countries (so that I can change my exit country as needed)
>>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>>> - tick Use IP addresses
>>
>> Using TCP 443 for the connection helps only if you are running the VPN
>> on top of Tor. With Tor on top of VPN, you're probably better off with UDP.
>
> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
> with UDP mullvad settings? Just to clear the "on top of".

To make it less ambiguous:

AppVM -> sys-whonix -> sys-vpn -> sys-net

The above connection is Tor on top of (or inside of) VPN, so UDP can be
used for the VPN. If sys-whonix and sys-vpn places were reversed, then
VPN should switch to TCP mode.

An easy way to remember this is that the sys-* VM attached to the AppVM
is the one the service sees on the other end.

There is no GUI way to do it when using the Qubes scripts. However, if
you use the Network Manager method on the Qubes vpn howto, then you can
import multiple configs (and cross your fingers that they can make
connections :) ).

For a non-GUI solution, you could create a small script that lets you
choose which ovpn config to use, and 'cp' or 'ln' that choice to the
config filename that the scripts use (then restart the vpn). Some people
have used simple random selection without a prompt, like 'ln -s $( ls
*ovpn | shuf | head -n1 ) vpn-client.conf'.

> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
> till now, but I need to use tor-unfriendly services from time to time
> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
> work in qubes-whonix and I therefore can't select exit country easily if
> I need to. So I need to have the VPN country as a strict exit.

To use Tor-unfriendly services, the service has to see the VPN IP not
Tor exit node IP. Therefore...

AppVM -> sys-vpn -> sys-whonix -> sys-net

If you add sys-firewall (or similar proxyVM, as you probably don't want
to change sys-firewall netvm setting) in the mix, it just depends on
which VM you wish to add 'Qubes firewall' rules to.... it always goes
'to the right of' whichever VM you added rules to. In my experience,
however, such rules are not required for securing a VPN link; the
internal (scripted) rules used by the VPN doc or Qubes-vpn-support
handle VPN security rather well. IOW, it's better to forget placing
sys-firewall in the loop, at least until you're more used to Qubes
networking.

>
> Thank you and I will let you know if it works!
>
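
Chris's rule above (the sys-* VM attached to the AppVM is the one the
service sees, and a VPN VM whose own netvm is sys-whonix is running over
Tor, so it must use TCP) can be checked from dom0 instead of reasoned
about every time. The script below is an added example for this thread,
not Chris's code and not part of Qubes-vpn-support: it walks the netvm
chain with qvm-prefs, says which transport the VPN VM may use in its
position, and compares that with the 'proto' line of an OpenVPN config.
It assumes Qubes 4.x, where 'qvm-prefs <vm> netvm' prints the netvm name
(empty or 'None' when there is none), the VM names used in this thread
(anon-whonix, sys-whonix, sys-vpn, sys-net), and OpenVPN's default of udp
when 'proto' is absent.

```bash
#!/bin/bash
# Added example for the qubes-users thread; not from Chris Laprise, not
# part of Qubes-vpn-support. Run in dom0 on Qubes 4.x.
# Assumed: 'qvm-prefs <vm> netvm' prints the netvm name, or an empty
# string / 'None' when the VM has none. VM names are the thread's own.

# Print "vm -> netvm -> ... -> outermost" for a VM.
netvm_chain() {
    local vm="$1" chain="$1" next
    while next="$(qvm-prefs "$vm" netvm 2>/dev/null)" \
          && [ -n "$next" ] && [ "$next" != "None" ]; do
        chain="$chain -> $next"
        vm="$next"
    done
    printf '%s\n' "$chain"
}

# Transport the VPN VM's OpenVPN config must use, decided by what sits
# directly under it: the Whonix gateway means the VPN runs inside Tor,
# and Tor carries TCP only.
vpn_transport_for() {
    local under
    under="$(qvm-prefs "$1" netvm 2>/dev/null)" || under=""
    case "$under" in
        sys-whonix|*whonix-gw*) echo tcp ;;   # VPN over Tor: TCP only
        *)                      echo udp ;;   # Tor over VPN, or no Tor: UDP is fine
    esac
}

# Compare the 'proto' line of an OpenVPN config with the allowed transport.
# Returns 1 when the config is UDP (or omits proto, which OpenVPN treats
# as UDP) but the VM's position allows only TCP.
proto_ok() {
    local conf="$1" allowed="$2" proto
    proto="$(awk '$1 == "proto" { print $2; exit }' "$conf")"
    case "$proto" in
        tcp*) proto=tcp ;;   # tcp-client, tcp4, tcp6 all ride TCP
        udp*) proto=udp ;;
        "")   proto=udp ;;   # OpenVPN default
    esac
    [ "$allowed" = udp ] || [ "$proto" = tcp ]
}

# Usage from dom0:  ./vpn-chain.sh anon-whonix sys-vpn [/path/to/vpn-client.conf]
if [ $# -ge 2 ] && command -v qvm-prefs >/dev/null 2>&1; then
    echo "chain: $(netvm_chain "$1")"
    allowed="$(vpn_transport_for "$2")"
    echo "$2 may use: $allowed"
    if [ -n "${3:-}" ]; then
        if proto_ok "$3" "$allowed"; then
            echo "config proto is compatible"
        else
            echo "config proto conflicts with the VM's position: switch it to $allowed"
        fi
    fi
fi
```

The config file argument has to be readable from dom0, so copy it there
(qvm-run --pass-io) or run only the first two checks and read the proto
line in the VPN VM yourself.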


scurge1tl

Mar 31, 2020, 5:44:55 AM
to qubes...@googlegroups.com


Chris Laprise:
Thank you for your help. I have written an email to your address from
the PGP key in your signature, regarding hashes and pgp sig for the
files on github, not to spam it here in the forum.


scurge1tl

Apr 1, 2020, 9:06:25 AM
to qubes...@googlegroups.com


Chris Laprise:
I sent an email to your protonmail, as stated in your signature PGP
fingerprint BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 but I am
not sure if it arrived. So I ask here.

Is there any signed hash for the file from github and your PGP key sig
so that I can check the authenticity and integrity of the file?

Also, is the master the zip file to be downloaded?

Thank you!

taran1s

Apr 8, 2020, 6:25:54 AM
to qubes...@googlegroups.com


scurge1tl:
I am trying to set up the VPN in my latest Qubes with your guide on
https://github.com/tasket/Qubes-vpn-support. I use version
1.4.3 and followed the guide.

My setting from mullvad is UDP (default) for Linux. No IPs.

When asked, I entered the correct login. But the link doesn't go up;
no popup notification LINK IS UP when restarting the proxy VM.

I also added vpn-handler-openvpn to the proxy VM services as required.

Executing systemctl status returns this:

[user@ovpn ~]$ systemctl status qubes-vpn-handler
● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service;
enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
└─00_example.conf
Active: activating (auto-restart) (Result: exit-code) since Tue
2020-04-07 15:30:15 CEST; 4s ago
Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
--check-firewall (code=exited, status=0/SUCCESS)
Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup
--pre-start (code=exited, status=0/SUCCESS)
Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec
(code=exited, status=1/FAILURE)
Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup
--post-start (code=exited, status=0/SUCCESS)
Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup
--post-stop (code=exited, status=0/SUCCESS)
Main PID: 3110 (code=exited, status=1/FAILURE)

Any idea how to set this up properly?

Chris Laprise

Apr 8, 2020, 9:44:17 PM
to taran1s, qubes...@googlegroups.com
The one exception I can think of for setting up with a Mullvad account
is that they use a single-character "m" password for everyone. So if you
typed something into the password prompt other than "m" or left it
blank, then it won't connect.

To see a more detailed log you should use 'journalctl -u qubes-vpn-handler'.

Catacombs

Apr 8, 2020, 10:00:15 PM
to qubes-users
I have never used Mullvad or a VPN under Qubes. However, I seem to recall having problems with udp; I think you want tls and tcp. If you DuckDuckGo the differences, you might see udp is not so great.

Also, usually to get a VPN to work in Linux you must turn off IPv6. That is the one that goes to printers. IPv4 is for most all the internet.


Consider doing this to see if the whole concept of VPN is working. I think it is CyberGhost which offers a few free GBs every month. But I think that is the one I once used under another linux distro. And it was easy to set up and worked. Then you might see what settings need to be what.

Best wishes

Catacombs

Apr 8, 2020, 10:12:54 PM
to qubes-users
Sorry memory better now. That was three years ago. Windscribe was the VPN that was easy to install, in a Debian based distro. Are you installing in the Template or a stand alone VM?

I obviously do not have the experience - knowledge you would want. But my experience with a VPN under Linux was different than where you were trying.

taran1s

Apr 9, 2020, 3:35:24 AM
to qubes...@googlegroups.com


Chris Laprise:
Yes Chris, mullvad uses the "m" for password and I put this in when
asked. I checked this in the pass file from mullvad.

I did the following. I downloaded the default UDP settings for "All
countries" from mullvad as advised, without ticking the IPs. Then I took
one of the countries from the downloaded list and copied this particular
country to the vpn-client.conf with sudo cp whatever-country.ovpn
vpn-client.conf. But it doesn't connect.

Is this setup ok for me-tor-vpn situation?

I executed the command in the proxyVM (fedora-30 based) with following
results:

[user@ovpn ~]$ journalctl -u qubes-vpn-handler
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all
messages.
Pass -q to turn off this notice.
-- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09
09:21:21 CE>
-- No entries --
lines 1-2/2 (END)

I tried also the micahflee guide and it connects so the settings should
be ok.

Chris Laprise

Apr 9, 2020, 1:14:10 PM
to taran1s, qubes...@googlegroups.com
Did you do the link testing suggested in Step 2?

>
> Is this setup ok for me-tor-vpn situation?

These network representations can easily get reversed in people's heads.
Best thing to do is look at your 'Networking' setting for your VPN VM.
If it's set to 'sys-whonix' then UDP won't work.

>
> I executed the command in the proxyVM (fedora-30 based) with following
> results:
>
> [user@ovpn ~]$ journalctl -u qubes-vpn-handler
> Hint: You are currently not seeing messages from other users and the system.
> Users in groups 'adm', 'systemd-journal', 'wheel' can see all
> messages.
> Pass -q to turn off this notice.
> -- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09
> 09:21:21 CE>
> -- No entries --
> lines 1-2/2 (END)
>
> I tried also the micahflee guide and it connects so the settings should
> be ok.
>

Sorry, you need to put 'sudo' in front of the 'journalctl' command.

taran1s

Apr 15, 2020, 6:36:29 AM
to qubes...@googlegroups.com


Chris Laprise:
In point 3 of the https://github.com/tasket/Qubes-vpn-support/ guide
there is the cd Qubes-vpn-support command as the first one. This assumes
that the file is unzipped already, right? So I unzip it in the
/home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
execute sudo bash ./install. Then proceed to the restart. Is this how it
was meant?

This is the output from the sudo journalctl -u qubes-vpn-handler in the
openvpn VM.

[user@ovpn ~]$ sudo journalctl -u qubes-vpn-handler
-- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Wed 2020-04-15
12:22:55 CE>
Apr 15 12:22:12 ovpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 15 12:22:12 ovpn qubes-vpn-setup[789]: STARTED network forwarding!
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: EXEC /usr/sbin/openvpn --cd
/rw/conf>
Apr 15 12:22:12 ovpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Wed Apr 15 12:22:12 2020
Note: optio>
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: --ca fails
with 'mull>
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: Please correct
these >
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Use --help for more information.
Apr 15 12:22:12 ovpn systemd[1]: qubes-vpn-handler.service: Main process
exited>
Apr 15 12:22:12 ovpn qubes-vpn-setup[801]: STOPPED network forwarding!
Apr 15 12:22:12 ovpn systemd[1]: qubes-vpn-handler.service: Failed with
result >
Apr 15 12:22:23 ovpn systemd[1]: qubes-vpn-handler.service: Scheduled
restart j>
Apr 15 12:22:23 ovpn systemd[1]: Stopped VPN Client for Qubes proxyVM.
Apr 15 12:22:23 ovpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 15 12:22:23 ovpn qubes-vpn-setup[996]: EXEC /usr/sbin/openvpn --cd
/rw/conf>
Apr 15 12:22:23 ovpn qubes-vpn-setup[997]: STARTED network forwarding!
Apr 15 12:22:23 ovpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 15 12:22:23 ovpn qubes-vpn-setup[996]: Wed Apr 15 12:22:23 2020
Note: optio>
Apr 15 12:22:23 ovpn qubes-vpn-setup[996]: Options error: --ca fails
with 'mull>
Apr 15 12:22:23 ovpn qubes-vpn-setup[996]: Options error: Please correct
these >
Apr 15 12:22:23 ovpn qubes-vpn-setup[996]: Use --help for more information.
Apr 15 12:22:23 ovpn systemd[1]: qubes-vpn-handler.service: Main process
exited>
lines 1-23



Chris Laprise

Apr 17, 2020, 6:41:22 AM
to taran1s, qubes...@googlegroups.com
On 4/15/20 6:35 AM, taran1s wrote:
> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
> there is the cd Qubes-vpn-support command as the first one. This assumes
> that the file is unzipped already, right? So I unzip it in the
> /home/user folder, than cd to the unzipped Qubes-vpn-support-1.4.3 and
> execute sudo bash ./install. Than proceed to the restart. Is this how it
> was meant?

Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
installing it in a template means you have to do step 4 also.

>
> This is the output from the sudo journalctl -u qubes-vpn-handler in teh
> openvpn VM.
>
> [user@ovpn ~]$ sudo journalctl -u qubes-vpn-handler
> -- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Wed 2020-04-15
> 12:22:55 CE>
> Apr 15 12:22:12 ovpn systemd[1]: Starting VPN Client for Qubes proxyVM...
> Apr 15 12:22:12 ovpn qubes-vpn-setup[789]: STARTED network forwarding!
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: EXEC /usr/sbin/openvpn --cd
> /rw/conf>
> Apr 15 12:22:12 ovpn systemd[1]: Started VPN Client for Qubes proxyVM.
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Wed Apr 15 12:22:12 2020
> Note: optio>
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: --ca fails
> with 'mull>
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: Please correct
> these >

Hmmm. It's not showing the full "Options error" lines. Try redirecting
the output to a text file instead:

sudo journalctl -u qubes-vpn-handler >log.txt

taran1s

Apr 17, 2020, 7:13:02 AM
to qubes...@googlegroups.com


Chris Laprise:
> On 4/15/20 6:35 AM, taran1s wrote:
>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
>> there is the cd Qubes-vpn-support command as the first one. This assumes
>> that the file is unzipped already, right? So I unzip it in the
>> /home/user folder, than cd to the unzipped Qubes-vpn-support-1.4.3 and
>> execute sudo bash ./install. Than proceed to the restart. Is this how it
>> was meant?
>
> Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
> installing it in a template means you have to do step 4 also.

Yes, I install it in the ProxyVM. Is my procedure right? The

>
> Hmmm. Its not showing the full "Options error" lines. Try redirecting
> the output to a text file instead:
>
> sudo journalctl -u qubes-vpn-handler >log.txt
>

See the log attached please.

Chris Laprise

Apr 17, 2020, 12:20:28 PM
to taran1s, qubes...@googlegroups.com
It doesn't look like the same error as before. This one says the config
has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf'
to see if it has a line like "dev tun"?

Chris Laprise

Apr 20, 2020, 8:55:51 AM
to taran1s, qubes-users
On 4/20/20 8:12 AM, taran1s wrote:
>
>
> Chris Laprise:
>> On 4/17/20 7:12 AM, taran1s wrote:
>>>
>>>
>>> Chris Laprise:
>>>> On 4/15/20 6:35 AM, taran1s wrote:
>>>>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
>>>>> there is the cd Qubes-vpn-support command as the first one. This
>>>>> assumes
>>>>> that the file is unzipped already, right? So I unzip it in the
>>>>> /home/user folder, than cd to the unzipped Qubes-vpn-support-1.4.3 and
>>>>> execute sudo bash ./install. Than proceed to the restart. Is this
>>>>> how it
>>>>> was meant?
>>>>
>>>> Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
>>>> installing it in a template means you have to do step 4 also.
>>>
>>> Yes, I install it in the ProxyVM. Is my procedure right? The
>>>
>>>>
>>>> Hmmm. Its not showing the full "Options error" lines. Try redirecting
>>>> the output to a text file instead:
>>>>
>>>> sudo journalctl -u qubes-vpn-handler >log.txt
>>>>
>>>
>>> See the log attached please.
>>>
>>
>> It doesn't look like the same error as before. This one says the config
>> has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf'
>> to see if it has a line like "dev tun"?
>>
>
> If I go to the /rw/config/vpn/ there is no vpn-client.conf file but
> vpn-client.conf-example only. This is content of the
> vpn-client.conf-example:

OK, it looks like you skipped the part of Step 2 where you copy or link
your config file so that "vpn-client.conf" exists. For example:

sudo cp US_East.ovpn vpn-client.conf

taran1s

Apr 20, 2020, 9:32:39 AM
to Chris Laprise, qubes-users


Chris Laprise:
I created another ProxyVM ovpn and did it from scratch. Can you
please check if this is the right procedure?

[user@ovpn ~]$ sudo mkdir -p /rw/config/vpn
[user@ovpn ~]$ cd /rw/config/vpn
[user@ovpn vpn]$ ls
[user@ovpn vpn]$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip
Archive: /home/user/mullvad_openvpn_linux_all_all.zip
creating: mullvad_config_linux/
extracting: mullvad_config_linux/mullvad_ae_all.conf
extracting: mullvad_config_linux/mullvad_al_all.conf
extracting: mullvad_config_linux/mullvad_at_all.conf
extracting: mullvad_config_linux/mullvad_au_all.conf
extracting: mullvad_config_linux/mullvad_be_all.conf
extracting: mullvad_config_linux/mullvad_bg_all.conf
extracting: mullvad_config_linux/mullvad_br_all.conf
extracting: mullvad_config_linux/mullvad_ca_all.conf
extracting: mullvad_config_linux/mullvad_ch_all.conf
extracting: mullvad_config_linux/mullvad_cz_all.conf
extracting: mullvad_config_linux/mullvad_de_all.conf
extracting: mullvad_config_linux/mullvad_dk_all.conf
extracting: mullvad_config_linux/mullvad_es_all.conf
extracting: mullvad_config_linux/mullvad_fi_all.conf
extracting: mullvad_config_linux/mullvad_fr_all.conf
extracting: mullvad_config_linux/mullvad_gb_all.conf
extracting: mullvad_config_linux/mullvad_gr_all.conf
extracting: mullvad_config_linux/mullvad_hk_all.conf
extracting: mullvad_config_linux/mullvad_hu_all.conf
extracting: mullvad_config_linux/mullvad_ie_all.conf
extracting: mullvad_config_linux/mullvad_il_all.conf
extracting: mullvad_config_linux/mullvad_it_all.conf
extracting: mullvad_config_linux/mullvad_jp_all.conf
extracting: mullvad_config_linux/mullvad_lu_all.conf
extracting: mullvad_config_linux/mullvad_lv_all.conf
extracting: mullvad_config_linux/mullvad_md_all.conf
extracting: mullvad_config_linux/mullvad_nl_all.conf
extracting: mullvad_config_linux/mullvad_no_all.conf
extracting: mullvad_config_linux/mullvad_nz_all.conf
extracting: mullvad_config_linux/mullvad_pl_all.conf
extracting: mullvad_config_linux/mullvad_pt_all.conf
extracting: mullvad_config_linux/mullvad_ro_all.conf
extracting: mullvad_config_linux/mullvad_rs_all.conf
extracting: mullvad_config_linux/mullvad_se_all.conf
extracting: mullvad_config_linux/mullvad_sg_all.conf
extracting: mullvad_config_linux/mullvad_us_all.conf
extracting: mullvad_config_linux/mullvad_userpass.txt
extracting: mullvad_config_linux/mullvad_ca.crt
extracting: mullvad_config_linux/update-resolv-conf
[user@ovpn vpn]$ sudo cp mullvad_config_linux/mullvad_ch_all.conf
vpn-client.conf
[user@ovpn vpn]$ sudo openvpn --cd /rw/config/vpn --config
vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt
Mon Apr 20 15:27:43 2020 Note: option tun-ipv6 is ignored because modern
operating systems do not need special IPv6 tun handling anymore.
Options error: --up script fails with '/etc/openvpn/update-resolv-conf':
No such file or directory (errno=2)
Options error: Please correct this error.
Use --help for more information.
[user@ovpn vpn]$ cd ~
[user@ovpn ~]$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf
--auth-user-pass mullvad_config_linux/mullvad_userpass.txt
Mon Apr 20 15:28:29 2020 Note: option tun-ipv6 is ignored because modern
operating systems do not need special IPv6 tun handling anymore.
Options error: --up script fails with '/etc/openvpn/update-resolv-conf':
No such file or directory (errno=2)
Options error: Please correct this error.

Chris Laprise

Apr 20, 2020, 2:05:35 PM
to taran1s, qubes-users
You'll need to put the files in the vpn directory, not a subdirectory
like "mullvad_config_linux".

That particular error, however, indicates that the config expects
"update-resolv-conf" to be in "/etc/openvpn". You can copy it there for
the test, but this part of the config is overridden by Qubes-vpn-support
so in the end you won't need it there.

taran1s

Apr 20, 2020, 3:01:31 PM
to Chris Laprise, qubes-users


Chris Laprise:
Is there any particular command, instead of unzip, to not create the
sub-directory but unzip it in the vpn directory directly?

>
> That particular error, however, indicates that the config expects
> "update-resolv-conf" to be in "/etc/openvpn". You can copy it there for
> the test, but this part of the config is overridden by Qubes-vpn-support
> so in the end you won't need it there.

Should the Qubes-vpn-support be unzipped and installed in /home/user/ or
an another path or it doesn't matter?

BTW this is the log from debian-10 based ProxyVM. The error seems to be
different:

user@open:~$ sudo mkdir -p /rw/config/vpn
user@open:~$ cd /rw/config/vpn
user@open:/rw/config/vpn$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip
user@open:/rw/config/vpn$ sudo cp
mullvad_config_linux/mullvad_ch_all.conf vpn-client.conf
user@open:/rw/config/vpn$ sudo openvpn --cd /rw/config/vpn --config
vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt
Mon Apr 20 16:03:58 2020 Note: option tun-ipv6 is ignored because modern
operating systems do not need special IPv6 tun handling anymore.
Options error: --ca fails with 'mullvad_ca.crt': No such file or
directory (errno=2)
Mon Apr 20 16:03:58 2020 WARNING: file
'mullvad_config_linux/mullvad_userpass.txt' is group or others accessible
Options error: Please correct these errors.

Chris Laprise

Apr 20, 2020, 6:36:38 PM
to taran1s, qubes-users
On 4/20/20 3:01 PM, taran1s wrote:
>
> Chris Laprise:
>> You'll need to put the files in the vpn directory, not a subdirectory
>> like "mullvad_config_linux".
>
> Is there any particular comand, instead of unzip, to not create the
> sub-directory but unzip it in the vpn directory directly?
>
>>
>> That particular error, however, indicates that the config expects
>> "update-resolv-conf" to be in "/etc/openvpn". You can copy it there for
>> the test, but this part of the config is overridden by Qubes-vpn-support
>> so in the end you won't need it there.
>
> Should the Qubes-vpn-support be unzipped and installed in /home/user/ or
> an another path or it doesn't matter?

You can unzip it in any user directory and the installer will know where
to install the program files.
The 'No such file' error is the one to correct. As I said earlier, you
will need to move the files out of the "mullvad_config_linux"
subdirectory into the vpn dir. It can't find the .crt file because it's
in the subdirectory.

taran1s

Apr 21, 2020, 7:04:07 AM
to Chris Laprise, qubes-users


Chris Laprise:
So it seems like I will need to use the ProxyVM based on the debian-10
template instead of fedora-30. In the case of the Fedora-30 ProxyVM, the error
is different for some mysterious reason, even though the process was the same.

I try to unzip the files into the /rw/config/vpn directory, but whatever
I try, the unzip command still creates the subdirectory. When I try to
get just the files there, without the subdirectory, I don't have enough
permissions. Is there any way to unzip or somehow get the files into
/rw/config/vpn? Sorry for the noob questions :)

Btw is it enough to have the ProxyVM routed through sys-net instead of
sys-firewall?

Chris Laprise

Apr 21, 2020, 9:27:51 AM
to taran1s, qubes-users
On 4/21/20 7:03 AM, taran1s wrote:
>
>
> Chris Laprise:
>> The 'No such file' error is the one to correct. As I said earlier, you
>> will need to move the files out of the "mullvad_config_linux"
>> subdirectory into the vpn dir. It can't find the .crt file because its
>> in the subdirectory.
>>
> So it seems like I will need to use the ProxyVM based on debian-10
> template instead of fedora-30. In case of Fedora-30 ProxyVM, the error
> is different for some mysterious reason, even the process was the same.
>
> I try to unzip the files into the /rw/config/vpn directory, but whatever
> I try, the unzip comand still creates the subdirectory. When I try to
> get just the files there, without the subdirectory, I don't have enough
> permissions. Is there any way how to unzip or somehow get the files into
> /rw/config/vpn? Sorry for the noob questions :)

You could try 'sudo unzip -j' to extract without the subdirectory.

Or you could move the existing files with:

'sudo mv /rw/config/vpn/mullvad_config_linux/* /rw/config/vpn'

In any case, I suggest you look at an introduction to Linux command line
to get better acquainted with the OS.

>
> Btw is it enough to have the ProxyVM routed through sys-net instead of
> sys-firewall?
>

Yes.
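
The three 'Options error' lines in this thread (no 'dev' line, '--ca fails
with mullvad_ca.crt', '--up script fails with /etc/openvpn/update-resolv-conf')
all come from OpenVPN resolving file names relative to the directory it is
started in with --cd, which is why the files must sit directly in
/rw/config/vpn and not under mullvad_config_linux/. The script below is an
added example for this thread, not Chris's code and not part of
Qubes-vpn-support or Mullvad's bundle: it unpacks the Mullvad zip flat with
'unzip -j' and then checks vpn-client.conf the way 'openvpn --cd /rw/config/vpn
--config vpn-client.conf' would, so the problem shows up before the handler
starts looping. It assumes the paths and unit used in this thread
(/rw/config/vpn, vpn-client.conf, qubes-vpn-handler) and the Mullvad file
names from the unzip listing posted above.

```bash
#!/bin/bash
# Added example for the qubes-users thread; not from Chris Laprise, not
# part of Qubes-vpn-support or of Mullvad's configuration bundle.
# Run inside the VPN VM as root. Assumed: Qubes-vpn-support reads
# /rw/config/vpn/vpn-client.conf and starts openvpn with --cd /rw/config/vpn;
# Mullvad's zip holds mullvad_<cc>_all.conf, mullvad_ca.crt,
# mullvad_userpass.txt and update-resolv-conf under mullvad_config_linux/.

VPNDIR="${VPNDIR:-/rw/config/vpn}"

# unzip -j drops the mullvad_config_linux/ prefix, so a relative
# 'ca mullvad_ca.crt' in the config resolves inside $dir.
unpack_mullvad() {
    local zip="$1" dir="$2"
    mkdir -p "$dir"
    unzip -qoj "$zip" -d "$dir"
    # OpenVPN warns when the credentials file is group/other readable.
    chmod 600 "$dir/mullvad_userpass.txt"
}

# Check the active config as 'openvpn --cd $dir --config vpn-client.conf'
# would see it. Prints every problem found; the return value is the
# number of hard errors (0 means openvpn will at least parse the file).
check_config() {
    local dir="$1" conf="$1/vpn-client.conf" errors=0 opt arg
    if [ ! -f "$conf" ]; then
        echo "missing $conf: copy or link a mullvad_<cc>_all.conf to it"
        return 1
    fi
    if ! grep -q '^dev[[:space:]]' "$conf"; then
        echo "no 'dev' line (expected 'dev tun')"
        errors=$((errors + 1))
    fi
    while read -r opt arg _; do
        case "$opt" in
            ca|cert|key|auth-user-pass|tls-auth|tls-crypt)
                [ -n "$arg" ] || continue     # prompt or inline <ca> block: nothing on disk to check
                case "$arg" in /*) ;; *) arg="$dir/$arg" ;; esac
                if [ ! -f "$arg" ]; then
                    echo "$opt: '$arg' not found (it must sit beside vpn-client.conf, not in a subdirectory)"
                    errors=$((errors + 1))
                fi
                ;;
            up)
                # Qubes-vpn-support overrides the up script; only a bare
                # 'sudo openvpn ...' test needs it to exist.
                [ -f "$arg" ] || echo "note: 'up $arg' is not present; harmless under qubes-vpn-handler"
                ;;
        esac
    done < "$conf"
    return "$errors"
}

# Usage inside the VPN VM:
#   sudo ./layout.sh ~/mullvad_openvpn_linux_all_all.zip ch
if [ $# -eq 2 ]; then
    unpack_mullvad "$1" "$VPNDIR"
    cp "$VPNDIR/mullvad_${2}_all.conf" "$VPNDIR/vpn-client.conf"
    check_config "$VPNDIR" && echo "vpn-client.conf looks complete"
fi
```

If check_config reports nothing and the handler still loops, the next
place to look is 'sudo journalctl -u qubes-vpn-handler' as Chris said; the
script only covers what OpenVPN rejects before it ever opens a socket.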

taran1s

Apr 21, 2020, 11:30:42 AM
to Chris Laprise, qubes-users


Chris Laprise:
> On 4/21/20 7:03 AM, taran1s wrote:
>>
>>
>> Chris Laprise:
>>> The 'No such file' error is the one to correct. As I said earlier, you
>>> will need to move the files out of the "mullvad_config_linux"
>>> subdirectory into the vpn dir. It can't find the .crt file because its
>>> in the subdirectory.
>>>
>> So it seems like I will need to use the ProxyVM based on debian-10
>> template instead of fedora-30. In case of Fedora-30 ProxyVM, the error
>> is different for some mysterious reason, even the process was the same.
>>
>> I try to unzip the files into the /rw/config/vpn directory, but whatever
>> I try, the unzip command still creates the subdirectory. When I try to
>> get just the files there, without the subdirectory, I don't have enough
>> permissions. Is there any way how to unzip or somehow get the files into
>> /rw/config/vpn? Sorry for the noob questions :)
>
> You could try 'sudo unzip -j' to extract without the subdirectory.
>
> Or you could move the existing files with:
>
> 'sudo mv /rw/config/vpn/mullvad_config_linux/* /rw/config/vpn'
>
> In any case, I suggest you look at an introduction to Linux command line
> to get better acquainted with the OS.
>
>>
>> Btw is it enough to have the ProxyVM routed through sys-net instead of
>> sys-firewall?
>>
>
> Yes.
>

Thank you, this did the trick ^^ Link is up. I will test it with the
setup me -> sys-whonix -> ProxyVM setup ->
clearnet_Tor_unfriendly_services ;)

If I understand it well, I can select a new VPN country for the
particular session just by executing sudo cp any_country_I_need.ovpn
vpn-client.conf right?
0xA664B90BD3BE59B3.asc

Chris Laprise

unread,
Apr 22, 2020, 10:52:36 AM4/22/20
to taran1s, qubes-users
On 4/21/20 11:30 AM, taran1s wrote:
> Thank you, this did the trick ^^ Link is up. I will test it with the
> setup me -> sys-whonix -> ProxyVM setup ->
> clearnet_Tor_unfriendly_services ;)
>
> If I understand it well, I can select a new VPN country for the
> particular session just by executing sudo cp any_country_I_need.ovpn
> vpn-client.conf right?
>

Yes, that will work. To change without restarting the VPN VM, you can do:

sudo service qubes-vpn-handler stop
sudo cp some_location.ovpn vpn-client.conf
sudo service qubes-vpn-handler start

taran1s

unread,
Apr 23, 2020, 6:10:15 AM4/23/20
to Chris Laprise, qubes-users


Chris Laprise:
> On 4/21/20 11:30 AM, taran1s wrote:
>> Thank you, this did the trick ^^ Link is up. I will test it with the
>> setup me -> sys-whonix -> ProxyVM setup ->
>> clearnet_Tor_unfriendly_services ;)
>>
>> If I understand it well, I can select a new VPN country for the
>> particular session just by executing sudo cp any_country_I_need.ovpn
>> vpn-client.conf right?
>>
>
> Yes, that will work. To change without restarting the VPN VM, you can do:
>
> sudo service qubes-vpn-handler stop
> sudo cp some_location.ovpn vpn-client.conf
> sudo service qubes-vpn-handler start
>

All is working well. Thank you very much Chris. At the end it is
actually very easy to set up and run. The point was my lack of
experience in basic commands related to Linux and most probably
selecting wrong mullvad setup files for my planned routing
(me->tor->vpn). Now it is much clearer.

You mention in your previous email "I suggest you look at an
introduction to Linux command line". Do you have any good resource for that?

Thank you again ;)
0xA664B90BD3BE59B3.asc

taran1s

unread,
May 1, 2020, 7:54:56 AM5/1/20
to Chris Laprise, qubes-users


taran1s:
Chris, I tried now to connect to the kraken.com, which seems to be tor
unfriendly through me->tor->VPN->kraken.com but it returns error on the
site "Disabled".

I learned now that despite I use the above connection model, using VPN
as an exit, I still exit from the tor exit node and not from the VPN. I
am not sure what broke.

Can you please try to connect through this setup to for example
kraken.com and click on Features if it returns the "Disabled" error too?

If you have any advice for me, it would be very much appreciated. Thank you!
0xA664B90BD3BE59B3.asc

unman

unread,
May 1, 2020, 8:56:48 AM5/1/20
to qubes-users
On Fri, May 01, 2020 at 11:54:27AM +0000, taran1s wrote:
>
>
> taran1s:
> >
> >
> Chris, I tried now to connect to the kraken.com, which seems to be tor
> unfriendly through me->tor->VPN->kraken.com but it returns error on the
> site "Disabled".
>
> I learned now that despite I use the above connection model, using VPN
> as an exit, I still exit from the tor exit node and not from the VPN. I
> am not sure what broke.
>

If I understand your model: me->tor->VPN->kraken.com
you are running Tor *through* your VPN - this means that your service
provider sees your connection to the VPN, and your VPN provider sees
your connection to the first Tor hop.
Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
exit node that connects to kraken.
The VPN is NOT an exit in this model. Nothing has broken.

taran1s

unread,
May 2, 2020, 4:23:31 AM5/2/20
to unman, qubes-users


unman:
I am actually using mullvad VPN. The idea is to have the possibility to
access websites or services (like kraken.com) that are not tor-friendly.
I would like to connect first to Tor through sys-whonix, then connect to
the VPN through VPN AppVM and from that VPN to connect to the clearnet.

I set the AppVMs networking following way: anon-whonix networking set
to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
the clearnet. Is that right for my model?
0xA664B90BD3BE59B3.asc

unman

unread,
May 2, 2020, 6:54:12 AM5/2/20
to qubes-users
No.
Think about it.
anon-whonix creates a request.
sys-whonix takes that request, and builds a circuit.
VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
The VPN provider gets the Tor traffic, and sends it on to the first
hop.
Then it goes via Tor to the exit node and then to the target.
Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
going to Tor; the target sees traffic coming from Tor network.

*Always* use check.torproject.org to confirm your exit IP in this sort of
case (always) so that the actual result matches expectations.

What you have built (in packet terms) is:
me - Tor - VPN - target.

What you seem to want is:
me - VPN - Tor - target

To do that you need to build the VPN traffic and send it down a Tor
circuit.
Your Qubes network configuration should be:
client - VPN qube - Tor qube - sys-firewall - sys-net

I have no idea if Whonix will let you do this.

unman

taran1s

unread,
May 3, 2020, 4:03:10 AM5/3/20
to unman, Chris Laprise, qubes-users


taran1s:
>
>
> unman:
> Ah, omg I see. I thought about it in terms of seeing other AppVMs like
> sys-whonix -> sys-firewall -> sys-net. I am not experienced in
> networking and so just followed the logic of what's first gets first. But
> now I see that packet wise, it is vice versa. It is a bit confusing for
> me, but if it is working, I will be more than happy :)
>
> So if I understand it properly, I set the networking of the AppVMs
> following way:
>
> anon-whonix -> VPN-AppVM -> sys-whonix -> clearnet. In this case I use
> tor first, exit from tor-exit-node to the VPN and then exit from VPN to
> clearnet. Am I right?
>

I tried the setup, but in this case the VPN proxy doesn't go to Link
UP and TB in anon-whonix isn't connected to the internet. Any ideas?

BTW I downloaded the default UDP setting package from mullvadVPN as
Chris mentioned. I know that tor is using TCP only. Could this be an
issue with this setup and I should get the TCP package instead of UDP?

Just to sum it up: I would like to first connect to the Tor, then exit
from Tor to the VPN and from VPN to the clearnet target.
0xA664B90BD3BE59B3.asc

unman

unread,
May 3, 2020, 11:56:18 AM5/3/20
to qubes-users
Yes. Your UDP traffic won't go through Tor.
You need a TCP VPN to route through Tor.

unman

taran1s

unread,
May 4, 2020, 2:00:16 AM5/4/20
to unman, Chris Laprise, qubes-users


unman:
I downloaded the TCP port 443 (there is also TCP port 80?) file from
Mullvad and tried to go through, but the VPN Proxy AppVM cycles with
'Ready to start link' only and never goes to the 'Link is UP'.

Maybe there is something in the script from Chris that doesn't cooperate
with the whonix setup and something needs to be adjusted for this model
of connecting to VPN after Tor. But no idea what it could be. I am
unfortunately not able to check the script itself as I am not a programmer.
0xA664B90BD3BE59B3.asc

Frank

unread,
May 4, 2020, 2:51:53 AM5/4/20
to qubes...@googlegroups.com
What exactly are you trying to accomplish with this kind of set-up? If you want to stay anonymous, your connection through the VPN should accomplish that already (if you make sure your browser doesn’t contain any information that can be traced back to you) and if not (because you didn’t pay with Bitcoin or cash and there is a possible paper-trail back to your person from your mullvad VPN account number) then using it through Tor doesn’t help either.

Maybe I am missing something here and I would love to be enlightened if that is the case...

Regards, Frank


unman

unread,
May 4, 2020, 6:57:02 AM5/4/20
to qubes-users
On Mon, May 04, 2020 at 05:59:03AM +0000, taran1s wrote:
>
>
> > Yes. Your UDP traffic won't go through Tor.
> > You need a TCP VPN to route through Tor.
> >
> > unman
> >
>
> I downloaded the TCP port 443 (there is also TCP port 80?) file from
> Mullvad and tried to go through, but the VPN Proxy AppVM cycles with
> 'Ready to start link' only and never goes to the 'Link is UP'.
>
> Maybe there is something in the script from Chris that doesn't cooperate
> with the whonix setup and something needs to be adjusted for this model
> of connecting to VPN after Tor. But no idea what it could be. I am
> unfortunately not able to check the script itself as I am not a programmer.

I don't use that script or Whonix.
I suspect that you might get more help on Whonix mailing lists.

taran1s

unread,
May 4, 2020, 12:45:02 PM5/4/20
to qubes-users


Frank:
As I mentioned, I would like to use Tor before VPN to be able to connect
to the tor-unfriendly services like kraken.com. VPN itself is not
anonymous and so connect to the VPN from the Tor exit node helps.
0xA664B90BD3BE59B3.asc

Chris Laprise

unread,
May 4, 2020, 6:02:58 PM5/4/20
to unman, qubes-users
A good rule of thumb is that whichever proxyVM is directly attached to
your appVM will be the type of network that the remote service sees.

>
> I have no idea if Whonix will let you do this.

This should work for most VPNs, as Patrick and I and others have tested
it (though I haven't tested Whonix specifically with Mullvad). The only
constraint is that the VPN use TCP instead of UDP.
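
Putting Chris's stop/cp/start sequence and unman's TCP-only point together, here is an added helper script that is not from the thread, from Chris's qubes-vpn-handler project or from Mullvad. It swaps the active profile in /rw/config/vpn the way Chris describes, but first refuses any .ovpn whose transport is UDP, since UDP cannot be carried over the Tor qube. The transport detection assumes standard OpenVPN config semantics (a `proto` directive, an optional protocol as the third field of `remote`, UDP by default); the profile file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's own script): select a Mullvad .ovpn
# profile for qubes-vpn-handler, refusing UDP profiles because a VPN
# behind sys-whonix must run over TCP to be routed through Tor.
# Assumed layout (from the thread): profiles and vpn-client.conf live in
# /rw/config/vpn. VPN_DIR may be overridden for testing.
VPN_DIR="${VPN_DIR:-/rw/config/vpn}"

# ovpn_uses_tcp FILE
# Exit 0 when the profile's transport is TCP. OpenVPN takes the transport
# from the optional third field of "remote HOST PORT PROTO"; if that is
# absent it uses the "proto" directive, and with neither present the
# default is UDP. (Assumed standard OpenVPN semantics.)
ovpn_uses_tcp() {
    f="$1"
    [ -r "$f" ] || return 2
    proto=$(awk '
        $1 == "proto"                 { p = $2 }
        $1 == "remote" && NF >= 4     { r = $4 }
        END { print (r != "" ? r : (p != "" ? p : "udp")) }' "$f")
    case "$proto" in
        tcp|tcp-client|tcp4|tcp6|tcp4-client|tcp6-client) return 0 ;;
        *) return 1 ;;
    esac
}

# select_profile NAME
# Copy $VPN_DIR/NAME to $VPN_DIR/vpn-client.conf after the TCP check.
# The copy goes through a temporary file so the handler never reads a
# half-written config if it happens to start in between.
select_profile() {
    name="$1"
    src="$VPN_DIR/$name"
    if ! ovpn_uses_tcp "$src"; then
        echo "refusing $name: transport is not TCP, it would not pass through Tor" >&2
        return 1
    fi
    cp "$src" "$VPN_DIR/vpn-client.conf.tmp" &&
        mv "$VPN_DIR/vpn-client.conf.tmp" "$VPN_DIR/vpn-client.conf"
}

# switch_vpn_location NAME
# Chris's sequence: stop the handler, swap the config, start it again.
# Only the config swap is validated; the service commands are Qubes-specific.
switch_vpn_location() {
    sudo service qubes-vpn-handler stop || return 1
    select_profile "$1" || { sudo service qubes-vpn-handler start; return 1; }
    sudo service qubes-vpn-handler start
}

# Usage inside the VPN ProxyVM (placeholder profile name):
#   sh switch-vpn.sh some_location_tcp443.ovpn
if [ "$#" -gt 0 ]; then
    switch_vpn_location "$1"
fi
```

Run it with no arguments to load only the functions; with a profile name it performs the full swap. If the swap is refused, the handler is restarted with the previous config so the link state does not silently change. Whatever profile ends up active, unman's advice still applies: confirm the exit address at check.torproject.org afterwards.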

taran1s

unread,
May 5, 2020, 6:51:17 AM5/5/20
to Chris Laprise, qubes-users, unman


Chris Laprise:
Thank you for the hint with ProxyVM logic.

I tried both configurations from Mullvad with UDP and TCP 443, but
didn't get it work. The VPN-ProxyVM cycles at ready to start link but
never goes to the Link Up. Mullvad's options are Default (UDP), UDP 53,
TCP 80 and TCP 443.

Chris, if you have any chance to try the setup, it would be very much
appreciated.
0xA664B90BD3BE59B3.asc

taran1s

unread,
Jan 13, 2021, 5:57:54 AM1/13/21
to Chris Laprise, qubes-users, unman


taran1s:
Hello everyone, did anyone actually manage to make this setup run?
Possibly any additional ideas how to accomplish the task of connecting in
the above configuration?