Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-05-12 Thread JonHBit
On Thursday, April 26, 2018 at 6:38:41 PM UTC-7, Chris Laprise wrote:
> On 04/26/2018 05:29 PM, JonHBit wrote:
> > On Wednesday, April 18, 2018 at 5:36:37 AM UTC-4, Chris Laprise wrote:
> >> On 04/17/2018 11:42 PM, Chris Laprise wrote:
> >>> On 04/17/2018 09:20 PM, JonHBit wrote:
> >>
> >>>> Worked well for me using a debian-9 template & commit 4e96ca8, only
> >>>> trouble was that my VPN provider's configs used
> >>>> /etc/update-resolv-conf and failed silently when it was missing - so
> >>>> shipping it with qubes-tunnel and installing it by default may be
> >>>> helpful.
> >>>
> >>> Thanks!
> >>>
> >>> This issue just became apparent to me when another user reported it. The
> >>> underlying problem is a bug (or several bugs) in openvpn's option parsing:
> >>>
> >>> https://github.com/tasket/Qubes-vpn-support/issues/19
> >>>
> >>> It only shows up when the config specifies its own scripts which is
> >>> rare. I'm trying out a workaround now which involves:
> >>>
> >>> 1. Removing the paths in the up & down options in the .service file.
> >>>
> >>> 2. Moving the up & down options to the beginning just after the openvpn
> >>> command.
> >>>
> >>> 3. Symlinking the up/down script from /usr/lib/qubes to the
> >>> /rw/config/qtunnel dir.
> >>>
> >>> Hopefully this will override the config's up/down settings as intended.
> >>
> >> I had to use a different approach but it should be fixed now. Update it
> >> by copying new version to template and running installer. Then you'll
> >> need to remove the 'qubes-tunnel' Qubes service for the proxyVM and add
> >> 'qubes-tunnel-openvpn' instead.
> >>
> >>
> >> -- 
> >>
> >> Chris Laprise, tas...@posteo.net
> >> https://github.com/tasket
> >> https://twitter.com/ttaskett
> >> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> > 
> > Hi Chris,
> > 
> > Good to see the update!
> > 
> > However I think that's a separate issue; what I'm referencing is these 
> > lines in my .ovpn config:
> > 
> > script-security 2
> > up /etc/openvpn/update-resolv-conf
> > down /etc/openvpn/update-resolv-conf
> > 
> > The VPN installer script will normally download this if it's missing - used 
> > to change the DNS server to the VPN-provided one.
> > 
> > The script is here: 
> > https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh
> > 
> > After adding it everything worked well.
> 
> The update will replace those lines because they should be overridden 
> with the Qubes-specific DNS handling. If dnat isn't setup for DNS then 
> those packets could get mis-routed.
> 
> You can check the dnat rules (which should have some address other than 
> 10.139.1.x after connecting) with this:
> 
> sudo iptables -v -t nat -L PR-QBS
> 
> My guess why it might work with incorrect dnat addresses is that your 
> VPN provider takes the step of re-assigning DNS destination addresses to 
> its own. But this is unorthodox so I wouldn't count on it.
> 
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

I've updated to 1.4beta4 and switched templates from debian-9 to fedora-28, 
but I'm getting the same error - also it seems like openvpn flag defaults 
changed, as it now returns an error for the up and down arguments.

Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2 arguments 
instead of 1; putting the whole phrase in double quotes fixes this, which I see 
you did, but for some reason the quotes seem to be removed when ExecStart runs, 
i.e. checking systemctl status qubes-tunnel shows the command without the quotes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eeefbba3-565f-443b-b80f-04353cd975a7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
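
The dnat check Chris Laprise describes in the quoted reply above, turned into a reusable filter. This is an added example, not part of the thread or of qubes-tunnel; check_dnat, the sample_* functions, the sample rule listings and the 10.8.0.1 resolver address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the DNAT targets in the
# PR-QBS chain. Input is the text printed by
#   sudo iptables -v -t nat -L PR-QBS
# Returns 0 if every DNAT target is outside 10.139.1.x, 1 if any target is
# still inside it, 2 if the chain has no DNAT rules at all.
check_dnat() {
    awk '
        $3 == "DNAT" {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^to:/) continue
                addr = substr($i, 4)
                sub(/:[0-9]+$/, "", addr)   # drop an optional :port suffix
                n++
                if (addr ~ /^10\.139\.1\./) { bad++; print "STALE " addr }
                else print "OK " addr
            }
        }
        END {
            if (n == 0) { print "NO-DNAT-RULES"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample: chain as it looks before the tunnel is up.
sample_before() {
    cat <<'EOF'
Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  any    any     anywhere             10.139.1.1           udp dpt:domain to:10.139.1.1
    0     0 DNAT       tcp  --  any    any     anywhere             10.139.1.1           tcp dpt:domain to:10.139.1.1
EOF
}

# Constructed sample: after connecting; 10.8.0.1 is a made-up VPN resolver.
sample_after() {
    cat <<'EOF'
Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   780 DNAT       udp  --  any    any     anywhere             10.139.1.1           udp dpt:domain to:10.8.0.1
    0     0 DNAT       tcp  --  any    any     anywhere             10.139.1.1           tcp dpt:domain to:10.8.0.1
EOF
}
```

On a live ProxyVM, pipe the command from the thread into the function: sudo iptables -v -t nat -L PR-QBS | check_dnat. A non-zero return after the tunnel is up means DNS packets are not being redirected to the VPN's resolver.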


Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-04-26 Thread JonHBit
On Wednesday, April 18, 2018 at 5:36:37 AM UTC-4, Chris Laprise wrote:
> On 04/17/2018 11:42 PM, Chris Laprise wrote:
> > On 04/17/2018 09:20 PM, JonHBit wrote:
> 
> >> Worked well for me using a debian-9 template & commit 4e96ca8, only 
> >> trouble was that my VPN provider's configs used 
> >> /etc/update-resolv-conf and failed silently when it was missing - so 
> >> shipping it with qubes-tunnel and installing it by default may be 
> >> helpful.
> > 
> > Thanks!
> > 
> > This issue just became apparent to me when another user reported it. The 
> > underlying problem is a bug (or several bugs) in openvpn's option parsing:
> > 
> > https://github.com/tasket/Qubes-vpn-support/issues/19
> > 
> > It only shows up when the config specifies its own scripts which is 
> > rare. I'm trying out a workaround now which involves:
> > 
> > 1. Removing the paths in the up & down options in the .service file.
> > 
> > 2. Moving the up & down options to the beginning just after the openvpn 
> > command.
> > 
> > 3. Symlinking the up/down script from /usr/lib/qubes to the 
> > /rw/config/qtunnel dir.
> > 
> > Hopefully this will override the config's up/down settings as intended.
> 
> I had to use a different approach but it should be fixed now. Update it 
> by copying new version to template and running installer. Then you'll 
> need to remove the 'qubes-tunnel' Qubes service for the proxyVM and add 
> 'qubes-tunnel-openvpn' instead.
> 
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Hi Chris,

Good to see the update!

However I think that's a separate issue; what I'm referencing is these lines in 
my .ovpn config:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

The VPN installer script will normally download this if it's missing - used to 
change the DNS server to the VPN-provided one.

The script is here: 
https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh

After adding it everything worked well.



[qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-04-17 Thread JonHBit
On Tuesday, April 17, 2018 at 2:13:29 PM UTC-7, Chris Laprise wrote:
> Hello fellow Qubes users:
> 
> Per issue 3503 the Qubes project would like to incorporate VPN features 
> from Qubes-vpn-support -- which a number of you are already using -- 
> into the Qubes 4.1 release.
> 
> I've set up a new project "qubes-tunnel" to act as a staging area for 
> testing and eventual forking into Qubes. It is nearly the same as 
> Qubes-vpn-support except some names & paths are different... and install 
> to template is required for obvious reasons :) .
> 
> 
> Project Link... https://github.com/tasket/qubes-tunnel
> 
> 
> Everyone with an available VPN service is welcome to try this out and 
> report here on your results!
> 
> -
> 
> PS - Some of you will wonder if installing qubes-tunnel into an existing 
> template already used for Qubes-vpn-support will cause a conflict; They 
> will not conflict as long as the two services aren't enabled for the 
> same ProxyVM(s).
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Worked well for me using a debian-9 template & commit 4e96ca8, only trouble was 
that my VPN provider's configs used /etc/update-resolv-conf and failed silently 
when it was missing - so shipping it with qubes-tunnel and installing it by 
default may be helpful.



Re: [qubes-users] Disk space--R4 lies through its teeth

2018-03-19 Thread JonHBit
On Monday, March 19, 2018 at 11:22:38 AM UTC-7, Bill Wether wrote:
> On Monday, March 19, 2018 at 1:55:39 PM UTC-4, Unman wrote:
> > On Mon, Mar 19, 2018 at 10:34:05AM -0700, Bill Wether wrote:
> > > This has been mentioned before in 
> > > , but I 
> > > don't see anywhere that it's fixed.
> > > 
> > > In R3.2, df in Dom0 would show how much actual disk space remained.  
> > > That's a critical piece of data for production use, given the sheer 
> > > amount of breakage caused by running out of space.
> > > 
> > > I have a 1TB SSD with Qubes 4.0 RC5 and about 450GB of restored VMs, but 
> > > when I type 'df' in dom0 I get:
> > > 
> > > Filesystem                  1K-blocks    Used Available Use% Mounted on
> > > devtmpfs                      1995976       0   1995976   0% /dev
> > > tmpfs                         2009828       0   2009828   0% /dev/shm
> > > tmpfs                         2009828    1612   2008216   1% /run
> > > tmpfs                         2009828       0   2009828   0% /sys/fs/cgroup
> > > /dev/mapper/qubes_dom0-root 935037724 3866076 883604596   1% /
> > > tmpfs                         2009828       8   2009820   1% /tmp
> > > xenstore                      2009828     416   2009412   1% /var/lib/xenstored
> > > /dev/sda1                      999320   79676    850832   9% /boot
> > > tmpfs                          401964       8    401956   1% /run/user/1000
> > > 
> > > You'd never know that the disk is actually half full or a little more. I 
> > > have no idea how to manage my disk space on Qubes 4.0.
> > > 
> > > Suggestions?
> 
> > 
> > Qubes 4.0 uses LVM thin pools.
> > Try using sudo lvs to see the actual data used in the pool.
> 
> Ah, okay, thanks.  When I do that, I get 
> 
> [billw@dom0 Desktop]$ sudo lvs
>   LV     VG         Attr       LSize   Pool   Origin Data%  Meta%  Move Log Cpy%Sync Convert
>   pool00 qubes_dom0 twi-aotz-- 906.96g               52.49  28.32
>   root   qubes_dom0 Vwi-aotz-- 906.96g pool00        2.14
>   swap   qubes_dom0 -wi-ao       7.55g
> 
> and so forth.
> 
> Does that mean that my drive is actually 81% full with only 450 GB of VMs?  I 
> sure hope not.  That's over 50% overhead! 
> 
> Cheers
> 
> BillW

81% is probably not accurate, since the metadata is stored in an LV that seems 
to start out at 16 GB [1].

If you want more precise info on used space, qvm-pool is useful (specifically, 
qvm-pool -i lvm).

The attached script will calculate free space in the main lvm pool and 
percentage used, and you can use it with an Xfce Generic Monitor to add its 
output to your panel.

Also, note that lvs shows the maximum sizes for the LVs assigned to TemplateVMs 
& AppVMs, not space used.

1 - https://github.com/QubesOS/qubes-issues/issues/3240

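
#!/bin/sh
# Report free space and percentage used for the main LVM thin pool (dom0).
# The size and usage values from "qvm-pool -i lvm" are treated as byte counts.
INFO=$(qvm-pool -i lvm)
SIZE=$(echo "$INFO" | awk '/^size/ {print $2}')
USAGE=$(echo "$INFO" | awk '/^usage/ {print $2}')
FREE=$((SIZE - USAGE))
# Percentage used, rounded to the nearest integer.
USEDCENT=$((100*USAGE/SIZE + 200*USAGE/SIZE % 2))
# Free space in GB with two decimals, computed arithmetically so the result
# stays correct whatever the number of digits in FREE.
FREEGB=$((FREE / 1000000000))
FREECENTI=$((FREE % 1000000000 / 10000000))
printf '%d.%02d GB FREE\n' "$FREEGB" "$FREECENTI"
echo "$USEDCENT"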