Re: [qubes-users] Qubes: Unable to connect to VPN
On 6/12/19 10:14 AM, 'Crypto Carabao Group' via qubes-users wrote:

> We've also been trying for days to get a VPN to resolve on a brand new R4.0 install, to either one of 2 different VPN providers, using the iptables and cli scripts:
> https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
>
> I've also set it up before on a 3.x Qubes and it worked using the above. So far, what's pretty certain is that these instructions were carried over automatically, but actually don't work for the R4.0 version.
>
> BTW, there is no "/usr/lib/qubes/qubes-vpn-setup" in the Fedora 29 or Debian 9 templates. So, wherever that came from, it's not in the new installer version we got.

There is no mention of a 'qubes-vpn-setup' in the vpn doc you linked to. That script is a part of my Qubes-vpn-support project on github. You might want to use that instead since the setup process is much simpler:

https://github.com/tasket/Qubes-vpn-support

> Neither is there a path: /etc/openvpn/update-resolv-conf in the VMs based on Fedora 29. (Haven't tried Debian 9 for that yet.) That probably came from a particular VPN provider, and would have to be installed in the template anyway to persist, right?

There is no mention of 'update-resolv-conf' in the vpn doc, either.

One of the most frequent causes of failed vpn setups is when the user decides to mix or combine different instructions because 'more is better' or because they saw different people discussing the merits of different approaches. This does NOT work; you have to pick one and follow it.

> It seems that the update-resolve-conf is a default script that ships with some distros, such as Mint (attached), and works on our other machine, and does the function that the "|qubes-vpn-handler.sh|" does in the Qubes VPN instructions, but it doesn't work on Qubes in our case for the same VPN provider either.
>
> Seems to require a lot of modification and merge the two maybe, which will take us another several days to figure out, if ever.

Updating resolv.conf is not required at all to get DNS working for downstream appVMs. The instructions avoid doing this to help keep the VPN VM in a locked-down state, so it doesn't inadvertently try to access the tunnel for its internal programs (i.e. only downstream VMs get to access the tunnel).

What IS necessary is populating the DNAT rules in the firewall. Check the PR-QBS chain to see if your DNS server IPs were added:

    iptables -L -v -t nat PR-QBS

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/30080605-e0c5-4610-4279-1007b1e3b56f%40posteo.net.
For more options, visit https://groups.google.com/d/optout.
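The PR-QBS check suggested in the reply above, as an added example (not part of the thread and not code from Qubes-vpn-support): a shell function that reads the chain in `iptables -t nat -S PR-QBS` form, rather than the `-L -v` listing, and fails unless udp and tcp port-53 DNAT rules exist and all point at the expected resolver. The resolver 10.8.0.1 and the sample rule listings are constructed, and the rule layout is an assumption about what the firewall scripts write.

```shell
#!/bin/sh
# Added example: audit the DNS DNAT rules of the PR-QBS nat chain.
# Input: rule text in `iptables -t nat -S PR-QBS` format on stdin.

# Print "proto original-dst new-dst" for every DNAT rule matching port 53.
dns_dnat_targets() {
    awk '
        $1 == "-A" && $2 == "PR-QBS" {
            dst = ""; proto = ""; dport = ""; jump = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d")               dst   = $(i + 1)
                if ($i == "-p")               proto = $(i + 1)
                if ($i == "--dport")          dport = $(i + 1)
                if ($i == "-j")               jump  = $(i + 1)
                if ($i == "--to-destination") to    = $(i + 1)
            }
            if (jump == "DNAT" && dport == "53") {
                sub(/:53$/, "", to)   # drop an explicit :53 suffix
                print proto, dst, to
            }
        }'
}

# Return 0 only if both udp and tcp DNS are redirected and every redirect
# points at one of the expected resolvers passed as arguments.
check_dns_dnat() {
    rules=$(dns_dnat_targets)
    if [ -z "$rules" ]; then
        echo "FAIL: no DNS DNAT rules in PR-QBS"
        return 1
    fi
    status=0
    for proto in udp tcp; do
        if ! printf '%s\n' "$rules" | grep -q "^$proto "; then
            echo "FAIL: no $proto DNS rule"
            status=1
        fi
    done
    while read -r proto dst to; do
        ok=0
        for want in "$@"; do
            if [ "$to" = "$want" ]; then ok=1; fi
        done
        if [ "$ok" -eq 1 ]; then
            echo "ok:   $proto $dst -> $to"
        else
            echo "FAIL: $proto $dst -> $to (not an expected resolver)"
            status=1
        fi
    done <<EOF
$rules
EOF
    return "$status"
}

# Constructed sample: chain after the tunnel came up (10.8.0.1 is made up).
SAMPLE_VPN='-N PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.1'

# Constructed sample: chain still forwarding DNS to the upstream Qubes resolver.
SAMPLE_STALE='-N PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.139.1.1
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.139.1.1'

# Constructed sample: chain exists but was never populated.
SAMPLE_EMPTY='-N PR-QBS'

echo "== tunnel up =="
printf '%s\n' "$SAMPLE_VPN" | check_dns_dnat 10.8.0.1 || true
echo "== rules never updated =="
printf '%s\n' "$SAMPLE_STALE" | check_dns_dnat 10.8.0.1 || true
```

In the VPN VM the same function can be fed live rules with `sudo iptables -t nat -S PR-QBS | check_dns_dnat` followed by the DNS server address your provider pushes.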
[qubes-users] Qubes: Unable to connect to VPN
We've also been trying for days to get a VPN to resolve on a brand new R4.0 install, to either one of 2 different VPN providers, using the iptables and cli scripts:
https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

I've also set it up before on a 3.x Qubes and it worked using the above. So far, what's pretty certain is that these instructions were carried over automatically, but actually don't work for the R4.0 version.

BTW, there is no "/usr/lib/qubes/qubes-vpn-setup" in the Fedora 29 or Debian 9 templates. So, wherever that came from, it's not in the new installer version we got.

Neither is there a path: /etc/openvpn/update-resolv-conf in the VMs based on Fedora 29. (Haven't tried Debian 9 for that yet.) That probably came from a particular VPN provider, and would have to be installed in the template anyway to persist, right?

It seems that the update-resolve-conf is a default script that ships with some distros, such as Mint (attached), and works on our other machine, and does the function that the "`qubes-vpn-handler.sh`" does in the Qubes VPN instructions, but it doesn't work on Qubes in our case for the same VPN provider either.

Seems to require a lot of modification and merge the two maybe, which will take us another several days to figure out, if ever.

Openvpn actually does connect, but there's no DNS resolution, because the resolv.conf doesn't get updated.

One thing we noticed is that in the resolvctl the 8.8.8.8 and 8.8.4.4 and a couple of IPv6 servers are listed as "Fallback DNS Servers". We can even resolve manually using them with dig. However, the systemd-resolved or whatever is doing the resolution in this systemd mess, actually doesn't use them as a "Fallback" to resolve.

Don't know what to do next to fix this, except just more trial and error, and messy hack arounds...

On Tuesday, November 20, 2018 at 7:38:17 PM UTC, Otto Kratik wrote:
> Further update: I decided to try a completely different VPN provider's config file, and to my surprise that one worked fine using the old simple method of calling openvpn from the AppVM.
>
> Examining both files and looking for the difference between the two, it appears the broken one did not ever invoke resolvconf include the following lines:
>
>     script-security 2
>     up /etc/openvpn/update-resolv-conf
>     down /etc/openvpn/update-resolv-conf
>
> Adding those lines to the non-functioning file and running it resulted in success.

update-resolv-conf
Description: Binary data

publickey - cryptocarabao@protonmail.ch - 0x3F7D5EFD.asc
Description: application/pgp-keys

signature.asc
Description: OpenPGP digital signature
Re: [qubes-users] Qubes: Unable to connect to VPN
Just reviving a thread of mine from a few months ago with a related follow-up question.

When trying to connect to a VPN using openvpn from a Debian-9 AppVM within Qubes, I could connect but instantly lost DNS resolution which rendered the connection unusable. Installing the package 'resolvconf' and adding the following lines to the .ovpn script supplied by the VPN provider:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

...solved the issue and I was able to achieve full connectivity through the VPN.

Now, when trying to *disconnect* from that VPN using Ctrl-C from command line (or any other method) I am able to end the connection, but the DNS assignment does not appear to automatically reverse/undo and revert to the default DNS servers provided by sys-net within Qubes, namely 10.139.1.1/2. And as a result I once again cannot connect to any websites due to lack of functioning DNS lookup.

Having done a bit of research I've tried using commands like:

    sudo ifconfig tun0 down
    sudo ip link delete tun0

..but in both cases I get a response that 'tun0 does not exist' or something similar.

Is there any extra step needed to completely drop the VPN connection and revert to using normal sys-net connectivity, without requiring a restart of the AppVM itself? If I manually examine /etc/resolv.conf within the AppVM it still shows the default sys-net DNS entries as expected, so there must be some additional command needed to fully end the connection and revert to normal.

What am I missing?
Re: [qubes-users] Qubes: Unable to connect to VPN
Thanks...I am away from my Qubes but will try! Thanks!
Re: [qubes-users] Qubes: Unable to connect to VPN
On Tuesday, November 20, 2018 at 3:56:22 PM UTC-5, 22...@tutamail.com wrote:
> Interesting Otto...can you elaborate on the files you changed? I had this working at one time but then broke...I never managed to get it working.
>
> What files did you change? The config files?
>
> Any specifics for a newbie would be appreciated and likely appreciated by others.
>
> Thanks,
> 22Rip

In my case I had to change the config file supplied by the VPN provider itself, which ends with the extension ".ovpn"

In that file, just before the certificate info section which starts with:

    -BEGIN CERTIFICATE-

..I had to add the lines:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

That change, in combination with the package 'resolvconf' being installed in the template that the AppVM is based on (Debian 9, which did not have it installed by default), caused the VPN connection to work properly with functioning DNS lookup.
Re: [qubes-users] Qubes: Unable to connect to VPN
Interesting Otto...can you elaborate on the files you changed? I had this working at one time but then broke...I never managed to get it working.

What files did you change? The config files?

Any specifics for a newbie would be appreciated and likely appreciated by others.

Thanks,
22Rip
Re: [qubes-users] Qubes: Unable to connect to VPN
Further update: I decided to try a completely different VPN provider's config file, and to my surprise that one worked fine using the old simple method of calling openvpn from the AppVM.

Examining both files and looking for the difference between the two, it appears the broken one did not ever invoke resolvconf include the following lines:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

Adding those lines to the non-functioning file and running it resulted in success.
Re: [qubes-users] Qubes: Unable to connect to VPN
On Monday, November 19, 2018 at 3:55:19 PM UTC-5, Chris Laprise wrote:
> Qubes 4 networking is re-written and functions somewhat differently than Qubes 3.x.

So it seems. After spending several days trying to get a VPN connection up and working via every possible method conceivable, I have been met with complete and utter failure and have finally given up.

The results are always the same. Whether I connect manually with Openvpn, use qubes-vpn-support, qubes-tunnel, try from an AppVM, NetVM, ProxyVM, edit /etc/resolv.conf or any number of other files or scripts, it makes no difference. The VPN output reports successful connection (Initialization sequence completed) and I can ping any numerical IP address I specify without issue. But DNS resolution does not work, and nothing I try fixes it.

Booting up Qubes 3.2, the same VPN connection works flawlessly and DNS is trouble-free. So I've decided to solve my problem in the simplest (and only) way available: by going back to Qubes 3.2.

I appreciate all your attempts to help me with this. Thank you.
Re: [qubes-users] Qubes: Unable to connect to VPN
On 11/19/2018 03:01 PM, Otto Kratik wrote:
> On Monday, November 19, 2018 at 12:27:40 PM UTC-5, Chris Laprise wrote:
> > It could be as simple as editing your /etc/resolv.conf so it contains your VPN provider's DNS server (or other DNS server that you prefer) instead of the Qubes internal routing addresses.
>
> I'll give this a try, thanks. What mystifies me though is that I still have Qubes 3.2 installed on an older laptop and can confirm that on that version, none of these extra config steps are needed. I can activate and deactivate the VPN connection at will on the fly from an AppVM terminal, and it works flawlessly every time. Run openvpn and my IP address changes to the provider as expected. Hit ctrl-c to terminate the connection, and it goes back to my regular ISP-provided address as expected. Ideally I'd actually like to have this ability to switch it on and off as many times as desired during any given session, but maybe that's no longer possible in Qubes 4.

Qubes 4 networking is re-written and functions somewhat differently than Qubes 3.x.

> Also, I tried the instructions here:
>
> https://github.com/tasket/Qubes-vpn-support/
>
> ..and they did not work. Everything seems to go okay, but after copying/installing/linking everything as directed and then shutting down and restarting the ProxyVM, it pops up the message "Ready to start link", and then just repeatedly does that every 10 seconds or so. The link never actually goes up. Problem isn't with the provider's .ovpn config file, since it works fine on Qubes 3.2 as well as another mainstream Linux distro, with no issues at all.
>
> Not sure if it's significant, but the service "vpn-handler-openvpn" does not appear in the dropdown list of available services in the ProxyVM's settings screen, even though the template on which it is based (Debian 9) most definitely has Openvpn installed on it. I typed that service name in manually and it accepted it, but it also accepts any garbage text entered as well, so no idea whether it's actually functioning properly or not.

All that's required for that step is that you type "vpn-handler-openvpn" correctly then click '+' and OK. You can go back to the list to make sure it is there and checked.

Usually when "Ready to start" appears and there is no connection it means there is an auth problem. The username or password may have been mistyped, for instance. You can run 'sudo /usr/lib/qubes/qubes-vpn-setup --config' to re-enter it.

To see what is happening check the log with 'sudo /usr/lib/qubes/qubes-vpn-setup --config'.

> I was also admittedly a bit confused about whether I needed to separately install the qubes-tunnel package first, but the instructions didn't seem to explicitly require it so I did not. Other than that, I followed them to the letter but cannot get the link up.

qubes-tunnel is an alternate (re-named) version of Qubes-vpn-support; use one or the other.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Qubes: Unable to connect to VPN
On Monday, November 19, 2018 at 12:27:40 PM UTC-5, Chris Laprise wrote:
> It could be as simple as editing your /etc/resolv.conf so it contains your VPN provider's DNS server (or other DNS server that you prefer) instead of the Qubes internal routing addresses.

I'll give this a try, thanks. What mystifies me though is that I still have Qubes 3.2 installed on an older laptop and can confirm that on that version, none of these extra config steps are needed. I can activate and deactivate the VPN connection at will on the fly from an AppVM terminal, and it works flawlessly every time. Run openvpn and my IP address changes to the provider as expected. Hit ctrl-c to terminate the connection, and it goes back to my regular ISP-provided address as expected. Ideally I'd actually like to have this ability to switch it on and off as many times as desired during any given session, but maybe that's no longer possible in Qubes 4.

Also, I tried the instructions here:

https://github.com/tasket/Qubes-vpn-support/

..and they did not work. Everything seems to go okay, but after copying/installing/linking everything as directed and then shutting down and restarting the ProxyVM, it pops up the message "Ready to start link", and then just repeatedly does that every 10 seconds or so. The link never actually goes up. Problem isn't with the provider's .ovpn config file, since it works fine on Qubes 3.2 as well as another mainstream Linux distro, with no issues at all.

Not sure if it's significant, but the service "vpn-handler-openvpn" does not appear in the dropdown list of available services in the ProxyVM's settings screen, even though the template on which it is based (Debian 9) most definitely has Openvpn installed on it. I typed that service name in manually and it accepted it, but it also accepts any garbage text entered as well, so no idea whether it's actually functioning properly or not.

I was also admittedly a bit confused about whether I needed to separately install the qubes-tunnel package first, but the instructions didn't seem to explicitly require it so I did not. Other than that, I followed them to the letter but cannot get the link up.
Re: [qubes-users] Qubes: Unable to connect to VPN
On 11/19/2018 12:27 PM, Chris Laprise wrote:
> It could be as simple as editing your /etc/resolv.conf so it contains your VPN provider's DNS server (or other DNS server that you prefer) instead of the Qubes internal routing addresses.
>
> Replace this:
>
>     nameserver 10.139.1.1
>     nameserver 10.139.1.2
>
> With this:
>
>     nameserver

Forgot to mention when you manually edit resolv.conf it should be _after_ the openvpn connection is started. Changing it before might prevent openvpn from starting the connection.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Qubes: Unable to connect to VPN
On 11/19/2018 09:05 AM, Otto Kratik wrote:
> On Monday, November 19, 2018 at 1:09:33 AM UTC-5, Chris Laprise wrote:
> > The Qubes VPN doc has two methods for correct openvpn configuration:
> >
> > https://www.qubes-os.org/doc/vpn/
> >
> > A better method is located here:
> >
> > https://github.com/tasket/Qubes-vpn-support/
> >
> > The difference is more failsafe checks and much smoother setup & operation.
>
> Thanks for your reply. I'm entirely willing to consider using these better, more secure and effective methods in the long run. My first objective however is to determine why the simple method I used in Qubes 3.2 (running Openvpn from AppVM) does not successfully work the same way in Qubes 4.0.
>
> > I would also try pinging known IP addresses (after connecting) to see if you can get a response. If you can, then the problem is likely with the DNS routing and dnat in the firewall.
>
> I've just tested this. After connecting to the VPN from within the AppVM, I can successfully ping known IP addresses from the terminal. However attempts to connect to websites in the browser fail and time out.
>
> What is my next step? How do I check or fix DNS routing and dnat in the firewall?

It could be as simple as editing your /etc/resolv.conf so it contains your VPN provider's DNS server (or other DNS server that you prefer) instead of the Qubes internal routing addresses.

Replace this:

    nameserver 10.139.1.1
    nameserver 10.139.1.2

With this:

    nameserver

Hopefully that's all you'll need. There are different ways to make this permanent. The best is probably to install the "resolvconf" package (if not already there) and then tell openvpn to use its update-resolv-conf script when you run it like this:

    sudo openvpn --config link.conf --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf

If your VPN provider sends DNS info via DHCP at connection time (most do) the script will automatically send it to resolvconf. If you want to use a different DNS server you can manually set resolv.conf at connection time with your own script.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
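What an `--up`/`--down` hook of the kind mentioned in the reply above has to do, as an added example (not the distribution's update-resolv-conf script and not code from the thread): it collects the DNS servers openvpn exports in its `foreign_option_N` environment variables, writes them to resolv.conf on "up", and restores the saved file on "down". It writes the file directly instead of going through the resolvconf package; the `RESOLV_CONF` override, the function names and the sample addresses other than 10.139.1.1 and 10.139.1.2 are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: minimal openvpn --up/--down hook that swaps resolv.conf.
# RESOLV_CONF can be overridden so the logic can be tried on a scratch file.
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# Emit one "nameserver <ip>" line per pushed "dhcp-option DNS <ip>".
# openvpn exports pushed options as foreign_option_1, foreign_option_2, ...
pushed_nameservers() {
    n=1
    while :; do
        eval "opt=\${foreign_option_$n:-}"
        if [ -z "$opt" ]; then break; fi
        case $opt in
            "dhcp-option DNS "*) echo "nameserver ${opt#dhcp-option DNS }" ;;
        esac
        n=$((n + 1))
    done
}

# $1 (or openvpn's $script_type) selects "up" or "down".
vpn_dns_hook() {
    case ${1:-${script_type:-}} in
        up)
            servers=$(pushed_nameservers)
            if [ -z "$servers" ]; then
                echo "no DNS pushed; leaving $RESOLV_CONF alone" >&2
                return 0
            fi
            # Save the pre-VPN file only once, so a reconnect that fires
            # "up" again cannot overwrite the backup with VPN servers.
            if [ ! -e "$RESOLV_CONF.pre-vpn" ]; then
                cp "$RESOLV_CONF" "$RESOLV_CONF.pre-vpn"
            fi
            printf '%s\n' "$servers" > "$RESOLV_CONF"
            ;;
        down)
            # Put the original resolvers back so DNS works after Ctrl-C.
            if [ -e "$RESOLV_CONF.pre-vpn" ]; then
                cat "$RESOLV_CONF.pre-vpn" > "$RESOLV_CONF"
                rm -f "$RESOLV_CONF.pre-vpn"
            fi
            ;;
        *)
            echo "usage: vpn_dns_hook up|down" >&2
            return 2
            ;;
    esac
}

# Offline walk-through on a scratch file with constructed pushed options.
demo() {
    tmp=$(mktemp -d)
    RESOLV_CONF=$tmp/resolv.conf
    printf 'nameserver 10.139.1.1\nnameserver 10.139.1.2\n' > "$RESOLV_CONF"
    foreign_option_1='dhcp-option DNS 10.8.0.1'
    foreign_option_2='dhcp-option DOMAIN example.net'
    foreign_option_3='dhcp-option DNS 10.8.0.2'
    vpn_dns_hook up;   echo "--- after up";   cat "$RESOLV_CONF"
    vpn_dns_hook down; echo "--- after down"; cat "$RESOLV_CONF"
    rm -rf "$tmp"
}

# openvpn sets script_type when it runs a hook; otherwise run the demo.
if [ -n "${script_type:-}" ]; then
    vpn_dns_hook
else
    demo
fi
```

openvpn only runs such a script when `script-security 2` is set, as in the command quoted above.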
Re: [qubes-users] Qubes: Unable to connect to VPN
On Monday, November 19, 2018 at 1:09:33 AM UTC-5, Chris Laprise wrote:
> The Qubes VPN doc has two methods for correct openvpn configuration:
>
> https://www.qubes-os.org/doc/vpn/
>
> A better method is located here:
>
> https://github.com/tasket/Qubes-vpn-support/
>
> The difference is more failsafe checks and much smoother setup & operation.

Thanks for your reply. I'm entirely willing to consider using these better, more secure and effective methods in the long run. My first objective however is to determine why the simple method I used in Qubes 3.2 (running Openvpn from AppVM) does not successfully work the same way in Qubes 4.0.

> I would also try pinging known IP addresses (after connecting) to see if you can get a response. If you can, then the problem is likely with the DNS routing and dnat in the firewall.

I've just tested this. After connecting to the VPN from within the AppVM, I can successfully ping known IP addresses from the terminal. However attempts to connect to websites in the browser fail and time out.

What is my next step? How do I check or fix DNS routing and dnat in the firewall?
Re: [qubes-users] Qubes: Unable to connect to VPN
On 11/19/2018 01:09 AM, Chris Laprise wrote:
> On 11/18/2018 07:36 PM, Otto Kratik wrote:
> > I realize it's possible to create a dedicated ProxyVM and use NetworkConfig to route VPN traffic, but that's not what I'm asking about.
> >
> > In Qubes 3.2 from any standard Debian AppVM connected to Sys-Net I am able to simply do from terminal:
> >
> >     sudo openvpn --config
> >
> > ..and it connects, and from then on all traffic from that AppVM is correctly routed through the VPN, as evidenced by testing IP address from web browser etc.
>
> That approach might not work for DNS, however. Your DNS packets may be leaking through to your regular ISP. There is also no failsafe to prevent data leakage if openvpn for some reason decides to terminate.
>
> > In Qubes 4, this does not seem to work. The same command from AppVM terminal works fine and reports successful connection to the VPN, but from that point all attempts to connect to any website or other remote host fail completely and just time out. As soon as I terminate the VPN by pressing ctrl-c from terminal, net connectivity resumes as normal.
> >
> > What has changed in Qubes 4, and what do I need to do different to make it work?
>
> The Qubes VPN doc has two methods for correct openvpn configuration:
>
> https://www.qubes-os.org/doc/vpn/
>
> A better method is located here:
>
> https://github.com/tasket/Qubes-vpn-support/
>
> The difference is more failsafe checks and much smoother setup & operation.

For your specific question re: running openvpn in AppVMs, you may need to set the openvpn --verb level to 3 and look at the status messages. That will show you what routing commands openvpn is issuing (unfortunately it can vary a lot for different VPN services).

I would also try pinging known IP addresses (after connecting) to see if you can get a response. If you can, then the problem is likely with the DNS routing and dnat in the firewall.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Qubes: Unable to connect to VPN
On 11/18/2018 07:36 PM, Otto Kratik wrote:
> I realize it's possible to create a dedicated ProxyVM and use NetworkConfig to route VPN traffic, but that's not what I'm asking about.
>
> In Qubes 3.2 from any standard Debian AppVM connected to Sys-Net I am able to simply do from terminal:
>
>     sudo openvpn --config
>
> ..and it connects, and from then on all traffic from that AppVM is correctly routed through the VPN, as evidenced by testing IP address from web browser etc.

That approach might not work for DNS, however. Your DNS packets may be leaking through to your regular ISP. There is also no failsafe to prevent data leakage if openvpn for some reason decides to terminate.

> In Qubes 4, this does not seem to work. The same command from AppVM terminal works fine and reports successful connection to the VPN, but from that point all attempts to connect to any website or other remote host fail completely and just time out. As soon as I terminate the VPN by pressing ctrl-c from terminal, net connectivity resumes as normal.
>
> What has changed in Qubes 4, and what do I need to do different to make it work?

The Qubes VPN doc has two methods for correct openvpn configuration:

https://www.qubes-os.org/doc/vpn/

A better method is located here:

https://github.com/tasket/Qubes-vpn-support/

The difference is more failsafe checks and much smoother setup & operation.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
[qubes-users] Qubes: Unable to connect to VPN
I realize it's possible to create a dedicated ProxyVM and use NetworkConfig to route VPN traffic, but that's not what I'm asking about.

In Qubes 3.2 from any standard Debian AppVM connected to Sys-Net I am able to simply do from terminal:

    sudo openvpn --config

..and it connects, and from then on all traffic from that AppVM is correctly routed through the VPN, as evidenced by testing IP address from web browser etc.

In Qubes 4, this does not seem to work. The same command from AppVM terminal works fine and reports successful connection to the VPN, but from that point all attempts to connect to any website or other remote host fail completely and just time out. As soon as I terminate the VPN by pressing ctrl-c from terminal, net connectivity resumes as normal.

What has changed in Qubes 4, and what do I need to do different to make it work?