On 08/16/2016 06:56 AM, kotot...@gmail.com wrote:
To test this theory, you could put a 7sec delay in qubes-vpn-handler.sh
right before the line 'iptables -t nat -F PR-QBS'. Then the right IPs
should appear in PR-QBS.
It did work. Thank you again!

I wonder what is changing the NAT rules. I only see one 'up' directive in the 
openvpn configuration, the one calling the qubes script. Maybe something from 
Qubes itself? It's correct that the ProxyVM should be connected to sys-firewall, 
right?

That was going to be my next question: Is there anything in the vpn config that triggers it, such as any other references to scripts? Ideally, there should only be up and down.

If you're comfortable posting the configuration maybe I or someone else could see the cause. Also the parts of the log output near the end that deal with PUSH data, since that is a source of configuration directives.

I also wonder if your template might have an openvpn service configured to autostart... creating a second openvpn process? You can check that with ps, systemctl, etc.

Also, Network Manager should not be running in that vm.

Finally, you could disable the /usr/lib/qubes/qubes-setup-dnat-to-ns script by renaming it right before openvpn starts (but it does have to run once on vm start). That should prevent it from steamrolling over the vpn-specific IPs.

Chris
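
An added example, not part of the original thread: a shell script for the config and log review suggested above, listing every script or plugin hook in an OpenVPN config other than up/down and splitting a PUSH_REPLY log line into the options the server pushed. The function names and the sample config and log are constructed for illustration; the hook names are OpenVPN's own script and plugin options.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# OpenVPN options that run an external script or load a plugin.
HOOKS="up down route-up route-pre-down ipchange tls-verify"
HOOKS="$HOOKS auth-user-pass-verify client-connect client-disconnect learn-address plugin"

# list_hooks FILE: print "LINE: directive ..." for every hook in the config.
list_hooks() {
    awk -v list="$HOOKS" '
        BEGIN { n = split(list, h, " "); for (i = 1; i <= n; i++) hook[h[i]] = 1 }
        /^[ \t]*([#;]|$)/ { next }              # skip comments and blank lines
        { d = $1; sub(/^--/, "", d); if (d in hook) print NR ": " $0 }
    ' "$1"
}

# extra_hooks FILE: the same list, minus the expected up/down pair.
extra_hooks() {
    list_hooks "$1" | grep -Ev '^[0-9]+:[[:space:]]*(--)?(up|down)[[:space:]]' || true
}

# pushed_options LOG: one server-pushed option per line, taken from PUSH_REPLY.
pushed_options() {
    sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" "$1" | tr ',' '\n'
}

# Constructed sample config and log, reviewed when the script is run directly.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/vpn.conf" <<'EOF'
client
dev tun
# route-up /etc/old-hook.sh
script-security 2
up "qubes-vpn-handler.sh up"
down "qubes-vpn-handler.sh down"
route-up /etc/openvpn/update-resolv-conf
EOF
    printf '%s\n' "PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,route 10.8.0.1'" > "$tmp/vpn.log"
    extra_hooks "$tmp/vpn.conf"      # hooks to investigate
    pushed_options "$tmp/vpn.log"    # directives that came from the server
    rm -rf "$tmp"
}

demo
```

Any line printed by extra_hooks is a script that can run alongside the Qubes handler; pushed options show which directives arrived from the server rather than from the local config.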
