On Mon, May 29, 2017 at 08:59:57AM -0700, [email protected] wrote:
> I followed the procedure of setting 2 vpn proxyvm, one is openvpn and another
> one is pptp. Both of them are working fine in Ubuntu 16.04 and Windows 10.
> However, on Qubes OS 3.2, I have encountered the following problem.
>
>
> 1) openvpn is working, but failed to connect to VPN automatically when "VM
> uplink eth0" is connected.
>
> I did check the "Automatically connect to VPN when using this connection"
> on the GUI configuration tool and confirmed I saved it many times.
>
> I rebooted the vm and even rebooted the Qubes OS, but vpn didn't come up
> automatically, and "Automatically connect to VPN when using this connection"
> on the gui was unchecked by itself.
>
>
> 2) For pptp vpn, it just failed to connect. As said the configuration is
> working in Ubuntu and Windows.
>
> Is there anyone who can help? And thank you for your help in advance.

Picking up your second point, I suspect that the problem lies with your
firewall rules. PPTP requires some specific rules that you will need to
configure using iptables on the netvm upstream of your proxyvm, on the
proxyvm itself, AND you will have to enable inbound routing from internet
to the vpn proxyvm.

This may sound daunting, but if you take it methodically you should be
fine. It is (from memory) relatively simple to set up.

I'm assuming that you have proxyvm attached direct to sys-net. If this
isn't the case then you will have to make appropriate changes to
intermediate vms also.

First you need to allow INBOUND protocol 47:

On sys-net:

    modprobe ip_conntrack_pptp
    modprobe ip_nat_pptp
    iptables -I FORWARD -p 47 -s <vpn server> -j ACCEPT

On proxyVM:

    iptables -I INPUT -p 47 -s <vpn server> -j ACCEPT

Now, zero the iptables counters (using -Z), and try to start the vpn.
You should see the counters incrementing both in sys-net and on the vpn
proxy. If the connection fails, look to see if any DROP rules are being
triggered.

By default PPTP uses tcp port 1723, so you could put in a rule to log
that traffic:

    iptables -I FORWARD -p tcp --dport 1723 -j LOG

Once you have this working you can place the necessary rules in rc.local
and/or qubes-firewall-script in /rw/config, so that they are
automatically set up for you. Alternatively, put them in a simple script,
and trigger it when you want to start the VPN: this may be better if you
only have the VPN working some of the time.

I hope there's enough here to get you started. If you hit further
problems, let us know.

unman
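
The counter check described in the reply above, as an added example that is not part of the original message: a shell function that reads `iptables -L -v -n -x` output and lists the protocol 47 ACCEPT counters, any rule matching tcp port 1723, and any DROP or REJECT rule (or chain policy) that has counted packets. The function names, the sample listing and the address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.
# Reads `iptables -L -v -n -x` output on stdin (-x gives exact counters).
pptp_counter_report() {
    awk '
    $1 == "Chain" {
        chain = $2
        # Built-in chains show policy hits: (policy DROP 3 packets, ...)
        if ($3 == "(policy" && $4 == "DROP" && $5 + 0 > 0)
            print "DROP_HIT", chain, "policy", $5
        next
    }
    $1 !~ /^[0-9]+$/ { next }   # skip column headers and blank lines
    {
        pkts = $1 + 0; target = $3; prot = $4
        # Protocol 47 prints as "47" or "gre" depending on iptables version
        if (target == "ACCEPT" && (prot == "47" || prot == "gre"))
            print "GRE_ACCEPT", chain, pkts
        if ($0 ~ /dpt:1723/)
            print "TCP_1723", chain, target, pkts
        if ((target == "DROP" || target == "REJECT") && pkts > 0)
            print "DROP_HIT", chain, "rule", pkts
    }'
}

# Exit status 0 only if some protocol-47 ACCEPT rule has counted packets.
pptp_gre_seen() {
    pptp_counter_report |
        awk '$1 == "GRE_ACCEPT" && $3 > 0 { ok = 1 } END { exit !ok }'
}

# Constructed sample: sys-net FORWARD chain after a failed connection attempt.
sample_counters() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4      240 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 LOG flags 0 level 4
       0        0 ACCEPT     47   --  *      *       203.0.113.10         0.0.0.0/0
       9      612 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

sample_counters | pptp_counter_report
# On a real qube, as root: iptables -L -v -n -x | pptp_counter_report
```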
