Hello Chris
On 08/21/2017 06:28 PM, Chris Laprise wrote:
On 08/20/2017 05:38 PM, 'PhR' via qubes-users wrote:
Unfortunately the App-VM which uses the VPN Proxy VM can't connect.
The Setup:
sys-net <-- sys-firewall <-- my-vpn (Proxy VM) <-- my-work (App VM)
(...)
You could ping a known IP address from the appVM. If it works the
problem is likely limited to DNS.
Pinging a VPN address from within my Proxy VPN (work-vpn) after
connecting via AnyConnect VPN works.
But pinging from my work-AppVM doesn't work.
In the proxyVM, check the contents of /etc/resolv.conf after your
Cisco client connects. If it's updated (not a 10.137.x.x number) you
can run /usr/lib/qubes/qubes-setup-dnat-to-ns to enable DNS forwarding
over the VPN.
I have checked /etc/resolv.conf:
[user@my-work-vpn ~]$ cat /etc/resolv.conf
domain intern.MYCOMPANY.de
nameserver 192.168.1.6
nameserver 192.168.1.11
nameserver 10.137.2.1
nameserver 10.137.2.254
search intern.MYCOMPANY.de
Another setting to check is /proc/sys/net/ipv4/ip_forward which should
contain a value of '1'. Also, the iptables 'POSTROUTING' chain should
have a masquerade target:
$ cat /proc/sys/net/ipv4/ip_forward
It is enabled (content: 1)
$ sudo iptables -L -t nat
[user@my-work-vpn ~]$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PR-QBS all -- anywhere anywhere
PR-QBS-SERVICES all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
Chain PR-QBS (1 references)
target prot opt source destination
DNAT udp -- anywhere 10.137.5.1 udp dpt:domain to:10.137.2.1
DNAT tcp -- anywhere 10.137.5.1 tcp dpt:domain to:10.137.2.1
DNAT udp -- anywhere 10.137.5.254 udp dpt:domain to:10.137.2.254
DNAT tcp -- anywhere 10.137.5.254 tcp dpt:domain to:10.137.2.254
Chain PR-QBS-SERVICES (1 references)
target prot opt source destination
Do I need to tweak any other rules or settings in the ProxyVM or AppVM?
As the ProxyVM can perfectly connect to corporate servers, VPN is working.
If I switch the Net-VM in my work AppVM to the normal sys-firewall I can
connect to the internet.
As such it seems that both proxyVM and AppVM work normally but
not if I put everything together.
Any more ideas?
- PhR
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/a478774d-4ae0-7c17-dff5-5585855d707a%40googlemail.com.
For more options, visit https://groups.google.com/d/optout.
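The checks Chris lists (VPN nameservers in /etc/resolv.conf, ip_forward set to 1, a MASQUERADE target in the nat POSTROUTING chain) can be scripted so they are run the same way every time inside the ProxyVM. The script below is an added example written for this thread; it is not part of the thread and not a Qubes tool. It also compares the "to:" targets of the PR-QBS DNAT rules with resolv.conf: in the output PhR posted, resolv.conf lists 192.168.1.6 and 192.168.1.11 first, while PR-QBS still forwards the AppVM's DNS to 10.137.2.1 and 10.137.2.254, which is the state that /usr/lib/qubes/qubes-setup-dnat-to-ns regenerates from resolv.conf. The sample data in the block is copied (abridged) from PhR's mail; the function names and the `--live` flag are the script's own.

```shell
#!/bin/sh
# Added diagnostic helper for a Qubes ProxyVM (not from the thread, not from
# Qubes). Each check reads its input from stdin, so it works on saved output
# as well as on the live VM.

# 1. /etc/resolv.conf: print nameservers outside 10.137.0.0/16; fail if none.
resolv_vpn_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^10\.137\./ { found = 1; print $2 }
         END { exit (found ? 0 : 1) }'
}

# 2. /proc/sys/net/ipv4/ip_forward must contain exactly "1".
ip_forward_enabled() {
    read -r value && [ "$value" = "1" ]
}

# 3. "iptables -L -t nat": a MASQUERADE target inside chain POSTROUTING.
postrouting_has_masquerade() {
    awk '$1 == "Chain" { in_post = ($2 == "POSTROUTING"); next }
         in_post && $1 == "MASQUERADE" { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# 4. "iptables -L -t nat": the "to:" targets of the DNAT rules in PR-QBS.
#    Scans every field, so wrapped output (as pasted in the mail) also works.
pr_qbs_dnat_targets() {
    awk '$1 == "Chain" { in_qbs = ($2 == "PR-QBS"); next }
         in_qbs { for (i = 1; i <= NF; i++) if ($i ~ /^to:/) print substr($i, 4) }'
}

# Live check of the VM this runs in (the ProxyVM, "my-vpn" in the thread).
check_proxyvm() {
    status=0
    resolv_vpn_nameservers < /etc/resolv.conf > /dev/null \
        || { echo "resolv.conf: only Qubes resolvers (10.137.x.x) listed"; status=1; }
    ip_forward_enabled < /proc/sys/net/ipv4/ip_forward \
        || { echo "ip_forward is not 1"; status=1; }
    nat=$(sudo iptables -L -t nat)
    printf '%s\n' "$nat" | postrouting_has_masquerade \
        || { echo "no MASQUERADE target in nat POSTROUTING"; status=1; }
    if printf '%s\n' "$nat" | pr_qbs_dnat_targets | grep -q '^10\.137\.' \
       && resolv_vpn_nameservers < /etc/resolv.conf > /dev/null; then
        echo "PR-QBS still DNATs DNS to Qubes resolvers; run /usr/lib/qubes/qubes-setup-dnat-to-ns"
        status=1
    fi
    return $status
}

# Sample input, copied (abridged) from PhR's mail in the thread.
SAMPLE_RESOLV='domain intern.MYCOMPANY.de
nameserver 192.168.1.6
nameserver 192.168.1.11
nameserver 10.137.2.1
nameserver 10.137.2.254
search intern.MYCOMPANY.de'
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PR-QBS all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
Chain PR-QBS (1 references)
target prot opt source destination
DNAT udp -- anywhere 10.137.5.1 udp
dpt:domain to:10.137.2.1
DNAT tcp -- anywhere 10.137.5.1 tcp
dpt:domain to:10.137.2.1
DNAT udp -- anywhere 10.137.5.254 udp
dpt:domain to:10.137.2.254
DNAT tcp -- anywhere 10.137.5.254 tcp
dpt:domain to:10.137.2.254
Chain PR-QBS-SERVICES (1 references)
target prot opt source destination'

# Run the checks against the sample output instead of the live system.
demo_from_thread() {
    printf '%s\n' "$SAMPLE_RESOLV" | resolv_vpn_nameservers | sed 's/^/VPN nameserver: /'
    printf '%s\n' "$SAMPLE_NAT" | postrouting_has_masquerade && echo "POSTROUTING: MASQUERADE present"
    printf '%s\n' "$SAMPLE_NAT" | pr_qbs_dnat_targets | sort -u | sed 's/^/PR-QBS DNATs DNS to: /'
    return 0
}

if [ "${1:-}" = "--live" ]; then check_proxyvm; else demo_from_thread; fi
```

Run it without arguments to see the checks applied to the pasted output; run it with `--live` inside the ProxyVM after the VPN client has connected. A non-zero exit means at least one of the four conditions is not met, and the printed line says which one.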