Hello Chris

On 08/21/2017 06:28 PM, Chris Laprise wrote:
On 08/20/2017 05:38 PM, 'PhR' via qubes-users wrote:
Unfortunately the App-VM which uses the VPN Proxy VM can't connect.
The Setup:
sys-net <-- sys-firewall <-- my-vpn (Proxy VM) <-- my-work (App VM)
(...)

You could ping a known IP address from the appVM. If it works, the problem is likely limited to DNS.

Pinging a VPN address from within my Proxy VPN (work-vpn) after connecting via AnyConnect VPN works.
But pinging from my work-AppVM doesn't work.

In the proxyVM, check the contents of /etc/resolv.conf after your Cisco client connects. If it's updated (not a 10.137.x.x number) you can run /usr/lib/qubes/qubes-setup-dnat-to-ns to enable DNS forwarding over the VPN.

I have checked /etc/resolv.conf:

[user@my-work-vpn ~]$ cat /etc/resolv.conf
domain intern.MYCOMPANY.de
nameserver 192.168.1.6
nameserver 192.168.1.11
nameserver 10.137.2.1
nameserver 10.137.2.254
search intern.MYCOMPANY.de

Another setting to check is /proc/sys/net/ipv4/ip_forward which should contain a value of '1'. Also, the iptables 'POSTROUTING' chain should have a masquerade target:

$ cat /proc/sys/net/ipv4/ip_forward

It is enabled (content: 1)

$ sudo iptables -L -t nat

[user@my-work-vpn ~]$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PR-QBS     all  --  anywhere             anywhere
PR-QBS-SERVICES  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain PR-QBS (1 references)
target     prot opt source               destination
DNAT       udp  --  anywhere             10.137.5.1           udp dpt:domain to:10.137.2.1
DNAT       tcp  --  anywhere             10.137.5.1           tcp dpt:domain to:10.137.2.1
DNAT       udp  --  anywhere             10.137.5.254         udp dpt:domain to:10.137.2.254
DNAT       tcp  --  anywhere             10.137.5.254         tcp dpt:domain to:10.137.2.254

Chain PR-QBS-SERVICES (1 references)
target     prot opt source               destination

Do I need to tweak any other rules or settings in the ProxyVM or AppVM?
As the ProxyVM can perfectly connect to corporate servers, the VPN is working.

If I switch the Net-VM in my work AppVM to the normal sys-firewall I can connect to the internet. So both the proxyVM and the AppVM seem to work normally on their own, but not if I put everything together.

Any more ideas?

- PhR

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a478774d-4ae0-7c17-dff5-5585855d707a%40googlemail.com.
For more options, visit https://groups.google.com/d/optout.
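Added diagnostic example (not from this thread or the Qubes project) that does the comparison Chris's /etc/resolv.conf and iptables checks lead up to: it parses the two outputs PhR posted (reproduced here as constructed sample strings, with the PR-QBS chain split back into its four rules) and lists the VPN resolvers that the PR-QBS DNAT rules do not forward to. Using 10.137.0.0/16 to tell Qubes-internal resolvers from VPN ones is an assumption of this example.

```python
import re
import ipaddress

# Constructed samples, copied from the outputs quoted in the thread.
RESOLV_CONF = """domain intern.MYCOMPANY.de
nameserver 192.168.1.6
nameserver 192.168.1.11
nameserver 10.137.2.1
nameserver 10.137.2.254
search intern.MYCOMPANY.de
"""
IPTABLES_NAT = """Chain PR-QBS (1 references)
target     prot opt source               destination
DNAT       udp  --  anywhere             10.137.5.1           udp dpt:domain to:10.137.2.1
DNAT       tcp  --  anywhere             10.137.5.1           tcp dpt:domain to:10.137.2.1
DNAT       udp  --  anywhere             10.137.5.254         udp dpt:domain to:10.137.2.254
DNAT       tcp  --  anywhere             10.137.5.254         tcp dpt:domain to:10.137.2.254

Chain PR-QBS-SERVICES (1 references)
target     prot opt source               destination
"""
# Assumption: Qubes' internal VM range; resolvers in it are the upstream Qubes DNS, not the VPN's.
QUBES_NET = ipaddress.ip_network("10.137.0.0/16")


def resolv_nameservers(text):
    """Nameserver addresses from resolv.conf text, in file order."""
    return re.findall(r"^nameserver\s+(\S+)", text, re.M)


def prqbs_dnat_targets(text):
    """'to:' addresses of the DNAT rules in the PR-QBS chain of `iptables -L -t nat`."""
    chain = re.search(r"^Chain PR-QBS \(.*?\n(.*?)(?=^Chain |\Z)", text, re.M | re.S)
    if not chain:
        return []
    return re.findall(r"^DNAT\b.*\bto:(\S+)", chain.group(1), re.M)


def unforwarded_vpn_resolvers(resolv_text, nat_text):
    """VPN resolvers from resolv.conf that no PR-QBS DNAT rule points at.

    Non-empty means AppVM DNS queries still go to the upstream Qubes resolvers;
    rerunning /usr/lib/qubes/qubes-setup-dnat-to-ns rewrites PR-QBS from resolv.conf.
    """
    targets = set(prqbs_dnat_targets(nat_text))
    return [ns for ns in resolv_nameservers(resolv_text)
            if ipaddress.ip_address(ns) not in QUBES_NET and ns not in targets]


if __name__ == "__main__":
    print("PR-QBS does not forward to:", unforwarded_vpn_resolvers(RESOLV_CONF, IPTABLES_NAT))
```

On the outputs PhR posted this reports 192.168.1.6 and 192.168.1.11 as unforwarded, which is the DNS-only failure Chris's first reply suspected.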