On 04/26/2018 05:29 PM, JonHBit wrote:
On Wednesday, April 18, 2018 at 5:36:37 AM UTC-4, Chris Laprise wrote:
On 04/17/2018 11:42 PM, Chris Laprise wrote:
On 04/17/2018 09:20 PM, JonHBit wrote:

Worked well for me using a debian-9 template & commit 4e96ca8, only
trouble was that my VPN provider's configs used
/etc/update-resolv-conf and failed silently when it was missing - so
shipping it with qubes-tunnel and installing it by default may be
helpful.

Thanks!

This issue just became apparent to me when another user reported it. The
underlying problem is a bug (or several bugs) in openvpn's option parsing:

https://github.com/tasket/Qubes-vpn-support/issues/19

It only shows up when the config specifies its own scripts which is
rare. I'm trying out a workaround now which involves:

1. Removing the paths in the up & down options in the .service file.

2. Moving the up & down options to the beginning just after the openvpn
command.

3. Symlinking the up/down script from /usr/lib/qubes to the
/rw/config/qtunnel dir.

Hopefully this will override the config's up/down settings as intended.

I had to use a different approach but it should be fixed now. Update it
by copying new version to template and running installer. Then you'll
need to remove the 'qubes-tunnel' Qubes service for the proxyVM and add
'qubes-tunnel-openvpn' instead.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Hi Chris,

Good to see the update!

However I think that's a separate issue; what I'm referencing is these lines in 
my .ovpn config:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

The VPN installer script will normally download this if it's missing - used to 
change the DNS server to the VPN-provided one.

The script is here: 
https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh

After adding it everything worked well.

The update will replace those lines because they should be overridden with the Qubes-specific DNS handling. If dnat isn't set up for DNS then those packets could get mis-routed.

You can check the dnat rules (which should have some address other than 10.139.1.x after connecting) with this:

sudo iptables -v -t nat -L PR-QBS

My guess why it might work with incorrect dnat addresses is that your VPN provider takes the step of re-assigning DNS destination addresses to its own. But this is unorthodox so I wouldn't count on it.


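As an added example (not from the thread above and not part of Qubes-vpn-support), here is a small POSIX shell checker that parses the output of the iptables command Chris quotes and flags any DNS DNAT rule whose to: target is still in 10.139.1.x, i.e. the default Qubes DNS addresses rather than the VPN's resolver. The PR-QBS chain text embedded in it is constructed, not captured from a real proxyVM, in the column layout of `iptables -v -L`; the 10.8.0.1 resolver address is a placeholder.

```shell
#!/bin/sh
# Added example: check that the DNS DNAT rules in the PR-QBS chain of a
# Qubes proxyVM point at the VPN-provided resolver and not at the default
# Qubes DNS addresses in 10.139.1.x (which would mean the VPN DNS was
# never applied and DNS queries can leave by the wrong route).
#
# check_pr_qbs reads `iptables -v -t nat -L PR-QBS` output on stdin.
# It prints one line per DNAT rule and returns:
#   0  every DNAT rule redirects to an address outside 10.139.1.0/24
#   1  at least one rule still points at 10.139.1.x (or has no to: address)
#   2  the chain contains no DNAT rules at all
check_pr_qbs() {
    rules=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *DNAT*) ;;        # only DNAT rules carry a "to:" target
            *) continue ;;
        esac
        rules=$((rules + 1))
        # the redirect target is the "to:ADDR" token near the end of the rule
        target=$(printf '%s\n' "$line" | sed -n 's/.*to:\([0-9.]*\).*/\1/p')
        case "$target" in
            10.139.1.*)
                echo "BAD  to:$target  (default Qubes DNS, not the VPN resolver)"
                bad=$((bad + 1)) ;;
            "")
                echo "BAD  rule without a to: address: $line"
                bad=$((bad + 1)) ;;
            *)
                echo "OK   to:$target" ;;
        esac
    done
    [ "$rules" -gt 0 ] || return 2
    [ "$bad" -eq 0 ] || return 1
    return 0
}

# Real use on the proxyVM:
#   sudo iptables -v -t nat -L PR-QBS | check_pr_qbs

# Constructed sample output (not captured from a real VM) in the column
# layout of `iptables -v -L`; 10.8.0.1 stands in for the VPN's resolver.
SAMPLE_CONNECTED='Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  any    any     anywhere             10.139.1.1           udp dpt:domain to:10.8.0.1
    0     0 DNAT       tcp  --  any    any     anywhere             10.139.1.1           tcp dpt:domain to:10.8.0.1'

SAMPLE_NOT_CONNECTED='Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  any    any     anywhere             10.139.1.1           udp dpt:domain to:10.139.1.1'

for name in SAMPLE_CONNECTED SAMPLE_NOT_CONNECTED; do
    eval "chain=\$$name"
    echo "== $name"
    printf '%s\n' "$chain" | check_pr_qbs || echo "exit status $?"
done
```

The check deliberately treats an empty chain as a failure too: if qubes-tunnel has not installed any DNAT rule at all, DNS is not being redirected to the VPN resolver regardless of what the VPN provider does on its side.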
