On Thursday, April 26, 2018 at 6:38:41 PM UTC-7, Chris Laprise wrote: > On 04/26/2018 05:29 PM, JonHBit wrote: > > On Wednesday, April 18, 2018 at 5:36:37 AM UTC-4, Chris Laprise wrote: > >> On 04/17/2018 11:42 PM, Chris Laprise wrote: > >>> On 04/17/2018 09:20 PM, JonHBit wrote: > >> > >>>> Worked well for me using a debian-9 template & commit 4e96ca8, only > >>>> trouble was that my VPN provider's configs used > >>>> /etc/update-resolv-conf and failed silently when it was missing - so > >>>> shipping it with qubes-tunnel and installing it by default may be > >>>> helpful. > >>> > >>> Thanks! > >>> > >>> This issue just became apparent to me when another user reported it. The > >>> underlying problem is a bug (or several bugs) in openvpn's option parsing: > >>> > >>> https://github.com/tasket/Qubes-vpn-support/issues/19 > >>> > >>> It only shows up when the config specifies its own scripts which is > >>> rare. I'm trying out a workaround now which involves: > >>> > >>> 1. Removing the paths in the up & down options in the .service file. > >>> > >>> 2. Moving the up & down options to the beginning just after the openvpn > >>> command. > >>> > >>> 3. Symlinking the up/down script from /usr/lib/qubes to the > >>> /rw/config/qtunnel dir. > >>> > >>> Hopefully this will override the config's up/down settings as intended. > >> > >> I had to use a different approach but it should be fixed now. Update it > >> by copying new version to template and running installer. Then you'll > >> need to remove the 'qubes-tunnel' Qubes service for the proxyVM and add > >> 'qubes-tunnel-openvpn' instead. > >> > >> > >> -- > >> > >> Chris Laprise, tas...@posteo.net > >> https://github.com/tasket > >> https://twitter.com/ttaskett > >> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 > > > > Hi Chris, > > > > Good to see the update! > > > > However I think that's a separate issue; what I'm referencing is these > > lines in my .ovpn config: > > > > script-security 2 > > up /etc/openvpn/update-resolv-conf > > down /etc/openvpn/update-resolv-conf > > > > The VPN installer script will normally download this if it's missing - used > > to change the DNS server to the VPN-provided one. > > > > The script is here: > > https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh > > > > After adding it everything worked well. > > The update will replace those lines because they should be overridden > with the Qubes-specific DNS handling. If dnat isn't setup for DNS then > those packets could get mis-routed. > > You can check the dnat rules (which should have some address other than > 10.139.1.x after connecting) with this: > > sudo iptables -v -t nat -L PR-QBS > > My guess why it might work with incorrect dnat addresses is that your > VPN provider takes the step of re-assigning DNS destination addresses to > its own. But this is unorthodox so I wouldn't count on it. > > > -- > > Chris Laprise, tas...@posteo.net > https://github.com/tasket > https://twitter.com/ttaskett > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
I've updating to 1.4beta4 and switched templates from debian-9 to fedora-28, but I'm getting the same error - also it seems like openvpn flag defaults changed, as it now returns an error for the up and down arguments Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2 arguments instead of 1; putting the whole phrase in double quotes fixes this, which I see you did but for some reason the quotes seem to be removed when ExecStart runs, i.e. checking systemctl status qubes-tunnel shows the command without the quotes -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eeefbba3-565f-443b-b80f-04353cd975a7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.