On 05/14/2018 06:23 PM, Evastar wrote:
It's important to know how you set up the VPN VM. If you used the Qubes
doc, that config can have problems recovering from a disconnected link.
If you used a recent version of Qubes-vpn-support or qubes-tunnel,
restarting the service is simple:

    sudo systemctl restart qubes-vpn-handler

or

    sudo systemctl restart qubes-tunnel

Thanks for your quick answer. I use my own VPN setup based not on openvpn, but
ethervpn. This qube comes from 3.2. I use the same old code. I wrote it based on
old openvpn code. This code adds routes on startup, then iptables rules for DNS
and some other rules to prevent traffic leaks. The same as the UP handler from
qubes-doc does.
There is no "recovering setup". How to add this?
Need to delete rules added by this then execute this again? Is it recovery?

    iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
    iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr

I re-checked the Qubes VPN doc. It's almost the same, but no up/down handler. I
set up rules in rc.local. At 3.2 I do not have this problem. When my VPN loses
connection, it always works after my VPN client reconnects.

Posting back to qubes-users...
Probably there is someone who is familiar with ethervpn who can better
help you.
My advice is to monitor the ethervpn log for warnings/errors when the
blockage occurs. Then perhaps a simpler solution will become clear.
If you are using the same firewall rules as the Qubes doc, try
commenting-out the parts for 'OUTPUT'.
As for the DNAT rules, delete & re-add should only be necessary if the
DNS server changes. Also, when blockage occurs you can try pinging a
known IP address (not domain name) from an appVM; if it doesn't work
then DNAT is probably not the issue.
Finally, if you find the solution involves restarting the ethervpn
client, you may want to run it with 'systemd-run --unit' to give you
better control over the process. You could even try running it with
qubes-tunnel using a drop-in file for the service (see 00_example.conf
and manpages for systemd.unit "overriding vendor settings").
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
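
The point about the DNAT rules (delete & re-add only when the DNS server changes) can be scripted as below. This is an added example, not part of the original messages or of any Qubes project code; the state file path, the IPT override and the function names are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example, not from the thread. IPT and STATE_FILE are assumptions:
# IPT lets a dry-run stub stand in for iptables; STATE_FILE remembers the
# DNS address the current DNAT rules point at.
IPT="${IPT:-iptables}"
STATE_FILE="${STATE_FILE:-/run/vpn-dns-addr}"

# Apply one action (-A to add, -D to delete) to the UDP and TCP port-53
# rules quoted in the thread.
dnat_rules() {
    action=$1
    addr=$2
    for proto in udp tcp; do
        $IPT -t nat "$action" PR-QBS -i vif+ -p "$proto" --dport 53 \
            -j DNAT --to "$addr" || return 1
    done
}

# Usage: refresh_dns_dnat NEW_DNS_ADDR
# Returns 0 if the rules were re-pointed, 1 if the address is unchanged
# (rules left alone), 2 on invalid input or an iptables failure.
refresh_dns_dnat() {
    new=$1
    # Only a dotted-quad IPv4 address may reach the iptables command line.
    case $new in
        ''|*[!0-9.]*) return 2 ;;
    esac
    printf '%s\n' "$new" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2

    old=
    if [ -r "$STATE_FILE" ]; then old=$(cat "$STATE_FILE"); fi
    if [ "$new" = "$old" ]; then return 1; fi

    # Delete the stale pair first; ignore failure if it is already gone.
    if [ -n "$old" ]; then dnat_rules -D "$old" || true; fi
    dnat_rules -A "$new" || return 2
    printf '%s\n' "$new" > "$STATE_FILE"
}
```

Called from whatever hook runs when the VPN client reconnects, this leaves the rules alone on a plain reconnect and never stacks duplicate DNAT entries in PR-QBS.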