On 11/19/2018 01:09 AM, Chris Laprise wrote:
On 11/18/2018 07:36 PM, Otto Kratik wrote:
I realize it's possible to create a dedicated ProxyVM and use NetworkConfig to route VPN traffic, but that's not what I'm asking about.

In Qubes 3.2 from any standard Debian AppVM connected to Sys-Net I am able to simply do from terminal:

sudo openvpn --config <VPN provider's ovpn config file>

..and it connects, and from then on all traffic from that AppVM is correctly routed through the VPN, as evidenced by testing IP address from web browser etc.

That approach might not work for DNS, however. Your DNS packets may be leaking through to your regular ISP. There is also no failsafe to prevent data leakage if openvpn for some reason decides to terminate.



In Qubes 4, this does not seem to work. The same command from AppVM terminal works fine and reports successful connection to the VPN, but from that point all attempts to connect to any website or other remote host fail completely and just time out. As soon as I terminate the VPN by pressing ctrl-c from terminal, net connectivity resumes as normal.

What has changed in Qubes 4, and what do I need to do differently to make it work?

The Qubes VPN doc has two methods for correct openvpn configuration:

https://www.qubes-os.org/doc/vpn/

A better method is located here:

https://github.com/tasket/Qubes-vpn-support/

The difference is more failsafe checks and much smoother setup & operation.

For your specific question re: running openvpn in AppVMs, you may need to set the openvpn --verb level to 3 and look at the status messages. That will show you what routing commands openvpn is issuing (unfortunately it can vary a lot for different VPN services).

I would also try pinging known IP addresses (after connecting) to see if you can get a response. If you can, then the problem is likely with the DNS routing and dnat in the firewall.

--

Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
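
The log reading suggested above (routing commands at `--verb 3`, and telling a routing problem from a DNS problem), as an added example that is not part of the original message or of Qubes-vpn-support. The log lines, addresses and function names are constructed for illustration; the comparison against a resolv.conf-style file is an assumed heuristic.

```shell
#!/bin/sh
# Constructed sample of `openvpn --verb 3` output (all addresses are made up).
sample_log() {
cat <<'EOF'
Mon Nov 19 01:00:00 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Mon Nov 19 01:00:00 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 19 01:00:00 2018 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Mon Nov 19 01:00:02 2018 /sbin/ip route add 203.0.113.10/32 via 10.137.0.6
Mon Nov 19 01:00:02 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Mon Nov 19 01:00:02 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Mon Nov 19 01:00:02 2018 Initialization Sequence Completed
EOF
}

# Routing commands openvpn issued, with the timestamp prefix stripped (log on stdin).
route_cmds() {
    sed -n 's/^.* \([^ ]*ip route .*\)$/\1/p'
}

# DNS servers the VPN server pushed via "dhcp-option DNS" (log on stdin).
pushed_dns() {
    grep 'PUSH_REPLY' | tr ',' '\n' | sed -n 's/^dhcp-option DNS \([0-9a-fA-F.:]*\).*$/\1/p'
}

# Nameservers listed in a resolv.conf-style file ($1, default /etc/resolv.conf).
resolv_dns() { awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"; }

# Pushed DNS servers that the resolver config does not use. On Linux, openvpn
# only hands dhcp-option values to up/down scripts; it does not apply them itself.
dns_gaps() {  # $1 = openvpn log file, $2 = resolv.conf-style file
    for ns in $(pushed_dns < "$1"); do
        resolv_dns "$2" | grep -qxF "$ns" || echo "$ns"
    done
}

# Demo on the constructed data above.
tmp=$(mktemp -d)
sample_log > "$tmp/openvpn.log"
printf 'nameserver 10.139.1.1\n' > "$tmp/resolv.conf"   # constructed resolver config
echo "Routes issued by openvpn:"; route_cmds < "$tmp/openvpn.log"
echo "Pushed DNS servers not in resolv.conf:"; dns_gaps "$tmp/openvpn.log" "$tmp/resolv.conf"
rm -rf "$tmp"
```

If pings to known IP addresses succeed while `dns_gaps` still lists a server, name lookups are not going to the resolver the VPN pushed, which fits the DNS explanation rather than the routing one.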
