On 11/19/2018 09:05 AM, Otto Kratik wrote:
> On Monday, November 19, 2018 at 1:09:33 AM UTC-5, Chris Laprise wrote:
>> The Qubes VPN doc has two methods for correct openvpn configuration:
>> https://www.qubes-os.org/doc/vpn/
>> A better method is located here:
>> https://github.com/tasket/Qubes-vpn-support/
>> The difference is more failsafe checks and much smoother setup & operation.
>
> Thanks for your reply. I'm entirely willing to consider using these better,
> more secure and effective methods in the long run. My first objective however
> is to determine why the simple method I used in Qubes 3.2 (running Openvpn from
> AppVM) does not successfully work the same way in Qubes 4.0.
>
>> I would also try pinging known IP addresses (after connecting) to see if
>> you can get a response. If you can, then the problem is likely with the
>> DNS routing and dnat in the firewall.
>
> I've just tested this. After connecting to the VPN from within the AppVM, I can
> successfully ping known IP addresses from the terminal. However attempts to
> connect to websites in the browser fail and time out.
> What is my next step? How do I check or fix DNS routing and dnat in the
> firewall?

It could be as simple as editing your /etc/resolv.conf so it contains
your VPN provider's DNS server (or other DNS server that you prefer)
instead of the Qubes internal routing addresses.
Replace this:
nameserver 10.139.1.1
nameserver 10.139.1.2
With this:
nameserver <your DNS server>
Hopefully that's all you'll need.
There are different ways to make this permanent. The best is probably to
install the "resolvconf" package (if not already there) and then tell
openvpn to use its update-resolv-conf script when you run it like this:
    sudo openvpn --config link.conf --script-security 2 \
        --up /etc/openvpn/update-resolv-conf \
        --down /etc/openvpn/update-resolv-conf
If your VPN provider sends DNS info via DHCP at connection time (most
do) the script will automatically send it to resolvconf.
If you want to use a different DNS server you can manually set
resolv.conf at connection time with your own script.
--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
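
The kind of connection-time script the reply mentions, as an added example that is not part of the original message or of Qubes-vpn-support: an OpenVPN --up/--down hook that writes resolv.conf from the DNS servers the VPN pushes, or from a server you choose. It relies on OpenVPN's `foreign_option_N` and `script_type` environment variables; `RESOLV_CONF`, `FALLBACK_DNS`, the `.pre-vpn` backup suffix and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: OpenVPN --up/--down hook that manages resolv.conf.
# RESOLV_CONF, FALLBACK_DNS and the function names are assumptions of this sketch.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
FALLBACK_DNS="${FALLBACK_DNS:-}"   # optional: a DNS server you prefer

# OpenVPN exports each pushed option as foreign_option_1, foreign_option_2, ...
# e.g. foreign_option_1="dhcp-option DNS 10.8.0.1" (constructed sample value)
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#dhcp-option DNS }
                # Server-supplied input: accept only IPv4/IPv6 literal characters.
                case "$addr" in
                    ""|*[!0-9A-Fa-f.:]*) ;;
                    *) echo "$addr" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
}

# Build resolv.conf content: pushed servers, else FALLBACK_DNS, else fail.
render_resolv_conf() {
    servers=$(pushed_dns)
    [ -n "$servers" ] || servers=$FALLBACK_DNS
    [ -n "$servers" ] || return 1
    for s in $servers; do echo "nameserver $s"; done
}

vpn_dns_up() {
    new=$(render_resolv_conf) || { echo "no DNS server available" >&2; return 1; }
    [ -e "$RESOLV_CONF.pre-vpn" ] || cp "$RESOLV_CONF" "$RESOLV_CONF.pre-vpn"
    printf '%s\n' "$new" > "$RESOLV_CONF"
}

vpn_dns_down() {
    if [ -e "$RESOLV_CONF.pre-vpn" ]; then mv "$RESOLV_CONF.pre-vpn" "$RESOLV_CONF"; fi
}

# OpenVPN sets script_type to "up" or "down" when it runs the hook.
case "${script_type:-}" in
    up)   vpn_dns_up ;;
    down) vpn_dns_down ;;
esac
```

Saved as an executable file, it would be passed to both --up and --down with --script-security 2, in place of update-resolv-conf.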