Hi,
I followed the tutorial "Set up a ProxyVM as a VPN gateway using iptables and 
CLI scripts" [1], then I subscribed to NordVPN and configured OpenVPN over UDP 
(since my ISP blocks OpenVPN over TCP).
---------------
My final architecture is the following:
AppVM ----> VPN (ProxyVM) ----> Firewall VM ----> Network VM
---------------
Firewall VM rules: Deny all but:
Address | Service | Protocol
*       | OpenVPN | UDP
*       | OpenVPN | TCP
*       | HTTPS   | TCP
---------------
Problem: this works for almost all websites I use, except a few, like 
Protonmail, Facebook, etc. These sites either show some content just after 
logging in, or logging in is impossible, and then they load endlessly.
It seems like a "Keep-alive connection issue".
---------------
Investigation:
1) I allowed full access on the firewall for 5 minutes
2) I launched Wireshark on the VPN VM
3) I tried to log in to Protonmail
Results: (excerpt)
- 10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2
- 192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable (Fragmentation 
needed)
- 185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938 [ACK] 
Seq=69096 Ack=1868 Win=66 Len=0 SLE=3193 SRE=3194
- 10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 443 [ACK] 
Seq=1868 Ack=69096 Win=3261 Len=1325
[...]
- 10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443 [ACK] Seq=977 
Ack=1262 Win=32640 Len=0
---------------
Do you know any solution to prevent this from happening? Maybe a configuration 
trick of OpenVPN or of the VPN VM?

[1] https://www.qubes-os.org/doc/vpn/

Thanks,
Christophe
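
A small diagnostic, added here as an example and not part of Christophe's post or the Qubes documentation: it parses Wireshark summary lines like the excerpt above (the sample below is constructed from that excerpt, not a real capture file) and distinguishes a path-MTU black hole (ICMP "Fragmentation needed" plus repeated retransmission of large TCP segments while small ones such as keep-alives get through) from plain packet loss. The thresholds and verdict names are my own assumptions; the usual remedy for the black-hole verdict is lowering the tunnel MTU or clamping the MSS (OpenVPN's --mssfix option), which the script only reports, not applies.

```python
import re

# Constructed sample modelled on the Wireshark excerpt in the post (not a real capture).
SAMPLE_LINES = [
    "- 10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2",
    "- 192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable (Fragmentation needed)",
    "- 185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938 [ACK] "
    "Seq=69096 Ack=1868 Win=66 Len=0 SLE=3193 SRE=3194",
    "- 10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 443 [ACK] "
    "Seq=1868 Ack=69096 Win=3261 Len=1325",
    "- 10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443 [ACK] "
    "Seq=977 Ack=1262 Win=32640 Len=0",
]

# "<src> -> <dst> <protocol> <frame length> <info>" as Wireshark's summary pane prints it.
LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\S+) (?P<frame>\d+) (?P<info>.*)$")
LEN_RE = re.compile(r"\bLen=(\d+)")


def parse_capture(lines):
    """Count the events that matter for an MTU diagnosis."""
    stats = {"frag_needed": 0, "retrans_lens": [], "dup_acks": 0, "keepalives": 0}
    for raw in lines:
        m = LINE_RE.match(raw.strip().lstrip("- "))  # tolerate the leading "- " bullet
        if not m:
            continue  # not a summary line we understand; skip rather than guess
        info = m["info"]
        if m["proto"] == "ICMP" and "Fragmentation needed" in info:
            stats["frag_needed"] += 1  # a router on the path asked us to send smaller packets
        elif m["proto"] == "TCP":
            if "[TCP Retransmission]" in info:
                ln = LEN_RE.search(info)
                stats["retrans_lens"].append(int(ln.group(1)) if ln else 0)
            elif "[TCP Dup ACK" in info:
                stats["dup_acks"] += 1
            elif "[TCP Keep-Alive]" in info:
                stats["keepalives"] += 1
    return stats


def diagnose_capture(lines, small_segment=200):
    """Return a verdict: only large segments failing alongside ICMP frag-needed is a PMTU black hole."""
    stats = parse_capture(lines)
    large = [n for n in stats["retrans_lens"] if n > small_segment]
    if stats["frag_needed"] and large:
        verdict = "pmtu-blackhole"       # lower tunnel MTU / clamp MSS below the largest failing payload
    elif stats["retrans_lens"]:
        verdict = "generic-loss"         # small segments fail too; not an MTU problem
    else:
        verdict = "no-retransmissions"   # keep-alives alone are normal idle traffic
    stats["largest_retransmitted_payload"] = max(stats["retrans_lens"], default=0)
    stats["verdict"] = verdict
    return stats
```

Run `diagnose_capture(SAMPLE_LINES)` on the excerpt and the verdict is "pmtu-blackhole" with a 1325-byte payload that never gets through, while the 0-byte keep-alive is acknowledged normally.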

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/tnICtqmC5EaPld_xdfXMzM6l5iTGP1CTzkhKtU74CV7LoII76MCDaE_PTftC5fB5warQZegcYqFJzSBljOdwGwf3mnwP1gH-E-b5CXbdRmk%3D%40pm.me.
For more options, visit https://groups.google.com/d/optout.