On 6/12/19 2:53 PM, Chris Laprise wrote:
On 6/12/19 10:14 AM, 'Crypto Carabao Group' via qubes-users wrote:
We've also been trying for days to get a VPN to  resolve on a brand new R4.0 install, to either one of 2 different VPN providers, using the iptables and cli scripts: https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
I've also set it up before on a 3.x cubes and it worked using the above.
So far, what's pretty certain is that these instructions were carried over automatically, but actually don't work for the R4.0 version.

BTW, there is no "/usr/lib/qubes/qubes-vpn-setup" in the Fedora 29 or Debian 9  templates. So, wherever that came from, it's not in the new installer version we got.

There is no mention of a 'qubes-vpn-setup' in the vpn doc you linked to. That script is a part of my Qubes-vpn-support project on github. You might want to use that instead since the setup process is much simpler:


Neither is there a path: /etc/openvpn/update-resolv-conf in the VMs based on Fedora 29. (Haven't tried Debian 9 for that yet.) That probably came from a particular VPN provider, and would have to be installed in the template anyway to persist, right?

There is no mention of 'update-resolv-conf' in the vpn doc, either.

One of the most frequent causes of failed vpn setups is when the user decides to mix or combine different instructions because 'more is better' or because they saw different people discussing the merits of different approaches. This does NOT work; you have to pick one and follow it.

It seems that the update-resolve-conf is a default script that ships with some distros, such as Mint (attached), and works on our other machine, and does the function that the "|qubes-vpn-handler.sh|" does in the Qubes VPN instructions, but it doesn't work on Qubes in our case for the same VPN provider either. Seems to require a lot of modification and merge the two maybe, which will take us another several days to figure out, if ever.

Updating resolv.conf is not required at all to get DNS working for downstream appVMs. The instructions avoid doing this to help keep the VPN VM in a locked-down state, so it doesn't inadvertently try to access the tunnel for its internal programs (i.e. only downstream VMs get to access the tunnel).

What IS necessary is populating the DNAT rules in the firewall. Check the PR-QBS chain to see if your DNS server IPs were added: iptables -L -v -t nat PR-QBS

Install per the instructions for Mr.Laprise's excellent qubes-vpn-setup in an Template-based AppVM , don't miss any steps. ELSE

delete the AppVM and startover make sure openvpn is installed in the Template chosen , make sure to enable proxy in the created AppVM , and for services add the openvpn in the qubes manager tab

Which VPN provider are you using ?

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to