Thanks for the quick response; see the following replies.

> 'fedora-30' would be the name of a template VM, not a regular app VM. 
> Templates are blocked from regular Internet access in Qubes. 
>

Sorry for the confusion. The actual app VM is named 'work' and is based on 
fedora-30 template. I also have two identical VMs named 'personal' and 
'personal-vpn' based on ubuntu-18 template. The NetVM for 'personal' is 
sys-firewall, and I have full Internet access (i.e. 'ping 8.8.8.8' gets a 
successful response). The NetVM for 'personal-vpn' is sys-vpn, and no Internet 
traffic goes through ('ping 8.8.8.8' is 100% packet loss).
 

>
> If all you want fedora-30 to do is update or install software, it can be 
> done if an update proxy is added to the system (the existing update 
> proxy in sys-net can no longer see the template's requests bc its 
> traffic is encrypted by sys-vpn). This could be done by enabling the 
> Qubes service 'qubes-updates-proxy' for your sys-firewall-vpn VM. 
> Alternately, you could make the templates update directly by adding 
> 'updates-proxy-setup' to their Qubes services tab and then un-checking 
> it (this has the effect of disabling the updates-proxy client). 
>

Good to know, thanks. I did read this in the qubes documentation and had 
played around with it a bit on test VMs, but have not needed to perform any 
proxy updates as all the template updates are performing as expected, and I 
only need to restart my app VMs and net VMs to inherit software updates 
from the templates. I have not needed to add update proxy to any app VMs. 

>
> A note about the firewall in qubes-vpn-support: If it's configured 
> correctly with the example settings (using the 'vpn-handler-openvpn' 
> Qubes service) then you should not be able to browse Internet sites from 
> inside sys-vpn. Also, you should see a popup notification stating that 
> the VPN link is 'UP' when sys-vpn starts. 
>

Great point. Initially I was having connection problems on sys-vpn. I was 
only able to get the popup notification and Internet access after I added 
'vpn-handler-egress' service (I had already added 'vpn-handler-openvpn' 
when I created the VM).

>
> You can check on the VPN status in sys-vpn with 'sudo journalctl -u 
> qubes-vpn-handler'. You can also check firewall settings with 'sudo 
> iptables -L -v -t nat' and the 'Chain PR-QBS' should have ip addresses 
> pointing to your VPN provider's DNS server in the rightmost column 
> (traffic can appear to be blocked if this doesn't get set). 
>

I did use 'sudo journalctl -u qubes-vpn-handler' to troubleshoot problems 
when I first tried to install qubes-vpn-support. On my first go-around I 
cloned sys-net and then installed the scripts as instructed. I had failures 
reported in journalctl (sorry, I cannot remember what the errors were), so 
I ended up deleting that VM and instead of cloning off sys-net, I created a 
new VM based on fedora-30, added the 'vpn-handler-openvpn' service, and 
installed qubes-vpn-support. This time no failures reported from 
journalctl. 

I verified that my VPN provider's DNS servers are listed correctly in 
iptables.

Open to additional suggestions or insights; I will perform any commands you 
request for details. Thanks for your help.

> -- 
>
> Chris Laprise, tas...@posteo.net 
> https://github.com/tasket 
> https://twitter.com/ttaskett 
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886 
>
