Thanks for quick response, see following replies.

> 'fedora-30' would be the name of a template VM, not a regular app VM.
> Templates are blocked from regular Internet access in Qubes.

Sorry for the confusion. The actual app VM is named 'work' and is based on fedora-30 template. I also have two identical VMs named 'personal' and 'personal-vpn' based on ubuntu-18 template. The NetVM for 'personal' is sys-firewall, and I have full Internet access (i.e. 'ping 8.8.8.8' is success response). The NetVM for 'personal-vpn' is sys-vpn, and no Internet traffic goes through ('ping 8.8.8.8' is 100% packet loss).

> If all you want fedora-30 to do is update or install software, it can be
> done if an update proxy is added to the system (the existing update
> proxy in sys-net can no longer see the template's requests bc its
> traffic is encrypted by sys-vpn). This could be done by enabling the
> Qubes service 'qubes-updates-proxy' for your sys-firewall-vpn VM.
> Alternately, you could make the templates update directly by adding
> 'updates-proxy-setup' to their Qubes services tab and then un-checking
> it (this has the effect of disabling the updates-proxy client).

Good to know, thanks. I did read this in the qubes documentation and had played around with it a bit on test VMs, but have not needed to perform any proxy updates as all the template updates are performing as expected, and I only need to restart my app VMs and net VMs to inherit software updates from the templates. I have not needed to add update proxy to any app VMs.

> A note about the firewall in qubes-vpn-support: If it's configured
> correctly with the example settings (using the 'vpn-handler-openvpn'
> Qubes service) then you should not be able to browse Internet sites from
> inside sys-vpn. Also, you should see a popup notification stating that
> the VPN link is 'UP' when sys-vpn starts.

Great point. Initially I was having connection problems on sys-vpn. I was only able to get the popup notification and Internet access after I added 'vpn-handler-egress' service (I had already added 'vpn-handler-openvpn' when I created the VM).

> You can check on the VPN status in sys-vpn with 'sudo journalctl -u
> qubes-vpn-handler'. You can also check firewall settings with 'sudo
> iptables -L -v -t nat' and the 'Chain PR-QBS' should have ip addresses
> pointing to your VPN provider's DNS server in the rightmost column
> (traffic can appear to be blocked if this doesn't get set).

I did use 'sudo journalctl -u qubes-vpn-handler' to troubleshoot problems when I first tried to install qubes-vpn-support. On my first go-around I cloned sys-net and then installed the scripts as instructed. I had failures reported in journalctl (sorry, I cannot remember what the errors were), so I ended up deleting that VM and instead of cloning off sys-net, I created a new VM based on fedora-30, added the 'vpn-handler-openvpn' service, and installed qubes-vpn-support. This time no failures reported from journalctl. I verified that my VPN provider's DNS servers are listed correctly in iptables.

Open to additional suggestions or insights, will perform any commands you request for details.

Thanks for your help

> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
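
The PR-QBS check discussed in this message can be scripted. The following is an added example, not part of the original message or of qubes-vpn-support; the function names and the sample addresses (10.8.0.1 as the provider's DNS server) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of qubes-vpn-support or the original message.
# Print the unique DNAT destinations ("to:ADDR") found in Chain PR-QBS,
# reading `iptables -L -v -t nat` output on stdin.
pr_qbs_dns_targets() {
    awk '
        /^Chain / { in_chain = ($2 == "PR-QBS"); next }
        in_chain && $3 == "DNAT" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^to:/) { sub(/^to:/, "", $i); sub(/:[0-9]+$/, "", $i); print $i }
        }
    ' | sort -u
}

# check_vpn_dns EXPECTED_DNS...  (stdin: iptables output)
# Fails if PR-QBS has no DNAT rule or any rule points somewhere unexpected.
check_vpn_dns() {
    targets=$(pr_qbs_dns_targets)
    if [ -z "$targets" ]; then
        echo "FAIL: PR-QBS has no DNAT rules; VPN DNS was never set"
        return 1
    fi
    for t in $targets; do
        ok=no
        for e in "$@"; do
            if [ "$t" = "$e" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then
            echo "FAIL: DNS redirected to unexpected address $t"
            return 1
        fi
    done
    echo "OK: PR-QBS DNS targets:" $targets
}

# Constructed sample output (addresses are made up for illustration).
sample_output() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 PR-QBS     all  --  any    any     anywhere             anywhere
Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 DNAT       udp  --  any    any     anywhere             10.139.1.1           udp dpt:domain to:10.8.0.1
    0     0 DNAT       tcp  --  any    any     anywhere             10.139.1.1           tcp dpt:domain to:10.8.0.1
EOF
}

# On a real system: sudo iptables -L -v -t nat | check_vpn_dns <provider DNS IP>
sample_output | check_vpn_dns 10.8.0.1
```

An empty PR-QBS chain is reported separately from a wrong target, since the message notes that traffic can appear blocked when the DNS addresses never get set.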