Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
Correction to instructions I followed:

Create proxy using VPN template:
    sys-VPN
    Green
    Provides Network Checked
    connect to sys-net
    Launch settings - Checked

Settings:
    Add files and Terminal to Applications
    Initial memory = 500mb
    Max memory = 4500
    Add “vpn-handler-openvpn” to services

Open a terminal and file manager in new proxy appVM:
    cd “Then drag qubes4 file into terminal from tasket/github”
    sudo bash ./install
    Enter VPN name and password
    Close terminal
    Reopen terminal

Transfer XXX PIA config files into your new VPN AppVM:
    Change your PIA config file to “openvpn-client” and add DNS if wanting to use a DNS service other than PIA
    setenv vpn_dns 'IP of DNS provider'

Move PIA files by running this command:
    sudo mv “Then highlight the .pem, .crt and config file (renamed to “openvpn-client.ovpn”) and drag them into the terminal” /rw/config/vpn

Final terminal commands to create .conf file:
    cd /rw/config/vpn
    sudo ln -s openvpn-client.ovpn vpn-client.conf

Restart VM!!!

Wait for “Ready to Connect” and “Link is UP”

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ce3d2efe-dc10-472b-a9c2-3062d1fed894%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
Once again Tasket/Chris thanks for the help...got it working with both Debian and Fedora in 4.0 running as an Appvm.

The issue was in the .conf file/password linking and the order I was doing this. I think my debian issue was not having openvpn in the debian template.

Is Qubes4 still the file to use?

Great work and thanks again.

V

I followed these specific directions (kind of a hybrid between terminal and GUI...in line with your instructions on github):

Create new appvm Qube:

For Debian proxy, add OpenVPN package to your VPN template:
    su
    apt-get update && apt-get install openvpn unzip

Create proxy using VPN template:
    sys-VPN
    Green
    Provides Network Checked
    connect to sys-net
    Launch settings - Checked

Settings:
    Add files and Terminal to Applications
    Initial memory = 500mb
    Max memory = 4500
    Add “vpn-handler-openvpn” to services

Open a terminal and file manager in new proxy appVM:
    cd “Then drag qubes4 file into terminal from tasket/github”
    sudo bash ./install
    Enter VPN name and password
    Close terminal
    Reopen terminal

Transfer Tasket/Qubes4 file and PIA config files into your new VPN AppVM:
    Change your PIA config file to “openvpn-client” and add DNS if wanting to use a DNS service other than PIA
    setenv vpn_dns 'IP of DNS provider'

Move PIA files by running this command:
    sudo mv “Then highlight the .pem, .crt and config file (renamed to “openvpn-client.ovpn”) and drag them into the terminal” /rw/config/vpn

Final terminal commands to create .conf file:
    cd /rw/config/vpn
    sudo ln -s openvpn-client.ovpn vpn-client.conf

Restart VM!!!

Wait for “Ready to Connect” and “Link is UP”

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
On 04/06/2018 06:41 PM, vel...@tutamail.com wrote:
> > > Totally willing to try to "avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?
> >
> > The command is just "sleep 2s".
>
> If I am launching a VM from the GUI when would I put "sleep 2s" into the terminal? I am learning but not there yet...

This is not important as it only saves about 8 seconds at startup.

> > > I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration:
> > > https://www.privateinternetaccess.com/pages/client-support/
> > > I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
> > >
> > > Thanks again for the help...
> >
> > Got your log... I think the real culprit shows up here:
> >
> > "AUTH: Received control message: AUTH_FAILED"
> >
> > This could mean the user/password weren't entered correctly. You can see how it's stored by issuing this command:
> >
> >     sudo cat /rw/config/vpn/userpassword.txt
> >
> > To fix it you can edit that file, or run the --config step again from the instructions.
>
> Thanks for that tip...the password is good. Tested it with another application and it is correct and working. The VPN proxy also had the correct password. What else could this be?

I researched the error and it indicates there is a problem with the username or password. You could try running the --config step again to re-enter them.

You could also try checking that /tmp/userpassword.txt has the login info as well...

    sudo cat /tmp/userpassword.txt

If it doesn't have the info then there is something wrong with the startup script.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
> > I pulled the logs, looked thru them, I didn't see any personal information.
> > Seemed OK to paste on the forum but sent them to you directly just in
> > case...feel free to post any info for the greater good of the community.
> > Thank you again for the help...
> >
> > I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file
> > and put them into the VPN folder.
>
> Just FYI, putting all the configs (instead of selecting them) in /vpn is
> easier.

Thanks for that...I'll try that!

> > Totally willing to try to "avoid
> > the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
> > just before the first systemctl command; it will start quicker." Would you
> > be open to sharing the commands for this?
>
> The command is just "sleep 2s".

If I am launching a VM from the GUI when would I put "sleep 2s" into the terminal? I am learning but not there yet...

> > I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL
> > Restrictive Configuration:
> > https://www.privateinternetaccess.com/pages/client-support/
> > I then move each of the 3 individual files mentioned above into the
> > /rw/config/vpn folder.
> >
> > Thanks again for the help...
>
> Got your log... I think the real culprit shows up here:
>
> "AUTH: Received control message: AUTH_FAILED"
>
> This could mean the user/password weren't entered correctly. You can see
> how it's stored by issuing this command:
>
>     sudo cat /rw/config/vpn/userpassword.txt
>
> To fix it you can edit that file, or run the --config step again from
> the instructions.

Thanks for that tip...the password is good. Tested it with another application and it is correct and working. The VPN proxy also had the correct password. What else could this be?

What I know:

* This worked with 3.2 in Fedora but I experienced the same error with Debian in 3.2
* This worked for a brief moment in 4.0(fedora), had saved the beta file and was using that when it worked. I lost that older github/tasket file, I downloaded the 4.0 file and have not got it working again.
* I get the "Ready to start link" but then no connection
* This is new information but I can connect to my phone wireless but when I try another AP it can't connect. I am not sure this is relevant but in my network connection I get the following messages:

    Ethernet Network (vif6.0) Device not managed: my connection works
    Ethernet Network (vif.20) Device not managed: my connection DOES NOT work

Tasket my gut tells me I have something else missing, if you can get it to work, I am getting a ready to connect message, I had it working. Would a BIOS setting have an impact? When I boot I get this error:

    ERROR parsing PCC subspaces from PCCT
    [Failed] Failed to start Load Kernel Modules

Followed by:

    [OK] started Apply Kernel Variable
    [OK] Started Setup Virtual Console

The struggle I am having is a lack of knowledge about how to troubleshoot this although you have taught me a lot Tasket thank you.

Any other thoughts? I don't want to go back to 3.2 but without a VPN/kill switch I don't see I have a choice.

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
On 04/06/2018 12:38 PM, vel...@tutamail.com wrote:
> I pulled the logs, looked thru them, I didn't see any personal information. Seemed OK to paste on the forum but sent them to you directly just in case...feel free to post any info for the greater good of the community. Thank you again for the help...
>
> I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder.

Just FYI, putting all the configs (instead of selecting them) in /vpn is easier.

> Totally willing to try to "avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?

The command is just "sleep 2s".

> I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration:
> https://www.privateinternetaccess.com/pages/client-support/
> I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
>
> Thanks again for the help...

Got your log... I think the real culprit shows up here:

"AUTH: Received control message: AUTH_FAILED"

This could mean the user/password weren't entered correctly. You can see how it's stored by issuing this command:

    sudo cat /rw/config/vpn/userpassword.txt

To fix it you can edit that file, or run the --config step again from the instructions.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
I pulled the logs, looked thru them, I didn't see any personal information. Seemed OK to paste on the forum but sent them to you directly just in case...feel free to post any info for the greater good of the community. Thank you again for the help...

I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder.

Totally willing to try to "avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?

I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration:
https://www.privateinternetaccess.com/pages/client-support/
I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.

Thanks again for the help...

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
On 04/06/2018 09:08 AM, vel...@tutamail.com wrote:
> Thanks Chris...again thank you for the effort! This tool is great...
>
> Does it matter that Private internet access provides 3 separate files (key, cert and client config)?

Yes it matters. You should put all of them in the /rw/config/vpn folder or the config won't work.

> I have the proxy AppVM set up with "provides network"(proxy) checked, I have tried a setup in proxy only and a setup in Template/Proxy, PVH(tried PV...similar to 3.2)...I don't think it is the setup as much as the configuration of the template?

No need to mess with virt type... default PVH is fine.

> I installed GNOME and Openvpn (Using those names specifically) in Debian, no additional packages installed in stock fedora...
>
> I feel like I am missing a very basic command or tweak, whonix works, wireless works, sys-firewall works...any help would be appreciated. It seems something related to PIA VPN configuration or VPN-handler-openvpn

I'm using Debian 9 also and just did a test with PIA. On my system the service fails initially then restarts 10sec later because the firewall rules take time to set up. It works fine this way.

If you want to avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker.

> Here are my logs/commands from your suggestions:
>
> root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
> total 0
> lrwxrwxrwx 1 root root 38 Apr 5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict
> root@sys-VPNb5:/home/user# iptables -v -L FORWARD

The iptables and qubes-firewall.d look correct. But the logs you added look garbled. Can you capture the following and attach it to a reply in tar format..?

    sudo journalctl -u qubes-vpn-handler >qvpn.log
    tar -czf qvpnlog.tgz qvpn.log
    qvm-copy qvpnlog.tgz

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
Thanks Chris...again thank you for the effort! This tool is great...

Does it matter that Private internet access provides 3 separate files (key, cert and client config)?

I have the proxy AppVM set up with "provides network"(proxy) checked, I have tried a setup in proxy only and a setup in Template/Proxy, PVH(tried PV...similar to 3.2)...I don't think it is the setup as much as the configuration of the template?

I installed GNOME and Openvpn (Using those names specifically) in Debian, no additional packages installed in stock fedora...

I feel like I am missing a very basic command or tweak, whonix works, wireless works, sys-firewall works...any help would be appreciated. It seems something related to PIA VPN configuration or VPN-handler-openvpn

Here are my logs/commands from your suggestions:

    root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
    total 0
    lrwxrwxrwx 1 root root 38 Apr 5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict

    root@sys-VPNb5:/home/user# iptables -v -L FORWARD
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target       prot opt in    out   source    destination
        0     0 DROP         all  --  eth0  any   anywhere  anywhere
        0     0 DROP         all  --  any   eth0  anywhere  anywhere
        0     0 ACCEPT       all  --  any   any   anywhere  anywhere     ctstate RELATED,ESTABLISHED
        0     0 QBS-FORWARD  all  --  any   any   anywhere  anywhere
        0     0 DROP         all  --  vif+  vif+  anywhere  anywhere
        0     0 ACCEPT       all  --  vif+  any   anywhere  anywhere
        0     0 DROP         all  --  any   any   anywhere  anywhere

I copied errors when I run journalctl:

    Apr 06 02:09:52 sys-VPNb5 gnome-terminal-[966]: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degra
    Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0)
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
    Apr 06 02:09:46 localhost systemd[1]: Started Adjust root filesystem size.
    Apr 06 02:09:46 localhost kernel: Error: Driver 'pcspkr' is already registered, aborting...
    Apr 06 02:09:46 localhost mount-dirs.sh[351]: Private device management: fsck.ext4 of /dev/xvdb succeeded
    Apr 06 02:09:45 localhost kernel: xvdc: xvdc1
    Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext3 due to feature incompatibilities
    Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext2 due to feature incompatibilities
    Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): mounted filesystem with ordered data mode. Opts: (null)
    Apr 06 02:09:45 localhost kernel: EXT4-fs (xvdd): mounting ext3 file system using the ext4 subsystem
    Apr 06 02:09:45 localhost kernel: dmi-sysfs: dmi entry is absent.
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: Started Serial Getty on hvc0.
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: Reached target Login Prompts.
    Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0)
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
    Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
    Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG network certificate management daemon.
    Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG cryptographic agent (ssh-agent emulation).

Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
On 04/05/2018 04:41 PM, vel...@tutamail.com wrote:
> Error: Firewall rule(s) not enabled!

The service now checks if the firewall rules were added. In this case it seems they weren't.

When you ran 'sudo /usr/lib/qubes/qubes-vpn-setup --config' in the proxyVM it should have added a symlink to the firewall script in /rw/config/qubes-firewall.d/90_tunnel-restrict. You can check it with 'ls -l /rw/config/qubes-firewall.d'.

Also look at the FORWARD chain which is where the checked rules are added:

    $ sudo iptables -v -L FORWARD

You should see a couple DROP eth0 rules at the top:

    DROP all -- eth0 any anywhere anywhere
    DROP all -- any eth0 anywhere anywhere

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

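The two checks described in the reply above, scripted as an added example that is not part of the original thread or of the Qubes-vpn-support project. The function names are hypothetical, and the sample listing is constructed from the FORWARD chain posted elsewhere in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and the rule layout come from
# the messages above; the function names are hypothetical.
LINK_NAME=90_tunnel-restrict
LINK_TARGET=/usr/lib/qubes/proxy-firewall-restrict

# check_firewall_link DIR: succeed only if DIR/90_tunnel-restrict is a
# symlink to the firewall script, as in the `ls -l` output in the thread.
check_firewall_link() {
    link="$1/$LINK_NAME"
    [ -L "$link" ] || { echo "missing symlink: $link"; return 1; }
    [ "$(readlink "$link")" = "$LINK_TARGET" ] ||
        { echo "unexpected target: $(readlink "$link")"; return 1; }
    echo "firewall link OK"
}

# check_forward_chain: reads `iptables -v -L FORWARD` output on stdin.
# Succeeds only if an unconditional DROP for in=eth0 and one for out=eth0
# both appear before any rule with another target (ACCEPT or a jump).
check_forward_chain() {
    awk '
        function anyif(x)   { return x == "any" || x == "*" }  # -n prints "*"
        function anyaddr(x) { return x == "anywhere" || x == "0.0.0.0/0" }
        $1 == "Chain" || $1 == "pkts" || NF < 9 { next }  # headers, blanks
        {
            plain = ($4 == "all" && anyaddr($8) && anyaddr($9) && NF == 9)
            if ($3 == "DROP" && plain) {
                if ($6 == "eth0" && anyif($7)) drop_in = 1
                if (anyif($6) && $7 == "eth0") drop_out = 1
            } else if ($3 != "DROP" && !(drop_in && drop_out)) {
                early = 1
            }
        }
        END {
            if (!drop_in)  { print "no DROP for packets arriving on eth0"; exit 1 }
            if (!drop_out) { print "no DROP for packets leaving via eth0"; exit 1 }
            if (early)     { print "a non-DROP rule precedes the eth0 DROPs"; exit 1 }
            print "FORWARD chain OK"
        }
    '
}

# Constructed sample: the chain as posted in the thread, columns restored.
sample_good() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target       prot opt in    out   source    destination
    0     0 DROP         all  --  eth0  any   anywhere  anywhere
    0     0 DROP         all  --  any   eth0  anywhere  anywhere
    0     0 ACCEPT       all  --  any   any   anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 QBS-FORWARD  all  --  any   any   anywhere  anywhere
    0     0 DROP         all  --  vif+  vif+  anywhere  anywhere
    0     0 ACCEPT       all  --  vif+  any   anywhere  anywhere
    0     0 DROP         all  --  any   any   anywhere  anywhere
EOF
}

# Constructed sample: the same chain with the two eth0 rules absent.
sample_missing() { sample_good | grep -v eth0; }

# Live use in the proxyVM:
#   check_firewall_link /rw/config/qubes-firewall.d
#   sudo iptables -v -L FORWARD | check_forward_chain
sample_good    | check_forward_chain
sample_missing | check_forward_chain || true
```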
[qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
I thought I would start a new thread, I had Tasket's VPN solution working like a charm with 3.2 but when I transitioned to Qubes 4.0 it no longer worked. I did manage to get it working but I didn't capture my steps:(

3.2 thread:
https://groups.google.com/forum/#!topic/qubes-users/FUQaRPWXPj8

I have been trying this for a few days but admit I am stumped...

How do I troubleshoot and get this up?

Notes:
    I am trying to use Debian 9 for this
    I was experiencing similar issues with Fedora(I didn't capture the logs)
    I get a message that my VPN VM is "Ready to start link" message
    I have tried using the 4.0 VPN file and the Master file (similar results)

When I run "Su journalctl" on my VPN-VM I find these errors:

    Apr 05 10:15:12 sys-VPNb5 systemd[1]: Reached target Network is Online.
    Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting keep memory of all UPnP devices that announced themselves...
    Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting /etc/rc.local Compatibility...
    Apr 05 10:15:12 sys-VPNb5 qrexec-agent[560]: executed user:QUBESRPC qubes.SetMonitorLayout dom0 pid 649
    Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: iptables: Bad rule (does a matching rule exist in that chain?).
    Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: Error: Firewall rule(s) not enabled!
    Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting Permit User Sessions...
    Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
    Apr 05 10:15:12 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
    Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
    Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
    Apr 05 10:15:12 sys-VPNb5 su[633]: Successful su for user by root
    Apr 05 10:15:12 sys-VPNb5 su[633]: + ??? root:user
    Apr 05 10:15:12 sys-VPNb5 qrexec-agent[649]: pam_unix(qrexec:session): session opened for user user by (uid=0)

Is there anybody who can help?