Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-11 Thread gaikokujinkyofusho
On Monday, July 11, 2016 at 11:57:04 AM UTC-7, gaikokuji...@gmail.com wrote:
> On Wednesday, July 6, 2016 at 12:29:28 PM UTC+11:30, gaikokuji...@gmail.com 
> wrote:
> > On Wednesday, July 6, 2016 at 9:50:10 AM UTC+12, Chris Laprise wrote:
> > > On 07/06/2016 09:31 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > On Wednesday, July 6, 2016 at 5:40:20 AM UTC-4, Chris Laprise wrote:
> > > >> On 07/05/2016 03:05 PM, gaikokujinkyofu...@gmail.com wrote:
> > > >>> I renamed the file, and that seems to have gotten it, in that I am 
> > > >>> now prompted to login to the vpn but now I noticed that my VpnVM does 
> > > >>> not have network access?
> > > >>>
> > > >>> I don't know at what point this happened but perhaps this is related 
> > > >>> to what Chris was talking about with the firewall blocking openvpn? 
> > > >>> (though I am not even able to ping things like google.com etc, vpn 
> > > >>> running or not). I did not change the NetVM, it is still sys-firewall 
> > > >>> if that matters?
> > > >> You will probably need to put your username and password in an
> > > >> /rw/config/openvpn/auth.txt file, then add 'auth-user-pass filename' to
> > > >> your ovpn config. This will allow openvpn to connect without user 
> > > >> input.
> > > >>
> > > >> Connecting the vpn vm to either sys-firewall or sys-net is fine.
> > > >>
> > > >> Once the qubes-firewall-user-script is running you can't ping or make
> > > >> other connections from inside the vpn vm. You should connect an appvm 
> > > >> to
> > > >> the vpn vm and test from there.
> > > >>
> > > >> BTW, I'll be submitting a revised doc that mentions when and where to
> > > >> test the connection.
> > > >>
> > > >> Chris
> > > > Thanks for that auth part, quite handy. As for not being able to 
> > > > connect from inside the vpn, ok I guess except shouldn't the vpn at 
> > > > least be able to connect? when I try to start up the vpn (now with the 
> > > > handy auth automatically put in) I get this:
> > > >
> > > > sudo openvpn --cd /rw/config/openvpn/ --config 
> > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > Wed Jul  6 09:10:59 2016 RESOLVE: Cannot resolve host address: 
> > > > vpnprovider.org: No address associated with hostname
> > > > ^CWed Jul  6 09:11:06 2016 RESOLVE: signal received during DNS 
> > > > resolution attempt
> > > > Wed Jul  6 09:11:06 2016 SIGINT[hard,init_instance] received, process 
> > > > exiting
> > > > [user@VPN openvpn]$
> > > 
> > > Right... It should do that because with the firewall rules only programs 
> > > run under group 'qvpn' can access the net. You didn't run it with the 
> > > group there.
> > > 
> > > And I guess you can also ping and stuff in the VPN VM, too, if you run 
> > > those programs under the group. But in general you should avoid it.
> > > 
> > > Chris
> > 
> > Hurrah! Happy to see that an error is actually a *good* thing. So, with 
> > your reminder I retried it with sg and it works! and using it as a proxyvm 
> > for other appvms works! 
> > 
> > I am going to let this soak in a bit, read up on (quite) a few things (like 
> > sg?) then try to figure some other aspects out like randomly (or somewhat 
> > randomly, or at least more easily than editing files each time) being able 
> > to switch vpn servers as my provider has a few to pick from. Thoughts?
> > 
> > Thank you so *very* much for your help/patience, there is no way I would 
> > have been able to read my way through this.
> 
> I am not sure if I should start a new thread or continue this one but will 
> continue this one for the time being I guess.
> 
> The VPN setup was running fine and I had zipped up the /rw/config dir with 
> all the new properly setup files and such and backed it up (now wishing I had 
> backed up the VpnVM now). I later read that R3.2 will be deprecating KDE so 
> I decided to start over with just xfce installed.
> 
> I reinstalled Qubes and unzipped the config dir backup and put the right 
> files in their place, tried to check permissions etc and then fired it up, 
> seemed to start up with no apparent errors. Catch is, when I try to use it as 
> a NetVM for other AppVMs it doesn't seem to work. 
> 
> The AppVMs kind of search for awhile then time out (as opposed to instantly 
> going to saying there is no connection). I also tried to redo it from 
> scratch, no backup files, same result.
> 
> I was at least hoping for an error that I could do a search on but there 
> doesn't seem to be an obvious one here?

Also, I did select, in the other AppVMs, the VpnVM and it doesn't work but then 
the same AppVM works fine when I go back to the default firewall. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 

Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-11 Thread gaikokujinkyofusho
On Wednesday, July 6, 2016 at 12:29:28 PM UTC+11:30, gaikokuji...@gmail.com 
wrote:
> On Wednesday, July 6, 2016 at 9:50:10 AM UTC+12, Chris Laprise wrote:
> > On 07/06/2016 09:31 AM, gaikokujinkyofu...@gmail.com wrote:
> > > On Wednesday, July 6, 2016 at 5:40:20 AM UTC-4, Chris Laprise wrote:
> > >> On 07/05/2016 03:05 PM, gaikokujinkyofu...@gmail.com wrote:
> > >>> I renamed the file, and that seems to have gotten it, in that I am now 
> > >>> prompted to login to the vpn but now I noticed that my VpnVM does not 
> > >>> have network access?
> > >>>
> > >>> I don't know at what point this happened but perhaps this is related to 
> > >>> what Chris was talking about with the firewall blocking openvpn? 
> > >>> (though I am not even able to ping things like google.com etc, vpn 
> > >>> running or not). I did not change the NetVM, it is still sys-firewall 
> > >>> if that matters?
> > >> You will probably need to put your username and password in an
> > >> /rw/config/openvpn/auth.txt file, then add 'auth-user-pass filename' to
> > >> your ovpn config. This will allow openvpn to connect without user input.
> > >>
> > >> Connecting the vpn vm to either sys-firewall or sys-net is fine.
> > >>
> > >> Once the qubes-firewall-user-script is running you can't ping or make
> > >> other connections from inside the vpn vm. You should connect an appvm to
> > >> the vpn vm and test from there.
> > >>
> > >> BTW, I'll be submitting a revised doc that mentions when and where to
> > >> test the connection.
> > >>
> > >> Chris
> > > Thanks for that auth part, quite handy. As for not being able to connect 
> > > from inside the vpn, ok I guess except shouldn't the vpn at least be able 
> > > to connect? when I try to start up the vpn (now with the handy auth 
> > > automatically put in) I get this:
> > >
> > > sudo openvpn --cd /rw/config/openvpn/ --config 
> > > /rw/config/openvpn/openvpn-client.ovpn
> > > Wed Jul  6 09:10:59 2016 RESOLVE: Cannot resolve host address: 
> > > vpnprovider.org: No address associated with hostname
> > > ^CWed Jul  6 09:11:06 2016 RESOLVE: signal received during DNS resolution 
> > > attempt
> > > Wed Jul  6 09:11:06 2016 SIGINT[hard,init_instance] received, process 
> > > exiting
> > > [user@VPN openvpn]$
> > 
> > Right... It should do that because with the firewall rules only programs 
> > run under group 'qvpn' can access the net. You didn't run it with the 
> > group there.
> > 
> > And I guess you can also ping and stuff in the VPN VM, too, if you run 
> > those programs under the group. But in general you should avoid it.
> > 
> > Chris
> 
> Hurrah! Happy to see that an error is actually a *good* thing. So, with your 
> reminder I retried it with sg and it works! and using it as a proxyvm for 
> other appvms works! 
> 
> I am going to let this soak in a bit, read up on (quite) a few things (like 
> sg?) then try to figure some other aspects out like randomly (or somewhat 
> randomly, or at least more easily than editing files each time) being able to 
> switch vpn servers as my provider has a few to pick from. Thoughts?
> 
> Thank you so *very* much for your help/patience, there is no way I would have 
> been able to read my way through this.

I am not sure if I should start a new thread or continue this one but will 
continue this one for the time being I guess.

The VPN setup was running fine and I had zipped up the /rw/config dir with all 
the new properly setup files and such and backed it up (now wishing I had 
backed up the VpnVM now). I later read that R3.2 will be deprecating KDE so I 
decided to start over with just xfce installed.

I reinstalled Qubes and unzipped the config dir backup and put the right files 
in their place, tried to check permissions etc and then fired it up, seemed to 
start up with no apparent errors. Catch is, when I try to use it as a NetVM for 
other AppVMs it doesn't seem to work. 

The AppVMs kind of search for awhile then time out (as opposed to instantly 
going to saying there is no connection). I also tried to redo it from scratch, 
no backup files, same result.

I was at least hoping for an error that I could do a search on but there 
doesn't seem to be an obvious one here? 



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-06 Thread gaikokujinkyofusho
On Wednesday, July 6, 2016 at 9:50:10 AM UTC+12, Chris Laprise wrote:
> On 07/06/2016 09:31 AM, gaikokujinkyofu...@gmail.com wrote:
> > On Wednesday, July 6, 2016 at 5:40:20 AM UTC-4, Chris Laprise wrote:
> >> On 07/05/2016 03:05 PM, gaikokujinkyofu...@gmail.com wrote:
> >>> I renamed the file, and that seems to have gotten it, in that I am now 
> >>> prompted to login to the vpn but now I noticed that my VpnVM does not 
> >>> have network access?
> >>>
> >>> I don't know at what point this happened but perhaps this is related to 
> >>> what Chris was talking about with the firewall blocking openvpn? (though 
> >>> I am not even able to ping things like google.com etc, vpn running or 
> >>> not). I did not change the NetVM, it is still sys-firewall if that 
> >>> matters?
> >> You will probably need to put your username and password in an
> >> /rw/config/openvpn/auth.txt file, then add 'auth-user-pass filename' to
> >> your ovpn config. This will allow openvpn to connect without user input.
> >>
> >> Connecting the vpn vm to either sys-firewall or sys-net is fine.
> >>
> >> Once the qubes-firewall-user-script is running you can't ping or make
> >> other connections from inside the vpn vm. You should connect an appvm to
> >> the vpn vm and test from there.
> >>
> >> BTW, I'll be submitting a revised doc that mentions when and where to
> >> test the connection.
> >>
> >> Chris
> > Thanks for that auth part, quite handy. As for not being able to connect 
> > from inside the vpn, ok I guess except shouldn't the vpn at least be able 
> > to connect? when I try to start up the vpn (now with the handy auth 
> > automatically put in) I get this:
> >
> > sudo openvpn --cd /rw/config/openvpn/ --config 
> > /rw/config/openvpn/openvpn-client.ovpn
> > Wed Jul  6 09:10:59 2016 RESOLVE: Cannot resolve host address: 
> > vpnprovider.org: No address associated with hostname
> > ^CWed Jul  6 09:11:06 2016 RESOLVE: signal received during DNS resolution 
> > attempt
> > Wed Jul  6 09:11:06 2016 SIGINT[hard,init_instance] received, process 
> > exiting
> > [user@VPN openvpn]$
> 
> Right... It should do that because with the firewall rules only programs 
> run under group 'qvpn' can access the net. You didn't run it with the 
> group there.
> 
> And I guess you can also ping and stuff in the VPN VM, too, if you run 
> those programs under the group. But in general you should avoid it.
> 
> Chris

Hurrah! Happy to see that an error is actually a *good* thing. So, with your 
reminder I retried it with sg and it works! and using it as a proxyvm for other 
appvms works! 

I am going to let this soak in a bit, read up on (quite) a few things (like 
sg?) then try to figure some other aspects out like randomly (or somewhat 
randomly, or at least more easily than editing files each time) being able to 
switch vpn servers as my provider has a few to pick from. Thoughts?

Thank you so *very* much for your help/patience, there is no way I would have 
been able to read my way through this. 



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread gaikokujinkyofusho
On Tuesday, July 5, 2016 at 2:53:22 PM UTC-4, gaikokuji...@gmail.com wrote:
> On Tuesday, July 5, 2016 at 2:14:39 PM UTC+4:30, Marek Marczykowski-Górecki 
> wrote:
> > 
> > On Tue, Jul 05, 2016 at 12:52:18PM -0400, Chris Laprise wrote:
> > > On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> > > > > On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > > > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> > > > > > > On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> > > > > > > > No worries, honestly I should have thought of the sudo myself.
> > > > > > > > 
> > > > > > > > Well, running it with sudo and it went swimmingly, it connected 
> > > > > > > > so that is good, another hurdle cleared.
> > > > > > > > 
> > > > > > > > I am now back to one of your earlier posts in this thread, 
> > > > > > > > regarding the qubes-firewall-user-script.
> > > > > > > > 
> > > > > > > > I have to admit that I am not totally clear on needing to run 
> > > > > > > > the groupadd (it seems to be run in the firewall script?) but I 
> > > > > > > > ran it (and it shows up in /etc/group so I guess thats good?) 
> > > > > > > > but then on the next line:
> > > > > > > > 
> > > > > > > > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> > > > > > > > openvpn-client.ovpn
> > > > > > > > 
> > > > > > > > I get an error saying:
> > > > > > > > Options error: In [CMD-LINE]:1: Error opening configuration 
> > > > > > > > file:openvn-client.ovpn
> > > > > > > > 
> > > > > > > > I don't understand groups and ids very well so am not sure 
> > > > > > > > where there breakdown is here, perhaps I need to set something 
> > > > > > > > regarding the openvpn-client.ovpn file?
> > > > > > > Error message indicates that the filename has a typo:
> > > > > > > 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> > > > > > > 
> > > > > > > File ids will be OK if you created them with sudo. Running 
> > > > > > > groupadd
> > > > > > > multiple times with 'f' option is fine, too.
> > > > > > > 
> > > > > > > Chris
> > > > > > Thanks Chris & Eva.
> > > > > > 
> > > > > > I rechecked what I typed (I was typing from one computer the error 
> > > > > > from another computer that time, logged in on the same comp so am 
> > > > > > c/p outputs now) and I actually had typed it correctly.
> > > > > > 
> > > > > > I also tried adding the full paths to the openvpn-client.ovpn files 
> > > > > > as suggested (though I added ca.crt and crl.pem instead of ca.key 
> > > > > > and crl.key, assuming thats ok?). As for my openvpn.config 
> > > > > > (openvpn-client.ovpn right?) being stored in the wrong place, I 
> > > > > > have it in /rw/config/openvpn/ should it be somewhere else?
> > > > > > 
> > > > > > Regardless, after doublechecking what I typed, and adding the full 
> > > > > > path in as suggested the below is what I got, this time a c/p :p
> > > > > > 
> > > > > > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> > > > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > > > Options error: In [CMD-LINE]:1: Error opening configuration file: 
> > > > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > > > Use --help for more information.
> > > > > > [user@VPN openvpn]$
> > > > > > 
> > > > > > thoughts?
> > > > > > 
> > > > > I have seen SELinux restrictions cause this error. But that shouldn't 
> > > > > be
> > > > > a concern if you're using a regular fedora 23 or debian 8 template. 
> > > > > Did
> > > > > you enable SELinux or Apparmor?
> > > > > 
> > > > > http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> > > > > 
> > > > > Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> > > > > 
> > > > > Chris
> > > > I am vaguely familiar with SELinux and AppArmor (hardening?) but I have 
> > > > not enabled it, at least not intentionally (not tinkered with anything 
> > > > related to it either). But as for output, absolutely! here it is:
> > > > 
> > > > [user@VPN openvpn]$ ls -lZ /rw/config/openvpn
> > > > total 16
> > > > -rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
> > > > -rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
> > > > -rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
> > > > -rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
> > > > [user@VPN openvpn]$
> > > 
> > > That shows the problem, I think. Change the ownership of the ovpn file to
> > > root...
> > > sudo chown root:root /rw/config/openvpn/openvpn-client.opvn
> > 
> > It shouldn't be a problem, as anyone can read the file anyway. And in
> > above cmdline, openvpn is running as root, so just another hint it isn't
> > permissions problem.
> > 
> > It's a typo in file name:
> > /rw/config/openvpn/openvpn-client.ovpn
> > /rw/config/openvpn/openvpn-client.opvn

Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Marek Marczykowski-Górecki

On Tue, Jul 05, 2016 at 12:52:18PM -0400, Chris Laprise wrote:
> On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote:
> > On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> > > On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> > > > > On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> > > > > > No worries, honestly I should have thought of the sudo myself.
> > > > > > 
> > > > > > Well, running it with sudo and it went swimmingly, it connected so 
> > > > > > that is good, another hurdle cleared.
> > > > > > 
> > > > > > I am now back to one of your earlier posts in this thread, 
> > > > > > regarding the qubes-firewall-user-script.
> > > > > > 
> > > > > > I have to admit that I am not totally clear on needing to run the 
> > > > > > groupadd (it seems to be run in the firewall script?) but I ran it 
> > > > > > (and it shows up in /etc/group so I guess thats good?) but then on 
> > > > > > the next line:
> > > > > > 
> > > > > > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> > > > > > openvpn-client.ovpn
> > > > > > 
> > > > > > I get an error saying:
> > > > > > Options error: In [CMD-LINE]:1: Error opening configuration 
> > > > > > file:openvn-client.ovpn
> > > > > > 
> > > > > > I don't understand groups and ids very well so am not sure where 
> > > > > > there breakdown is here, perhaps I need to set something regarding 
> > > > > > the openvpn-client.ovpn file?
> > > > > Error message indicates that the filename has a typo:
> > > > > 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> > > > > 
> > > > > File ids will be OK if you created them with sudo. Running groupadd
> > > > > multiple times with 'f' option is fine, too.
> > > > > 
> > > > > Chris
> > > > Thanks Chris & Eva.
> > > > 
> > > > I rechecked what I typed (I was typing from one computer the error from 
> > > > another computer that time, logged in on the same comp so am c/p 
> > > > outputs now) and I actually had typed it correctly.
> > > > 
> > > > I also tried adding the full paths to the openvpn-client.ovpn files as 
> > > > suggested (though I added ca.crt and crl.pem instead of ca.key and 
> > > > crl.key, assuming thats ok?). As for my openvpn.config 
> > > > (openvpn-client.ovpn right?) being stored in the wrong place, I have it 
> > > > in /rw/config/openvpn/ should it be somewhere else?
> > > > 
> > > > Regardless, after doublechecking what I typed, and adding the full path 
> > > > in as suggested the below is what I got, this time a c/p :p
> > > > 
> > > > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > Options error: In [CMD-LINE]:1: Error opening configuration file: 
> > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > Use --help for more information.
> > > > [user@VPN openvpn]$
> > > > 
> > > > thoughts?
> > > > 
> > > I have seen SELinux restrictions cause this error. But that shouldn't be
> > > a concern if you're using a regular fedora 23 or debian 8 template. Did
> > > you enable SELinux or Apparmor?
> > > 
> > > http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> > > 
> > > Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> > > 
> > > Chris
> > I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not 
> > enabled it, at least not intentionally (not tinkered with anything related 
> > to it either). But as for output, absolutely! here it is:
> > 
> > [user@VPN openvpn]$ ls -lZ /rw/config/openvpn
> > total 16
> > -rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
> > -rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
> > -rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
> > -rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
> > [user@VPN openvpn]$
> 
> That shows the problem, I think. Change the ownership of the ovpn file to
> root...
> sudo chown root:root /rw/config/openvpn/openvpn-client.opvn

It shouldn't be a problem, as anyone can read the file anyway. And in
above cmdline, openvpn is running as root, so just another hint it isn't
permissions problem.

It's a typo in file name:
/rw/config/openvpn/openvpn-client.ovpn
/rw/config/openvpn/openvpn-client.opvn
  ^^


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
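
The filename mismatch diagnosed above (`.ovpn` requested, `.opvn` on disk) can be caught mechanically before starting openvpn. This is an added example, not code from the thread or from Qubes: the function names are hypothetical, the temp directory is constructed sample data, and checking the mode of auth.txt and the presence of a qvpn group line are assumptions about what is worth verifying, based on the files and group named in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. File names mirror those quoted in the
# messages; the directory used by demo() is constructed sample data.

# Print the characters of a name in sorted order, so two names that differ
# only by swapped characters ("ovpn" vs "opvn") produce the same key.
sorted_chars() {
    printf '%s' "$1" | fold -w1 | sort | tr -d '\n'
}

# find_config DIR NAME
# Prints "ok" if DIR/NAME exists, "typo:<file>" for each file in DIR whose
# name is a character-swap of NAME, or "missing" if there is no candidate.
find_config() {
    fc_dir=$1; fc_want=$2
    if [ -f "$fc_dir/$fc_want" ]; then echo "ok"; return 0; fi
    fc_key=$(sorted_chars "$fc_want")
    fc_found=no
    for fc_f in "$fc_dir"/*; do
        [ -f "$fc_f" ] || continue
        fc_base=${fc_f##*/}
        if [ "$(sorted_chars "$fc_base")" = "$fc_key" ]; then
            echo "typo:$fc_base"
            fc_found=yes
        fi
    done
    [ "$fc_found" = yes ] || echo "missing"
    return 0
}

# auth_file_mode FILE
# Reads the mode string that `ls -l` prints (e.g. -rw-r--r--) and reports
# "private" when group and other have no bits set, "exposed" otherwise.
auth_file_mode() {
    if [ ! -f "$1" ]; then echo "absent"; return 0; fi
    am_bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$am_bits" = "------" ]; then echo "private"; else echo "exposed"; fi
}

# has_group NAME [GROUPFILE]
# Looks for a "NAME:" entry in the group file (default /etc/group).
has_group() {
    if grep -q "^$1:" "${2:-/etc/group}"; then echo "yes"; else echo "no"; fi
}

# Demonstration on a constructed directory shaped like the ls output above.
demo() {
    d=$(mktemp -d)
    touch "$d/ca.crt" "$d/crl.pem" "$d/openvpn-client.opvn"
    printf 'constructed-user\nconstructed-pass\n' > "$d/auth.txt"
    chmod 644 "$d/auth.txt"
    printf 'root:x:0:\nqvpn:x:1001:\n' > "$d/group.sample"
    echo "config:          $(find_config "$d" openvpn-client.ovpn)"
    echo "auth.txt (0644): $(auth_file_mode "$d/auth.txt")"
    chmod 600 "$d/auth.txt"
    echo "auth.txt (0600): $(auth_file_mode "$d/auth.txt")"
    echo "qvpn group:      $(has_group qvpn "$d/group.sample")"
    rm -rf "$d"
}
demo
```

On the VPN VM itself the same functions would be pointed at /rw/config/openvpn and the real /etc/group.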

Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Chris Laprise

On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote:
> On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> > On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> > > > On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> > > > > No worries, honestly I should have thought of the sudo myself.
> > > > >
> > > > > Well, running it with sudo and it went swimmingly, it connected so that is
> > > > > good, another hurdle cleared.
> > > > >
> > > > > I am now back to one of your earlier posts in this thread, regarding the
> > > > > qubes-firewall-user-script.
> > > > >
> > > > > I have to admit that I am not totally clear on needing to run the groupadd (it
> > > > > seems to be run in the firewall script?) but I ran it (and it shows up in
> > > > > /etc/group so I guess thats good?) but then on the next line:
> > > > >
> > > > > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
> > > > >
> > > > > I get an error saying:
> > > > > Options error: In [CMD-LINE]:1: Error opening configuration
> > > > > file:openvn-client.ovpn
> > > > >
> > > > > I don't understand groups and ids very well so am not sure where there
> > > > > breakdown is here, perhaps I need to set something regarding the
> > > > > openvpn-client.ovpn file?
> > > > Error message indicates that the filename has a typo:
> > > > 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> > > >
> > > > File ids will be OK if you created them with sudo. Running groupadd
> > > > multiple times with 'f' option is fine, too.
> > > >
> > > > Chris
> > > Thanks Chris & Eva.
> > >
> > > I rechecked what I typed (I was typing from one computer the error from another
> > > computer that time, logged in on the same comp so am c/p outputs now) and I
> > > actually had typed it correctly.
> > >
> > > I also tried adding the full paths to the openvpn-client.ovpn files as
> > > suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key,
> > > assuming thats ok?). As for my openvpn.config (openvpn-client.ovpn right?)
> > > being stored in the wrong place, I have it in /rw/config/openvpn/ should it be
> > > somewhere else?
> > >
> > > Regardless, after doublechecking what I typed, and adding the full path in as
> > > suggested the below is what I got, this time a c/p :p
> > >
> > > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config
> > > /rw/config/openvpn/openvpn-client.ovpn
> > > Options error: In [CMD-LINE]:1: Error opening configuration file:
> > > /rw/config/openvpn/openvpn-client.ovpn
> > > Use --help for more information.
> > > [user@VPN openvpn]$
> > >
> > > thoughts?
> > >
> >
> > I have seen SELinux restrictions cause this error. But that shouldn't be
> > a concern if you're using a regular fedora 23 or debian 8 template. Did
> > you enable SELinux or Apparmor?
> >
> > http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> >
> > Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> >
> > Chris
> I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not
> enabled it, at least not intentionally (not tinkered with anything related to
> it either). But as for output, absolutely! here it is:
>
> [user@VPN openvpn]$ ls -lZ /rw/config/openvpn
> total 16
> -rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
> -rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
> -rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
> -rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
> [user@VPN openvpn]$

That shows the problem, I think. Change the ownership of the ovpn file 
to root...

sudo chown root:root /rw/config/openvpn/openvpn-client.opvn

Chris



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread gaikokujinkyofusho
On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> >> On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> >>> No worries, honestly I should have thought of the sudo myself.
> >>>
> >>> Well, running it with sudo and it went swimmingly, it connected so that 
> >>> is good, another hurdle cleared.
> >>>
> >>> I am now back to one of your earlier posts in this thread, regarding the 
> >>> qubes-firewall-user-script.
> >>>
> >>> I have to admit that I am not totally clear on needing to run the 
> >>> groupadd (it seems to be run in the firewall script?) but I ran it (and 
> >>> it shows up in /etc/group so I guess thats good?) but then on the next 
> >>> line:
> >>>
> >>> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> >>> openvpn-client.ovpn
> >>>
> >>> I get an error saying:
> >>> Options error: In [CMD-LINE]:1: Error opening configuration 
> >>> file:openvn-client.ovpn
> >>>
> >>> I don't understand groups and ids very well so am not sure where there 
> >>> breakdown is here, perhaps I need to set something regarding the 
> >>> openvpn-client.ovpn file?
> >> Error message indicates that the filename has a typo:
> >> 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> >>
> >> File ids will be OK if you created them with sudo. Running groupadd
> >> multiple times with 'f' option is fine, too.
> >>
> >> Chris
> > Thanks Chris & Eva.
> >
> > I rechecked what I typed (I was typing from one computer the error from 
> > another computer that time, logged in on the same comp so am c/p outputs 
> > now) and I actually had typed it correctly.
> >
> > I also tried adding the full paths to the openvpn-client.ovpn files as 
> > suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, 
> > assuming thats ok?). As for my openvpn.config (openvpn-client.ovpn right?) 
> > being stored in the wrong place, I have it in /rw/config/openvpn/ should it 
> > be somewhere else?
> >
> > Regardless, after doublechecking what I typed, and adding the full path in 
> > as suggested the below is what I got, this time a c/p :p
> >
> > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> > /rw/config/openvpn/openvpn-client.ovpn
> > Options error: In [CMD-LINE]:1: Error opening configuration file: 
> > /rw/config/openvpn/openvpn-client.ovpn
> > Use --help for more information.
> > [user@VPN openvpn]$
> >
> > thoughts?
> >
> 
> I have seen SELinux restrictions cause this error. But that shouldn't be 
> a concern if you're using a regular fedora 23 or debian 8 template. Did 
> you enable SELinux or Apparmor?
> 
> http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> 
> Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> 
> Chris

I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not 
enabled it, at least not intentionally (not tinkered with anything related to 
it either). But as for output, absolutely! here it is:

[user@VPN openvpn]$ ls -lZ /rw/config/openvpn
total 16
-rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
-rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
-rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
-rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
[user@VPN openvpn]$ 



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Chris Laprise

On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
>> On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
>>> No worries, honestly I should have thought of the sudo myself.
>>>
>>> Well, running it with sudo and it went swimmingly, it connected so that is 
>>> good, another hurdle cleared.
>>>
>>> I am now back to one of your earlier posts in this thread, regarding the 
>>> qubes-firewall-user-script.
>>>
>>> I have to admit that I am not totally clear on needing to run the groupadd (it 
>>> seems to be run in the firewall script?) but I ran it (and it shows up in 
>>> /etc/group so I guess that's good?) but then on the next line:
>>>
>>> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
>>>
>>> I get an error saying:
>>> Options error: In [CMD-LINE]:1: Error opening configuration 
>>> file:openvn-client.ovpn
>>>
>>> I don't understand groups and ids very well so am not sure where the 
>>> breakdown is here, perhaps I need to set something regarding the 
>>> openvpn-client.ovpn file?
>>
>> Error message indicates that the filename has a typo:
>> 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
>>
>> File ids will be OK if you created them with sudo. Running groupadd
>> multiple times with 'f' option is fine, too.
>>
>> Chris
>
> Thanks Chris & Eva.
>
> I rechecked what I typed (I was typing from one computer the error from another 
> computer that time, logged in on the same comp so am c/p outputs now) and I 
> actually had typed it correctly.
>
> I also tried adding the full paths to the openvpn-client.ovpn files as 
> suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, 
> assuming that's ok?). As for my openvpn.config (openvpn-client.ovpn right?) 
> being stored in the wrong place, I have it in /rw/config/openvpn/ should it be 
> somewhere else?
>
> Regardless, after double-checking what I typed, and adding the full path in as 
> suggested the below is what I got, this time a c/p :p
>
> [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> /rw/config/openvpn/openvpn-client.ovpn
> Options error: In [CMD-LINE]:1: Error opening configuration file: 
> /rw/config/openvpn/openvpn-client.ovpn
> Use --help for more information.
> [user@VPN openvpn]$
>
> thoughts?

I have seen SELinux restrictions cause this error. But that shouldn't be 
a concern if you're using a regular fedora 23 or debian 8 template. Did 
you enable SELinux or Apparmor?

http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file

Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?

Chris



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread gaikokujinkyofusho
On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> >
> > No worries, honestly I should have thought of the sudo myself.
> >
> > Well, running it with sudo and it went swimmingly, it connected so that is 
> > good, another hurdle cleared.
> >
> > I am now back to one of your earlier posts in this thread, regarding the 
> > qubes-firewall-user-script.
> >
> > I have to admit that I am not totally clear on needing to run the groupadd 
> > (it seems to be run in the firewall script?) but I ran it (and it shows up 
> > in /etc/group so I guess that's good?) but then on the next line:
> >
> > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> > openvpn-client.ovpn
> >
> > I get an error saying:
> > Options error: In [CMD-LINE]:1: Error opening configuration 
> > file:openvn-client.ovpn
> >
> > I don't understand groups and ids very well so am not sure where the 
> > breakdown is here, perhaps I need to set something regarding the 
> > openvpn-client.ovpn file?
> 
> Error message indicates that the filename has a typo: 
> 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> 
> File ids will be OK if you created them with sudo. Running groupadd 
> multiple times with 'f' option is fine, too.
> 
> Chris

Thanks Chris & Eva.

I rechecked what I typed (I was typing from one computer the error from another 
computer that time, logged in on the same comp so am c/p outputs now) and I 
actually had typed it correctly. 

I also tried adding the full paths to the openvpn-client.ovpn files as 
suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, 
assuming that's ok?). As for my openvpn.config (openvpn-client.ovpn right?) 
being stored in the wrong place, I have it in /rw/config/openvpn/ should it be 
somewhere else?

Regardless, after double-checking what I typed, and adding the full path in as 
suggested the below is what I got, this time a c/p :p

[user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
/rw/config/openvpn/openvpn-client.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: 
/rw/config/openvpn/openvpn-client.ovpn
Use --help for more information.
[user@VPN openvpn]$

thoughts?



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Chris Laprise

On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> No worries, honestly I should have thought of the sudo myself.
>
> Well, running it with sudo and it went swimmingly, it connected so that is 
> good, another hurdle cleared.
>
> I am now back to one of your earlier posts in this thread, regarding the 
> qubes-firewall-user-script.
>
> I have to admit that I am not totally clear on needing to run the groupadd (it 
> seems to be run in the firewall script?) but I ran it (and it shows up in 
> /etc/group so I guess that's good?) but then on the next line:
>
> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
>
> I get an error saying:
> Options error: In [CMD-LINE]:1: Error opening configuration 
> file:openvn-client.ovpn
>
> I don't understand groups and ids very well so am not sure where the 
> breakdown is here, perhaps I need to set something regarding the 
> openvpn-client.ovpn file?

Error message indicates that the filename has a typo: 
'openvn-client.ovpn' should be 'openvpn-client.ovpn'.

File ids will be OK if you created them with sudo. Running groupadd 
multiple times with 'f' option is fine, too.

Chris



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-04 Thread gaikokujinkyofusho
On Monday, July 4, 2016 at 11:51:26 AM UTC+6, Chris Laprise wrote:
> On 07/04/2016 11:33 AM, gaikokujinkyofu...@gmail.com wrote:
> > On Sunday, July 3, 2016 at 11:32:53 PM UTC-3:30, Chris Laprise wrote:
> >> On 07/03/2016 10:10 PM, gaikokujinkyofu...@gmail.com wrote:
> >>> On Sunday, July 3, 2016 at 9:56:15 PM UTC+3, Chris Laprise wrote:
> >>>> On 07/03/2016 09:14 PM, gaikokujinkyofu...@gmail.com wrote:
> >>>>> Some things came up so I hadn't gotten around to trying it out until 
> >>>>> now.
> >>>>>
> >>>>> I created a new VM, VpnVM, and ran
> >>>>>
> >>>>> openvpn openvpn.ovpn
> >>>>>
> >>>>> and yeah! it connected and I opened firefox from VpnVM, and it was 
> >>>>> using the vpn, then ran PersonalVM using VpnVM as my NetVM and 
> >>>>> PersonalVM also showed up as using the VPN so first hurdle cleared?
> >>>> Yes.
> >>>>
> >>>>> Lots more hurdles though as my understanding of it all drops off 
> >>>>> precipitously.
> >>>>>
> >>>>> I modified the /rw/config/openvpn/openvpn-client.ovpn file with the
> >>>>>
> >>>>> script-security 2
> >>>>> up 'qubes-vpn-handler.sh up'
> >>>>> down 'qubes-vpn-handler.sh down'
> >>>>>
> >>>>> lines
> >>>>>
> >>>>> and I created the qubes-vpn-handler.sh and changed permissions.
> >>>>>
> >>>>> I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn
> >>>>>
> >>>>> and no go. I get errors:
> >>>>>
> >>>>> Options error: --ca fails with ca.crt: No such file or directory
> >>>>> Options error: --crl-verify failes crl.prm: no such file or dir
> >>>>> Options error: please correct these errors
> >>>>>
> >>>>> I didn't get these errors before I added the qubes-vpn-handler.sh
> >>>>>
> >>>>> thoughts?
> >>>> It looks like you switched to the example ovpn config from
> >>>> https://github.com/ttasket/Qubes-vpn-support
> >>>>
> >>>> I'd recommend you use your original working ovpn and just add the 3
> >>>> script lines to that.
> >>>>
> >>>> Chris
> >>> Actually I am using the ovpn that the vpn provider gives, and am just 
> >>> adding the 3 lines that step "2. Set up OpenVPN." of 
> >>> https://www.qubes-os.org/doc/vpn/ page suggest to the ovpn config file 
> >>> that the vpn provider gave.
> >>>
> >>> That file seems to work until I modify it with the 3 lines. While I don't 
> >>> understand the script I would assume there is something in the handler 
> >>> script that my setup doesn't like as the 3 lines are just invoking the 
> >>> qubes-vpn-handler.sh right?
> >> Above, you switched from 'openvpn.ovpn' to...
> >> '/rw/config/openvpn/openvpn-client.ovpn' so make sure they are the same.
> >>
> >> Changing the location of the files or your current directory while
> >> omitting the '--cd' directive would cause the errors. Try starting it
> >> with 'openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn'.
> >>
> >> Chris
> > Ah sorry. Thanks. I guess, some of my lazy shorthand confused things. I can 
> > promise though I have been going off the https://www.qubes-os.org/doc/vpn/ 
> > doc, wasn't actually aware of the github one.
> >
> > When I try to execute it what dir should I be doing this from? I tried the 
> > line you suggested
> > openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
> >
> > but got the same options errors as before (just for the heck of it I tried 
> > from my home dir and from the /rw/config/openvpn dir)
> 
> My bad, I should have said 'sudo openvpn --cd /rw/config/openvpn/ 
> --config openvpn-client.ovpn'. You want to run it with 'sudo'.
> 
> It shouldn't matter where you start openvpn from as long as you use '--cd'.
> 
> Also, verify that the two 'missing' files are in the /rw/config/openvpn 
> dir. Do an 'ls -l' there to check they are owned by root.
> 
> Chris

No worries, honestly I should have thought of the sudo myself.

Well, running it with sudo and it went swimmingly, it connected so that is 
good, another hurdle cleared.

I am now back to one of your earlier posts in this thread, regarding the 
qubes-firewall-user-script.

I have to admit that I am not totally clear on needing to run the groupadd (it 
seems to be run in the firewall script?) but I ran it (and it shows up in 
/etc/group so I guess that's good?) but then on the next line:

sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn

I get an error saying:
Options error: In [CMD-LINE]:1: Error opening configuration 
file:openvn-client.ovpn

I don't understand groups and ids very well so am not sure where the 
breakdown is here, perhaps I need to set something regarding the 
openvpn-client.ovpn file?


Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-04 Thread gaikokujinkyofusho
On Sunday, July 3, 2016 at 11:32:53 PM UTC-3:30, Chris Laprise wrote:
> On 07/03/2016 10:10 PM, gaikokujinkyofu...@gmail.com wrote:
> > On Sunday, July 3, 2016 at 9:56:15 PM UTC+3, Chris Laprise wrote:
> >> On 07/03/2016 09:14 PM, gaikokujinkyofu...@gmail.com wrote:
> >>>
> >>> Some things came up so I hadn't gotten around to trying it out until now.
> >>>
> >>> I created a new VM, VpnVM, and ran
> >>>
> >>> openvpn openvpn.ovpn
> >>>
> >>> and yeah! it connected and I opened firefox from VpnVM, and it was using 
> >>> the vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also 
> >>> showed up as using the VPN so first hurdle cleared?
> >> Yes.
> >>
> >>> Lots more hurdles though as my understanding of it all drops off 
> >>> precipitously.
> >>>
> >>> I modified the /rw/config/openvpn/openvpn-client.ovpn file with the
> >>>
> >>> script-security 2
> >>> up 'qubes-vpn-handler.sh up'
> >>> down 'qubes-vpn-handler.sh down'
> >>>
> >>> lines
> >>>
> >>> and I created the qubes-vpn-handler.sh and changed permissions.
> >>>
> >>> I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn
> >>>
> >>> and no go. I get errors:
> >>>
> >>> Options error: --ca fails with ca.crt: No such file or directory
> >>> Options error: --crl-verify failes crl.prm: no such file or dir
> >>> Options error: please correct these errors
> >>>
> >>> I didn't get these errors before I added the qubes-vpn-handler.sh
> >>>
> >>> thoughts?
> >> It looks like you switched to the example ovpn config from
> >> https://github.com/ttasket/Qubes-vpn-support
> >>
> >> I'd recommend you use your original working ovpn and just add the 3
> >> script lines to that.
> >>
> >> Chris
> > Actually I am using the ovpn that the vpn provider gives, and am just 
> > adding the 3 lines that step "2. Set up OpenVPN." of 
> > https://www.qubes-os.org/doc/vpn/ page suggest to the ovpn config file that 
> > the vpn provider gave.
> >
> > That file seems to work until I modify it with the 3 lines. While I don't 
> > understand the script I would assume there is something in the handler 
> > script that my setup doesn't like as the 3 lines are just invoking the 
> > qubes-vpn-handler.sh right?
> 
> Above, you switched from 'openvpn.ovpn' to... 
> '/rw/config/openvpn/openvpn-client.ovpn' so make sure they are the same.
> 
> Changing the location of the files or your current directory while 
> omitting the '--cd' directive would cause the errors. Try starting it 
> with 'openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn'.
> 
> Chris

Ah sorry. Thanks. I guess, some of my lazy shorthand confused things. I can 
promise though I have been going off the https://www.qubes-os.org/doc/vpn/ doc, 
wasn't actually aware of the github one.

When I try to execute it what dir should I be doing this from? I tried the line 
you suggested 
openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn

but got the same options errors as before (just for the heck of it I tried from 
my home dir and from the /rw/config/openvpn dir)



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-03 Thread Chris Laprise



On 07/03/2016 09:14 PM, gaikokujinkyofu...@gmail.com wrote:
> On Wednesday, June 22, 2016 at 1:48:33 PM UTC-3:30, gaikokuji...@gmail.com wrote:
>> On Monday, June 20, 2016 at 5:19:27 AM UTC+5:45, Chris Laprise wrote:
>>> On 06/19/2016 10:13 PM, gaikokujinkyofu...@gmail.com wrote:
>>>> On Thursday, June 16, 2016 at 6:33:48 PM UTC+9, gaikokuji...@gmail.com wrote:
>>>>> I started trying to create a VPN VM following the https://www.qubes-os.org/doc/vpn/ page. 
>>>>> I checked if openvm was installed, it was (using fedora/ using the "firewall" 
>>>>> for the allow networking option not mentioned in the VPN page). There was not a 
>>>>> /rw/config/openvm dir so I tried making one then went through the rest of the 
>>>>> instructions. I double checked what I did against the instructions and am fairly sure 
>>>>> I followed them correctly.
>>>>>
>>>>> I tried setting my now "VPN" vm as the netvm, shutdown both then restarted vpn 
>>>>> vm then the modified-to-use-vpn vm appvm and tried connecting to the internet, nada.
>>>>>
>>>>> I did go to the Fedora "establishing a VPN Connection" page but intimidating is 
>>>>> a bit of an understatement.
>>>>>
>>>>> How can I go about diagnosing what is not working?
>>>>
>>>> I worked on this a bit more. Waded through the fedora establishing a VPN connection page, 
>>>> rather confusing, but I opened a Network settings window for my VPN VM and added a VPN by 
>>>> importing an openvpn config file via the VPN add a network connection's "import from 
>>>> file" option (and it seemed to import fine).
>>>>
>>>> Now I am not entirely sure what I have. I of course did everything outlined in 
>>>> the Qubes VPN page. I now have two network connection icons, one for my wifi 
>>>> and another showing the VPN VM's eth? problem is the VPN VM ethernet connection 
>>>> doesn't seem to be connected. When I go to network via *settings* it now shows 
>>>> me three connections: Wired, the VPN I setup, and Network Proxy.
>>>>
>>>> When I go via *Network Connections* it now shows me under Ethernet "VM uplink eth0" and 
>>>> under VPN "VPN Provider" (the provider whose openvpn config I imported). It shows the 
>>>> ethernet as having been used within the last few minutes but the VPN as never having been used.
>>>>
>>>> On the Fedora page it mentions setting an autoconnect (automatically connect to 
>>>> VPN when using this connection) option which I thought it was talking about for 
>>>> the VPN but as I couldn't find it on the VPN connection and could on the eth0 
>>>> connection I tried setting the autoconnect to (and selected the VPN connection 
>>>> from the pull down menu) but while I can select it it does not stay selected if 
>>>> I restart the VPN VM.
>>>>
>>>> Now I am not able to connect to the internet on the VPN VM and def not from 
>>>> another AppVM trying to use the VPN as a proxy.
>>>>
>>>> I am just not sure where I have gone wrong here. Where would I look for a log to start 
>>>> trying to figure out the issue? (I saw a "run in debug mode" under VM 
>>>> settings... might that be a place to start?)
>>>>
>>>> Thanks!
>>>
>>> Hi again...
>>>
>>> You should create a separate proxy vm for each type of vpn configuration
>>> you're trying, otherwise they will interfere with each other.
>>>
>>> To get the openvpn + firewall method working, first try running openvpn
>>> manually with 'sudo openvpn [...]' before adding any scripts. Omit the
>>> --daemon option so it will display information you can use to
>>> troubleshoot the link.
>>>
>>> Once you have the link working, you can try adding script lines to your
>>> .ovpn file and the qubes-vpn-handler, then test manually again. Finally,
>>> add the qubes-firewall-user-script and reboot the vm, then test again.
>>> Keep in mind that once you add the firewall it will block openvpn unless
>>> the latter is run under group 'qvpn' so you would type the following:
>>>  sudo groupadd -rf qvpn
>>>  sudo sg qvpn -c 'openvpn [...]'
>>>
>>> NM connection... Try it in a fresh vm. The vpn autoconnect might not
>>> work, however; The last time I tried to use it, NM behaved erratically
>>> (and did not have appropriate firewall protections anyway).
>>>
>>> Chris
>>
>> Thanks I will try that out.
>
> Some things came up so I hadn't gotten around to trying it out until now.
>
> I created a new VM, VpnVM, and ran
>
> openvpn openvpn.ovpn
>
> and yeah! it connected and I opened firefox from VpnVM, and it was using the 
> vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also showed up 
> as using the VPN so first hurdle cleared?

Yes.

> Lots more hurdles though as my understanding of it all drops off precipitously.
>
> I modified the /rw/config/openvpn/openvpn-client.ovpn file with the
>
> script-security 2
> up 'qubes-vpn-handler.sh up'
> down 'qubes-vpn-handler.sh down'
>
> lines
>
> and I created the qubes-vpn-handler.sh and changed permissions.
>
> I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn
>
> and no go. I get errors:
>
> Options error: --ca fails with ca.crt: No such file or directory
> Options error: --crl-verify failes crl.prm: no such file or dir
> Options error: please correct these errors
>
> I didn't get these errors before I added the qubes-vpn-handler.sh
>
> thoughts?


It looks like you switched to the example ovpn config from 

Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-03 Thread gaikokujinkyofusho
On Wednesday, June 22, 2016 at 1:48:33 PM UTC-3:30, gaikokuji...@gmail.com 
wrote:
> On Monday, June 20, 2016 at 5:19:27 AM UTC+5:45, Chris Laprise wrote:
> > On 06/19/2016 10:13 PM, gaikokujinkyofu...@gmail.com wrote:
> > > On Thursday, June 16, 2016 at 6:33:48 PM UTC+9, gaikokuji...@gmail.com 
> > > wrote:
> > >> I started trying to create a VPN VM following the 
> > >> https://www.qubes-os.org/doc/vpn/ page. I checked if openvm was 
> > >> installed, it was (using fedora/ using the "firewall" for the allow 
> > >> networking option not mentioned in the VPN page). There was not a 
> > >> /rw/config/openvm dir so I tried making one then went through the rest 
> > >> of the instructions. I am double checked what I did against the 
> > >> instructions and am fairly sure I followed them correctly.
> > >>
> > >> I tried setting my now "VPN" vm as the netvm, shutdown both then 
> > >> restarted vpn vm then the modified-to-use-vpn vm appvm and tried 
> > >> connecting to the internet, nada.
> > >>
> > >> I did go to the Fedora "establishing a VPN Connection" page but 
> > >> intimidating is a bit of an understatement.
> > >>
> > >> How can I go about diagnosing what is not working?
> > > I worked on this a bit more. Waded through the fedora establishing a VPN 
> > > connection page, rather confusing, but I opened a Network settings window 
> > > for my VPN VM and added a VPN by importing a openvpn config file via the 
> > > VPN add a network connection's "import from file" option (and it seemed 
> > > to import fine).
> > >
> > > Now I am not entirely sure what I have. I of course did everything 
> > > outlined in the Qubes VPN page. I now have two network connection icons, 
> > > one for my wifi and another showing the VPN VM's eth? problem is the VPN 
> > > VM ethernet connection doesn't seem to be connected. When I go to network 
> > > via *settings* it now shows me three connections: Wired, the VPN I setup, 
> > > and Network Proxy.
> > >
> > > When I go via *Network Connections* it now shows me under Ethernet "VM 
> > > uplink eth0" and under VPN "VPN Provider" (the provider whose openvpn 
> > > config I imported). It shows the ethernet as having been used within the 
> > > last few minutes but the VPN as never having been used.
> > >
> > > On the Fedora page it mentions setting an autoconnect (automatically 
> > > connect to VPN when using this connection) option which I thought it was 
> > > talking about for the VPN but as I couldn't find it on the VPN connection 
> > > and could on the eth0 connection I tried setting the autoconnect to (and 
> > > selected the VPN connection from the pull down menu) but while I can 
> > > select it it does not stay selected if I restart the VPN VM.
> > >
> > > Now I am not able to connect to the internet on the VPN VM and def not 
> > > from another AppVM trying to use the VPN as a proxy.
> > >
> > > I am just not sure where I have gone wrong here. Where would I look for a 
> > > log to start trying to figure out the issue? (I saw a "run in debug mode" 
> > > under VM settings... might that be a place to start?)
> > >
> > > Thanks!
> > 
> > Hi again...
> > 
> > You should create a separate proxy vm for each type of vpn configuration 
> > you're trying, otherwise they will interfere with each other.
> > 
> > To get the openvpn + firewall method working, first try running openvpn 
> > manually with 'sudo openvpn [...]' before adding any scripts. Omit the 
> > --daemon option so it will display information you can use to 
> > troubleshoot the link.
> > 
> > Once you have the link working, you can try adding script lines to your 
> > .ovpn file and the qubes-vpn-handler, then test manually again. Finally, 
> > add the qubes-firewall-user-script and reboot the vm, then test again. 
> > Keep in mind that once you add the firewall it will block openvpn unless 
> > the latter is run under group 'qvpn' so you would type the following:
> > sudo groupadd -rf qvpn
> > sudo sg qvpn -c 'openvpn [...]'
> > 
> > NM connection... Try it in a fresh vm. The vpn autoconnect might not 
> > work, however; The last time I tried to use it, NM behaved erratically 
> > (and did not have appropriate firewall protections anyway).
> > 
> > Chris
> 
> Thanks I will try that out.

Some things came up so I hadn't gotten around to trying it out until now.

I created a new VM, VpnVM, and ran 

openvpn openvpn.ovpn

and yeah! it connected and I opened firefox from VpnVM, and it was using the 
vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also showed up 
as using the VPN so first hurdle cleared?

Lots more hurdles though as my understanding of it all drops off precipitously. 

I modified the /rw/config/openvpn/openvpn-client.ovpn file with the 

script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'

lines

and I created the qubes-vpn-handler.sh and changed permissions.

I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn

and no go. I 

Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-06-22 Thread gaikokujinkyofusho
On Monday, June 20, 2016 at 5:19:27 AM UTC+5:45, Chris Laprise wrote:
> On 06/19/2016 10:13 PM, gaikokujinkyofu...@gmail.com wrote:
> > On Thursday, June 16, 2016 at 6:33:48 PM UTC+9, gaikokuji...@gmail.com 
> > wrote:
> >> I started trying to create a VPN VM following the 
> >> https://www.qubes-os.org/doc/vpn/ page. I checked if openvm was installed, 
> >> it was (using fedora/ using the "firewall" for the allow networking option 
> >> not mentioned in the VPN page). There was not a /rw/config/openvm dir so I 
> >> tried making one then went through the rest of the instructions. I am 
> >> double checked what I did against the instructions and am fairly sure I 
> >> followed them correctly.
> >>
> >> I tried setting my now "VPN" vm as the netvm, shutdown both then restarted 
> >> vpn vm then the modified-to-use-vpn vm appvm and tried connecting to the 
> >> internet, nada.
> >>
> >> I did go to the Fedora "establishing a VPN Connection" page but 
> >> intimidating is a bit of an understatement.
> >>
> >> How can I go about diagnosing what is not working?
> > I worked on this a bit more. Waded through the fedora establishing a VPN 
> > connection page, rather confusing, but I opened a Network settings window 
> > for my VPN VM and added a VPN by importing a openvpn config file via the 
> > VPN add a network connection's "import from file" option (and it seemed to 
> > import fine).
> >
> > Now I am not entirely sure what I have. I of course did everything outlined 
> > in the Qubes VPN page. I now have two network connection icons, one for my 
> > wifi and another showing the VPN VM's eth? problem is the VPN VM ethernet 
> > connection doesn't seem to be connected. When I go to network via 
> > *settings* it now shows me three connections: Wired, the VPN I setup, and 
> > Network Proxy.
> >
> > When I go via *Network Connections* it now shows me under Ethernet "VM 
> > uplink eth0" and under VPN "VPN Provider" (the provider whose openvpn 
> > config I imported). It shows the ethernet as having been used within the 
> > last few minutes but the VPN as never having been used.
> >
> > On the Fedora page it mentions setting an autoconnect (automatically 
> > connect to VPN when using this connection) option which I thought it was 
> > talking about for the VPN but as I couldn't find it on the VPN connection 
> > and could on the eth0 connection I tried setting the autoconnect to (and 
> > selected the VPN connection from the pull down menu) but while I can select 
> > it it does not stay selected if I restart the VPN VM.
> >
> > Now I am not able to connect to the internet on the VPN VM and def not from 
> > another AppVM trying to use the VPN as a proxy.
> >
> > I am just not sure where I have gone wrong here. Where would I look for a 
> > log to start trying to figure out the issue? (I saw a "run in debug mode" 
> > under VM settings... might that be a place to start?)
> >
> > Thanks!
> 
> Hi again...
> 
> You should create a separate proxy vm for each type of vpn configuration 
> you're trying, otherwise they will interfere with each other.
> 
> To get the openvpn + firewall method working, first try running openvpn 
> manually with 'sudo openvpn [...]' before adding any scripts. Omit the 
> --daemon option so it will display information you can use to 
> troubleshoot the link.
> 
> Once you have the link working, you can try adding script lines to your 
> .ovpn file and the qubes-vpn-handler, then test manually again. Finally, 
> add the qubes-firewall-user-script and reboot the vm, then test again. 
> Keep in mind that once you add the firewall it will block openvpn unless 
> the latter is run under group 'qvpn' so you would type the following:
> sudo groupadd -rf qvpn
> sudo sg qvpn -c 'openvpn [...]'
> 
> NM connection... Try it in a fresh vm. The vpn autoconnect might not 
> work, however; The last time I tried to use it, NM behaved erratically 
> (and did not have appropriate firewall protections anyway).
> 
> Chris

Thanks I will try that out.
