Re: [qubes-users] Re: Qubes: Unable to connect to VPN
> Install per the instructions for Mr. Laprise's excellent
> qubes-vpn-setup in a Template-based AppVM, don't miss any steps.
> ELSE
>
> delete the AppVM and start over, make sure openvpn is installed in
> the Template chosen, make sure to enable proxy in the created AppVM,
> and for services add the openvpn in the qubes manager tab
>
> Which VPN provider are you using?

Thanks. Turned out that we probably got it to work earlier, but didn't know how to test it properly. So, we spent days trying to figure out a problem that didn't exist.

We were confused from Step 1 by the fact that to create a ProxyVM, one now has to know to create an AppVM, and check "provides network". Setting "vpn-handler-openvpn" in the Services for that qube, as some thread suggested, is still something we are not sure about.

We've decided to move to a hardware device from the VPN provider. With so many manual steps and several different ways to set it up, on top of VPN provider script variations, a device seems the safest option to avoid making some mistake or misunderstanding, because we are not security experts or developers in the field.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZMCpY0k63FxEEoDdmVtdC14qqJlZYEZTH-m9p7B5mUiIIKxzjT1TjRuQ8jSC0ONyt2DKRFHf0OC7XeDfTXd9J6TFdkjlamj967-cr97J1wM%3D%40protonmail.ch.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Qubes: Unable to connect to VPN
On 6/12/19 2:53 PM, Chris Laprise wrote:

On 6/12/19 10:14 AM, 'Crypto Carabao Group' via qubes-users wrote:

We've also been trying for days to get a VPN to resolve on a brand new R4.0 install, to either one of 2 different VPN providers, using the iptables and cli scripts:

https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

I've also set it up before on a 3.x Qubes and it worked using the above. So far, what's pretty certain is that these instructions were carried over automatically, but actually don't work for the R4.0 version. BTW, there is no "/usr/lib/qubes/qubes-vpn-setup" in the Fedora 29 or Debian 9 templates. So, wherever that came from, it's not in the new installer version we got.

There is no mention of a 'qubes-vpn-setup' in the vpn doc you linked to. That script is a part of my Qubes-vpn-support project on github. You might want to use that instead since the setup process is much simpler:

https://github.com/tasket/Qubes-vpn-support

Neither is there a path: /etc/openvpn/update-resolv-conf in the VMs based on Fedora 29. (Haven't tried Debian 9 for that yet.) That probably came from a particular VPN provider, and would have to be installed in the template anyway to persist, right?

There is no mention of 'update-resolv-conf' in the vpn doc, either. One of the most frequent causes of failed vpn setups is when the user decides to mix or combine different instructions because 'more is better' or because they saw different people discussing the merits of different approaches. This does NOT work; you have to pick one and follow it.

It seems that the update-resolve-conf is a default script that ships with some distros, such as Mint (attached), and works on our other machine, and does the function that the "qubes-vpn-handler.sh" does in the Qubes VPN instructions, but it doesn't work on Qubes in our case for the same VPN provider either. Seems to require a lot of modification and merge the two maybe, which will take us another several days to figure out, if ever.

Updating resolv.conf is not required at all to get DNS working for downstream appVMs. The instructions avoid doing this to help keep the VPN VM in a locked-down state, so it doesn't inadvertently try to access the tunnel for its internal programs (i.e. only downstream VMs get to access the tunnel). What IS necessary is populating the DNAT rules in the firewall. Check the PR-QBS chain to see if your DNS server IPs were added:

    iptables -L -v -t nat PR-QBS

Install per the instructions for Mr. Laprise's excellent qubes-vpn-setup in a Template-based AppVM, don't miss any steps. ELSE

delete the AppVM and start over, make sure openvpn is installed in the Template chosen, make sure to enable proxy in the created AppVM, and for services add the openvpn in the qubes manager tab

Which VPN provider are you using?
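Added example, not part of the thread: the PR-QBS check Chris Laprise describes above, automated by parsing `iptables -t nat -S PR-QBS` (the rule-spec form of the listing command quoted in the message). The address 10.8.0.1 and the sample rules are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). 10.8.0.1 and the rules are constructed.

# Constructed sample of `iptables -t nat -S PR-QBS` in a working VPN qube.
sample_rules() {
    cat <<'EOF'
-N PR-QBS
-A PR-QBS -i vif+ -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -i vif+ -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.1
EOF
}

# Print every address that port-53 traffic is being redirected to.
list_dns_targets() {
    sed -n 's/.*--dport 53 .*--to-destination \([0-9.]*\).*/\1/p' | sort -u
}

# Usage: iptables -t nat -S PR-QBS | check_dns_dnat VPN_DNS_IP...
# Returns 0 only if each VPN DNS server is the DNAT target for udp/53 and
# tcp/53, and no port-53 rule points anywhere else.
check_dns_dnat() {
    rules=$(cat)
    rc=0
    for ip in "$@"; do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        for proto in udp tcp; do
            if ! printf '%s\n' "$rules" | grep -Eq -- \
                "-p $proto .*--dport 53 .*--to-destination $ip_re(:53)?\$"; then
                echo "missing: $proto/53 -> $ip" >&2
                rc=1
            fi
        done
    done
    # A leftover target (for example the sys-net default) means DNS
    # from downstream qubes is not going to the VPN's resolver.
    for t in $(printf '%s\n' "$rules" | list_dns_targets); do
        case " $* " in
            *" $t "*) ;;
            *) echo "unexpected DNS target: $t" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}
```
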
Re: [qubes-users] Re: Qubes: Unable to connect to VPN
On Friday, March 1, 2019 at 9:07:57 PM UTC-5, unman wrote:
> Call it with --down to have a script run when the tunnel closes.
> If you check the man page, there are a variety of different options for
> running scripts/commands at different events, but I suspect that will
> fit the bill.

Thanks!!
Re: [qubes-users] Re: Qubes: Unable to connect to VPN
On Fri, Mar 01, 2019 at 01:47:22PM -0800, Otto Kratik wrote:
> On Tuesday, February 19, 2019 at 2:53:22 PM UTC-5, Jon deps wrote:
>
> > https://www.qubes-os.org/doc/vpn/
> >
> > I believe it would be helpful if you indicate which method you have
> > used to create the VPN per the URL there
> >
> >
> > perhaps it is more obvious to others
>
> Thanks for your reply - sorry I somehow missed seeing it earlier. I managed
> to sort of figure out what is going on and sort of fix it.
>
> I am using the super-simple method of just invoking "openvpn whatever.ovpn"
> from terminal within an AppVM itself, rather than creating a dedicated proxy
> or gateway as suggested in the docs. What is happening is the following..
>
> Initially before connecting to the vpn, the file /etc/resolv.conf contains
> the default Qubes sys-net dns entries, namely:
>
> nameserver 10.139.1.1
> nameserver 10.139.1.2
>
>
> When the vpn connects, it uses update-resolv-conf to overwrite the contents
> of that file. It places some comment-text near the top and changes the
> nameserver entries to its own, which is good and wanted of course. No
> complaints.
>
> When terminating the vpn connection by any means available (I tried several
> different ones), openvpn again automatically updates that /etc/resolv.conf
> file, but *only* to remove the entries it placed there, nothing more. The
> comment-text is left intact and the nameserver entries are simply deleted,
> resulting in a more or less empty and useless file and no DNS resolution
> whatsoever. The script does not seem to store and remember the previous
> entries that were there before (sys-net defaults) and replace them when
> finished. It just erases everything and leaves it like that.
>
> Thus after disconnecting the vpn I have to go back into that file and
> manually re-add the sys-net entries to regain DNS resolution functionality.
> Ultimately I'm just going to write a short bash script that puts the needed
> entries back after disconnection, which I'll run at termination every time.
>
> I don't know enough about openvpn to instruct it to "always run this extra
> script upon disconnection", though I'm sure there must be a relatively easy
> way to do so.
>

Call it with --down to have a script run when the tunnel closes.
If you check the man page, there are a variety of different options for running scripts/commands at different events, but I suspect that will fit the bill.
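Added example, not part of the thread or of any project mentioned in it: one way to write the restore script Otto describes and attach it with `up`/`down` as unman suggests. The hook path and the `RESOLV_CONF`, `BACKUP` and `DISTRO_HOOK` variables are assumptions; the fallback nameservers are the sys-net defaults quoted in the message.

```shell
#!/bin/sh
# Added example: one hook for both "up" and "down" in the .ovpn profile:
#   script-security 2
#   up   /rw/config/vpn/dns-hook.sh    # hypothetical path
#   down /rw/config/vpn/dns-hook.sh
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/run/openvpn-resolv.conf.orig}"
DISTRO_HOOK="${DISTRO_HOOK:-/etc/openvpn/update-resolv-conf}"

# Snapshot the pre-VPN file once; a reconnect must not replace the
# sys-net entries in the snapshot with the VPN's own.
save_dns() {
    [ -e "$BACKUP" ] || cp -p "$RESOLV_CONF" "$BACKUP"
}

# Put the snapshot back; fall back to the Qubes defaults if it is unusable.
restore_dns() {
    if [ -s "$BACKUP" ] && grep -q '^nameserver ' "$BACKUP"; then
        cat "$BACKUP" > "$RESOLV_CONF" && rm -f "$BACKUP"
    else
        printf 'nameserver 10.139.1.1\nnameserver 10.139.1.2\n' > "$RESOLV_CONF"
    fi
}

# run_hook up|down [arguments passed by OpenVPN...]
run_hook() {
    event="$1"; shift
    if [ "$event" = up ]; then save_dns; fi
    # The distribution script reads script_type from the environment.
    if [ -x "$DISTRO_HOOK" ]; then "$DISTRO_HOOK" "$@" || true; fi
    if [ "$event" = down ]; then restore_dns; fi
}

# OpenVPN sets script_type to "up" or "down" when it invokes the hook.
case "${script_type:-}" in
    up|down) run_hook "$script_type" "$@" ;;
esac
```

If the profile drops privileges with `user` or `group`, OpenVPN runs the down script with those reduced privileges, so it will not be able to rewrite /etc/resolv.conf.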
[qubes-users] Re: Qubes: Unable to connect to VPN
On Tuesday, February 19, 2019 at 2:53:22 PM UTC-5, Jon deps wrote:
> https://www.qubes-os.org/doc/vpn/
>
> I believe it would be helpful if you indicate which method you have
> used to create the VPN per the URL there
>
>
> perhaps it is more obvious to others

Thanks for your reply - sorry I somehow missed seeing it earlier. I managed to sort of figure out what is going on and sort of fix it.

I am using the super-simple method of just invoking "openvpn whatever.ovpn" from terminal within an AppVM itself, rather than creating a dedicated proxy or gateway as suggested in the docs. What is happening is the following..

Initially before connecting to the vpn, the file /etc/resolv.conf contains the default Qubes sys-net dns entries, namely:

nameserver 10.139.1.1
nameserver 10.139.1.2

When the vpn connects, it uses update-resolv-conf to overwrite the contents of that file. It places some comment-text near the top and changes the nameserver entries to its own, which is good and wanted of course. No complaints.

When terminating the vpn connection by any means available (I tried several different ones), openvpn again automatically updates that /etc/resolv.conf file, but *only* to remove the entries it placed there, nothing more. The comment-text is left intact and the nameserver entries are simply deleted, resulting in a more or less empty and useless file and no DNS resolution whatsoever. The script does not seem to store and remember the previous entries that were there before (sys-net defaults) and replace them when finished. It just erases everything and leaves it like that.

Thus after disconnecting the vpn I have to go back into that file and manually re-add the sys-net entries to regain DNS resolution functionality. Ultimately I'm just going to write a short bash script that puts the needed entries back after disconnection, which I'll run at termination every time.

I don't know enough about openvpn to instruct it to "always run this extra script upon disconnection", though I'm sure there must be a relatively easy way to do so.
[qubes-users] Re: Qubes: Unable to connect to VPN
On 2/14/19 5:55 PM, Otto Kratik wrote:

Just reviving a thread of mine from a few months ago with a related follow-up question.

When trying to connect to a VPN using openvpn from a Debian-9 AppVM within Qubes, I could connect but instantly lost DNS resolution which rendered the connection unusable. Installing the package 'resolvconf' and adding the following lines to the .ovpn script supplied by the VPN provider:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

...solved the issue and I was able to achieve full connectivity through the VPN.

Now, when trying to *disconnect* from that VPN using Ctrl-C from command line (or any other method) I am able to end the connection, but the DNS assignment does not appear to automatically reverse/undo and revert to the default DNS servers provided by sys-net within Qubes, namely 10.139.1.1/2. And as a result I once again cannot connect to any websites due to lack of functioning DNS lookup.

Having done a bit of research I've tried using commands like:

sudo ifconfig tun0 down
sudo ip link delete tun0

..but in both cases I get a response that 'tun0 does not exist' or something similar.

Is there any extra step needed to completely drop the VPN connection and revert to using normal sys-net connectivity, without requiring a restart of the AppVM itself? If I manually examine /etc/resolv.conf within the AppVM it still shows the default sys-net DNS entries as expected, so there must be some additional command needed to fully end the connection and revert to normal.

What am I missing?

https://www.qubes-os.org/doc/vpn/

I believe it would be helpful if you indicate which method you have used to create the VPN per the URL there

perhaps it is more obvious to others