no connection to email server through vpn firewall


theman

Sep 6, 2015, 11:05:31 PM
to qubes-users
I can't get to my email server when trying to connect through my OpenVPN
firewall.

In the AppVM I have Deny except (my email server web addresses), as well
as Allow ICMP & DNS.

Connection works fine if I Allow full access for 5 mins, or use the
sys-net firewall.

Note, I think all DNS requests are going through my VPN


mari...@openmailbox.org

Sep 7, 2015, 8:59:18 AM
to theman, qubes-users
Hi,

Are there any firewall rules in your OpenVPN firewall? Which router box
are you using?
Are you sure there are no data leaks (on Qubes or your OpenVPN client)?

Open a terminal and try to run these commands in both configurations
(deny except, and allow for 5 min):

ping your.mail.server.ip

nslookup mail-server-hostname

traceroute mail server-ip/hostname


And see if you can learn where the problem is,
then we can help you better :)

theman

Sep 7, 2015, 8:20:04 PM
to mari...@openmailbox.org, qubes-users
I'm using this setup (but I don't use the resolv.conf file - I use
Olivier's script later in the thread):

https://groups.google.com/forum/?hl=en#!searchin/qubes-users/OpenVPN$20setup$2C$20revisited/qubes-users/-9gR1Va3BnY/pJFTZXp2zzEJ

rc.local script has the following rules:

iptables -t mangle -I FORWARD 1 -o eth0 -j DROP
iptables -t mangle -I FORWARD 2 -i eth0 -j DROP

In answer to your questions,

Yes, I have firewall rules for the email server
Routerbox? Do you mean router? It's a wired router.
Dataleak? I'm not sure if I know how to check that but if I go to
dnsleaktest.com, the standard test results show the dns server of my vpn
provider.


I get the following with Full Access (and Deny Except in brackets):

1. ping - icmp_seq=1 ttl=54 time=372 ms (with Deny, I get "unknown host")
2. nslookup
Server: 10.137.4.1
Address: 10.137.4.1#53
(with Deny, I get "connection timed out; no servers could be reached")

3. I didn't understand the last command (I just get 'Name or service not
known. Cannot handle "host" cmdline arg', but I get this on my working
firewall too). Which hostname?

On 07/09/15 22:59, mari...@openmailbox.org wrote:
> On 2015-09-07 05:05, theman wrote:
>> I can't get to my email server when trying to connect through my
>> OpenVPN firewall.
>> Server: 10.137.4.1
>> Address: 10.137.4.1#53

mari...@openmailbox.org

Sep 8, 2015, 5:38:12 AM
to theman, qubes-users
On 08/09/15 02:19, theman wrote:
> In answer to your questions,
>
> Yes, I have firewall rules for the email server
> Routerbox? Do you mean router? It's a wired router.

It was just to find out whether you have firewall rules in the router.

> I get the following with Full Access (and Deny Except in brackets):
>
> 1. ping - icmp_seq=1 ttl=54 time=372 ms (with Deny, I get "unknown
> host")
> 2. nslookup
> Server: 10.137.4.1
> Address: 10.137.4.1#53
> (with Deny, I get "connection timed out; no servers could be
> reached")
>
> 3. I didn't understand the last command (I just get 'Name or service
> not known Cannot handle "host" cmdline arg" But I get this on my
> working firewall). Which hostname?
It was the hostname of your mail server, for example mail.server.foo.

Repeat this test when connected to the VPN and when not, so you can know
where the block is.

First make sure that your mail server is not blocked by your VPN
provider.


theman

Sep 8, 2015, 6:46:35 AM
to mari...@openmailbox.org, qubes-users
I don't think I have any firewall rules in my router.

Maybe I didn't use the right terminology, but when I said mail server, I
actually meant just the web address of my email provider, which is a
web-mail service only.

Using the vpn firewall I can get to the web-mail website address no
problem, when I have no firewall rules set (Allow network access
except...). However, if I put in Deny accept... with the firewall rules
set to my email webserver address, it doesn't connect.

Nope. Sorry, I still don't understand what you want me to enter for
"traceroute mail server-ip/hostname" (except for hostname which should
equal the web address? E.g. /gmail.com?

marie4743

Sep 9, 2015, 5:01:52 AM
to qubes...@googlegroups.com

On 08/09/15 12:46, theman wrote:
> Maybe I didn't use the right terminology, but when I said mail server,
> I actually meant just the web address of my email provider, which is a
> web-mail service only.

Ok

>
> Using the vpn firewall I can get to the web-mail website address no
> problem, when I have no firewall rules set (Allow network access
> except...). However, if I put in Deny accept... with the firewall
> rules set to my email webserver address, it doesn't connect.

Basically, in your AppVM you should deny traffic except for
IP_of_webmail, but since you will use DNS to connect to the webmail you
should allow DNS requests too, or edit /etc/hosts.
You can use a custom DNS server (for example OpenNIC) or rely on the Qubes
DNS proxy.
>
> Nope. Sorry, I still don't understand what you want me to enter for
> "traceroute mail server-ip/hostname" (except for hostname which should
> equal the web address? E.g. /gmail.com?
>
If you check your webmail from https://roundcube.net, do
traceroute roundcube.net
It shows you all the routers and hosts that your browser uses to reach this
address.
So you can learn where the problem is.

theman

Sep 9, 2015, 5:16:09 AM
to qubes...@googlegroups.com
Thanks Marie for your help.

I have the AppVM set to deny traffic except for the IP_of_webmail (I
entered "roundcube.net" as a test) and also, Allow DNS requests and ICMP
traffic.

When I run "traceroute roundcube.net" I get:

roundcube.net: Name or service not known
Cannot handle "host" cmdline arg `roundcube.net' on position 1 (argc 1)

When I allow all for 5 mins I get:

traceroute to roundcube.net (104.27.159.146), 30 hops max, 60 byte packets
1 10.137.4.1 (10.137.4.1) 0.270 ms 0.198 ms 0.135 ms
2 172.16.0.1 (172.16.0.1) 266.388 ms 267.787 ms 269.392 ms
3 192.99.100.253 (192.99.100.253) 272.181 ms 274.915 ms 276.836 ms
4 bhs-g2-a9.qc.ca (198.27.73.99) 277.681 ms 279.619 ms
bhs-g1-a9.qc.ca (198.27.73.97) 282.042 ms
5 mtl-2-6k.qc.ca (198.27.73.6) 284.753 ms 286.703 ms mtl-2-6k.qc.ca
(198.27.73.4) 288.298 ms
6 * * *
7 xe-1-2-0.edge01.ord02.as13335.net (206.223.119.180) 286.532 ms
284.193 ms 285.161 ms
8 104.27.159.146 (104.27.159.146) 286.912 ms 289.352 ms 290.960 ms

Unman

Sep 9, 2015, 9:47:13 AM
to theman, qubes...@googlegroups.com
So this suggests that your dns resolution is borked with the vpn.
For a quick and dirty solution just add this to /etc/hosts:
104.27.159.146 roundcube.net
To make it survive reboot, put that line in /rw/config/dns and add:
cat /rw/config/dns >> /etc/hosts
to /rw/config/rc.local

If you only use the VM to access your webmail you can turn off DNS
and ICMP.

Alternatively, look at the iptables rules on the firewall and pay
attention to what you are doing with DNS. You should be directing
traffic down the tunnel to a remote DNS server: at the moment your
ruleset is blocking it.

unman


theman

Sep 9, 2015, 9:23:52 PM
to Unman, qubes...@googlegroups.com
Thanks unman. I did your "quick and dirty" - and it seems to be working
correctly!

However, I'd like to try to fix the root cause if possible. How do I
"direct traffic down the tunnel to a remote server"?

I have the below commands in the vpn firewall rc.local file. My
understanding is that they make sure everything goes through the vpn?

iptables -t mangle -I FORWARD 1 -o eth0 -j DROP
iptables -t mangle -I FORWARD 2 -i eth0 -j DROP

I also use the attach script - could that be causing the problem?

I set-up the vpn following this thread:
https://groups.google.com/forum/?hl=en#!searchin/qubes-users/OpenVPN$20setup$2C$20revisited/qubes-users/-9gR1Va3BnY/pJFTZXp2zzEJ

On 09/09/15 23:47, Unman wrote:
> On Wed, Sep 09, 2015 at 07:16:01PM +1000, theman wrote:
>> Thanks Marie for your help.
>>
>> I have the AppVM set to deny traffic except for the IP-of_webmail (I entered
>> "roundcube.net" as a test) and also, Allow dns request and ICPM traffic.
>>
>> When I run "traceroute roundcube.net" I get:
>>
>> roundcube.net: Name or service not known
>> Cannot handle "host" cmdline arg `roundcube.net' on position 1 (argc 1)
>>
>> When I allow all for 5 mins I get:
>>
>> traceroute to roundcube.net (104.27.159.146), 30 hops max, 60 byte packets
>> 1 10.137.4.1 (10.137.4.1) 0.270 ms 0.198 ms 0.135 ms
>> 2 172.16.0.1 (172.16.0.1) 266.388 ms 267.787 ms 269.392 ms
> To make it survive reboot, put that line in /rw/config/dns and add:
/rw/config/openvpn/vpn-setup.sh

theman

Sep 10, 2015, 12:43:30 AM
to qubes...@googlegroups.com
For some reason the "quick and dirty" fix is not working for my bank
website... (other sites are working though)

cprise

Sep 10, 2015, 5:28:27 AM
to Unman, theman, Marek Marczykowski, qubes...@googlegroups.com
On 09/09/2015 09:47 AM, Unman wrote:
> On Wed, Sep 09, 2015 at 07:16:01PM +1000, theman wrote:
>> Thanks Marie for your help.
>>
>> I have the AppVM set to deny traffic except for the IP-of_webmail (I entered
>> "roundcube.net" as a test) and also, Allow dns request and ICPM traffic.
>>
>> When I run "traceroute roundcube.net" I get:
>>
>> roundcube.net: Name or service not known
>> Cannot handle "host" cmdline arg `roundcube.net' on position 1 (argc 1)
>>
>> When I allow all for 5 mins I get:
>>
>> traceroute to roundcube.net (104.27.159.146), 30 hops max, 60 byte packets
>> 1 10.137.4.1 (10.137.4.1) 0.270 ms 0.198 ms 0.135 ms
>> 2 172.16.0.1 (172.16.0.1) 266.388 ms 267.787 ms 269.392 ms
>> 3 192.99.100.253 (192.99.100.253) 272.181 ms 274.915 ms 276.836 ms
>> 4 bhs-g2-a9.qc.ca (198.27.73.99) 277.681 ms 279.619 ms bhs-g1-a9.qc.ca
>> (198.27.73.97) 282.042 ms
>> 5 mtl-2-6k.qc.ca (198.27.73.6) 284.753 ms 286.703 ms mtl-2-6k.qc.ca
>> (198.27.73.4) 288.298 ms
>> 6 * * *
>> 7 xe-1-2-0.edge01.ord02.as13335.net (206.223.119.180) 286.532 ms 284.193
>> ms 285.161 ms
>> 8 104.27.159.146 (104.27.159.146) 286.912 ms 289.352 ms 290.960 ms
>>
...
>
> So this suggests that your dns resolution is borked with the vpn.
> For a quick and dirty solution just add this to /etc/hosts:
> 104.27.159.146 roundcube.net
> To make it survive reboot, put that line in /rw/config/dns and add:
> cat /rw/config/dns >> /etc/hosts
> to /rw/config/rc.local
>
> If you only use the VM to access your webmail you can turn off DNS
> and ICMP.
>
> Alternatively look at the iptables rules on the firewall and pay
> attention to what you are doing with dns. You should be directing
> traffic down the tunnel to a remore dns server: at the moment your
> ruleset is blocking it.
>
> unman
>


Marek,

There appears to be a bug in Qubes firewall dns forwarding after
'qubes-setup-dnat-to-ns' is called to update the nat PR-QBS chain /and/
there are 'Deny except...' whitelist rules added from a connected
(downstream) appvm.

The destination addresses in the Qubes-generated dpt:domain rules in the
FORWARD chain remain their old direct-to-netvm values instead of getting
updated to the vpn addresses. So those nat'd dns packets keep hitting
the 'reject-with icmp-host-prohibited' rule since they are never matched
and accepted above.

The firewall might need to be fixed so that whatever new dns addresses
are picked up by 'qubes-setup-dnat-to-ns', the dpt:domain rules in
FORWARD are also changed to look for those addresses.

Would you agree?

Marek Marczykowski

Sep 10, 2015, 5:50:52 AM
to cprise, Unman, theman, qubes...@googlegroups.com
Yes, it looks like the case here. Pasted here:
https://github.com/QubesOS/qubes-issues/issues/1183

In the meantime, the workaround would be to manually add an appropriate
rule in the VM firewall settings (as one of the allowed destinations).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

theman

Sep 10, 2015, 6:13:29 AM
to Marek Marczykowski, cprise, Unman, qubes...@googlegroups.com
How/where/what do I manually add the rule to the firewall vm?

Also, I tried adding /rw/config/openvpn/vpn-setup.sh to the rc.local
file in the appvm (not the vpn-firewall vm) - but I still couldn't get
to my bank's website (the others seem fine).

cprise

Sep 10, 2015, 6:34:20 AM
to theman, Marek Marczykowski, Unman, qubes...@googlegroups.com
On 09/10/2015 06:13 AM, theman wrote:
> How/where/what do I manually add the rule to the firewall vm?
>
> Also, I tried adding /rw/config/openvpn/vpn-setup.sh to the rc.local
> file in the appvm (not the vpn-firewall vm) - but I still couldn't get
> to my bank's website (the others seem fine).
>

I think Marek meant in the appvm's firewall settings. You can add your
vpn dns server IPs with protocol 'any'. Or if you really want to be
specific, you can add 2 entries for each IP: One for TCP and one for
UDP, and specify 'domain' as the service for each.


cprise

Sep 10, 2015, 6:44:07 AM
to Marek Marczykowski, Unman, theman, qubes...@googlegroups.com
I think the fix for this would have:

* Qubes firewall checks /etc/resolv.conf (or equivalent) each time it
updates the FORWARD chain
* Running 'qubes-setup-dnat-to-ns' triggers the Qubes firewall update
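The condition cprise describes above (the dpt:domain ACCEPT rules in FORWARD still naming the old netvm resolvers after the VPN has pushed new ones) and the fix he proposes here (compare resolv.conf with the FORWARD chain on every update) can both be checked from a shell in the firewall VM. The script below is an added example, not code from the thread or from Qubes: it reads resolv.conf text and `iptables -S FORWARD` text, lists the resolvers that have no port-53 ACCEPT rule, and so flags exactly the packets that would fall through to the icmp-host-prohibited REJECT. The resolver and rule addresses it ships with are constructed samples, and it assumes the rule shape (`-d <ip>/32 ... --dport 53 -j ACCEPT`) shown in `iptables -S` output.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes code base): detect
# FORWARD-chain DNS ACCEPT rules that no longer match the resolvers in
# resolv.conf. On a real firewall VM, pass "$(cat /etc/resolv.conf)" and
# "$(iptables -S FORWARD)" instead of the constructed samples below.

# Constructed resolv.conf as it looks after the VPN pushes its resolvers
# (addresses are made up for the example).
SAMPLE_RESOLV='nameserver 10.8.0.1
nameserver 10.8.0.2'

# Constructed `iptables -S FORWARD` output whose dpt:domain rules still point
# at the old direct-to-netvm resolvers (10.137.4.x values are hypothetical).
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -s 10.137.5.3/32 -d 104.27.159.146/32 -j ACCEPT
-A FORWARD -s 10.137.5.3/32 -d 10.137.4.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.137.5.3/32 -d 10.137.4.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 10.137.5.3/32 -d 10.137.4.254/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.137.5.3/32 -j REJECT --reject-with icmp-host-prohibited'

# resolvers RESOLV_TEXT -> one nameserver address per line, de-duplicated
resolvers() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | sort -u
}

# dns_rule_dests FORWARD_TEXT -> destination addresses of port-53 ACCEPT rules
dns_rule_dests() {
  printf '%s\n' "$1" | awk '
    /--dport 53/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++)
        if ($i == "-d") { d = $(i + 1); sub(/\/32$/, "", d); print d }
    }' | sort -u
}

# stale_resolvers RESOLV_TEXT FORWARD_TEXT -> resolvers with no ACCEPT rule;
# DNS to these will be rejected by the firewall even though the AppVM
# whitelist allowed DNS.
stale_resolvers() {
  dests="$(dns_rule_dests "$2")"
  resolvers "$1" | while read -r ns; do
    printf '%s\n' "$dests" | grep -qxF "$ns" || echo "$ns"
  done
}

# check_dns_rules RESOLV_TEXT FORWARD_TEXT -> prints a verdict, returns 1 when
# at least one resolver is unmatched (the bug condition), 0 otherwise.
check_dns_rules() {
  stale="$(stale_resolvers "$1" "$2")"
  if [ -n "$stale" ]; then
    echo "stale: DNS to these resolvers will hit the REJECT rule:"
    echo "$stale"
    return 1
  fi
  echo "ok: every resolver in resolv.conf has a port-53 ACCEPT rule in FORWARD"
  return 0
}
```

Run `check_dns_rules "$SAMPLE_RESOLV" "$SAMPLE_FORWARD"` to see the stale verdict for the constructed samples; with live data the same call tells you whether the firewall update cprise asks for has actually happened after `qubes-setup-dnat-to-ns` ran. The check deliberately keys on the resolver addresses rather than on the rule count, because a ruleset can contain the right number of dpt:domain rules and still name the wrong hosts.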

theman

Sep 10, 2015, 6:59:54 AM
to cprise, Marek Marczykowski, Unman, qubes...@googlegroups.com
Oh - I see. Of course. You mean in the Qubes VM Manager setting for the
appVM. Got it.

But I have no idea what my VPN's DNS servers are. They seem to bounce
around along with the VPN server location (which is chosen at random from a
number of locations).

And about dns servers generally - what's the best one to use - my vpn
provider's or another (more private?) one (example please).

cprise

Sep 10, 2015, 7:45:11 AM
to theman, Marek Marczykowski, Unman, qubes...@googlegroups.com
On 09/10/2015 06:59 AM, theman wrote:
> Oh - I see. Of course. You mean in the Qubes VM Manager setting for the
> appVM. Got it.
>
> But I have no idea what my vpn's dns servers are. They seem to bounce
> around as world with the vpn server location (which is random of a
> number of locations).
>
> And about dns servers generally - what's the best one to use - my vpn
> provider's or another (more private?) one (example please).
>

Are you sure? Unlike the client IP address (which usually changes), DNS
addresses are often static. Even if your service is odd and the DNS
servers change, picking a couple and using them as static should work
fine; just start your VPN connection from the VPN VM and peek at the
/etc/resolv.conf file. Then, if the numbers change for each
re-connection, you may have to change Olivier's script (or use my
scripts) to use only the numbers you chose (in addition to entering
those numbers in the AppVM's firewall settings).

(You could also alter Olivier's script in a different way, to add an
iptables rule near the start of FORWARD that simply accepts packets for
the current dns address.)

You might also try static dns numbers from level3 (4.2.2.2) or google
(8.8.8.8), if you trust them.


theman

Sep 10, 2015, 8:03:49 AM
to cprise, Marek Marczykowski, Unman, qubes...@googlegroups.com
Thanks again for your help cprise.

No. I'm not sure. Lol.

I just looked in the VPN VM's resolv.conf and the nameserver IP listed is
different from the one I get from dnsleaktest.com; dnsleaktest.com
shows my IP address and my DNS IP as identical.

cprise

Sep 10, 2015, 2:38:38 PM
to theman, Marek Marczykowski, Unman, qubes...@googlegroups.com
On 09/10/2015 08:03 AM, theman wrote:
> Thanks again for your help cprise.
>
> No. I'm not sure. Lol.
>
> I just looked in the vpn vm resolv.conf and the nameserver IP listed is
> different from the one I get from dnsleaktest.com - dnsleaktest.com
> shows my IP address and my dns IP as identical
>

The thing to look for with that test is whether the listed IP belongs to
your vpn provider or your isp. If the latter, then there is a leak.

theman

Oct 13, 2015, 8:05:06 AM
to cprise, Marek Marczykowski, Unman, qubes...@googlegroups.com
IP of the VPN provider and the dns (in dnsleaktest) are identical (and
dns is not my ISP's).

I added the DNS server address into my banking VM firewall rules as Marek
suggested, but it still does not resolve.