New to Qubes having issues logging into my vpn service despite following the Qubes instructions


Wolf moon

Sep 14, 2018, 11:21:53 PM
to qubes-users
Hi guys, new to Qubes (which is an amazing feat of cyber security engineering), all working fine and learning my way around it.

My only issue is logging into my VPN service.

I have followed the Qubes instructions (which the images are different to Qubes 4.0, and after searching the net on this matter someone said that this is a shot of the previous Qubes, so not helpful there). I also contacted my VPN service on the matter. They read up on the Qubes instructions and emailed me back a step-by-step guide, but still no joy.

My VPN service works well on my Raspberry Pi 3 in the command line (which I found simple instructions for elsewhere on the internet) and works fine on my Windows 10 system as it's got an app interface you download.

It's just Qubes I am having issues with. I am by no means a hardcore techy; I am learning and not afraid or unfamiliar using the command line in Linux.

I have contacted the Qubes team after trying my best effort to resolve this on my own as I know they are a small team of 5 or so last time I checked.

Any help and advice would be greatly appreciated.

Best,

Wolf Moon

awokd

Sep 16, 2018, 3:08:35 AM
to Wolf moon, qubes-users
On Sat, September 15, 2018 3:21 am, Wolf moon wrote:
> Hi guys, new to Qubes (which is an amazing feat of cyber security
> engineering), all working fine and learning my way around it.
>
> My only issue is logging into my VPN service.
>
>
> I have followed the Qubes instructions (which the images are different
> to Qubes 4.0, and after searching the net on this matter someone said that
> this is a shot of the previous Qubes, so not helpful there). I also
> contacted my VPN service on the matter. They read up on the Qubes
> instructions and emailed me back a step-by-step guide, but still no joy.
>
> My VPN service works well on my Raspberry Pi 3 in the command line
> (which I found simple instructions for elsewhere on the internet) and
> works fine on my Windows 10 system as it's got an app interface you
> download.
>
> It's just Qubes I am having issues with. I am by no means a hardcore
> techy; I am learning and not afraid or unfamiliar using the command line
> in Linux.

See updated instructions here:
https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md, but
note that qubes-tunnel (available from the same author at
https://github.com/tasket/qubes-tunnel) has not yet been officially
blessed by the Qubes team.

> I have contacted the Qubes team after trying my best effort to resolve
> this on my own as I know they are a small team of 5 or so last time I
> checked.

There are others on this mailing list besides the Qubes core team that can
sometimes help, so ask away!


unman

Sep 16, 2018, 7:30:51 AM
to qubes-users
Hi Wolf Man

Welcome to Qubes.

It would be easier to help if you gave some idea of what the problem is:
"still no joy" doesn't mean anything.

Also, "the Qubes instructions" cover a number of different approaches.
Which one did you try?
How did the instructions provided by your provider differ from the Qubes?

Can you say what provider is involved, and what flavour of VPN you are
trying to put in place?
Look in the log files for the service, and post relevant extracts - I
mean take some time to review the log yourself and then post.

The more relevant information you provide, the easier it will be to
help.

cheers

unman


Chris Laprise

Sep 16, 2018, 9:50:23 AM
to unman, qubes-users
Specifics are definitely needed for questions like this.

The thing that usually confuses people about the current (old) Qubes doc
is there is no button for "ProxyVM" on the R4.0 Create VM dialog. The
way to do this in R4.0 is to click on "Provides network" instead.

The newer (proposed) doc + qubes-tunnel as suggested by awokd are much
easier to install and run more smoothly, BTW.

https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Stuart Perkins

Sep 16, 2018, 10:19:09 AM
to qubes...@googlegroups.com
I have two different VPNs I use for different purposes. I have a Cisco-provided VPN for a client, which I connect to via openconnect from within a dedicated appVM, and I run an OpenVPN server on my home network and connect to it through the OpenVPN client, when not at home, from a clone of sys-net made for the purpose. I switch which sys-net I run based on whether I need to connect to home or not, or I simply don't run the OpenVPN client if I'm using the sys-net with the OpenVPN client but don't need to connect. There are quite a few different ways to skin this cat.

Wolf moon

Sep 18, 2018, 3:10:14 AM
to qubes-users

Hi guys, sorry I didn't see the replies, but I have now, and thank you for them. Yes, you are right of course, I do need to add a lot more detail. I will go ahead and add as much detail as I can of what has gone on so far and where I am at.

Best,

Wolf moon

Wolf moon

Sep 18, 2018, 3:37:10 AM
to qubes-users
On Saturday, 15 September 2018 04:21:53 UTC+1, Wolf moon wrote:

To note: I am running my Raspberry Pi on one monitor on my desk to reply to this forum, whilst Qubes is up and running on a separate machine and monitor on my desk, so I can live multitask today and/or whenever I receive a reply.

Wolf moon

Sep 18, 2018, 4:37:06 AM
to qubes-users
On Saturday, 15 September 2018 04:21:53 UTC+1, Wolf moon wrote:
Okay guys, so I am signed up to NordVPN. (To note: I always update everything in Qube manager.)

I started off by Google searching how to set up a VPN on Qubes. I don't have every forum page I read saved, be it Google Groups or Reddit, unfortunately.

But they generally instructed me to go through the steps to set up a VPN as Qubes instructs on their page https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-networkmanager

Specifically "Set up a ProxyVM as a VPN gateway using iptables and CLI scripts".

What I was referring to about the diagram/photo being outdated or of the old version of Qubes prior to 4.0 was the Dom0 create a new VM. It just comes up looking different, which is what one of the OPs mentioned on one of the how-to guides I found.

Moving forward.

Certain commands didn't work, like sudo; after googling, one forum post said that in Qubes you don't use sudo much and dnf (whatever that is) is used instead, which is what I used.

I created a Qube named it Nordvpn > Template > Fedora-26 > Networking > sys-net
Appvm

From there the rest of the instructions didn't work on Qubes for me.

Apart from downloading the Nord config files successfully, which are in my nordvpn documents folder with all the server addresses as txt files, e.g. uk648.nordvpn.comtcp443.ovpn

Also was instructed to download nano reader and a few other things.

My cd ls in my nordvpn terminal is as follows

Desktop Music Templates nano.save
Documents Pictures Videos openvpn-client.ovpn.txt
Downloads Public auth-user-pass pass.txt

(To note, and jumping ahead: following tasket's Reddit page on Qubes VPN setup instructions, I added vpn-handler-openvpn to services in the appvm I named Nordvpn.)

So from there comes NordVPN's reply (they were very helpful before, helping me successfully set up my VPN link on my Raspberry Pi).

I received this email:

Hello, Adam,

I have checked your OS documentation and it would be great if you could test out the following setup:
Disable any auto-starting service that comes with the software package. For example for OpenVPN.
sudo systemctl disable openvpn.service
You may also wish to install nano or another simple text editor for entering the scripts below. Now run the following command to create VPN directory:
sudo mkdir /rw/config/vpn
Enter the directory using the following command:
cd /rw/config/vpn

Then our website - https://nordvpn.com/servers/#recommended , on the server picker you will see recommended server number. Then open https://nordvpn.com/ovpn/ website and download recommended server file. You can download directly to device and transfer to your VM or use command to download from the hyperlink:
sudo wget https://downloads.nordcdn.com/configs/files/ovpn_legacy/servers/us1310.nordvpn.com.udp1194.ovpn
(Change the last line of server name to download the correct file). Then rename downloaded file to client.ovpn
The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the /rw/config/vpn folder with your credentials and using a directive. For example for OpenVPN, edit:
auth-user-pass
to:
auth-user-pass pass.txt

Save file /rw/config/vpn/client.ovpn. Make sure a /rw/config/vpn/pass.txt file actually exists.
sudo nano /rw/config/vpn/pass.txt
Add:
username
password
Replace username and password with your actual username and password.
Test your client configuration: Run the client from a CLI prompt in the ‘vpn’ folder, preferably as root. For example:
sudo openvpn --cd /rw/config/vpn --config client.ovpn
Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with ping.
ping 8.8.8.8
ping can be aborted by pressing the two keys ctrl + c at the same time. DNS may be tested at this point by replacing addresses in /etc/resolv.conf with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider. Proceed to the next step when you’re sure the basic VPN connection is working.

Set up the VPN’s autostart.
sudo nano /rw/config/rc.local
Clear out the existing lines and add:
#!/bin/bash
VPN_CLIENT='openvpn'
VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
groupadd -rf qvpn ; sleep 2s
sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
If you are using anything other than OpenVPN, change the VPN_CLIENT and VPN_OPTIONS variables to match your VPN software. Save the script. Make it executable.
sudo chmod +x /rw/config/rc.local
Restart the new VM! The link should then be established automatically with a popup notification to that effect.

Let us know how it will go!

But... starting out, I fell over at the first hurdle.

In the Nordvpn terminal I typed in Sudo systemctl disable openvpn.service

Message back: Failed to disable unit: Unit file openvpn.service does not exist.

That is where I am now.

Any help and suggestions will be greatly appreciated.

Best,

Wolf moon

Wolf moon

Sep 18, 2018, 4:50:29 AM
to qubes-users

Hi Unman, check my detailed reply at the bottom. Thank you for the reply. Hope this helps us get further!

Антон Чехов

Sep 18, 2018, 5:46:44 AM
to qubes-users
You cannot disable something that does not exist. Just move on to the next point. Did you enable the "provides network" option while creating your VPN-App?

Creating a new VPN-app is looking like that for me, my apps stand for the country:

Name: sys-vpn-austria
Type: AppVM
Template: Debian (of course you can use Fedora, but it should be 28, 26 is outdated!)
Networking: default (sys-firewall)
provides network: enabled

The guide provided seems fine and you could check if the connection works but you should include the other scripts as well in order to make sure that all traffic is going through your vpn only.

Wolf moon

Sep 18, 2018, 6:02:51 AM
to qubes-users
Yes, I did enable provide network sys-net.

Okay, switched to the same settings you have in your VPN.

Which particular guide are you referring to, as there are a few?

I am lost when you say include other scripts, as I do not know what scripts you are referring to.

Антон Чехов

Sep 18, 2018, 6:21:54 AM
to qubes-users
I am used to this guide:
https://www.qubes-os.org/doc/vpn/
starting here:
Set up a ProxyVM as a VPN gateway using iptables and CLI scripts

There are scripts for DNS-handling, firewall and autostart included.

I do not rename my ovpn-client file but use the original name instead (uk648.nordvpn.comtcp443.ovpn). Just pay attention to insert it whenever "openvpn-client.ovpn" is mentioned.
This is important when creating the autostart script (point 6):

The script would look like this:

#!/bin/bash
VPN_CLIENT='openvpn'
VPN_OPTIONS='--cd /rw/config/vpn/ --config uk648.nordvpn.comtcp443.ovpn --daemon'

su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
groupadd -rf qvpn ; sleep 2s
sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"

This approach should be easier but I only tried it once. It did work fine for me:
https://github.com/tasket/Qubes-vpn-support
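
Added example, not part of the original thread or of the Qubes or NordVPN instructions: a preflight check for the files the messages above place in /rw/config/vpn. It verifies that the file named after --config in rc.local exists in the VPN directory, that auth-user-pass names a credentials file holding two lines, and that this file is closed to group and others (the permission check is an addition of this example). The names check_vpn_dir and demo and the sample directory are hypothetical; stat -c is the GNU form.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for the VPN VM files.
# Usage: check_vpn_dir VPN_DIR RC_LOCAL
# Prints each problem found; the exit status is the number of problems.
check_vpn_dir() (
    dir=$1 rc=$2 problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # File name that follows --config in the VPN_OPTIONS assignment.
    cfg=$(sed -n "s/.*VPN_OPTIONS=.*--config  *\([^ ']*\).*/\1/p" "$rc" | head -n 1)
    if [ -z "$cfg" ]; then
        fail "no --config found in VPN_OPTIONS in $rc"
    elif [ ! -f "$dir/$cfg" ]; then
        fail "$rc starts the client with '$cfg', which is not in $dir"
    else
        # The client may not be able to prompt at boot, so a file must be named.
        auth=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$dir/$cfg")
        if [ -z "$auth" ]; then
            fail "$cfg: no auth-user-pass line that names a credentials file"
        elif [ ! -f "$dir/$auth" ]; then
            fail "$cfg points at '$auth', which is not in $dir"
        else
            [ "$(grep -c . "$dir/$auth")" -ge 2 ] ||
                fail "$auth needs the username on line 1 and the password on line 2"
            # Clear-text credentials: no access for group or others.
            case $(stat -c %a "$dir/$auth") in
                *00) ;;
                *) fail "$auth is accessible beyond its owner (chmod 600)" ;;
            esac
        fi
    fi
    exit "$problems"
)

# Constructed sample: config saved as client.ovpn, rc.local asking for
# openvpn-client.ovpn (both file names appear in the messages above).
demo() (
    d=$(mktemp -d) || exit 99
    printf '%s\n' "VPN_CLIENT='openvpn'" \
        "VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'" \
        > "$d/rc.local"
    printf 'client\nauth-user-pass pass.txt\n' > "$d/client.ovpn"
    printf 'username\npassword\n' > "$d/pass.txt"
    chmod 600 "$d/pass.txt"
    check_vpn_dir "$d" "$d/rc.local"; status=$?
    rm -rf "$d"
    exit "$status"
)
demo || echo "problems found: $?"
```

In the VPN VM it would be run as: check_vpn_dir /rw/config/vpn /rw/config/rc.local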

Wolf moon

Sep 18, 2018, 12:39:12 PM
to qubes-users
Wow, just had success and defeat in the same instance lol.

So I'm trying everything and decided to go back to the NordVPN website, browse through and follow the Linux tutorial page.

<I deleted the old nordvpn proxy I set up and made a new one to start afresh>

see > https://nordvpn.com/tutorials/linux/openvpn/

Followed it to a T in both the nord appvm terminal and the disposable Fedora 26 VM terminal and voilà! Both worked and completed the VPN link in the terminal just like on my Raspberry Pi! However, on opening the Firefox pages of both, then googling IP tracker: in the nord appvm it won't go onto the internet at all, and that is with allowing network etc. On the disposable Fedora 26 Firefox it goes on the internet but still says exactly where I am, even when I deleted history again (which shouldn't matter, as it deletes the whole history and VM every time you close it).

So I am puzzled...

Wolf moon

Sep 18, 2018, 1:17:26 PM
to qubes-users
On Tuesday, 18 September 2018 10:46:44 UTC+1, Антон Чехов wrote:
I have just found the command to update to Fedora 28 via dom0 on Kushal Das's website

sudo qubes-dom0-update qubes-template-fedora-28

Updating now

Stuart Perkins

Sep 18, 2018, 4:31:45 PM
to qubes...@googlegroups.com
What that does is install the fedora-28 template. You can do that. I did. First I upgraded the fedora-26 template to 27 then 28 then I decided to redo with the clean 28 template.

Chris Laprise

Sep 18, 2018, 8:39:19 PM
to Wolf moon, qubes-users
On 09/18/2018 12:39 PM, Wolf moon wrote:

> see > https://nordvpn.com/tutorials/linux/openvpn/
>
> Followed it to a T in both the nord appvm terminal and the disposable Fedora 26 VM terminal and voilà! Both worked and completed the VPN link in the terminal just like on my Raspberry Pi! However, on opening the Firefox pages of both, then googling IP tracker: in the nord appvm it won't go onto the internet at all, and that is with allowing network etc. On the disposable Fedora 26 Firefox it goes on the internet but still says exactly where I am, even when I deleted history again (which shouldn't matter, as it deletes the whole history and VM every time you close it).
>
> So I am puzzled...
>

It's understandable that the NordVPN guide would connect but not route
traffic to your appVMs because there are no Qubes-specific steps.

A few points to make here:

1. Please try only one approach/guide at a time. It doesn't make sense
to mix them unless you're an expert and have unusual needs.

2. Qubes-vpn-support is the easiest and most complete guide for now.

3. NordVPN doesn't have a guide for Qubes and won't be able to help much
(if at all) in addressing special Qubes networking requirements. From
what I can tell, however, their service is very traditional (using
openvpn) so accessing it from Qubes should be the same as accessing
other VPN services from Qubes (i.e. following Qubes-specific
instructions is best).

What you do need NordVPN for is to supply the configs and you already
have those.

The point of Qubes guides like Qubes-vpn-support is to have the user
take their VPN's configs and add them to the Qubes-specific scripts. The
same is true for qubes-os.org/doc/vpn script guide, but with that guide
you'll also have to edit files manually and the result won't run as
smoothly as Qubes-vpn-support - you can trust me on this because I wrote
both of them. :)