Failed to connect PPTP VPN and failed to automatically connect to vpn when connect is available


ande...@gmail.com

May 29, 2017, 11:59:57 AM
to qubes-users
I followed the procedure for setting up 2 VPN proxyVMs; one is openvpn and the other is pptp. Both of them are working fine in Ubuntu 16.04 and Windows 10. However, on Qubes OS 3.2, I have encountered the following problems.


1) openvpn is working, but failed to connect to VPN automatically when "VM uplink eth0" is connected.

I did check "Automatically connect to VPN when using this connection" in the GUI configuration tool and confirmed I saved it many times.

I rebooted the VM and even rebooted Qubes OS, but the VPN didn't come up automatically, and "Automatically connect to VPN when using this connection" in the GUI was unchecked by itself.


2) For pptp vpn, it just failed to connect. As said, the configuration is working in Ubuntu and Windows.

Is there anyone who can help? Thank you for your help in advance.

Chris Laprise

May 29, 2017, 1:12:48 PM
to ande...@gmail.com, qubes-users
If you're using Network Manager to run the VPN connections, be advised
that the auto-connect to VPN setting doesn't always work as intended.
When I used it a couple years ago it was buggy.

Also, a proxyVM can't directly tell when the physical network connection
changes state (connected/disconnected) because 'eth0' in this case is
just a virtual interface to sys-net. You could solve this by using NM in
sys-net, but that removes a layer of Qubes security for your VPN link.

Most people seem to opt for the second set of VPN instructions using
openvpn with scripts. It's more secure and openvpn will try to connect
whenever the proxyVM has access. A slightly fancier version that can be
controlled as a systemd service is here:
https://github.com/tasket/Qubes-vpn-support

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Unman

May 29, 2017, 6:19:10 PM
to ande...@gmail.com, qubes-users
Picking up your second point, I suspect that the problem lies with your
firewall rules.
PPTP requires some specific rules that you will need to configure using
iptables on the netvm upstream of your proxyvm, on the proxyvm itself,
AND you will have to enable inbound routing from internet to the vpn
proxyvm.

This may sound daunting, but if you take it methodically you should be
fine. It is (from memory) relatively simple to set up.

I'm assuming that you have proxyvm attached direct to sys-net. If this
isn't the case then you will have to make appropriate changes to
intermediate vms also.

First you need to allow INBOUND protocol 47:
On sys-net:
    modprobe ip_conntrack_pptp
    modprobe ip_nat_pptp
    iptables -I FORWARD -p 47 -s <vpn server> -j ACCEPT

On proxyVM:
    iptables -I INPUT -p 47 -s <vpn server> -j ACCEPT

Now, zero the iptables counters, (using -Z), and try to start the vpn.
You should see the counters incrementing both in sys-net and on the
vpn proxy.
If the connection fails look to see if any DROP rules are being
triggered.
By default PPTP uses tcp port 1723 so you could put in a rule to log
that traffic:
    iptables -I FORWARD -p tcp --dport 1723 -j LOG

Once you have this working you can place the necessary rules in rc.local
and/or qubes-firewall-script in /rw/config, so that they are
automatically set-up for you.
Alternatively, put them in a simple script, and trigger it when you want
to start the VPN: this may be better if you only have the VPN working
some of the time.

I hope there's enough here to get you started.
If you hit further problems, let us know.

unman
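
Added example, not part of Unman's message or of any Qubes tooling: the "simple script" option from the post above, written so the same file can be run in sys-net or in the proxyVM. The function names, the `APPLY` variable and the 203.0.113.10 address are assumptions made for illustration; it only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): prints the PPTP rules from the post for
# one qube. Function names and the 203.0.113.10 address are made up.

# Accept only a dotted-quad IPv4 address so nothing else reaches iptables.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: pptp_rules sys-net|proxyvm <vpn server> [debug]
# GRE (IP protocol 47) is accepted only from the VPN server; the -C check
# keeps the rule from being inserted twice when the script is re-run.
pptp_rules() {
    role=$1 server=$2
    valid_ipv4 "$server" || { echo "bad server address: $server" >&2; return 2; }
    case "$role" in
        sys-net) chain=FORWARD
                 echo "modprobe ip_conntrack_pptp"
                 echo "modprobe ip_nat_pptp" ;;
        proxyvm) chain=INPUT ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    rule="$chain -p 47 -s $server -j ACCEPT"
    echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
    if [ "${3:-}" = debug ]; then   # troubleshooting steps from the post
        [ "$role" = sys-net ] && echo "iptables -I FORWARD -p tcp --dport 1723 -j LOG"
        echo "iptables -Z"
    fi
}

# Dry run by default; APPLY=1 (as root, inside the qube) executes the commands.
run_pptp_rules() {
    cmds=$(pptp_rules "$@") || return
    if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$cmds" | sh -e
    else printf '%s\n' "$cmds"; fi
}

if [ "$#" -ge 2 ]; then run_pptp_rules "$@"; fi
```

Passing `debug` as a third argument adds the port 1723 LOG rule (sys-net only) and zeroes the counters, matching the troubleshooting steps in the post.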