Qubes 4.0 and Private Internet Access? Tasket VPN solution...
vel...@tutamail.com
3.2 thread:
https://groups.google.com/forum/#!topic/qubes-users/FUQaRPWXPj8
I have been trying this for a few days but admit I am stumped...
How do I trouble shoot and get this up?
Notes:
I am trying to use Debian 9 for this
I was experiencing similar issues with Fedora(I didn't capture the logs)
I get a message that my VPN VM is "Ready to start link" message
I have tried using the 4.0 VPN file and the Master file (similar results)
When I run "Su journalctl" on my VPN-VM I find these errors:
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Reached target Network is Online.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting keep memory of all UPnP devices that announced themselves...
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting /etc/rc.local Compatibility...
Apr 05 10:15:12 sys-VPNb5 qrexec-agent[560]: executed user:QUBESRPC qubes.SetMonitorLayout dom0 pid 649
Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: Error: Firewall rule(s) not enabled!
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting Permit User Sessions...
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 05 10:15:12 sys-VPNb5 su[633]: Successful su for user by root
Apr 05 10:15:12 sys-VPNb5 su[633]: + ??? root:user
Apr 05 10:15:12 sys-VPNb5 qrexec-agent[649]: pam_unix(qrexec:session): session opened for user user by (uid=0)
Is there anybody who can help?
Chris Laprise
seems they weren't.
When you ran 'sudo /usr/lib/qubes/qubes-vpn-setup --config' in the
proxyVM it should have added a symlink to the firewall script in
/rw/config/qubes-firewall.d/90_tunnel-restrict. You can check it with
'ls -l /rw/config/qubes-firewall.d'.
Also look at the FORWARD chain which is where the checked rules are added:
$ sudo iptables -v -L FORWARD
You should see a couple DROP eth0 rules at the top:
DROP all -- eth0 any anywhere anywhere
DROP all -- any eth0 anywhere anywhere
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
vel...@tutamail.com
Does it matter that Private internet access provides 3 seperate files (key, cert and client config)?
I have the proxy AppVM set up with "provides network"(proxy) checked, I have tried a setup in proxy only and a setup in Template/Proxy, PVH(tried PV...similar to 3.2)...I don't think it is the setup as much as the configuration of the template?
I installed GNOME and Openvpn (Using those names specifically) in Debian, no additional packages installed in stock fedora...
I feel like I am missing a very basic command or tweak, whonix works, wireless works, sys-firewall works...any help would be appreciated. It seems something releated to PIA VPN configuration or VPN-handler-openvpn
Here are my logs/commands from your suggestions:
root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
total 0
lrwxrwxrwx 1 root root 38 Apr 5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict
root@sys-VPNb5:/home/user# iptables -v -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 any anywhere anywhere
0 0 DROP all -- any eth0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 QBS-FORWARD all -- any any anywhere anywhere
0 0 DROP all -- vif+ vif+ anywhere anywhere
0 0 ACCEPT all -- vif+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
I copied errors when I run journalctl:
Apr 06 02:09:52 sys-VPNb5 gnome-terminal-[966]: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degra
Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 06 02:09:46 localhost systemd[1]: Started Adjust root filesystem size.
Apr 06 02:09:46 localhost kernel: Error: Driver 'pcspkr' is already registered, aborting...
Apr 06 02:09:46 localhost mount-dirs.sh[351]: Private device management: fsck.ext4 of /dev/xvdb succeeded
Apr 06 02:09:45 localhost kernel: xvdc: xvdc1
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext3 due to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext2 due to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): mounted filesystem with ordered data mode. Opts: (null)
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvdd): mounting ext3 file system using the ext4 subsystem
Apr 06 02:09:45 localhost kernel: dmi-sysfs: dmi entry is absent.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Started Serial Getty on hvc0.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Reached target Login Prompts.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG network certificate management daemon.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Chris Laprise
> Thanks Chris...again thank you for the effort! This tool is great...
>
> Does it matter that Private internet access provides 3 seperate files (key, cert and client config)?
or the config won't work.
>
> I have the proxy AppVM set up with "provides network"(proxy) checked, I have tried a setup in proxy only and a setup in Template/Proxy, PVH(tried PV...similar to 3.2)...I don't think it is the setup as much as the configuration of the template?
>
> I installed GNOME and Openvpn (Using those names specifically) in Debian, no additional packages installed in stock fedora...
>
> I feel like I am missing a very basic command or tweak, whonix works, wireless works, sys-firewall works...any help would be appreciated. It seems something releated to PIA VPN configuration or VPN-handler-openvpn
service fails initially then restarts 10sec later because the firewall
rules take time to set up. It works fine this way. If you want to avoid
the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
just before the first systemctl command; it will start quicker.
> Here are my logs/commands from your suggestions:
>
>
> root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
> total 0
> lrwxrwxrwx 1 root root 38 Apr 5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict
>
>
> root@sys-VPNb5:/home/user# iptables -v -L FORWARD
look garbled. Can you capture the following and attach it to a reply in
tar format..?
sudo journalctl -u qubes-vpn-handler >qvpn.log
tar -czf qvpnlog.tgz qvpn.log
qvm-copy qvpnlog.tgz
vel...@tutamail.com
I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder.
Totally willing to try to "avoid
the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?
I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/
I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
Thanks again for the help...
Chris Laprise
> I pulled the logs, looked thru them, I didn't see any personal information. Seemed OK to past on the forum but sent them to you directly just in case...feel free to post any info for the greater good of the community. Thank you again for the help...
>
> I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder.
easier.
>
> Totally willing to try to "avoid
> the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
> just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?
> I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/
> I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
>
> Thanks again for the help...
"AUTH: Received control message: AUTH_FAILED"
This could mean the user/password weren't entered correctly. You can see
how its stored by issuing this command:
sudo cat /rw/config/vpn/userpassword.txt
To fix it you can edit that file, or run the --config step again from
the instructions.
vel...@tutamail.com
> > I pulled the logs, looked thru them, I didn't see any personal information. Seemed OK to past on the forum but sent them to you directly just in case...feel free to post any info for the greater good of the community. Thank you again for the help...
> >
> > I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder.
>
> Just FYI, putting all the configs (instead of selecting them) in /vpn is
> easier.
Thanks for that...I'll try that!
> > Totally willing to try to "avoid
> > the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
> > just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?
>
> The command is just "sleep 2s".
If I am launching a VM from the GUI when would I put "sleep 2s" into the terminal? I am learning but not there yet...
> > I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/
> > I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
> >
> > Thanks again for the help...
>
> Got your log... I think the real culprit shows up here:
>
> "AUTH: Received control message: AUTH_FAILED"
>
> This could mean the user/password weren't entered correctly. You can see
> how its stored by issuing this command:
>
> sudo cat /rw/config/vpn/userpassword.txt
>
> To fix it you can edit that file, or run the --config step again from
> the instructions.
Thanks for that tip...the password is good. Tested it with another application and it is correct and working. The VPN proxy also had the correct password.
What else could this be?
What I know:
* This worked with 3.2 in Fedora but I experienced the same error with Debian in 3.2
* This worked for a brief moment in 4.0(fedora), had saved the beta file and was using that when it worked. I lost that older github/tasket file, I downloaded the 4.0 file and have not got it working again.
* I get the "Ready to start link" but then no connection
* This is new infromation but I can connect to my phone wireless but when I try another AP it can't connect. I am not sure this is relevant but in my network connection I get the following messages:
Ethernet Network (vif6.0)
Device not managed............my connection works
Ethernet Network (vif.20)
Device not managed............my connection DOES NOT work
Tasket my gut tells me I have something else missing, if you can get it to work, I am getting a ready to connect message, I had it working. Would a BIO setting have an impact?
When I boot I get this error:
ERROR parsing PCC subspaces from PCCT
[Failed] Failed to start Load Kernel Modules
- Followed by [OK] started Apply Kernel Variable/[OK] Started Setup Virtual Console
The struggle I am having is a lack of knowledge about how to trouble shoot this although you have taught me a lot Tasket thank you.
Any other thoughts?
I don't want to go back to 3.2 but with out a VPN/kill switch I don't see I have a choice.
Chris Laprise
>>> Totally willing to try to "avoid
>>> the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
>>> just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?
>>
>> The command is just "sleep 2s".
>
> If I am launching a VM from the GUI when would I put "sleep 2s" into the terminal? I am learning but not there yet...
>
>>> I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/
>>> I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
>>>
>>> Thanks again for the help...
>>
>> Got your log... I think the real culprit shows up here:
>>
>> "AUTH: Received control message: AUTH_FAILED"
>>
>> This could mean the user/password weren't entered correctly. You can see
>> how its stored by issuing this command:
>>
>> sudo cat /rw/config/vpn/userpassword.txt
>>
>> To fix it you can edit that file, or run the --config step again from
>> the instructions.
>
> Thanks for that tip...the password is good. Tested it with another application and it is correct and working. The VPN proxy also had the correct password.
>
> What else could this be?
username or password. You could try running the --config step again to
re-enter them.
You could also try checking that /tmp/userpassword.txt has the login
info as well...
sudo cat /tmp/userpassword.txt
If it doesn't have the info then there is something wrong with the
startup script.
vel...@tutamail.com
Is Qubes4 still the file to use?
Great work and thanks again.
V
I followed these specific directions (kinda of a hybrid between terminal and GUI...inline with your instructions on github):
Create new appvm Qube:
For Debian proxy, add OpenVPN package to your VPN template:
su
apt-get update && apt-get install openvpn unzip
Create proxy using VPN template:
sys-VPN
Green
Provides Network Checked
connect to sys-net
Launch settings - Checked
Settings:
Add files and Terminal to Applications
Initial memmory = 500mb
Max memory = 4500
Add “vpn-handler-openvpn” to services
Open a terminal and file manager in new proxy appVM:
cd “Then drag qubes4 file into terminal from tasket/github”
sudo bash ./install
Enter VPN name and password
Close terminal
Reopen terminal
Transfer Tasket/Qubes4 file and PIA config files into your new VPN AppVM:
Change your PIA config file to “openvpn-client” and add DNS if wanting to use a DNS service other then PIA
setenv vpn_dns 'IP of DNS provider'
Move PIA files by running this command:
sudo mv “Then highlight the .pem, .crt and config file (renamed to “openvpn-client.ovpn) and drag them into the terminal” /rw/config/vpn
Final terminal commands to create .conf file:
cd /rw/config/vpn
sudo ln -s openvpn-client.ovpn vpn-client.conf
Restart VM!!! Wait for “Ready to Connect” and “Link is UP”
vel...@tutamail.com
Create proxy using VPN template:
sys-VPN
Green
Provides Network Checked
connect to sys-net
Launch settings - Checked
Settings:
Add files and Terminal to Applications
Initial memmory = 500mb
Max memory = 4500
Add “vpn-handler-openvpn” to services
Open a terminal and file manager in new proxy appVM:
cd “Then drag qubes4 file into terminal from tasket/github”
sudo bash ./install
Enter VPN name and password
Close terminal
Reopen terminal
john
https://github.com/tasket/Qubes-vpn-support
I have 3 geolocations, but setup is somewhat time consuming, for more,
be nice if this was stable, Seems like it does say "beta"
Chris Laprise
change from qubes4 is just code streamlining. The qubes4 branch is no
longer used.
It should work fine in Qubes 4.0.
vel...@tutamail.com
I tried the Master and it didn't work, following your guidleines(and trying mine above). The Qubes4.0 version does work...
Using a Debian template, setup entirely in a AppVM, using 4.0, I follow the instructions on Github: https://github.com/tasket/Qubes-vpn-support.
After step 2 in your instructions, I am not prompted for username and password.
I have tried running:
sudo /usr/lib/qubes/qubes-vpn-setup --config
after step 2 with out shutting down. No luck...
When I shutdown and restart the proxy I am prompted for username and password in a terminal that doesn't allow me to copy username and password(I didn't try manually entering username/password). I close this terminal try running again:
sudo /usr/lib/qubes/qubes-vpn-setup --config
I tried changing the order of my steps with no luck....I think it connected 1 time but have not been able to reproduce.
Qubes4 works fine as a proxy...is qubes4.0 OK? Seems to work great...
Chris Laprise
> sudo /usr/lib/qubes/qubes-vpn-setup --config
>
> I tried changing the order of my steps with no luck....I think it connected 1 time but have not been able to reproduce.
The correct step to update with the new prerelease is simply:
cd Qubes-vpn-support
sudo bash ./install
socks
On 04/09/2018 03:25 AM, john wrote:
Is this utility available in 4.0 now? Or how would I obtain it ?
https://github.com/tasket/Qubes-vpn-support
I have 3 geolocations, but setup is somewhat time consuming, for more, be nice if this was stable, Seems like it does say "beta"
The latest (beta3) was just updated in the main 'master' branch... main change from qubes4 is just code streamlining. The qubes4 branch is no longer used.
It should work fine in Qubes 4.0.
forgive me but I don't understand step #2 in Q4.0 :
--
-
Transfer Qubes-vpn-support folder to the template or proxy VM of your choice, then run install. This will also prompt for your VPN login credentials either in this step (proxyVM) or next step (template):
-
cd Qubes-vpn-support sudo bash ./install
--
I see no dir Qubes-vpn-support anywhere, "transfer" ? mv it
from where to where ; if it were in dom0 my understand is files
don't moved out of dom0
further, on step 1 ; the way the AppVM(proxyVMs) seem now one no longer see's choices, though I got that far :)
Chris Laprise
> On 04/09/2018 03:28 AM, Chris Laprise wrote:
>> On 04/09/2018 03:25 AM, john wrote:
>>> Is this utility available in 4.0 now? Or how would I obtain it ?
>>>
>>> https://github.com/tasket/Qubes-vpn-support
>>>
>>>
>>> I have 3 geolocations, but setup is somewhat time consuming, for
>>> more, be nice if this was stable, Seems like it does say "beta"
>>>
>>
>> The latest (beta3) was just updated in the main 'master' branch...
>> main change from qubes4 is just code streamlining. The qubes4 branch
>> is no longer used.
>>
>> It should work fine in Qubes 4.0.
>>
> forgive me but I don't understand step #2 in Q4.0 :
>
>
> --
>
> Transfer Qubes-vpn-support folder to the template or proxy VM of
> your choice, then run install. This will also prompt for your VPN
> login credentials either in this step (proxyVM) or next step (template):
>
> |cd Qubes-vpn-support sudo bash ./install |
>
> --
>
>
> I see no dir Qubes-vpn-support anywhere, "transfer" ? mv it from
> where to where ; if it were in dom0 my understand is files don't moved
> out of dom0
somehow. You could download it with a browser in another VM and then
copy it to the proxyVM, or you could download it direct to the proxyVM:
wget https://github.com/tasket/Qubes-vpn-support/archive/master.zip
unzip master.zip
cicero
looks like
sudo wget foo
unzip foo
cd Qubes-vpn-support-master
sudo chmod u+x install
./install
just checking :)
cicero
in Q4 AppVM with netvm sys-firewall & vpn-handler-openvpn in services
No appropriate VM type; Exiting
:)
Chris Laprise
installer to see it as a proxyVM. It will not install into a plain appVM.
john
> On 04/09/2018 06:11 PM, cicero wrote:
>> chmod a+x; sudo bash ./install
>> in Q4 AppVM with netvm sys-firewall & vpn-handler-openvpn in services
>>
>> No appropriate VM type; Exiting
>>
>> :)
>>
>
> You will need to create the VM with "provides network" in order for the
> installer to see it as a proxyVM. It will not install into a plain appVM.
>
vel...@tutamail.com
Below are my abreviated steps:
Using Master File from Tasket
Create proxy using VPN template:
sys-VPN
Green
Provides Network Checked
connect to sys-net
Launch settings - Checked
Settings:
Add files and Terminal to Applications
Optional-Change DNS in your PIA config: setenv vpn_dns '208.67.222.222 208.67.220.220'
sudo mkdir /rw/config/vpn
sudo mv “highlight all 3 vpn files and drag to terminal here” /rw/config/vpn
cd “Then drag master4 file into terminal from tasket”
sudo bash ./install
Close terminal, open new terminal:
cd /rw/config/vpn
sudo ln -s this_vpn.ovpn vpn-client.conf
Restart new proxy vm
Tasket...I needed to create the "/rw/config/vpn" file first, add my PIA files before I could get the Tasket file to "link".
Thanks again for this solution...is there an ETA when this will be built into 4.0/4.1?
Chris Laprise
> Thanks again for this solution...is there an ETA when this will be built into 4.0/4.1?
>
People can start testing it now by downloading it from:
https://github.com/tasket/qubes-tunnel
And you can get instructions here:
https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md
This is intended for installation into templates... there is no option
for proxyVM only install.