On 05/14/2018 06:23 PM, Evastar wrote:
>> It's important to know how you set up the VPN VM. If you used the Qubes
>> doc, that config can have problems recovering from a disconnected link.
>> If you used a recent version of Qubes-vpn-support or qubes-tunnel,
>> restarting the service is simple:
>> sudo systemctl restart qubes-vpn-handler
>> or
>> sudo systemctl restart qubes-tunnel
>
> Thanks for your quick answer. I use my own VPN setup based not on openvpn but on ethervpn. This qube comes from 3.2, and I use the same old code, which I wrote based on the old openvpn code. This code adds routes on startup, then iptables rules for DNS and some other rules to prevent traffic leaks, the same as the UP handler from qubes-doc does.
>
> There is no "recovering setup". How do I add this?
>
> Do I need to delete the rules added by this, then execute this again? Is that recovery?
> iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
> iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
>
> I re-checked the qubes vpn doc. It's almost the same, but with no up/down handler. I set up the rules in rc.local. On 3.2 I did not have this problem. When my VPN lost connection, it always worked after my VPN client reconnected.
>
Posting back to qubes-users...
Probably there is someone who is familiar with ethervpn who can better
help you.
My advice is to monitor the ethervpn log for warnings/errors when the
blockage occurs. Then perhaps a simpler solution will become clear.
If you are using the same firewall rules as the Qubes doc, try
commenting out the parts for 'OUTPUT'.
As for the DNAT rules, delete & re-add should only be necessary if the
DNS server changes. Also, when blockage occurs you can try pinging a
known IP address (not domain name) from an appVM; if it doesn't work
then DNAT is probably not the issue.
Finally, if you find the solution involves restarting the ethervpn
client, you may want to run it with 'systemd-run --unit' to give you
better control over the process. You could even try running it with
qubes-tunnel using a drop-in file for the service (see 00_example.conf
and manpages for systemd.unit "overriding vendor settings").
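A script for the delete-and-re-add step discussed above, added here as an example and not code from the thread or the Qubes project. It assumes the PR-QBS nat chain and vif+ interface names from the rules quoted above, and takes the new DNS address as an argument; `refresh_dns_dnat_cmds` only emits commands when the target actually changed, matching the advice that a delete/re-add is needed only when the DNS server changes, so it is safe to call from a reconnect hook:

```shell
#!/bin/sh
# Refresh the Qubes DNS DNAT rules when the VPN's DNS server changes.
# Added example for this thread (not Qubes project code). Assumes the
# PR-QBS nat chain and vif+ interface names used in the quoted rules.

# Read `iptables -t nat -S PR-QBS` output on stdin; print `iptables -t nat -D`
# commands that remove every port-53 DNAT rule on vif+ (the ones a VPN
# startup script added). `|| true` keeps "no match" from being an error.
dnat_delete_cmds() {
    grep -- '^-A PR-QBS .*-i vif+ .*--dport 53 .*-j DNAT' \
        | sed 's/^-A /iptables -t nat -D /' || true
}

# Print the two add commands for DNS address $1 (udp and tcp port 53).
dnat_add_cmds() {
    addr="$1"
    printf 'iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination %s\n' "$addr"
    printf 'iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to-destination %s\n' "$addr"
}

# From a -S listing on stdin, print the address the existing port-53 DNAT
# rules point at (first rule wins); print nothing if there is none.
current_dnat_target() {
    grep -- '^-A PR-QBS .*--dport 53 .*-j DNAT --to-destination ' \
        | sed -n 's/.*--to-destination \([^ ]*\).*/\1/p' | head -n 1 || true
}

# Build the command list for switching DNS to $1, given the current -S
# listing on stdin. Emits nothing when the rules already point at $1.
refresh_dns_dnat_cmds() {
    addr="$1"
    listing=$(cat)
    cur=$(printf '%s\n' "$listing" | current_dnat_target)
    if [ "$cur" = "$addr" ]; then
        return 0
    fi
    printf '%s\n' "$listing" | dnat_delete_cmds
    dnat_add_cmds "$addr"
}

# Live variant for the VPN VM (needs root): read the real chain, run the
# generated commands, stop at the first iptables failure.
apply_dns_dnat() {
    iptables -t nat -S PR-QBS | refresh_dns_dnat_cmds "$1" | sh -e
}

# Usage from a reconnect/up hook, with the DNS address the VPN handed out:
#   apply_dns_dnat "$vpn_dns"
# Dry run against a constructed listing (no root needed):
#   printf '%s\n' '-N PR-QBS' | refresh_dns_dnat_cmds 10.8.0.1
```

Keeping the command generation separate from the live apply step lets you inspect what would change (pipe the `-S` output through `refresh_dns_dnat_cmds` and read the result) before anything touches the nat table, which is handy when chasing a post-reconnect blockage like the one in this thread.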