3.2 thread:
https://groups.google.com/forum/#!topic/qubes-users/FUQaRPWXPj8
I have been trying this for a few days but admit I am stumped...
How do I troubleshoot and get this up?
Notes:
I am trying to use Debian 9 for this
I was experiencing similar issues with Fedora (I didn't capture the logs)
I get a message that my VPN VM is "Ready to start link"
I have tried using the 4.0 VPN file and the Master file (similar results)
When I run "Su journalctl" on my VPN-VM I find these errors:
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Reached target Network is Online.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting keep memory of all UPnP devices that announced themselves...
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting /etc/rc.local Compatibility...
Apr 05 10:15:12 sys-VPNb5 qrexec-agent[560]: executed user:QUBESRPC qubes.SetMonitorLayout dom0 pid 649
Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 05 10:15:12 sys-VPNb5 qubes-vpn-setup[636]: Error: Firewall rule(s) not enabled!
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Starting Permit User Sessions...
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
Apr 05 10:15:12 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 05 10:15:12 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 05 10:15:12 sys-VPNb5 su[633]: Successful su for user by root
Apr 05 10:15:12 sys-VPNb5 su[633]: + ??? root:user
Apr 05 10:15:12 sys-VPNb5 qrexec-agent[649]: pam_unix(qrexec:session): session opened for user user by (uid=0)
Is there anybody who can help?
Does it matter that Private Internet Access provides 3 separate files (key, cert and client config)?
I have the proxy AppVM set up with "provides network" (proxy) checked, I have tried a setup in proxy only and a setup in Template/Proxy, PVH (tried PV...similar to 3.2)...I don't think it is the setup as much as the configuration of the template?
I installed GNOME and Openvpn (using those names specifically) in Debian, no additional packages installed in stock Fedora...
I feel like I am missing a very basic command or tweak, whonix works, wireless works, sys-firewall works...any help would be appreciated. It seems something related to PIA VPN configuration or VPN-handler-openvpn
Here are my logs/commands from your suggestions:
root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
total 0
lrwxrwxrwx 1 root root 38 Apr 5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict
root@sys-VPNb5:/home/user# iptables -v -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 any anywhere anywhere
0 0 DROP all -- any eth0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 QBS-FORWARD all -- any any anywhere anywhere
0 0 DROP all -- vif+ vif+ anywhere anywhere
0 0 ACCEPT all -- vif+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
I copied errors when I run journalctl:
Apr 06 02:09:52 sys-VPNb5 gnome-terminal-[966]: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degra
Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 06 02:09:46 localhost systemd[1]: Started Adjust root filesystem size.
Apr 06 02:09:46 localhost kernel: Error: Driver 'pcspkr' is already registered, aborting...
Apr 06 02:09:46 localhost mount-dirs.sh[351]: Private device management: fsck.ext4 of /dev/xvdb succeeded
Apr 06 02:09:45 localhost kernel: xvdc: xvdc1
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext3 due to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext2 due to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): mounted filesystem with ordered data mode. Opts: (null)
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvdd): mounting ext3 file system using the ext4 subsystem
Apr 06 02:09:45 localhost kernel: dmi-sysfs: dmi entry is absent.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Started Serial Getty on hvc0.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Reached target Login Prompts.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG network certificate management daemon.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder.
Totally willing to try to "avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?
I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/
I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
Thanks again for the help...
Thanks for that...I'll try that!
> > Totally willing to try to "avoid
> > the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
> > just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this?
>
> The command is just "sleep 2s".
If I am launching a VM from the GUI when would I put "sleep 2s" into the terminal? I am learning but not there yet...
> > I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/
> > I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder.
> >
> > Thanks again for the help...
>
> Got your log... I think the real culprit shows up here:
>
> "AUTH: Received control message: AUTH_FAILED"
>
> This could mean the user/password weren't entered correctly. You can see
> how it's stored by issuing this command:
>
> sudo cat /rw/config/vpn/userpassword.txt
>
> To fix it you can edit that file, or run the --config step again from
> the instructions.
Thanks for that tip...the password is good. Tested it with another application and it is correct and working. The VPN proxy also had the correct password.
What else could this be?
What I know:
* This worked with 3.2 in Fedora but I experienced the same error with Debian in 3.2
* This worked for a brief moment in 4.0(fedora), had saved the beta file and was using that when it worked. I lost that older github/tasket file, I downloaded the 4.0 file and have not got it working again.
* I get the "Ready to start link" but then no connection
* This is new information but I can connect to my phone wireless but when I try another AP it can't connect. I am not sure this is relevant but in my network connection I get the following messages:
Ethernet Network (vif6.0)
Device not managed............my connection works
Ethernet Network (vif.20)
Device not managed............my connection DOES NOT work
Tasket, my gut tells me I have something else missing, if you can get it to work, I am getting a ready to connect message, I had it working. Would a BIOS setting have an impact?
When I boot I get this error:
ERROR parsing PCC subspaces from PCCT
[Failed] Failed to start Load Kernel Modules
- Followed by [OK] started Apply Kernel Variable/[OK] Started Setup Virtual Console
The struggle I am having is a lack of knowledge about how to troubleshoot this, although you have taught me a lot, Tasket, thank you.
Any other thoughts?
I don't want to go back to 3.2 but without a VPN/kill switch I don't see I have a choice.
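Added example, not part of the thread or of the Qubes-vpn-support code: a way to inspect how the credentials in /rw/config/vpn/userpassword.txt are stored without printing the password to the terminal, as an alternative to the "sudo cat" suggested in the quoted reply. It assumes the file uses the two-line layout read by OpenVPN's auth-user-pass option (username on line 1, password on line 2); the function name check_authfile is hypothetical.

```sh
#!/bin/sh
# Added example: report structural problems in an OpenVPN-style credentials
# file without echoing its contents.
# Assumption: username on line 1, password on line 2 (auth-user-pass layout).
# Usage (as root in the VPN VM): check_authfile /rw/config/vpn/userpassword.txt
# Return value: 0 if nothing was flagged, otherwise the number of findings
# (100 if the file cannot be read).

check_authfile() (
    f="$1"
    problems=0
    [ -r "$f" ] || { echo "cannot read: $f"; return 100; }

    # Count non-empty lines; extra lines usually mean a bad paste.
    n=$(grep -c . "$f" || true)
    if [ "$n" -ne 2 ]; then
        echo "expected 2 non-empty lines (username, password), found $n"
        problems=$((problems + 1))
    fi

    # Carriage returns show the file was written with CRLF line endings.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then
        echo "carriage returns present (CRLF line endings)"
        problems=$((problems + 1))
    fi

    # Leading or trailing blanks are easy to pick up when copying from a web page.
    if grep -qE '^[[:blank:]]|[[:blank:]]$' "$f"; then
        echo "leading or trailing spaces/tabs on a line"
        problems=$((problems + 1))
    fi

    # The file holds a secret: flag any group/other permission bits.
    mode=$(stat -c %a "$f")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode lets group/others access the file (chmod 600 suggested)"
        problems=$((problems + 1))
    fi

    return "$problems"
)
```

A return value of 0 only means the file is well-formed; it says nothing about whether the VPN provider accepts the credentials.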
Using a Debian template, setup entirely in a AppVM, using 4.0, I follow the instructions on Github: https://github.com/tasket/Qubes-vpn-support.
After step 2 in your instructions, I am not prompted for username and password.
I have tried running:
sudo /usr/lib/qubes/qubes-vpn-setup --config
after step 2 without shutting down. No luck...
When I shut down and restart the proxy I am prompted for username and password in a terminal that doesn't allow me to copy username and password (I didn't try manually entering username/password). I close this terminal and try running again:
sudo /usr/lib/qubes/qubes-vpn-setup --config
I tried changing the order of my steps with no luck....I think it connected 1 time but have not been able to reproduce.
Qubes4 works fine as a proxy...is qubes4.0 OK? Seems to work great...
On 04/09/2018 03:25 AM, john wrote:
Is this utility available in 4.0 now? Or how would I obtain it ?
https://github.com/tasket/Qubes-vpn-support
I have 3 geolocations, but setup is somewhat time consuming, for more, be nice if this was stable, Seems like it does say "beta"
The latest (beta3) was just updated in the main 'master' branch... main change from qubes4 is just code streamlining. The qubes4 branch is no longer used.
It should work fine in Qubes 4.0.
forgive me but I don't understand step #2 in Q4.0 :
--
Transfer Qubes-vpn-support folder to the template or proxy VM of your choice, then run install. This will also prompt for your VPN login credentials either in this step (proxyVM) or next step (template):
cd Qubes-vpn-support
sudo bash ./install
--
I see no dir Qubes-vpn-support anywhere, "transfer"? mv it from where to where; if it were in dom0 my understanding is files don't move out of dom0
further, on step 1; the way the AppVM (proxyVMs) seem now one no longer sees choices, though I got that far :)