Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)


gaikokuji...@gmail.com

Jun 16, 2016, 6:33:48 PM
to qubes-users
I started trying to create a VPN VM following the https://www.qubes-os.org/doc/vpn/ page. I checked if openvpn was installed, and it was (using Fedora, and using the "firewall" option for "allow networking", which is not mentioned in the VPN page). There was not a /rw/config/openvpn dir so I tried making one, then went through the rest of the instructions. I double checked what I did against the instructions and am fairly sure I followed them correctly.

I tried setting my now "VPN" vm as the netvm, shutdown both then restarted vpn vm then the modified-to-use-vpn vm appvm and tried connecting to the internet, nada.

I did go to the Fedora "establishing a VPN Connection" page but intimidating is a bit of an understatement.

How can I go about diagnosing what is not working?

gaikokuji...@gmail.com

Jun 19, 2016, 10:13:10 PM
to qubes-users, gaikokuji...@gmail.com

I worked on this a bit more. Waded through the Fedora establishing a VPN connection page, rather confusing, but I opened a Network settings window for my VPN VM and added a VPN by importing an openvpn config file via the VPN add a network connection's "import from file" option (and it seemed to import fine).

Now I am not entirely sure what I have. I of course did everything outlined in the Qubes VPN page. I now have two network connection icons, one for my wifi and another showing the VPN VM's eth? The problem is the VPN VM ethernet connection doesn't seem to be connected. When I go to network via *settings* it now shows me three connections: Wired, the VPN I set up, and Network Proxy.

When I go via *Network Connections* it now shows me under Ethernet "VM uplink eth0" and under VPN "VPN Provider" (the provider whose openvpn config I imported). It shows the ethernet as having been used within the last few minutes but the VPN as never having been used.

On the Fedora page it mentions setting an autoconnect option (automatically connect to VPN when using this connection), which I thought applied to the VPN, but as I couldn't find it on the VPN connection and could on the eth0 connection I tried setting the autoconnect there (and selected the VPN connection from the pull-down menu); but while I can select it, it does not stay selected if I restart the VPN VM.

Now I am not able to connect to the internet on the VPN VM and def not from another AppVM trying to use the VPN as a proxy.

I am just not sure where I have gone wrong here. Where would I look for a log to start trying to figure out the issue? (I saw a "run in debug mode" under VM settings... might that be a place to start?)

Thanks!

Chris Laprise

Jun 20, 2016, 5:19:27 AM
to gaikokuji...@gmail.com, qubes-users
Hi again...

You should create a separate proxy vm for each type of vpn configuration
you're trying, otherwise they will interfere with each other.

To get the openvpn + firewall method working, first try running openvpn
manually with 'sudo openvpn [...]' before adding any scripts. Omit the
--daemon option so it will display information you can use to
troubleshoot the link.

Once you have the link working, you can try adding script lines to your
.ovpn file and the qubes-vpn-handler, then test manually again. Finally,
add the qubes-firewall-user-script and reboot the vm, then test again.
Keep in mind that once you add the firewall it will block openvpn unless
the latter is run under group 'qvpn' so you would type the following:
sudo groupadd -rf qvpn
sudo sg qvpn -c 'openvpn [...]'

NM connection... Try it in a fresh vm. The vpn autoconnect might not
work, however. The last time I tried to use it, NM behaved erratically
(and did not have appropriate firewall protections anyway).

Chris

gaikokuji...@gmail.com

Jun 22, 2016, 1:48:33 PM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Thanks I will try that out.

gaikokuji...@gmail.com

Jul 3, 2016, 9:14:02 PM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Some things came up so I hadn't gotten around to trying it out until now.

I created a new VM, VpnVM, and ran

openvpn openvpn.ovpn

and yeah! it connected and I opened firefox from VpnVM, and it was using the vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also showed up as using the VPN so first hurdle cleared?

Lots more hurdles though as my understanding of it all drops off precipitously.

I modified the /rw/config/openvpn/openvpn-client.ovpn file with the

script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'

lines

and I created the qubes-vpn-handler.sh and changed permissions.

I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn

and no go. I get errors:

Options error: --ca fails with ca.crt: No such file or directory
Options error: --crl-verify failes crl.prm: no such file or dir
Options error: please correct these errors

I didn't get these errors before I added the qubes-vpn-handler.sh

thoughts?

Chris Laprise

Jul 3, 2016, 9:56:15 PM
to gaikokuji...@gmail.com, qubes-users
Yes.

> Lots more hurdles though as my understanding of it all drops off precipitously.
>
> I modified the /rw/config/openvpn/openvpn-client.ovpn file with the
>
> script-security 2
> up 'qubes-vpn-handler.sh up'
> down 'qubes-vpn-handler.sh down'
>
> lines
>
> and I created the qubes-vpn-handler.sh and changed permissions.
>
> I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn
>
> and no go. I get errors:
>
> Options error: --ca fails with ca.crt: No such file or directory
> Options error: --crl-verify failes crl.prm: no such file or dir
> Options error: please correct these errors
>
> I didn't get these errors before I added the qubes-vpn-handler.sh
>
> thoughts?

It looks like you switched to the example ovpn config from
https://github.com/ttasket/Qubes-vpn-support

I'd recommend you use your original working ovpn and just add the 3
script lines to that.

Chris

gaikokuji...@gmail.com

Jul 3, 2016, 10:10:20 PM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Actually I am using the ovpn that the vpn provider gives, and am just adding the 3 lines that step "2. Set up OpenVPN." of https://www.qubes-os.org/doc/vpn/ page suggest to the ovpn config file that the vpn provider gave.

That file seems to work until I modify it with the 3 lines. While I don't understand the script I would assume there is something in the handler script that my setup doesn't like as the 3 lines are just invoking the qubes-vpn-handler.sh right?

Chris Laprise

Jul 3, 2016, 11:32:53 PM
to gaikokuji...@gmail.com, qubes-users
Above, you switched from 'openvpn.ovpn' to...
'/rw/config/openvpn/openvpn-client.ovpn' so make sure they are the same.

Changing the location of the files or your current directory while
omitting the '--cd' directive would cause the errors. Try starting it
with 'openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn'.

Chris

gaikokuji...@gmail.com

Jul 4, 2016, 11:33:31 AM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Ah sorry. Thanks. I guess some of my lazy shorthand confused things. I can promise though I have been going off the https://www.qubes-os.org/doc/vpn/ doc, wasn't actually aware of the github one.

When I try to execute it what dir should I be doing this from? I tried the line you suggested

openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn

but got the same options errors as before (just for the heck of it I tried from my home dir and from the /rw/config/openvpn dir)

Chris Laprise

Jul 4, 2016, 11:51:26 AM
to gaikokuji...@gmail.com, qubes-users
My bad, I should have said 'sudo openvpn --cd /rw/config/openvpn/
--config openvpn-client.ovpn'. You want to run it with 'sudo'.

It shouldn't matter where you start openvpn from as long as you use '--cd'.

Also, verify that the two 'missing' files are in the /rw/config/openvpn
dir. Do an 'ls -l' there to check they are owned by root.

Chris

gaikokuji...@gmail.com

Jul 4, 2016, 8:42:17 PM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

No worries, honestly I should have thought of the sudo myself.

Well, running it with sudo and it went swimmingly, it connected so that is good, another hurdle cleared.

I am now back to one of your earlier posts in this thread, regarding the qubes-firewall-user-script.

I have to admit that I am not totally clear on needing to run the groupadd (it seems to be run in the firewall script?) but I ran it (and it shows up in /etc/group so I guess that's good?) but then on the next line:

sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn

I get an error saying:
Options error: In [CMD-LINE]:1: Error opening configuration file:openvn-client.ovpn

I don't understand groups and ids very well so am not sure where the breakdown is here, perhaps I need to set something regarding the openvpn-client.ovpn file?

Eva Star

Jul 5, 2016, 2:49:58 AM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

> No worries, honestly I should have thought of the sudo myself.
>
> Well, running it with sudo and it went swimmingly, it connected so that is good, another hurdle cleared.
>
> I am now back to one of your earlier posts in this thread, regarding the qubes-firewall-user-script.
>
> I have to admit that I am not totally clear on needing to run the groupadd (it seems to be run in the firewall script?) but I ran it (and it shows up in /etc/group so I guess thats good?) but then on the next line:
>
> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
>
> I get an error saying:
> Options error: In [CMD-LINE]:1: Error opening configuration file:openvn-client.ovpn
>
> I don't understand groups and ids very well so am not sure where there breakdown is here, perhaps I need to set something regarding the openvpn-client.ovpn file?

1) You stored your openvpn.config at the wrong place
2) rewrite it and use full path to certificates:

ca /rw/config/openvpn/ca.key 
ta  /rw/config/openvpn/ta.key 
(choose correct locations)
etc.

instead of 

ca ca.key
ta ta.key

and start the openvpn with sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config /full/path/to/openvpndir/maybe/rw/config/openvpn-client.ovpn

this will solve all your problems

Chris Laprise

Jul 5, 2016, 5:52:08 AM
to gaikokuji...@gmail.com, qubes-users
On 07/04/2016 08:42 PM, gaikokuji...@gmail.com wrote:
>
> No worries, honestly I should have thought of the sudo myself.
>
> Well, running it with sudo and it went swimmingly, it connected so that is good, another hurdle cleared.
>
> I am now back to one of your earlier posts in this thread, regarding the qubes-firewall-user-script.
>
> I have to admit that I am not totally clear on needing to run the groupadd (it seems to be run in the firewall script?) but I ran it (and it shows up in /etc/group so I guess thats good?) but then on the next line:
>
> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
>
> I get an error saying:
> Options error: In [CMD-LINE]:1: Error opening configuration file:openvn-client.ovpn
>
> I don't understand groups and ids very well so am not sure where there breakdown is here, perhaps I need to set something regarding the openvpn-client.ovpn file?

Error message indicates that the filename has a typo:
'openvn-client.ovpn' should be 'openvpn-client.ovpn'.

File ids will be OK if you created them with sudo. Running groupadd
multiple times with 'f' option is fine, too.

Chris

gaikokuji...@gmail.com

Jul 5, 2016, 10:17:40 AM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Thanks Chris & Eva.

I rechecked what I typed (that time I was reading the error on one computer and typing it into another; I am logged in on the same computer now so am c/p'ing outputs) and I actually had typed it correctly.

I also tried adding the full paths to the openvpn-client.ovpn files as suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, assuming that's ok?). As for my openvpn.config (openvpn-client.ovpn right?) being stored in the wrong place, I have it in /rw/config/openvpn/ should it be somewhere else?

Regardless, after double-checking what I typed, and adding the full path in as suggested, the below is what I got, this time a c/p :p

[user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config /rw/config/openvpn/openvpn-client.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: /rw/config/openvpn/openvpn-client.ovpn
Use --help for more information.
[user@VPN openvpn]$

thoughts?

Chris Laprise

Jul 5, 2016, 10:44:03 AM
to gaikokuji...@gmail.com, qubes-users
I have seen SELinux restrictions cause this error. But that shouldn't be
a concern if you're using a regular fedora 23 or debian 8 template. Did
you enable SELinux or Apparmor?

http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file

Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?

Chris

gaikokuji...@gmail.com

Jul 5, 2016, 11:03:39 AM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not enabled it, at least not intentionally (I haven't tinkered with anything related to it either). But as for output, absolutely! Here it is:

[user@VPN openvpn]$ ls -lZ /rw/config/openvpn
total 16
-rw-r--r-- 1 root root ? 1395 Jul 4 17:56 ca.crt
-rw-r--r-- 1 root root ? 577 Jul 4 17:56 crl.pem
-rw-r--r-- 1 user user ? 375 Jul 5 09:58 openvpn-client.opvn
-rwxr-xr-x 1 root root ? 1088 Jul 3 20:45 qubes-vpn-handler.sh
[user@VPN openvpn]$

Chris Laprise

Jul 5, 2016, 12:52:25 PM
to gaikokuji...@gmail.com, qubes-users
That shows the problem, I think. Change the ownership of the ovpn file
to root...
sudo chown root:root /rw/config/openvpn/openvpn-client.opvn

Chris

Marek Marczykowski-Górecki

Jul 5, 2016, 2:14:39 PM
to Chris Laprise, gaikokuji...@gmail.com, qubes-users
It shouldn't be a problem, as anyone can read the file anyway. And in
the above cmdline, openvpn is running as root, so that's just another hint
it isn't a permissions problem.

It's a typo in file name:
/rw/config/openvpn/openvpn-client.ovpn
/rw/config/openvpn/openvpn-client.opvn
^^


--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

gaikokuji...@gmail.com

Jul 5, 2016, 2:53:22 PM
to qubes-users, tas...@openmailbox.org, gaikokuji...@gmail.com
... omg.
I do usually type+TAB out commands as much as possible, so I guess most of the time when I was typing it out I was tabbing the rest out and it was "taking care of" my typo.

I am really sorry to have taken everyone's time on such a silly mistake.

gaikokuji...@gmail.com

Jul 5, 2016, 3:05:59 PM
to qubes-users, tas...@openmailbox.org, gaikokuji...@gmail.com
I renamed the file, and that seems to have gotten it, in that I am now prompted to login to the vpn but now I noticed that my VpnVM does not have network access?

I don't know at what point this happened but perhaps this is related to what Chris was talking about with the firewall blocking openvpn? (though I am not even able to ping things like google.com etc, vpn running or not). I did not change the NetVM, it is still sys-firewall if that matters?

Chris Laprise

Jul 6, 2016, 5:40:20 AM
to gaikokuji...@gmail.com, qubes-users
On 07/05/2016 03:05 PM, gaikokuji...@gmail.com wrote:
>
> I renamed the file, and that seems to have gotten it, in that I am now prompted to login to the vpn but now I noticed that my VpnVM does not have network access?
>
> I don't know at what point this happened but perhaps this is related to what Chris was talking about with the firewall blocking openvpn? (though I am not even able to ping things like google.com etc, vpn running or not). I did not change the NetVM, it is still sys-firewall if that matters?

You will probably need to put your username and password in an
/rw/config/openvpn/auth.txt file, then add 'auth-user-pass filename' to
your ovpn config. This will allow openvpn to connect without user input.

Connecting the vpn vm to either sys-firewall or sys-net is fine.

Once the qubes-firewall-user-script is running you can't ping or make
other connections from inside the vpn vm. You should connect an appvm to
the vpn vm and test from there.

BTW, I'll be submitting a revised doc that mentions when and where to
test the connection.

Chris
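
Every failure in the thread so far has been a file-layout problem rather than an openvpn problem: files referenced relative to the --cd directory, the ownership check Chris asked for, the .ovpn/.opvn typo Marek spotted, and now a credentials file that nothing but root should be able to read. The script below is an added example that checks all of those before openvpn is started; it is not code from the Qubes documentation or from qubes-vpn-support. The directory layout, the file names and the handler script name are assumptions taken from this thread, and the sample directory it builds for itself contains placeholder files, not real certificates or credentials.

```shell
#!/bin/sh
# Sanity checks for an openvpn client directory laid out as in this thread:
# /rw/config/openvpn holding an .ovpn, ca.crt, crl.pem, qubes-vpn-handler.sh
# and an auth-user-pass file. Added illustration, not Qubes or
# qubes-vpn-support code; every path and file name below is an assumption.

# List the files a config names through file-taking directives. openvpn
# resolves relative names against the --cd directory, which is why starting
# it from elsewhere without --cd yields "No such file or directory".
referenced_files() {
    awk '$1 ~ /^(ca|cert|key|crl-verify|tls-auth|auth-user-pass)$/ && NF >= 2 { print $2 }' "$1"
}

# check_vpn_dir DIR CONFIG EXPECTED_OWNER
# Prints one line per problem; returns 0 only when the directory is clean.
check_vpn_dir() {
    dir=$1; cfg=$2; want=$3; rc=0
    if [ ! -f "$dir/$cfg" ]; then
        echo "config not found: $dir/$cfg"
        # The thread's actual culprit: a transposed extension hidden by tab completion.
        for f in "$dir"/*.opvn; do
            [ -e "$f" ] && echo "  hint: $(basename "$f") exists - did you mean .ovpn?"
        done
        return 1
    fi
    for ref in $(referenced_files "$dir/$cfg"); do
        case $ref in
            /*) path=$ref ;;        # absolute: used as written
            *)  path=$dir/$ref ;;   # relative: resolved against --cd
        esac
        [ -f "$path" ] || { echo "missing file referenced by $cfg: $ref (looked at $path)"; rc=1; }
    done
    # openvpn runs as root; config, certs and handler should be owned by the
    # same account so the unprivileged 'user' account cannot rewrite them.
    for f in "$dir"/*; do
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        [ "$owner" = "$want" ] || { echo "unexpected owner $owner: $(basename "$f")"; rc=1; }
    done
    # The up/down handler must be executable or script-security 2 cannot run it.
    [ ! -e "$dir/qubes-vpn-handler.sh" ] || [ -x "$dir/qubes-vpn-handler.sh" ] \
        || { echo "qubes-vpn-handler.sh is not executable"; rc=1; }
    # The credentials file must not be world-readable (8th char of ls -l is "other read").
    for ref in $(awk '$1 == "auth-user-pass" { print $2 }' "$dir/$cfg"); do
        case $ref in /*) path=$ref ;; *) path=$dir/$ref ;; esac
        [ -f "$path" ] || continue
        case $(ls -ld "$path" | cut -c8) in
            r) echo "credentials file is world-readable: $ref"; rc=1 ;;
        esac
    done
    return $rc
}

# make_demo_dir MODE -> prints the path of a constructed sample directory.
# MODE is 'fixed', 'typo' (config saved as .opvn) or 'nocrl' (crl.pem absent).
make_demo_dir() {
    d=$(mktemp -d)
    name=openvpn-client.ovpn
    [ "$1" = typo ] && name=openvpn-client.opvn
    cat > "$d/$name" <<'EOF'
client
ca ca.crt
crl-verify crl.pem
auth-user-pass auth.txt
script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'
EOF
    echo 'PLACEHOLDER, not a certificate' > "$d/ca.crt"
    [ "$1" = nocrl ] || echo 'PLACEHOLDER, not a CRL' > "$d/crl.pem"
    printf 'vpn-username\nvpn-password\n' > "$d/auth.txt"     # constructed credentials
    chmod 600 "$d/auth.txt"
    printf '#!/bin/sh\nexit 0\n' > "$d/qubes-vpn-handler.sh"   # stand-in for the real handler
    chmod 755 "$d/qubes-vpn-handler.sh"
    echo "$d"
}

# Stand-alone use on a real VPN VM: the layout from the thread, root-owned.
if [ -d /rw/config/openvpn ]; then
    check_vpn_dir /rw/config/openvpn openvpn-client.ovpn root
fi
```

Run it inside the VPN VM before the `sudo openvpn --cd ... --config ...` attempt; a clean run prints nothing and exits 0. The check deliberately reads the config the way openvpn does (relative names against the --cd directory), so Eva's suggestion of absolute paths and Chris's `--cd` form are both accepted.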

gaikokuji...@gmail.com

Jul 6, 2016, 9:31:18 AM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Thanks for that auth part, quite handy. As for not being able to connect from inside the vpn, ok I guess except shouldn't the vpn at least be able to connect? when I try to start up the vpn (now with the handy auth automatically put in) I get this:

sudo openvpn --cd /rw/config/openvpn/ --config /rw/config/openvpn/openvpn-client.ovpn

Wed Jul 6 09:10:59 2016 RESOLVE: Cannot resolve host address: vpnXXXXprovider.org: No address associated with hostname
^CWed Jul 6 09:11:06 2016 RESOLVE: signal received during DNS resolution attempt
Wed Jul 6 09:11:06 2016 SIGINT[hard,init_instance] received, process exiting
[user@VPN openvpn]$

I tested the unmodified version of the ovpn (same vpn provider/server) in another VM and it worked fine, that is sudo openvpn --config vpnprovider.ovpn, but when I try to start it in the VpnVM I get the above?

I thought I'd try to connect another VM using the VpnVM even though I was getting errors in the VpnVM but alas, no go.

Chris Laprise

Jul 6, 2016, 9:50:10 AM
to gaikokuji...@gmail.com, qubes-users
On 07/06/2016 09:31 AM, gaikokuji...@gmail.com wrote:
> On Wednesday, July 6, 2016 at 5:40:20 AM UTC-4, Chris Laprise wrote:
>> On 07/05/2016 03:05 PM, gaikokuji...@gmail.com wrote:
>>> I renamed the file, and that seems to have gotten it, in that I am now prompted to login to the vpn but now I noticed that my VpnVM does not have network access?
>>>
>>> I don't know at what point this happened but perhaps this is related to what Chris was talking about with the firewall blocking openvpn? (though I am not even able to ping things like google.com etc, vpn running or not). I did not change the NetVM, it is still sys-firewall if that matters?
>> You will probably need to put your username and password in an
>> /rw/config/openvpn/auth.txt file, then add 'auth-user-pass filename' to
>> your ovpn config. This will allow openvpn to connect without user input.
>>
>> Connecting the vpn vm to either sys-firewall or sys-net is fine.
>>
>> Once the qubes-firewall-user-script is running you can't ping or make
>> other connections from inside the vpn vm. You should connect an appvm to
>> the vpn vm and test from there.
>>
>> BTW, I'll be submitting a revised doc that mentions when and where to
>> test the connection.
>>
>> Chris
> Thanks for that auth part, quite handy. As for not being able to connect from inside the vpn, ok I guess except shouldn't the vpn at least be able to connect? when I try to start up the vpn (now with the handy auth automatically put in) I get this:
>
> sudo openvpn --cd /rw/config/openvpn/ --config /rw/config/openvpn/openvpn-client.ovpn
> Wed Jul 6 09:10:59 2016 RESOLVE: Cannot resolve host address: vpnXXXXprovider.org: No address associated with hostname
> ^CWed Jul 6 09:11:06 2016 RESOLVE: signal received during DNS resolution attempt
> Wed Jul 6 09:11:06 2016 SIGINT[hard,init_instance] received, process exiting
> [user@VPN openvpn]$

Right... It should do that because with the firewall rules only programs
run under group 'qvpn' can access the net. You didn't run it with the
group there.

And I guess you can also ping and stuff in the VPN VM, too, if you run
those programs under the group. But in general you should avoid it.

Chris
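
The rule set Chris is describing, as an added example and not the qubes-firewall-user-script from the Qubes VPN doc or from qubes-vpn-support: locally generated packets may leave through the uplink only when the sending process runs under group qvpn, which is why an openvpn started without `sg` cannot even resolve the server name, and traffic forwarded for the AppVMs behind the ProxyVM may never touch the uplink at all, so a dropped tunnel means no connectivity rather than a leak. Interface and group names are assumptions; DNS forwarding for downstream VMs and IPv6 rules are left out.

```shell
#!/bin/sh
# Leak-prevention rules for a VPN ProxyVM, in the shape this thread discusses.
# Added illustration, not the qubes-firewall-user-script from the Qubes VPN
# doc nor qubes-vpn-support. Interface and group names are assumptions; DNS
# forwarding for downstream VMs and IPv6 are left out.
# Prints the rules by default; APPLY=1 (as root) loads them.

UPLINK=${UPLINK:-eth0}   # interface towards sys-firewall or sys-net
GROUP=${GROUP:-qvpn}     # only processes in this group may use the uplink

# vpn_rules GROUP UPLINK -> prints one iptables command per line.
# Rule 1: packets to the uplink pass only if the sender's group is $g
#         (this is what 'sg qvpn -c ...' gives openvpn).
# Rule 2: every other local packet to the uplink is dropped, so ping and
#         DNS lookups from an unprivileged shell in the VM fail by design.
# Rules 3-4: forwarded AppVM traffic never crosses the uplink in either
#         direction; it can only leave through the tunnel interface.
# Order matters for the OUTPUT pair: the ACCEPT must precede the DROP.
vpn_rules() {
    g=$1; up=$2
    cat <<EOF
iptables -A OUTPUT -o $up -m owner --gid-owner $g -j ACCEPT
iptables -A OUTPUT -o $up -j DROP
iptables -I FORWARD -o $up -j DROP
iptables -I FORWARD -i $up -j DROP
EOF
}

# with_vpn_group CMD... -> run CMD under the group. The whole command line
# becomes the single argument of -c, as in Chris's quoted example.
with_vpn_group() {
    sg "$GROUP" -c "$*"
}

if [ "${APPLY:-0}" = 1 ]; then
    # groupadd -rf is idempotent, as noted in the thread.
    getent group "$GROUP" >/dev/null || groupadd -rf "$GROUP"
    vpn_rules "$GROUP" "$UPLINK" | sh -e
    # then, e.g.:
    # with_vpn_group openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
else
    vpn_rules "$GROUP" "$UPLINK"
fi
```

Without `APPLY=1` the script only prints the four rules, which is a convenient way to review them before putting them in the firewall script that runs on every boot. Testing, as Chris says, belongs in an AppVM attached to the ProxyVM: from inside the VPN VM, everything not run through `with_vpn_group` is supposed to fail.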

gaikokuji...@gmail.com

Jul 6, 2016, 12:29:28 PM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Hurrah! Happy to see that an error is actually a *good* thing. So, with your reminder I retried it with sg and it works! and using it as a proxyvm for other appvms works!

I am going to let this soak in a bit, read up on (quite) a few things (like sg?) then try to figure some other aspects out like randomly (or somewhat randomly, or at least more easily than editing files each time) being able to switch vpn servers as my provider has a few to pick from. Thoughts?

Thank you so *very* much for your help/patience, there is no way I would have been able to read my way through this.

gaikokuji...@gmail.com

Jul 11, 2016, 11:57:04 AM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

I am not sure if I should start a new thread or continue this one but will continue this one for the time being I guess.

The VPN setup was running fine and I had zipped up the /rw/config dir with all the new properly set up files and such and backed it up (now wishing I had backed up the VpnVM itself). I later read that R3.2 will be deprecating KDE so I decided to start over with just xfce installed.

I reinstalled Qubes and unzipped the config dir backup and put the right files in their place, tried to check permissions etc and then fired it up, seemed to start up with no apparent errors. Catch is, when I try to use it as a NetVM for other AppVMs it doesn't seem to work.

The AppVMs kind of search for awhile then time out (as opposed to instantly going to saying there is no connection). I also tried to redo it from scratch, no backup files, same result.

I was at least hoping for an error that I could do a search on but there doesn't seem to be an obvious one here?

gaikokuji...@gmail.com

Jul 11, 2016, 7:59:42 PM
to qubes-users, gaikokuji...@gmail.com, tas...@openmailbox.org

Also, I did select, in the other AppVMs, the VpnVM and it doesn't work but then the same AppVM works fine when I go back to the default firewall.
