I tried setting my now "VPN" vm as the netvm, shut down both, then restarted the vpn vm, then the modified-to-use-vpn appvm, and tried connecting to the internet, nada.
I did go to the Fedora "establishing a VPN Connection" page but intimidating is a bit of an understatement.
How can I go about diagnosing what is not working?
I worked on this a bit more. Waded through the Fedora establishing a VPN connection page, rather confusing, but I opened a Network settings window for my VPN VM and added a VPN by importing an openvpn config file via the VPN add a network connection's "import from file" option (and it seemed to import fine).
Now I am not entirely sure what I have. I of course did everything outlined in the Qubes VPN page. I now have two network connection icons, one for my wifi and another showing the VPN VM's eth? Problem is the VPN VM ethernet connection doesn't seem to be connected. When I go to network via *settings* it now shows me three connections: Wired, the VPN I set up, and Network Proxy.
When I go via *Network Connections* it now shows me under Ethernet "VM uplink eth0" and under VPN "VPN Provider" (the provider whose openvpn config I imported). It shows the ethernet as having been used within the last few minutes but the VPN as never having been used.
On the Fedora page it mentions setting an autoconnect (automatically connect to VPN when using this connection) option, which I thought it was talking about for the VPN, but as I couldn't find it on the VPN connection and could on the eth0 connection, I tried setting the autoconnect too (and selected the VPN connection from the pull-down menu), but while I can select it, it does not stay selected if I restart the VPN VM.
Now I am not able to connect to the internet on the VPN VM and definitely not from another AppVM trying to use the VPN as a proxy.
I am just not sure where I have gone wrong here. Where would I look for a log to start trying to figure out the issue? (I saw a "run in debug mode" under VM settings... might that be a place to start?)
Thanks!
Thanks I will try that out.
Some things came up so I hadn't gotten around to trying it out until now.
I created a new VM, VpnVM, and ran
openvpn openvpn.ovpn
and yeah! it connected and I opened firefox from VpnVM, and it was using the vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also showed up as using the VPN so first hurdle cleared?
Lots more hurdles though as my understanding of it all drops off precipitously.
I modified the /rw/config/openvpn/openvpn-client.ovpn file with the
script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'
lines
and I created the qubes-vpn-handler.sh and changed permissions.
I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn
and no go. I get errors:
Options error: --ca fails with ca.crt: No such file or directory
Options error: --crl-verify failes crl.prm: no such file or dir
Options error: please correct these errors
I didn't get these errors before I added the qubes-vpn-handler.sh
thoughts?
Actually I am using the ovpn that the vpn provider gives, and am just adding the 3 lines that step "2. Set up OpenVPN." of the https://www.qubes-os.org/doc/vpn/ page suggests to the ovpn config file that the vpn provider gave.
That file seems to work until I modify it with the 3 lines. While I don't understand the script I would assume there is something in the handler script that my setup doesn't like as the 3 lines are just invoking the qubes-vpn-handler.sh right?
Ah sorry. Thanks. I guess, some of my lazy shorthand confused things. I can promise though I have been going off the https://www.qubes-os.org/doc/vpn/ doc, wasn't actually aware of the github one.
When I try to execute it what dir should I be doing this from? I tried the line you suggested
openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
but got the same options errors as before (just for the heck of it I tried from my home dir and from the /rw/config/openvpn dir)
No worries, honestly I should have thought of the sudo myself.
Well, running it with sudo and it went swimmingly, it connected so that is good, another hurdle cleared.
I am now back to one of your earlier posts in this thread, regarding the qubes-firewall-user-script.
I have to admit that I am not totally clear on needing to run the groupadd (it seems to be run in the firewall script?) but I ran it (and it shows up in /etc/group so I guess that's good?) but then on the next line:
sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
I get an error saying:
Options error: In [CMD-LINE]:1: Error opening configuration file:openvn-client.ovpn
I don't understand groups and ids very well so am not sure where the breakdown is here, perhaps I need to set something regarding the openvpn-client.ovpn file?
Thanks Chris & Eva.
I rechecked what I typed (I was typing from one computer the error from another computer that time; I'm logged in on the same computer now, so am c/p-ing outputs) and I actually had typed it correctly.
I also tried adding the full paths to the openvpn-client.ovpn files as suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, assuming that's ok?). As for my openvpn.config (openvpn-client.ovpn right?) being stored in the wrong place, I have it in /rw/config/openvpn/, should it be somewhere else?
Regardless, after double-checking what I typed, and adding the full path in as suggested, the below is what I got, this time a c/p :p
[user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config /rw/config/openvpn/openvpn-client.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: /rw/config/openvpn/openvpn-client.ovpn
Use --help for more information.
[user@VPN openvpn]$
thoughts?
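An added example, not part of the original posts: a shell preflight check for the two failures quoted in this thread ("--ca fails with ca.crt: No such file or directory" and "Error opening configuration file"). It resolves relative paths against the --cd directory, which is how OpenVPN treats them; the function name check_ovpn_files, the list of options it inspects, and the sample files are constructed for illustration.

```shell
# Added example; check_ovpn_files and the sample files are constructed.
# Usage: check_ovpn_files DIR CONFIG   (DIR is what you pass to --cd)
# Returns 0 if all files are readable, 1 if a referenced file is not,
# 2 if the config itself cannot be opened.
check_ovpn_files() {
    dir=$1 cfg=$2 missing=0
    case $cfg in /*) cfg_path=$cfg ;; *) cfg_path=$dir/$cfg ;; esac
    if [ ! -r "$cfg_path" ]; then
        echo "config not readable: $cfg_path"
        return 2
    fi
    while read -r opt arg rest; do
        case $opt in
            ca|cert|key|crl-verify|tls-auth|auth-user-pass) ;;
            *) continue ;;
        esac
        [ -n "$arg" ] || continue      # option given without a file
        case $arg in /*) path=$arg ;; *) path=$dir/$arg ;; esac
        if [ ! -r "$path" ]; then
            echo "$opt: not readable: $path"
            missing=$((missing + 1))
        fi
    done < "$cfg_path"
    [ "$missing" -eq 0 ]
}

# Constructed sample: a config that names ca.crt and crl.pem by relative path.
demo() {
    d=$(mktemp -d)
    printf 'client\nca ca.crt\ncrl-verify crl.pem\n' > "$d/openvpn-client.ovpn"
    : > "$d/ca.crt"                      # crl.pem deliberately left out
    check_ovpn_files "$d" openvpn-client.ovpn || echo "exit status $?"
    rm -rf "$d"
}
demo
```

Run it as the same user that will start openvpn, since whether a file is readable depends on who is asking.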
I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not enabled it, at least not intentionally (not tinkered with anything related to it either). But as for output, absolutely! Here it is:
[user@VPN openvpn]$ ls -lZ /rw/config/openvpn
total 16
-rw-r--r-- 1 root root ? 1395 Jul 4 17:56 ca.crt
-rw-r--r-- 1 root root ? 577 Jul 4 17:56 crl.pem
-rw-r--r-- 1 user user ? 375 Jul 5 09:58 openvpn-client.opvn
-rwxr-xr-x 1 root root ? 1088 Jul 3 20:45 qubes-vpn-handler.sh
[user@VPN openvpn]$
Thanks for that auth part, quite handy. As for not being able to connect from inside the vpn, ok I guess, except shouldn't the vpn at least be able to connect? When I try to start up the vpn (now with the handy auth automatically put in) I get this:
sudo openvpn --cd /rw/config/openvpn/ --config /rw/config/openvpn/openvpn-client.ovpn
Wed Jul 6 09:10:59 2016 RESOLVE: Cannot resolve host address: vpnXXXXprovider.org: No address associated with hostname
^CWed Jul 6 09:11:06 2016 RESOLVE: signal received during DNS resolution attempt
Wed Jul 6 09:11:06 2016 SIGINT[hard,init_instance] received, process exiting
[user@VPN openvpn]$
I tested the unmodified version of the ovpn (same vpn provider/server) in another VPN and it worked fine, that is, sudo openvpn --config vpnprovider.ovpn, but when I try to start it in the VpnVM I get the above?
I thought I'd try to connect another VM using the VpnVM even though I was getting errors in the VpnVM but alas, no go.
Hurrah! Happy to see that an error is actually a *good* thing. So, with your reminder I retried it with sg and it works! And using it as a proxyvm for other appvms works!
I am going to let this soak in a bit, read up on (quite) a few things (like sg?) then try to figure some other aspects out like randomly (or somewhat randomly, or at least more easily than editing files each time) being able to switch vpn servers as my provider has a few to pick from. Thoughts?
Thank you so *very* much for your help/patience, there is no way I would have been able to read my way through this.
I am not sure if I should start a new thread or continue this one but will continue this one for the time being I guess.
The VPN setup was running fine and I had zipped up the /rw/config dir with all the new properly set up files and such and backed it up (now wishing I had backed up the VpnVM). I later read that R3.2 will be deprecating KDE so I decided to start over with just xfce installed.
I reinstalled Qubes and unzipped the config dir backup and put the right files in their place, tried to check permissions etc. and then fired it up; it seemed to start up with no apparent errors. Catch is, when I try to use it as a NetVM for other AppVMs it doesn't seem to work.
The AppVMs kind of search for a while then time out (as opposed to instantly going to saying there is no connection). I also tried to redo it from scratch, no backup files, same result.
I was at least hoping for an error that I could do a search on but there doesn't seem to be an obvious one here?
Also, I did select, in the other AppVMs, the VpnVM and it doesn't work but then the same AppVM works fine when I go back to the default firewall.