Re: [qubes-users] OpenVPN Setup, revisited


theman

Aug 23, 2015, 2:30:05 AM8/23/15
to qubes-users
Trying to follow your set-up. From my provider I have 5 files:
ca.crt
user.crt
user.key
ta.key
user.opvn

My user.opvn file entries look very different to the ones listed...

There's none of the following:

reneg-sec 0
crl-verify crl.perm

And I have (and others):

ns-cert-type server

Should I still create the following entries and files?

route-up resolve.sh
up up.sh
down down.sh

In the etc/openvpn/ folder I have no "resolv.conf" file, but instead
"update-resolv-conf" (which I have moved to /rw/config/openvpn)

cprise

Aug 23, 2015, 1:49:42 PM8/23/15
to theman, qubes-users
As long as the user.ovpn is able to get the connection started it should
be OK to add the .sh entries at the bottom. Or if you want to try
something more streamlined, Olivier's script in the same thread should
be a good substitute for my 3; if you use his script you won't have to
set up resolv.conf manually.

If you are using Debian, the line near the start of each .sh script that
begins "SPID=" should be changed to "SPID=$(pgrep -U user -f
dconf-service)" so on-screen notifications will work. (The change should
also work with Fedora 21 but I have only tested with 20.)

BTW, I think you mentioned DNS leaks in another thread. I specifically
created the VPN setup to avoid leaks, so you shouldn't see them anymore
once you get it going. The important part that handles DNS properly is
where qubes-setup-dnat-to-ns.sh is called.

theman

Aug 23, 2015, 10:50:05 PM8/23/15
to cprise, qubes-users
Making progress I think...

I attempted omitting the following files in favour of Olivier's
vpn-setup.sh (and changed my "user.opvn" file entries to refer to the
new script as instructed by Olivier):
route-up resolve.sh
up up.sh
down down.sh

Since I'm using debian VM I changed the vpn-setup.sh file to read:
"SPID=$(pgrep -U user -f dconf-service)"

I copied the posted "resolv.conf" file unchanged (do I even need this file?)

Testing
I tested connectivity using the supplied commands (changing where it
reads "openvpn-client" to the name of my *.opvn file):
$ sudo openvpn --writepid /var/run/openvpn/openvpn-client.pid --cd
/rw/config/openvpn/ --config openvpn-client.ovpn

Results
I seem to be getting the occasional notification the VPN is up/down and
vpn connectivity, but with errors.

Edited output reads:

Parsing DHCP option: dhcp-option DNS 172.16.1.1
chown: invalid user: 'openvpn'
chown: invalid user: 'openvpn'
RTNETLINK answers: File exists
Mon Aug 24 12:05:58 2015 ERROR: Linux route add command failed: external
program exited with error status: 2
RTNETLINK answers: File exists
Mon Aug 24 12:05:58 2015 ERROR: Linux route add command failed: external
program exited with error status: 2
Mon Aug 24 12:05:58 2015 Initialization Sequence Completed
Mon Aug 24 12:08:32 2015 [server] Inactivity timeout (--ping-restart),
restarting


I am getting vpn connection but still getting dns leak initially, which
after a short period of time seems to change to the same VPN IP address
(which I presume is what I want).

I also have downloaded the "openvpn-client.service" and "rc.local"
files. For the file names and inside the files, wherever it reads
"openvpn-client" I have changed to read the same as my "user" ovpn file,
e.g. changed "openvpn-client.service" to "user.service", as my *.ovpn file
is named "user.opvn". Is this correct?

Thanks!

cprise

Aug 24, 2015, 12:39:28 AM8/24/15
to theman, qubes-users, Olivier Médoc
Seems Olivier's script assumes an 'openvpn' user is present in the
system. I'm not sure what the best way is to add an openvpn user (maybe
openvpn docs show the way).

I would try using my original scripts for now, as they don't use this
approach; If so, you will have to look up your VPN provider's DNS
addresses and put them in resolv.conf (replace the ones I included as an
example).

The inactivity timeout is what causes the link to go up and down
repeatedly. Without seeing your .ovpn file it's hard to say what exactly
may be causing it (maybe the ping-restart default of 120 seconds, which
gets triggered when you stop using the link for 2 minutes). Adding a
"keepalive 20 120" line to the .ovpn may solve this problem.

(Also make sure "script-security 2" is present in the .ovpn so the
scripts run correctly.)


> I am getting vpn connection but still getting dns leak initially, which
> after a short period of time seems to change to the same VPN IP address
> (which I presume is what I want).

Since both the openvpn-client.service and rc-local files help set up the
initial conditions for containing the link, you may see some leaks until
the whole thing is in place.


>
> I also have downloaded the "openvpn-client.service" and "rc.local"
> files. For the file names and inside the files, wherever it reads
> "openvpn-client" I have changed to read the same as my "user" ovpn file,
> e.g. changed "openvpn-client.service" to "user.service", as my *.ovpn file
> is named "user.opvn". Is this correct?
>
> Thanks!

That last bit about changing the name of the .service file is incorrect.
References to "openvpn-client.service" should remain that way, because
it relates to the openvpn program's identity in the system (whereas no
other programs except openvpn use the .ovpn file, so it can be named
anything you like).

theman

Aug 24, 2015, 6:35:29 AM8/24/15
to qubes...@googlegroups.com, cprise, Olivier Médoc
Okay, when I test manually from the terminal things appear more stable
and I don't think I'm getting any dns leaks. VPN is up notification appears.

$ sudo openvpn --writepid /var/run/openvpn/openvpn-client.pid --cd
/rw/config/openvpn/ --config user.ovpn

Note, I changed the command slightly at the end from " --config
openvpn-client.ovpn" to, " --config user.ovpn" because that is the name
of my *.ovpn file (in the /rw/config/openvpn folder). Is that correct?
And I'm still using Olivier's "vpn-setup.sh" file. I'm reluctant to use
the resolv.conf as I think my nameservers change as my servers are
random? My "user.ovpn" file supplied by my vpn provider lists several
remote servers and has the entries:
remote-random
ns-cert-type server

(and also has "script-security 2")

I changed "keepalive 3 10" to "keepalive 20 120"

Everything appears to be running stable the past hour or so, no dns
leaks, no drop-outs.

Inactivity timeouts have gone, but I'm still getting the other two
errors, including:
chown: invalid user: 'openvpn'

I have found this link but it's beyond my comprehension:

https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

Automatic test:
Trying to use the downloaded "openvpn-client.service" and "rc.local" -
result: the vpn gets up, without notification and dns is wrong (my
ISP's). Before testing I reverted back to the original name of the
"openvpn-client.service" file, however, I did change the latter part of
the script inside the file to align with the command I used as per my
manual test (from " --config openvpn-client.ovpn" to, " --config
user.ovpn"). Is that correct?

Question: I entered and ticked "openvpn-client" as a service in the VM
manager GUI under the service tabs? Is that correct?

Connor Page

Aug 24, 2015, 9:51:28 AM8/24/15
to qubes-users
Running as an unprivileged user, openvpn doesn't really add any security in case it's all confined to one proxyvm. So you either create an openvpn user or comment that line out in the config file. That is if you believe in the Qubes axiom that there can't possibly be a hard security border within a vm.
Adding a new service in qubes manager does nothing unless the .service file explicitly checks for the file that it creates. In cprise's setup the service is enabled in rc.local so qubes manager has no power over the service.

cprise

Aug 24, 2015, 4:46:52 PM8/24/15
to theman, qubes...@googlegroups.com, Olivier Médoc
On 08/24/2015 06:35 AM, theman wrote:
> Okay, when I test manually from the terminal things appear more stable
> and I don't think I'm getting any dns leaks. VPN is up notification
> appears.
>
> $ sudo openvpn --writepid /var/run/openvpn/openvpn-client.pid --cd
> /rw/config/openvpn/ --config user.ovpn
>
> Note, I changed the command slightly at the end from " --config
> openvpn-client.ovpn" to, " --config user.ovpn" because that is the name
> of my *.ovpn file (in the /rw/config/openvpn folder). Is that correct?

Yes, that's right.


> And I'm still using Olivier's "vpn-setup.sh" file. I'm reluctant to use
> the resolv.conf as I think my nameservers change as my servers are
> random? My "user.ovpn" file supplied by my vpn provider lists several
> remote servers and has the entries:
> remote-random
> ns-cert-type server

My provider's (gateway) servers are also random. But nameservers always
stay static in my experience, and some providers might not add
nameserver info to their DHCP handshake.

Continuing to use Olivier's script without an openvpn user may be a
problem as those routing commands that aren't completing may be
necessary to ensure link security or efficiency. But using it /with/ the
openvpn user may also present problems... I think Olivier would need to
chime in here and describe the preconditions for its proper operation.

One important precondition is adding a "user openvpn" line to your .ovpn
file.


> (and also has "script-security 2")
>
> I changed "keepalive 3 10" to "keepalive 20 120"

That's probably for the better. The "3 10" timing looks rather aggressive.


> Everything appears to be running stable the past hour or so, no dns
> leaks, no drop-outs.
>
> Inactivity timeouts have gone, but I'm still getting the other two
> errors, including:
> chown: invalid user: 'openvpn'
>
> I have found this link but it's beyond my comprehension:
>
> https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

The 'User' section has six commands that should get the openvpn user
configured properly *after* you create it with "sudo useradd -M openvpn"
though in the VM you'll have to precede each command with "sudo":

> [root@hostname ~]# mkdir /var/lib/openvpn
> [root@hostname ~]# chown openvpn:openvpn /var/lib/openvpn
> [root@hostname ~]# usermod -d /var/lib/openvpn -s /sbin/nologin openvpn
> [root@hostname ~]# mkdir /var/log/openvpn
> [root@hostname ~]# chown openvpn:openvpn /var/run/openvpn /var/log/openvpn /etc/openvpn -R
> [root@hostname ~]# chmod u+w /var/run/openvpn /var/log/openvpn -R

Since we use a different working dir for openvpn, one more command:

sudo chown openvpn:openvpn /rw/config/openvpn


> Automatic test:
> Trying to use the downloaded "openvpn-client.service" and "rc.local" -
> result: the vpn gets up, without notification and dns is wrong (my
> ISP's). Before testing I reverted back to the original name of the
> "openvpn-client.service" file, however, I did change the latter part of
> the script inside the file to align with the command I used as per my
> manual test (from " --config openvpn-client.ovpn" to, " --config
> user.ovpn"). Is that correct?

Yes, that's right.

The lack of notification may stem from running the script as
(unprivileged) openvpn user. Try changing the 2 instances of this:

su -c 'notify-send -i /usr/share/pixmaps/faces/tennis-ball.png "VPN IS
UP"' user

...to this:

notify-send -i /usr/share/pixmaps/faces/tennis-ball.png "VPN IS UP"


> Question: I entered and ticked "openvpn-client" as a service in the VM
> manager GUI under the service tabs? Is that correct?

No, I didn't do it this way because the VM doesn't know what the
openvpn-client.service is until the rc.local script runs. It's done this
way so that you don't have to configure your template (and thus all
other VMs that use it) with a new service -- so the template is
untouched by the VPN setup which runs only in the VPN VM.



theman

Aug 26, 2015, 7:03:49 AM8/26/15
to cprise, qubes...@googlegroups.com, Olivier Médoc
Manual launch working (with errors), auto not.

I made all your suggested changes, including adding "user openvpn" to my *.ovpn file.

Manual launch I get the following error:
    Wed Aug 26 19:19:39 2015 failed to find UID for user openvpn
    Wed Aug 26 19:19:39 2015 Exiting due to fatal error
 
I did notice however, that the directory I created when running the 6+1 commands to get the openvpn user configured, was gone (/var/lib/openvpn). Is that okay? I ran the commands in sudo - should I have changed to root? I also noticed that the openvpn documentation referred to an OPENVPN_USER="openvpn", whereas Olivier's script refers to an UNPRIVILEGED_USER="openvpn". Is that important? I also notice that the openvpn docs state that I need to modify my config file (I actually don't think I have one). I didn't do that.

If I remove "user openvpn" then I get the same errors as before:
    Parsing DHCP option: dhcp-option DNS 172.16.0.1

    chown: invalid user: 'openvpn'
    chown: invalid user: 'openvpn'
    Wed Aug 26 19:30:43 2015 Initialization Sequence Completed

    I receive no notifications (note, they were working before when I launched manually). However, vpn appears to be working without DNS leaks!

Automatic launch:
    No notifications
    vpn not launched
    dns leaks (obviously)

Connor Page

Aug 26, 2015, 7:21:42 AM8/26/15
to qubes-users
changes to /var/lib are not persistent. you must keep all your config files and scripts in /rw/config!!!

cprise

Aug 26, 2015, 11:32:19 AM8/26/15
to Connor Page, qubes-users, theman
On 08/26/2015 07:21 AM, Connor Page wrote:
> changes to /var/lib are not persistent. you must keep all your config files and scripts in /rw/config!!!
>

Correct. This is a classic Qubes wrinkle that I missed... that stuff
will be deleted when the vm shuts down so we should assume it doesn't
work. Also, I think Olivier uses the Arch template? You need more info
from him to get it working, theman.

Openvpn doesn't require an openvpn user for correct operation. The user
is a security sandbox, but your Qubes VM is already a sandbox that's 10X
stronger. So I'd still suggest setting it up the way I originally
described it for now.

Qubed One

Aug 26, 2015, 2:47:38 PM8/26/15
to qubes...@googlegroups.com

On 08/26/2015 11:03 AM, theman wrote:
> Manual launch working (with errors), auto not.
>
> I made all your suggested changes, including adding "user openvpn"
> to my *.ovpn file.
>
> Manual launch I get the following error: Wed Aug 26 19:19:39 2015
> failed to find UID for user openvpn Wed Aug 26 19:19:39 2015
> Exiting due to fatal error


Did you run 'sudo useradd -M openvpn' first to create that user? The
error is telling you that the user 'openvpn' is not found on the system.


> I did notice however, that the directory I created when running the
> 6+1 commands to get the openvpn user configured, was gone
> (/var/lib/openvpn). Is that okay? I ran the commands in sudo -
> should I have changed to root? I also noticed that the openvpn
> documentation referred to an OPENVPN_USER="openvpn", whereas
> Olivier's script refers to an UNPRIVILEGED_USER="openvpn". Is that
> important?


It's the same thing. As cprise wrote, not really necessary (in Qubes)
but it doesn't harm anything.


> I also notice that the openvpn docs state that I need to modify my
> config file (I actually don't think I have one). I didn't do that.


The docs are probably referring to the .ovpn file. What modifications
are suggested there?


> If I remove "user openvpn" then I get the same errors as before:
> Parsing DHCP option: dhcp-option DNS 172.16.0.1 chown: invalid
> user: 'openvpn' chown: invalid user: 'openvpn' Wed Aug 26 19:30:43
> 2015 Initialization Sequence Completed
>
> I receive no notifications (note, they were working before when I
> launched manually). However, vpn appears to be working without
> DNS leaks!

cprise

Aug 26, 2015, 3:02:06 PM8/26/15
to Qubed One, qubes...@googlegroups.com
On 08/26/2015 02:47 PM, Qubed One wrote:
>
> On 08/26/2015 11:03 AM, theman wrote:
>> Manual launch working (with errors), auto not.
>>
>> I made all your suggested changes, including adding "user openvpn"
>> to my *.ovpn file.
>>
>> Manual launch I get the following error: Wed Aug 26 19:19:39 2015
>> failed to find UID for user openvpn Wed Aug 26 19:19:39 2015
>> Exiting due to fatal error
>
>
> Did you run 'sudo useradd -M openvpn' first to create that user? The
> error is telling you that the user 'openvpn' is not found on the system.
>

The problem is: Running it in the VPN VM will modify files in /etc,
which will revert when that VM shuts down. OTOH, if it's done in the
template VM, then the user and dirs persist (and will appear to work)
but any data openvpn tries to put in /var will disappear on shutdown.

theman

Aug 26, 2015, 11:57:18 PM8/26/15
to cprise, Qubed One, qubes...@googlegroups.com
I tried running the commands to create an openvpn user in the underlying
debian vm template, using the 1+6 commands listed by cprise.
I also put the su -c commands back into all scripts in the firewall appVM.

Manual launch:
No errors! vpn and notification working
dns = vpn provider's (i.e. no leaks)

Comments:
Thu Aug 27 13:38:27 2015 WARNING: you are using
user/group/chroot/setcon without persist-tun -- this may cause restarts
to fail
Thu Aug 27 13:38:27 2015 NOTE: UID/GID downgrade will be delayed
because of --client, --pull, or --up-delay
Parsing DHCP option: dhcp-option DNS 172.16.3.1
Thu Aug 27 13:38:45 2015 UID set to openvpn
Thu Aug 27 13:38:45 2015 Initialization Sequence Completed

If I revert to using cprise's scripts the manual launch vpn works with
no errors but uses the pia nameservers.

Auto launch, in both cases:
no vpn or notifications

Suggestions?

cprise

Aug 27, 2015, 1:14:19 AM8/27/15
to theman, Qubed One, qubes...@googlegroups.com
On 08/26/2015 11:57 PM, theman wrote:
> I tried running the commands to create an openvpn user in the underlying
> debian vm template, using the 1+6 commands listed by cprise.
> I also put the su -c commands back into all scripts in the firewall appVM.
>
> Manual launch:
> No errors! vpn and notification working
> dns = vpn provider's (i.e. no leaks)
>
> Comments:
> Thu Aug 27 13:38:27 2015 WARNING: you are using
> user/group/chroot/setcon without persist-tun -- this may cause restarts
> to fail
> Thu Aug 27 13:38:27 2015 NOTE: UID/GID downgrade will be delayed
> because of --client, --pull, or --up-delay
> Parsing DHCP option: dhcp-option DNS 172.16.3.1
> Thu Aug 27 13:38:45 2015 UID set to openvpn
> Thu Aug 27 13:38:45 2015 Initialization Sequence Completed
>
> If I revert to using cprise's scripts the manual launch vpn works with
> no errors but uses the pia nameservers.
>
> Auto launch, in both cases:
> no vpn or notifications
>
> Suggestions?

I'm surprised you're not getting notifications with my scripts (of
course, without the 'user openvpn' setting). The only time that happens
to me is when the VPN VM comes up but never reaches the 'green dot'
state - the status dot in Qubes Manager stays yellow. This is an
intermittent bug that prevents GUI interaction with a VM, and a
workaround is to run something like Terminal in the VM that produces a
window (then the status will turn green and notifications, systray
widgets, etc will work).

It looks like your provider uses a DNS of 172.16.3.1 so you could put
that in the /rw/config/openvpn/resolv.conf file.

theman

Aug 27, 2015, 2:17:44 AM8/27/15
to cprise, Qubed One, qubes...@googlegroups.com
Thanks cprise.

Actually, I am getting notifications with your scripts, but only when
testing manually. I don't know why, but neither yours nor Olivier's
scripts are working when I run the automatic launch (i.e. - the
connected vm using the vpn-firewall) - no errors (no yellow dots) - it
just seems like there's nothing happening. But they both seem to work as
expected when tested manually - the only difference is that Olivier's
script uses the vpn provider's nameservers (which align with the current
random server being used), whereas your scripts use the pia server
(since I just used your downloaded script). So it's that the
openvpn-client.service and the rc.local aren't doing anything - what
have I ruined?

Qubed One

Aug 27, 2015, 1:20:13 PM8/27/15
to theman, cprise, qubes...@googlegroups.com

On 08/27/2015 06:17 AM, theman wrote:
> Thanks cprise.
>
> Actually, I am getting notifications with your scripts, but only
> when testing manually. I don't know why, but neither yours nor
> Olivier's scripts are working when I run the automatic launch (i.e.
> - the connected vm using the vpn-firewall) - no errors (no yellow
> dots) - it just seems like there's nothing happening. But they both
> seem to work as expected when tested manually - the only difference
> is that Olivier's script uses the vpn provider's nameservers (which
> align with the current random server being used), whereas your
> scripts use the pia server (since I just used your downloaded
> script). So it's that the openvpn-client.service and the rc.local aren't
> doing anything - what have I ruined?
>

Have you checked that /rw/config/rc.local is executable (+x)?
Next, have you checked 'systemctl status openvpn-client'?

I have been running a VPN proxy-vm since before cprise's thread,
though my setup is pretty similar. Everything works automatically
(and a little better now thanks to cprise). It sounds like rc.local
isn't being executed at startup...

theman

Aug 28, 2015, 6:59:36 AM8/28/15
to Qubed One, cprise, qubes...@googlegroups.com
I have the following permissions:

-rwxr-xr-x 1 root root 390 Aug 24 10:22 rc.local

~$ sudo systemctl status openvpn-client.service
● openvpn-client.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

Connor Page

Aug 28, 2015, 7:24:55 AM8/28/15
to qubes-users, qube...@riseup.net, cpr...@gmail.com, the...@infrasonic.com.au
On Friday, 28 August 2015 11:59:36 UTC+1, theman wrote:
> I have the following permissions:
>
> -rwxr-xr-x 1 root root 390 Aug 24 10:22 rc.local
>
> ~$ sudo systemctl status openvpn-client.service
> ● openvpn-client.service
> Loaded: not-found (Reason: No such file or directory)
> Active: inactive (dead)
>
>
Your rc.local must be wrong.

theman

Aug 28, 2015, 8:00:38 AM8/28/15
to Connor Page, qubes-users, qube...@riseup.net, cpr...@gmail.com
It's cprise's file, verbatim. I downloaded it again and tested but still
no go.

Qubed One

Aug 28, 2015, 12:24:23 PM8/28/15
to theman, Connor Page, qubes-users, cpr...@gmail.com

On 08/28/2015 12:00 PM, theman wrote:
> It's cprise's file, verbatim. I downloaded it again and tested but
> still no go.
>
> On 28/08/15 21:24, Connor Page wrote:
>> On Friday, 28 August 2015 11:59:36 UTC+1, theman wrote:
>>> I have the following permissions:
>>>
>>> -rwxr-xr-x 1 root root 390 Aug 24 10:22 rc.local
>>>
>>> ~$ sudo systemctl status openvpn-client.service ●
>>> openvpn-client.service Loaded: not-found (Reason: No such file
>>> or directory) Active: inactive (dead)
>>>
>>>


Does your /rw/config/rc.local contain a line like this:

cp /rw/config/openvpn-client.service /etc/systemd/system

The error '(Reason: No such file or directory)' is a pretty good
starting point to diagnose the issue. I don't have a copy of cprise's
script available, but given the error, I would check that the files
are named correctly and in the correct (starting) places.

theman

Aug 28, 2015, 5:43:36 PM8/28/15
to Qubed One, Connor Page, qubes-users, cpr...@gmail.com
Here's the file:

#!/bin/sh

## Prevent any routing directly to outside (must go through openvpn):
iptables -t mangle -I FORWARD 1 -o eth0 -j DROP
iptables -t mangle -I FORWARD 2 -i eth0 -j DROP

## Add openvpn to systemd
cp /rw/config/openvpn-client.service /etc/systemd/system/
sleep 1; sync
systemctl --no-block enable openvpn-client.service
systemctl --no-block start openvpn-client.service

cprise

Aug 28, 2015, 6:44:09 PM8/28/15
to theman, Qubed One, Connor Page, qubes-users
On 08/28/2015 05:43 PM, theman wrote:
> Here's the file:
>
> #!/bin/sh
>
> ## Prevent any routing directly to outside (must go through openvpn):
> iptables -t mangle -I FORWARD 1 -o eth0 -j DROP
> iptables -t mangle -I FORWARD 2 -i eth0 -j DROP
>
> ## Add openvpn to systemd
> cp /rw/config/openvpn-client.service /etc/systemd/system/
> sleep 1; sync
> systemctl --no-block enable openvpn-client.service
> systemctl --no-block start openvpn-client.service
>

Does /rw/config/openvpn-client.service exist?

theman

Aug 28, 2015, 7:11:54 PM8/28/15
to cprise, Qubed One, Connor Page, qubes-users
Yes. It's in /rw/config/

The only thing I've changed in it is the name of the *ovpn file (to
align with the name of my user.ovpn file)

Could I have installed something in the underlying template that is
overriding the firewall vm?

By the way - really appreciate everyone's help with all this - I'm
learning lots!

cprise

Aug 28, 2015, 7:44:57 PM8/28/15
to theman, Qubed One, Connor Page, qubes-users
On 08/28/2015 07:11 PM, theman wrote:
> Yes. It's in /rw/config/
>
> The only thing I've changed in it is the name of the *ovpn file (to
> align with the name of my user.ovpn file)
>
> Could I have installed something in the underlying template that is
> overriding the firewall vm?
>
> By the way - really appreciate everyone's help with all this - I'm
> learning lots!
>

How about /etc/systemd/system/openvpn-client.service ?

And if you manually type "sudo systemctl --no-block enable
openvpn-client.service" does it print an error?

theman

Aug 28, 2015, 7:51:47 PM8/28/15
to cprise, Qubed One, Connor Page, qubes-users
"sudo systemctl --no-block enable openvpn-client.service" gives error:

Failed to execute operation: No such file or directory

Also, there is no /etc/systemd/system/openvpn-client.service

cprise

Aug 28, 2015, 7:55:48 PM8/28/15
to theman, Qubed One, Connor Page, qubes-users
On 08/28/2015 07:51 PM, theman wrote:
> "sudo systemctl --no-block enable openvpn-client.service" gives error:
>
> Failed to execute operation: No such file or directory
>
> Also, there is no /etc/systemd/system/openvpn-client.service
>
>

The rc.local isn't executing. Is "#!/bin/sh" the very first line?

theman

Aug 28, 2015, 10:02:02 PM8/28/15
to cprise, Qubed One, Connor Page, qubes-users
Yes.

theman

Aug 28, 2015, 10:27:10 PM8/28/15
to cprise, Qubed One, Connor Page, qubes-users
Not sure if it's relevant, but I notice that I also have an rc.local
(original/unchanged) file in /etc

cprise

Aug 29, 2015, 4:15:59 PM8/29/15
to theman, Qubed One, Connor Page, qubes-users
On 08/28/2015 10:27 PM, theman wrote:
> Not sure if it's relevant, but I notice that I also have an rc.local
> (original/unchanged) file in /etc
>

That's expected.

Maybe you could try creating a new proxyvm, and create a simple
/rw/config/rc.local consisting of this:

#!/bin/sh
touch /HELLO


Make it executable then reboot. If you see HELLO when you do 'ls /' then
the script was executed (and you can move your vpn config over to this
vm). If you don't see HELLO... you have found a Qubes bug.

theman

Aug 29, 2015, 8:45:19 PM8/29/15
to cprise, Qubed One, Connor Page, qubes-users
I created 2 new proxyvms from templates; one from the original pure
debian, and another from the modified debian (with the created openvpn
user).

Both seem to be working.

user@test-firewall:~$ ls /
bin etc home.orig lib64 mnt root sbin tmp
boot HELLO home_volatile lost+found opt run srv usr
dev home lib media proc rw sys var

I also went right back to the beginning:
1. cloned original debian template
2. Installed openvpn
3. Created proxyvm from that template
4. Copied and configured cprise's files/scripts (not using
Olivier's) into new proxyvm
5. Tested manually = everything okay
6. Tested automatically = vpn not launched

:O(

cprise

Aug 30, 2015, 5:55:42 AM8/30/15
to theman, Qubed One, Connor Page, qubes-users
On 08/29/2015 08:45 PM, theman wrote:
> I created 2 new proxyvms from templates; one from the original pure
> debian, and another from the modified debian (with the created openvpn
> user).
>
> Both seem to be working.
>
> user@test-firewall:~$ ls /
> bin etc home.orig lib64 mnt root sbin tmp
> boot HELLO home_volatile lost+found opt run srv usr
> dev home lib media proc rw sys var
>
> I also went right back to the beginning:
> 1. cloned original debian template
> 2. Installed openvpn
> 3. Created proxyvm from that template
> 4. Copied and configured cprise's files/scripts (not using
> Olivier's) into new proxyvm
> 5. Tested manually = everything okay
> 6. Tested automatically = vpn not launched
>
> :O(
>

You could take it a step further: First, run the rc.local manually with
'sudo -H /rw/config/rc.local' then do a 'systemctl status
openvpn-client' and test if the link is up (or note any error messages).

Also, you could try putting 'rm /HELLO && touch /HELLO' in various spots
(one at a time) of the rc.local script, starting with the line right
below '#!/bin/sh'. This is another way to tell if the script is running
and if it's stopping at any point.


theman

Aug 30, 2015, 7:23:48 PM8/30/15
to qubes...@googlegroups.com
Trying to run rc.local manually I get:

root@test3-firewall:/rw/config# sudo -H /rw/config/rc.local
sudo: unable to execute /rw/config/rc.local: No such file or directory

Unman

Aug 30, 2015, 8:01:10 PM8/30/15
to theman, qubes...@googlegroups.com
On Mon, Aug 31, 2015 at 09:23:44AM +1000, theman wrote:
> Trying to run rc.local manually I get:
>
> root@test3-firewall:/rw/config# sudo -H /rw/config/rc.local
> sudo: unable to execute /rw/config/rc.local: No such file or directory
>
>
>

Well there's your problem. ;-)

Check the file exists, check permissions.
You need to fix this before trying cprise's debug strategy?

Connor Page

Aug 30, 2015, 8:02:41 PM8/30/15
to qubes-users
Either without sudo if root or with sudo as user.

theman

Aug 30, 2015, 8:54:08 PM8/30/15
to Connor Page, qubes-users
As user I get the same:

user@test3-firewall:/rw/config$ sudo -H /rw/config/rc.local
sudo: unable to execute /rw/config/rc.local: No such file or directory
user@test3-firewall:/rw/config$

And I'm looking right at the file!!! Lol.

user@test3-firewall:/rw/config$ ls -l
total 24
drwxrwxr-x 4 1001 1001 4096 Aug 30 10:02 openvpn
-rw-r--r-- 1 root root 521 Aug 30 10:06 openvpn-client.service
-rw-r--r-- 1 root root 520 Aug 24 10:21 openvpn-client.service~
-rw-r--r-- 1 root root 393 Aug 17 23:13 qubes-firewall-user-script
-rwxr-xr-x 1 root root 390 Aug 28 21:53 rc.local
-rw-r--r-- 1 root root 192 Aug 17 23:13 suspend-module-blacklist

cprise

Aug 31, 2015, 12:34:06 AM8/31/15
to theman, Connor Page, qubes-users
I tested the command on my system; works fine.

See this help page:

http://unix.stackexchange.com/questions/144718/sudo-unable-to-execute-script-sh-no-such-file-or-directory

theman

Sep 1, 2015, 8:12:53 AM9/1/15
to cprise, Connor Page, qubes-users
Unbelievably good news - fixed!!! I have no idea how I managed to
corrupt the rc.local file. But I fixed it by installing and using
dos2unix via terminal.

I'm using Olivier's script. proxyVM starts vpn at startup. No dns leaks
(dns aligns with random server)!

Thanks everyone for your assistance, patience and perseverance!
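The three things this thread ended up chasing in /rw/config/rc.local (the +x bit, "#!/bin/sh" on the very first line, and the CRLF line endings that dos2unix finally cured and that make sudo print the misleading "No such file or directory") can be checked in one go. The script below is an added example, not a file from the thread or from Qubes; the only assumption is the path of the script you pass to it.

```shell
#!/bin/sh
# Added example (not from the thread): explain why an rc.local-style script
# would not run at boot or from "sudo -H /rw/config/rc.local".
check_rc_local() {
    f="$1"
    rc=0
    has_shebang=0
    cr=$(printf '\r')

    if [ ! -f "$f" ]; then
        echo "MISSING: $f does not exist"
        return 1
    fi

    if [ ! -x "$f" ]; then
        echo "NOT EXECUTABLE: run 'chmod +x $f'"
        rc=1
    fi

    # The kernel only honours "#!" when it is on the very first line.
    first=$(head -n 1 "$f")
    case "$first" in
        '#!'*) has_shebang=1 ;;
        *) echo "NO SHEBANG: first line must be '#!/bin/sh', got: '$first'"; rc=1 ;;
    esac

    # A CR left by a Windows-style editor makes the interpreter "/bin/sh\r",
    # which does not exist: that is exactly the "No such file or directory"
    # the thread hit, fixed by dos2unix.
    case "$first" in
        *"$cr"*) echo "CRLF LINE ENDINGS: run 'dos2unix $f'"; rc=1 ;;
    esac

    # If there is a shebang, make sure the interpreter it names is present.
    if [ "$has_shebang" -eq 1 ]; then
        interp_line=${first#"#!"}
        interp=$(printf '%s\n' "$interp_line" | tr -d '\r' | awk '{print $1}')
        if [ -n "$interp" ] && [ ! -x "$interp" ]; then
            echo "BAD INTERPRETER: $interp not found"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $f looks runnable"
    return "$rc"
}

# Usage: sh check_rc_local.sh /rw/config/rc.local
if [ -n "$1" ]; then
    check_rc_local "$1"
fi
```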

theman

Sep 1, 2015, 8:44:26 AM9/1/15
to qubes...@googlegroups.com
And I should say that I'm obviously using your scripts too cprise - I
could not have achieved success without you/them.

Connor Page

Sep 2, 2015, 8:33:55 AM9/2/15
to qubes-users, cpr...@gmail.com, conp...@gmail.com, the...@infrasonic.com.au

On Tuesday, 1 September 2015 13:12:53 UTC+1, theman wrote:
> Unbelievably good news - fixed!!! I have no idea how I managed to
> corrupt the rc.local file. But I fixed it by installing and using
> dos2unix via terminal.
>
> I'm using Olivier's script. proxyVM starts vpn at startup. No dns leaks
> (dns aligns with random server)!
>
> Thanks everyone for your assistance, patience and perseverance!

Congratulations! I was right, there was something wrong with rc.local all the way.