sys-net and VPN


wim...@gmail.com

Nov 15, 2015, 9:32:41 AM
to qubes-users
Hi all,

Having a confusing time setting up VPN in Qubes. I've done it the 'simple' way and just clicked NetworkManager applet in tray > VPN connections > configure VPN > added VPN settings. I know they're correct because they work on my Windows laptop and Ubuntu server. Everything appears to work fine - it connects with the wifi connection and I'm running VPNdemon so that it kills NetworkManager if the VPN drops.

Problem is, I was going through things like ipleak.net etc. to make sure everything appeared as it should from the outside, and if I go to sys-net > Firefox and head to ipleak.net, smack bang in the middle of the page is my ISP IP. On both other machines it shows the VPN server, as it should.

I cannot for the life of me figure out why it's showing that. I'm no Linux pro but competent enough to have given it a decent go. VPNdemon runs from a terminal in the sys-net VM and successfully kills the internet connection, so that confirmed for me that sys-net was where NetworkManager was running from and where the VPN info should go. I also edited the VM and added both network-manager and NetworkManager to the services tab, but that didn't help either.

Stumped.

Thanks


wim...@gmail.com

Nov 15, 2015, 10:15:42 AM
to qubes-users, wim...@gmail.com
I should also add that I created a random AppVM just to test with sys-firewall set as the NetVM (which in turn has sys-net set as its NetVM) and using firefox on the test AppVM also yielded the same result.

Unman

Nov 15, 2015, 10:17:39 AM
to wim...@gmail.com, qubes-users
If you look at the routing on sys-net you'll probably see all traffic going down
the external connection, and forwarded traffic being pushed down the VPN.
You can either change routing to ensure that locally generated traffic
runs down the VPN (excluding, of course, the VPN control connection), or
just stop using sys-net. For simplicity I would do the latter.

I find it much more straightforward to think of net and proxy VMs as part of
the infrastructure. You wouldn't expect to log in to your router to do
browsing: don't do the equivalent in Qubes. (Same can be said for using a
TorVM.)
Personally I block all OUTPUT traffic from sys-net, and restrict
FORWARD.

HTH

unman

Unman

Nov 15, 2015, 10:25:13 AM
to wim...@gmail.com, qubes-users
On Sun, Nov 15, 2015 at 07:15:17AM -0800, wim...@gmail.com wrote:
> I should also add that I created a random AppVM just to test with sys-firewall set as the NetVM (which in turn has sys-net set as its NetVM) and using firefox on the test AppVM also yielded the same result.
>

I'm sorry - in my reply which crossed with this I assumed that it was
working in appVMs but not from sys-net. What you're saying is that it
isn't working at all.
Check the status of the VPN to start.
Then you need to route the forwarded traffic down the VPN.
There has been extensive discussion on the list of doing this using
openvpn and useful guidance here:
https://www.qubes-os.org/doc/vpn/

Check that the vpn is up and running and then look at iptables, both nat
and filter.
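
Added example (not part of the thread): a small Python check of a FORWARD chain, given in `iptables -S` format, for the leak path the advice above is aimed at, i.e. a new connection from a downstream VM leaving through the uplink instead of the VPN. The rule sets and the interface names (`vif3.0`, `eth0`, `tun0`) are constructed assumptions, and only `-i`, `-o`, `--ctstate` and `-j` are modelled.

```python
# Constructed `iptables -S FORWARD` samples; interface names are assumptions.
LEAKY = """\
-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o tun0 -j ACCEPT
"""
TIGHT = """\
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o tun0 -j ACCEPT
-A FORWARD -i vif+ -o eth0 -j DROP
"""

def iface_matches(pattern, iface):
    """iptables interface match: no pattern matches all, trailing '+' is a prefix."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def parse_forward(text):
    """Return (policy, rules); each rule is a dict of option -> value."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "FORWARD"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "FORWARD"]:
            rules.append({tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                          if tok[i].startswith("-")})
    return policy, rules

def verdict(policy, rules, in_if, out_if):
    """First-match verdict for a NEW forwarded packet in_if -> out_if."""
    for r in rules:
        states = r.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue  # rule only covers already-tracked connections
        if iface_matches(r.get("-i"), in_if) and iface_matches(r.get("-o"), out_if):
            if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
                return r["-j"]
    return policy  # nothing matched: chain policy decides

def leaks(text, downstream="vif3.0", uplink="eth0"):
    """True if a new downstream connection may exit directly via the uplink."""
    return verdict(*parse_forward(text), downstream, uplink) == "ACCEPT"

if __name__ == "__main__":
    for name, text in (("leaky", LEAKY), ("tight", TIGHT)):
        print(name, "leaks via uplink:", leaks(text))
```

In the first sample nothing matches traffic headed for `eth0`, so the ACCEPT policy lets it out around the tunnel; in the second, forwarded traffic can only leave through `tun0`.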


wim...@gmail.com

Nov 15, 2015, 10:46:22 AM
to qubes-users
I managed to fix it although it's slightly embarrassing. Because sys-net is Fedora based as opposed to Ubuntu and wget is missing I had to manually set up the VPN connection rather than downloading config file. I realised after a google search that the VPN provider has their own DNS and so changed the VPN settings and adapter settings to reflect that - now everything is as it should be.

Thanks for taking the time to reply, much appreciated.
