proxy vm as a vpn gateway (problem)
252 views
Skip to first unread message
ipet...@gmail.com
Sep 20, 2014, 4:43:23 PM9/20/14
to qubes...@googlegroups.com
Hi Everyone!
I tried to set up my proxy vm as a vpn gateway. I followed the "How to setup a Proxy VM as a VPN Gateway" (step by step). The proxyvm (called vpnvm) successfully established the vpn connection to the server. Unfortunatelly the trusted vm didn't use the vpn tunnel. (on the trusted vm the network vm is vpnvm)
What is the problem? What did I do wrong?
topology:
server ------------------ net vm ------------ firewall vm ----------------- vpn vm (proxyvm) ----------------- trusted vm
|<------------------------------------------------------------------------->|
I tried to set up my proxy vm as a vpn gateway. I followed the "How to setup a Proxy VM as a VPN Gateway" (step by step). The proxyvm (called vpnvm) successfully established the vpn connection to the server. Unfortunatelly the trusted vm didn't use the vpn tunnel. (on the trusted vm the network vm is vpnvm)
What is the problem? What did I do wrong?
topology:
server ------------------ net vm ------------ firewall vm ----------------- vpn vm (proxyvm) ----------------- trusted vm
|<------------------------------------------------------------------------->|
tunnel
7v5w7go9ub0o
Sep 20, 2014, 7:07:15 PM9/20/14
to qubes...@googlegroups.com
After starting the proxy VM an icon will appear in the (KDE) tray -
but that is the vm only.
You need to rt-click that icon and direct it to connect to the VPN server. When properly connected, a "padlock" will appear within the icon window- indicating both the functioning VM and the VPN connection.
HTH
You need to rt-click that icon and direct it to connect to the VPN server. When properly connected, a "padlock" will appear within the icon window- indicating both the functioning VM and the VPN connection.
HTH
ipet...@gmail.com
Sep 21, 2014, 6:36:42 AM9/21/14
to qubes...@googlegroups.com
Yes I did it. The vpn connection established and the connection information was correct. I saw the "padlock".... My problem is the traffic of the trusted vm is not routed to the vpn tunnel.
7v5w7go9ub0o
Sep 21, 2014, 8:18:14 AM9/21/14
to qubes...@googlegroups.com
On 09/21/14 06:36, ipet...@gmail.com wrote:
> Yes I did it. The vpn connection established and the connection information
> was correct. I saw the "padlock".... My problem is the traffic of the
> trusted vm is not routed to the vpn tunnel.
>
> 2014. szeptember 21., vasárnap 1:07:15 UTC+2 időpontban 7v5w7go9ub0o a
> következőt írta:
>>
>> On 09/20/14 16:43, ipet...@gmail.com <javascript:> wrote:
>>> Hi Everyone!
>>>
>>> I tried to set up my proxy vm as a vpn gateway. I followed the "How
>>> to setup a Proxy VM as a VPN Gateway" (step by step). The proxyvm
>>> (called vpnvm) successfully established the vpn connection to the
>>> server. Unfortunatelly the trusted vm didn't use the vpn tunnel. (on
>>> the trusted vm the network vm is vpnvm)
>>>
>>> What is the problem? What did I do wrong?
>>>
>>> topology:
>>>
>>> server ------------------ net vm ------------ firewall vm
>>> ----------------- vpn vm (proxyvm) ----------------- trusted vm
>>>
>>>
>> |<------------------------------------------------------------------------->|
>>>
>> tunnel
>>
>>
>> After starting the proxy VM an icon will appear in the (KDE) tray - but
>> that is the vm only.
>>
>> You need to rt-click that icon and direct it to connect to the VPN server.
>> When properly connected, a "padlock" will appear within the icon window-
>> indicating both the functioning VM and the VPN connection.
>>
>> HTH
>>
>>
>>
IIUC, the padlock means that the VPN - as configured - is functioning
>>> Hi Everyone!
>>>
>>> I tried to set up my proxy vm as a vpn gateway. I followed the "How
>>> to setup a Proxy VM as a VPN Gateway" (step by step). The proxyvm
>>> (called vpnvm) successfully established the vpn connection to the
>>> server. Unfortunatelly the trusted vm didn't use the vpn tunnel. (on
>>> the trusted vm the network vm is vpnvm)
>>>
>>> What is the problem? What did I do wrong?
>>>
>>> topology:
>>>
>>> server ------------------ net vm ------------ firewall vm
>>> ----------------- vpn vm (proxyvm) ----------------- trusted vm
>>>
>>>
>> |<------------------------------------------------------------------------->|
>>>
>> tunnel
>>
>>
>> After starting the proxy VM an icon will appear in the (KDE) tray - but
>> that is the vm only.
>>
>> You need to rt-click that icon and direct it to connect to the VPN server.
>> When properly connected, a "padlock" will appear within the icon window-
>> indicating both the functioning VM and the VPN connection.
>>
>> HTH
>>
>>
>>
properly, which suggests that it is misconfigured!? Perhaps left-click
the icon; follow the vpn connections to configure vpn; validate or
delete and re-add info.
I suspect you may have done all of this, in which case I can not help.
If deleting and replacing fails, you might want to ping Marek.
mihaig...@gmail.com
Sep 21, 2014, 8:45:36 AM9/21/14
to qubes...@googlegroups.com
Try pinging server from your vpnvm, see if it replies.
If it does not, tunnel does not even work. If it does, try pinging server from trusted vm. If no reply, remove default masquerade rule on proxyvm and manually add masque/snat rule via vpn interface (meaning all packets coming from trusted vm going via internal net(where server is) should use as source ip the address of the vpn interface on proxyvm, not the address of trustedvm)).
If you have a different problem, you can always use tcpdump, wireshark to see exactly what the problem is.
Zrubi
Sep 21, 2014, 1:10:32 PM9/21/14
to qubes...@googlegroups.com, ipet...@gmail.com
- What kind of VPN are You using?
- after successful connected do you see the new routing in the VPN GW?
route -n
- did you get DNS info from the VPN server?
- the VPN plugin handle it correctly?
cat /etc/resolv.conf
- the qubes related DNS masquerading correct (in the VPN GW)?
iptables -L -n -t nat
usually the #1 problem is the missing DNS info, so first try to ping (or
reach) the server by IP instead of DNS. first from the VPN GW, if it
works, do the same check from the trusted VM...
--
Zrubi
Message has been deleted
ipet...@gmail.com
Sep 21, 2014, 1:48:15 PM9/21/14
to qubes...@googlegroups.com, ipet...@gmail.com, ma...@zrubi.hu
Connection information (vpn vm)
VPN type openvpn
VPN Gateway gw.vpn.autistici.org
IPV4
IP address 10.19.47.10
Broadcast Address 10.19.47.10
Subent Mask 255.255.255.255
Default route 91.121.204.114
Primary DNS 10.19.0.1
route -n
[user@vpn ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 10.19.47.9 0.0.0.0 UG 1024 0 0 tun0
10.19.0.1 10.19.47.9 255.255.255.255 UGH 1024 0 0 tun0
10.19.47.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.137.3.1 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
10.137.3.7 0.0.0.0 255.255.255.255 UH 32746 0
cat /etc/resolv.conf
[user@vpn ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.19.0.1
VPN type openvpn
VPN Gateway gw.vpn.autistici.org
IPV4
IP address 10.19.47.10
Broadcast Address 10.19.47.10
Subent Mask 255.255.255.255
Default route 91.121.204.114
Primary DNS 10.19.0.1
route -n
[user@vpn ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 10.19.47.9 0.0.0.0 UG 1024 0 0 tun0
10.19.0.1 10.19.47.9 255.255.255.255 UGH 1024 0 0 tun0
10.19.47.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.137.3.1 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
10.137.3.7 0.0.0.0 255.255.255.255 UH 32746 0
cat /etc/resolv.conf
[user@vpn ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.19.0.1
iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PR-QBS all -- 0.0.0.0/0 0.0.0.0/0
PR-QBS-SERVICES all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 10.137.3.1 udp dpt:53 to:10.19.0.1
Chain PR-QBS-SERVICES (1 references)
target prot opt source destination
vpn vm
[user@vpn ~]$ ping 91.121.204.114
PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
64 bytes from 91.121.204.114: icmp_seq=1 ttl=51 time=34.2 ms
64 bytes from 91.121.204.114: icmp_seq=2 ttl=51 time=46.8 ms
64 bytes from 91.121.204.114: icmp_seq=3 ttl=51 time=39.0 ms
64 bytes from 91.121.204.114: icmp_seq=4 ttl=51 time=35.2 ms
^C
--- 91.121.204.114 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 34.265/38.845/46.831/4.955 ms
trusted vm
[user@trusted ~]$ ping 91.121.204.114
PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
64 bytes from 91.121.204.114: icmp_seq=1 ttl=50 time=42.0 ms
64 bytes from 91.121.204.114: icmp_seq=2 ttl=50 time=34.6 ms
64 bytes from 91.121.204.114: icmp_seq=3 ttl=50 time=32.7 ms
64 bytes from 91.121.204.114: icmp_seq=4 ttl=50 time=253 ms
64 bytes from 91.121.204.114: icmp_seq=5 ttl=50 time=36.4 ms
^X^C
--- 91.121.204.114 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 32.708/79.857/253.467/86.860 ms
target prot opt source destination
PR-QBS all -- 0.0.0.0/0 0.0.0.0/0
PR-QBS-SERVICES all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 10.137.3.1 udp dpt:53 to:10.19.0.1
Chain PR-QBS-SERVICES (1 references)
target prot opt source destination
vpn vm
[user@vpn ~]$ ping 91.121.204.114
PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
64 bytes from 91.121.204.114: icmp_seq=1 ttl=51 time=34.2 ms
64 bytes from 91.121.204.114: icmp_seq=2 ttl=51 time=46.8 ms
64 bytes from 91.121.204.114: icmp_seq=3 ttl=51 time=39.0 ms
64 bytes from 91.121.204.114: icmp_seq=4 ttl=51 time=35.2 ms
^C
--- 91.121.204.114 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 34.265/38.845/46.831/4.955 ms
trusted vm
[user@trusted ~]$ ping 91.121.204.114
PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
64 bytes from 91.121.204.114: icmp_seq=1 ttl=50 time=42.0 ms
64 bytes from 91.121.204.114: icmp_seq=2 ttl=50 time=34.6 ms
64 bytes from 91.121.204.114: icmp_seq=3 ttl=50 time=32.7 ms
64 bytes from 91.121.204.114: icmp_seq=4 ttl=50 time=253 ms
64 bytes from 91.121.204.114: icmp_seq=5 ttl=50 time=36.4 ms
^X^C
--- 91.121.204.114 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 32.708/79.857/253.467/86.860 ms
Zrubi
Sep 21, 2014, 1:59:56 PM9/21/14
to ipet...@gmail.com, qubes...@googlegroups.com, marm...@invisiblethingslab.com
On 09/21/14 19:44, ipet...@gmail.com wrote:
> *Connection information (vpn vm)*
> *
.
.
.
The only 'problem' is that your server try to route everything trough
the VPN (try to set a new default gw) and this (pretty normal anyway)
situation is not handled correctly due to Qubes Proxy VMs are using
double default route (for some reason) which is incompatible with the
NetworkManager VPN plugins.
Please confirm this double routing by this command:
route -n
BEFORE You connecting your VPN.
For a workaround:
You can try to remove that remaining bad default route in the Proxy VM
by this command:
sudo route del default gw 10.137.2.1
@Marek
Can You tell me why we need that double default route please?
--
Zrubi
> *Connection information (vpn vm)*
>
> VPN type openvpn
> VPN Gateway gw.vpn.autistici.org
>
> IPV4
>
> IP address 10.19.47.10
> Broadcast Address 10.19.47.10
> Subent Mask 255.255.255.255
> Default route 91.121.204.114
> Primary DNS 10.19.0.1
>
> *route -n
> VPN type openvpn
> VPN Gateway gw.vpn.autistici.org
>
> IPV4
>
> IP address 10.19.47.10
> Broadcast Address 10.19.47.10
> Subent Mask 255.255.255.255
> Default route 91.121.204.114
> Primary DNS 10.19.0.1
>
> *
> [user@vpn ~]$ route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use
> Iface
> 0.0.0.0 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
> 0.0.0.0 10.19.47.9 0.0.0.0 UG 1024 0 0 tun0
> 10.19.0.1 10.19.47.9 255.255.255.255 UGH 1024 0 0 tun0
> 10.19.47.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 10.137.3.1 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
> 10.137.3.7 0.0.0.0 255.255.255.255 UH 32746 0
>
> *cat /etc/resolv.conf*
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use
> Iface
> 0.0.0.0 10.137.2.1 0.0.0.0 UG 0 0 0 eth0
> 0.0.0.0 10.19.47.9 0.0.0.0 UG 1024 0 0 tun0
> 10.19.0.1 10.19.47.9 255.255.255.255 UGH 1024 0 0 tun0
> 10.19.47.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 10.137.3.1 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
> 10.137.3.7 0.0.0.0 255.255.255.255 UH 32746 0
>
>
> [user@vpn ~]$ cat /etc/resolv.conf
> # Generated by NetworkManager
> nameserver 10.19.0.1
>
> *iptables -L -n -t nat *
> [user@vpn ~]$ cat /etc/resolv.conf
> # Generated by NetworkManager
> nameserver 10.19.0.1
>
.
.
.
>
> Chain PR-QBS (1 references)
> target prot opt source destination
> DNAT udp -- 0.0.0.0/0 10.137.3.1 udp dpt:53
> to:10.19.0.1
It seem all fine.
> Chain PR-QBS (1 references)
> target prot opt source destination
> DNAT udp -- 0.0.0.0/0 10.137.3.1 udp dpt:53
> to:10.19.0.1
The only 'problem' is that your server try to route everything trough
the VPN (try to set a new default gw) and this (pretty normal anyway)
situation is not handled correctly due to Qubes Proxy VMs are using
double default route (for some reason) which is incompatible with the
NetworkManager VPN plugins.
Please confirm this double routing by this command:
route -n
BEFORE You connecting your VPN.
For a workaround:
You can try to remove that remaining bad default route in the Proxy VM
by this command:
sudo route del default gw 10.137.2.1
@Marek
Can You tell me why we need that double default route please?
--
Zrubi
Zrubi
Sep 21, 2014, 2:03:21 PM9/21/14
to ipet...@gmail.com, qubes...@googlegroups.com
On 09/21/14 19:44, ipet...@gmail.com wrote:
> *vpn vm*
>
> [user@vpn ~]$ ping 91.121.204.114
> PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
> 64 bytes from 91.121.204.114: icmp_seq=1 ttl=51 time=34.2 ms
> 64 bytes from 91.121.204.114: icmp_seq=2 ttl=51 time=46.8 ms
> 64 bytes from 91.121.204.114: icmp_seq=3 ttl=51 time=39.0 ms
> 64 bytes from 91.121.204.114: icmp_seq=4 ttl=51 time=35.2 ms
> ^C
> --- 91.121.204.114 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 3005ms
> rtt min/avg/max/mdev = 34.265/38.845/46.831/4.955 ms
>
> *trusted vm
> [user@vpn ~]$ ping 91.121.204.114
> PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
> 64 bytes from 91.121.204.114: icmp_seq=1 ttl=51 time=34.2 ms
> 64 bytes from 91.121.204.114: icmp_seq=2 ttl=51 time=46.8 ms
> 64 bytes from 91.121.204.114: icmp_seq=3 ttl=51 time=39.0 ms
> 64 bytes from 91.121.204.114: icmp_seq=4 ttl=51 time=35.2 ms
> ^C
> --- 91.121.204.114 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 3005ms
> rtt min/avg/max/mdev = 34.265/38.845/46.831/4.955 ms
>
> *
> [user@trusted ~]$ ping 91.121.204.114
> PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
> 64 bytes from 91.121.204.114: icmp_seq=1 ttl=50 time=42.0 ms
> 64 bytes from 91.121.204.114: icmp_seq=2 ttl=50 time=34.6 ms
> 64 bytes from 91.121.204.114: icmp_seq=3 ttl=50 time=32.7 ms
> 64 bytes from 91.121.204.114: icmp_seq=4 ttl=50 time=253 ms
> 64 bytes from 91.121.204.114: icmp_seq=5 ttl=50 time=36.4 ms
> ^X^C
> --- 91.121.204.114 ping statistics ---
> 5 packets transmitted, 5 received, 0% packet loss, time 4005ms
> rtt min/avg/max/mdev = 32.708/79.857/253.467/86.860 ms
>
While your VPN is really fine, you are ping the wrong address.
> PING 91.121.204.114 (91.121.204.114) 56(84) bytes of data.
> 64 bytes from 91.121.204.114: icmp_seq=1 ttl=50 time=42.0 ms
> 64 bytes from 91.121.204.114: icmp_seq=2 ttl=50 time=34.6 ms
> 64 bytes from 91.121.204.114: icmp_seq=3 ttl=50 time=32.7 ms
> 64 bytes from 91.121.204.114: icmp_seq=4 ttl=50 time=253 ms
> 64 bytes from 91.121.204.114: icmp_seq=5 ttl=50 time=36.4 ms
> ^X^C
> --- 91.121.204.114 ping statistics ---
> 5 packets transmitted, 5 received, 0% packet loss, time 4005ms
> rtt min/avg/max/mdev = 32.708/79.857/253.467/86.860 ms
>
Try to ping the given DNS server:
10.19.0.1
and see if its works.
--
Zrubi
Marek Marczykowski-Górecki
Sep 21, 2014, 2:06:05 PM9/21/14
to Zrubi, ipet...@gmail.com, qubes...@googlegroups.com
doesn't notice that it is already configured). I'll look at it closer.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
ipet...@gmail.com
Sep 21, 2014, 3:37:51 PM9/21/14
to qubes...@googlegroups.com, ipet...@gmail.com, ma...@zrubi.hu
I tried to ping the 10.0.19.1 with two gw and after with one. It didn't work. When I set up the vpn on the netvm it works fine!
Reply all
Reply to author
Forward
0 new messages