ANN: Testing new VPN code for Qubes

912 views
Skip to first unread message

Chris Laprise

unread,
Apr 17, 2018, 5:13:29 PM4/17/18
to qubes-users, Patrick Schleizer
Hello fellow Qubes users:

Per issue 3503 the Qubes project would like to incorporate VPN features
from Qubes-vpn-support -- which a number of you are already using --
into the Qubes 4.1 release.

I've set up a new project "qubes-tunnel" to act as a staging area for
testing and eventual forking into Qubes. It is nearly the same as
Qubes-vpn-support except some names & paths are different... and install
to template is required for obvious reasons :) .


Project Link... https://github.com/tasket/qubes-tunnel


Everyone with an available VPN service is welcome to try this out and
report here on your results!

-

PS - Some of you will wonder if installing qubes-tunnel into an existing
template already used for Qubes-vpn-support will cause a conflict; They
will not conflict as long as the two services aren't enabled for the
same ProxyVM(s).

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

JonHBit

unread,
Apr 17, 2018, 9:20:02 PM4/17/18
to qubes-users

Worked well for me using a debian-9 template & commit 4e96ca8, only trouble was that my VPN provider's configs used /etc/update-resolv-conf and failed silently when it was missing - so shipping it with qubes-tunnel and installing it by default may be helpful.

Chris Laprise

unread,
Apr 17, 2018, 11:42:05 PM4/17/18
to JonHBit, qubes-users
Thanks!

This issue just became apparent to me when another user reported it. The
underlying problem is a bug (or several bugs) in openvpn's option parsing:

https://github.com/tasket/Qubes-vpn-support/issues/19

It only shows up when the config specifies its own scripts which is
rare. I'm trying out a workaround now which involves:

1. Removing the paths in the up & down options in the .service file.

2. Moving the up & down options to the beginning just after the openvpn
command.

3. Symlinking the up/down script from /usr/lib/qubes to the
/rw/config/qtunnel dir.

Hopefully this will override the config's up/down settings as intended.

Chris Laprise

unread,
Apr 18, 2018, 5:36:37 AM4/18/18
to JonHBit, qubes-users
I had to use a different approach but it should be fixed now. Update it
by copying new version to template and running installer. Then you'll
need to remove the 'qubes-tunnel' Qubes service for the proxyVM and add
'qubes-tunnel-openvpn' instead.

john

unread,
Apr 19, 2018, 7:27:05 PM4/19/18
to qubes...@googlegroups.com
I installed this in a App/proxy 4.0 VM, as I am familiar with the 3.2
CLI VPN creation.

I don't really understand how installing it in a Template or The
Template(not cloning it 1st) would allow me to swich between
geolocations ...

So, I used the AppVM, then I simply cloned the 1st one created with
the script and went into the PIA config file area ....and did rm -f ln
-s to the network manager thing.

and then recreated the ln -s to a new config file, which works , and
Even wakes up from suspend (where in 3.2 it never did) ; However,

If the AppVM using one of the VPN-foo as a netvm, and it is started,
and I want to switch to another VPN-foo1 it doesn't work on the fly, I
have to go and qvm-shutdown the AppVM and open it again, which is a
big pain. I am often running out of RAM, and so try to just use one
App-proxy-vpnVM , however ,

is this the expected behavior no switching vpn appvms on the fly ?

Chris Laprise

unread,
Apr 19, 2018, 8:04:41 PM4/19/18
to john, qubes...@googlegroups.com
IIRC this is a bug in the versions of Linux kernel that Qubes 4.0 uses.
There is an issue but I can't locate it at the moment.

cicero

unread,
Apr 20, 2018, 2:03:27 AM4/20/18
to Chris Laprise, qubes...@googlegroups.com
On 04/19/18 14:04, Chris Laprise wrote:
> On 04/19/2018 07:26 PM, john wrote:
>> I installed this in a App/proxy 4.0 VM,  as I am familiar with the 3.2
>> CLI  VPN creation.
>>
>> I don't really understand how installing it in a Template or The
>> Template(not cloning it 1st)  would allow me to swich between
>> geolocations ...
>>
>> So, I used the AppVM,  then I simply  cloned the 1st one created with
>> the script and went into the PIA config file area ....and did rm -f ln
>> -s  to the network manager thing.
>>
>> and then recreated the ln -s  to a new config file,  which works , and
>> Even  wakes up  from  suspend  (where in 3.2 it never did) ;  However,
>>
>> If the AppVM using one of the VPN-foo as a netvm,  and it is started,
>> and I want to switch to another VPN-foo1  it doesn't work on the fly,
>> I have to go and qvm-shutdown the  AppVM and open it again,  which is
>> a big pain.    I am often running out of RAM, and so try to just use
>> one App-proxy-vpnVM , however ,
>>
>> is this the expected behavior  no switching vpn appvms on the fly ?
>
> IIRC this is a bug in the versions of Linux kernel that Qubes 4.0 uses.
> There is an issue but I can't locate it at the moment.
>
>
So, I guess I'll learn to live with it , and try not to change VPNs buy
buying some more expensive RAM :)

But, I'm curious , If I install the new script in the Template/s , how
would I switch VPN locations?

Or would every AppVM based on that Template be locked into whatever
geolocation's config file was symlinked to ?



Chris Laprise

unread,
Apr 20, 2018, 9:12:58 AM4/20/18
to cicero, qubes...@googlegroups.com
Templates don't affect your ability to set a custom location script.
This is because the link that points from qtunnel.conf to any particular
config is stored in each proxyVM under /rw/config/qtunnel.

You can of course do one proxyVM setup, then clone it and change the
link in each clone.

BTW, thanks for trying it out!

cicero

unread,
Apr 20, 2018, 10:04:26 AM4/20/18
to Chris Laprise, qubes...@googlegroups.com
Chris, what I'm trying to say is, if it is recommended to install it in
the Template or a cloned Template ; how then do I change the geolocation
to two different locations, one for each of , say, two AppVMs ?

I could create symlinks in /rw/config/qtunnel? in the AppVMs ? or


I understand that if this is integrated later, then I probably need to
learn to use it in the Template now, to avoid more issues down the road,
I don't really like cloning the Template too much, as Qubes, is already
a challenge in its complexity


eg: my current dracut emergency shell situation PS: seems I had an old
Q3.2 in an enclosure, I was going to reformat but hadn't yet, and during
a reboot it was in the USB drive, and this seems to have caused Q4.0 in
efi installation to dump it's init to boot ; so do I go make a
fedora live usb drive and try to mount and save it ? and lose all the
configuration and restoring of 3.2 VMs or just reinstall Q4.0?


I have read some folks on here , whom when trying to go back to Q3.2 are
having big issues, I don't really understand how efi works, my UEFI
still says Qubes 3.1 for some reason (I think there are some
gymnastics to try to get the EFI to update it's names but fear I'll lose
the windows 10 install on the 2nd HD, etc etc .....


Strangely windows 10 "just works", but I digress .....

Chris Laprise

unread,
Apr 20, 2018, 10:59:02 AM4/20/18
to cicero, qubes...@googlegroups.com
Since there's no connection information in the template -- only the VPN
scripts & the OS are there -- templates don't affect configuration
issues like different locations. In any case, you have a proxyVM which
contains configurations for the connections to various sites, but each
proxyVM connects to only one VPN remote site at a time. So to have two
AppVMs routed through two different VPN sites, you need two proxyVMs
(one for each AppVM).

This is not an absolute rule BTW. Its just how our current tools are
most logically and safely configured. Conceivably you could rig a single
proxyVM to safely handle more than one VPN connection.

>
> I could create symlinks in /rw/config/qtunnel?   in the AppVMs  ?  or
>
>
> I understand that if this is integrated later, then I probably need to
> learn to use it in the Template now, to avoid more issues down the road,
> I don't really like cloning the Template too much, as Qubes, is already
> a challenge in its complexity

To clarify...

Cloning the template is recommended because the VPN software is still
being tested. Its just a way to backup in case something in the modified
template gets damaged.

Cloning a proxyVM is a quick way to make additional VPN VMs that can
connect to different VPN sites.

>
>
> eg: my current dracut emergency shell situation PS: seems I had an old
> Q3.2 in an enclosure, I was going to reformat but hadn't yet, and during
> a reboot it was in the USB drive, and this seems to have caused  Q4.0 in
> efi installation  to dump  it's  init   to boot  ; so do I go make a
> fedora live usb drive and try to mount and save it ?   and lose all the
> configuration and restoring of 3.2 VMs   or just reinstall Q4.0?

Boot issues aren't my strong suit, but this sounds serious enough to
start a separate thread for it.

>
>
> I have read some folks on here , whom when trying to go back to Q3.2 are
> having big issues, I don't really understand how efi works,  my UEFI
> still  says  Qubes 3.1 for some reason (I think there are some
> gymnastics to try to get the EFI to update it's names but fear I'll lose
> the windows 10 install on the 2nd HD,  etc etc .....
>
>
> Strangely windows 10 "just works", but I digress .....
>


cicero

unread,
Apr 20, 2018, 11:14:24 AM4/20/18
to Chris Laprise, qubes...@googlegroups.com
On 04/20/18 04:58, Chris Laprise wrote:
> Since there's no connection information in the template -- only the VPN
> scripts & the OS are there -- templates don't affect configuration
> issues like different locations. In any case, you have a proxyVM which
> contains configurations for the connections to various sites, but each
> proxyVM connects to only one VPN remote site at a time. So to have two
> AppVMs routed through two different VPN sites, you need two proxyVMs
> (one for each AppVM).

hmm, so I guess by installing the script in the Template(cloned), it
would save me from having to re-run the script in the AppProxyVMs,
that's it ?

But, if I'm just cloning the Original AppProxyVMs , to make a 2nd
geolocation, doesn't seem like saves me any work by not having to
re-run the script, as it is already in the cloned AppProxyVM ?

Do I have this correct?


But, sometime in the future, a possible newer version will only run in a
Template, but then the rest is about the same on configuration, ( a
separate AppProxyVM for each location wanted , unless one wanted to
manually change the symlink to change locations ?

Chris Laprise

unread,
Apr 25, 2018, 11:24:21 PM4/25/18
to cicero, qubes...@googlegroups.com
On 04/20/2018 11:14 AM, cicero wrote:
> On 04/20/18 04:58, Chris Laprise wrote:
>> Since there's no connection information in the template -- only the
>> VPN scripts & the OS are there -- templates don't affect configuration
>> issues like different locations. In any case, you have a proxyVM which
>> contains configurations for the connections to various sites, but each
>> proxyVM connects to only one VPN remote site at a time. So to have two
>> AppVMs routed through two different VPN sites, you need two proxyVMs
>> (one for each AppVM).
>
> hmm, so I guess by installing the script in the Template(cloned), it
> would save me from having to re-run the script in the AppProxyVMs,
> that's it ?

You wouldn't have to install it into proxyVMs. But there is still one
script-running step when configuring a proxyVM with qubes-tunnel.

https://github.com/tasket/qubes-tunnel

>
> But, if I'm just cloning the Original AppProxyVMs , to make a 2nd
> geolocation,  doesn't seem like  saves me any work  by  not having to
> re-run the script, as it is already in the cloned AppProxyVM  ?

If you clone an already configured proxyVM, no further configuration is
required for the clone to connect to the same site. To change the site,
you will only need to change the qtunnel.conf link.

>
> Do I have this correct?
>
>
> But, sometime in the future, a possible newer version will only run in a
> Template, but then the rest is about the same on configuration, ( a
> separate AppProxyVM for each location wanted , unless one wanted to
> manually change the symlink to change locations ?

That's the intention, to make qubes-tunnel (child of Qubes-vpn-support)
already available for use in the templates. This simplifies the setup
process for users.

JonHBit

unread,
Apr 26, 2018, 5:29:50 PM4/26/18
to qubes-users

Hi Chris,

Good to see the update!

However I think that's a separate issue; what I'm referencing is these lines in my .ovpn config:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

The VPN installer script will normally download this if it's missing - used to change the DNS server to the VPN-provided one.

The script is here: https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh

After adding it everything worked well.

Chris Laprise

unread,
Apr 26, 2018, 9:38:41 PM4/26/18
to JonHBit, qubes-users
The update will replace those lines because they should be overridden
with the Qubes-specific DNS handling. If dnat isn't setup for DNS then
those packets could get mis-routed.

You can check the dnat rules (which should have some address other than
10.139.1.x after connecting) with this:

sudo iptables -v -t nat -L PR-QBS

My guess why it might work with incorrect dnat addresses is that your
VPN provider takes the step of re-assigning DNS destination addresses to
its own. But this is unorthodox so I wouldn't count on it.

vel...@tutamail.com

unread,
Apr 29, 2018, 5:56:24 PM4/29/18
to qubes-users
Chris/Tasket,
I am currently using this version: https://github.com/tasket/Qubes-vpn-support

"Master version"

I have this running in a proxy AppVM (Not in a template)

Using PIA VPN service

OpenDNS checks out OK

I just tried this version in 4.0 in the template. Some notes feedback:

1) When I tried changing the DNS to OpenDNS in my config file:
setenv vpn_dns '208.67.222.222 208.67.220.220'


I then went to:
http://welcome.opendns.com/

It failed and informed me I was not using OpenDNS.


2) The step 3. in the abbreviated instructions say to run:
/usr/lib/qubes/qtunnel-setup --config

However I had to run:
sudo /usr/lib/qubes/qtunnel-setup --config

I was able to get to the internet....I didn't do any further testing. If you want me to try some things more then happy to help...

Thanks again for the work.

V


vel...@tutamail.com

unread,
Apr 29, 2018, 10:14:34 PM4/29/18
to qubes-users
Using debian 9, link indicates "Link is up", I get internet connection, https://www.dnsleaktest.com/ indicates my VPNs IP(despite "setenv vpn_dns '208.67.222.222 208.67.220.220'" in my vpn configuration) when I use this configuration...


V


Chris Laprise

unread,
Apr 30, 2018, 6:18:20 AM4/30/18
to vel...@tutamail.com, qubes-users
On 04/29/2018 10:14 PM, vel...@tutamail.com wrote:
> I just tried this version in 4.0 in the template. Some notes feedback:
>
> 1) When I tried changing the DNS to OpenDNS in my config file:
> setenv vpn_dns '208.67.222.222 208.67.220.220'
>
>
> I then went to:
> http://welcome.opendns.com/
>
> It failed and informed me I was not using OpenDNS.

--

> Using debian 9, link indicates "Link is up", I get internet connection, https://www.dnsleaktest.com/ indicates my VPNs IP(despite "setenv vpn_dns '208.67.222.222 208.67.220.220'" in my vpn configuration) when I use this configuration...


Its working when I try it. On dnsleaktest.com, your VPN provider IP
should always appear on the first page. Then when you click on a test
button it should show "OpenDNS, LLC" in the ISP column. The OpenDNS
addresses will also show up in the log alongside "Using DNS servers...".

The problem is you're mixing instructions from the two different
projects. This thread is for testing qubes-tunnel but you said you were
using Qubes-vpn-support (...but said you were using qtunnel* commands
which belong to qubes-tunnel and are not correct for Qubes-vpn-support).

If using 'qubes-tunnel-openvpn' service for your VPN VM, your configs
should reside in /rw/config/qtunnel and the setenv line that you add
will be:

setenv tunnel_dns '208.67.222.222 208.67.220.220'

-

It would be nice, however, if you made the switch to qubes-tunnel to
give us some testing feedback. :)

vel...@tutamail.com

unread,
Apr 30, 2018, 7:44:25 AM4/30/18
to qubes-users
Adding this to my config:
setenv tunnel_dns '208.67.222.222 208.67.220.220'

instead of:
setenv vpn_dns '208.67.222.222 208.67.220.220'

worked.

Both http://welcome.opendns.com/ and https://www.dnsleaktest.com/ show that OpenDNS are being used.


I am more then happy to help test, I was planning to make the shift but my DNS wasn't working...all good now. Thanks for the help...

I'll move my sys-VPNs to this new project...I was just reluctant to make the move as my DNS was not showing correct. All good now!

Thanks again...if anything comes up I'll report back. If you want me to try something more then happy to help...

Thx


vel...@tutamail.com

unread,
Apr 30, 2018, 8:28:23 AM4/30/18
to qubes-users
Here are my notes/instructions I made based on yours, I drag and drop some files into terminal(vs purely command lines):

Using qTunnel:

For Debian proxy, add OpenVPN package to your VPN template:
su
apt-get update && apt-get install openvpn unzip

Download and transfer file to template
https://github.com/tasket/qubes-tunnel.git

cd “Then drag downloaded file into terminal from tasket”
sudo bash ./install

Create proxy AppVM using VPN template: sys-VPN
Colour: Green
Provides Network Checked
connect to sys-net
Launch settings - Checked

Settings:
Add files and Terminal to Applications
Add “qubes-tunnel-openvpn” to services

Move VPN config files to new proxy AppVM

Open proxy AppVM terminal:
sudo mkdir /rw/config/qtunnel

sudo /usr/lib/qubes/qtunnel-setup --config

Enter VPN name and password

sudo mv “Then highlight the .pem, .crt and config file (renamed to “openvpn-client.ovpn)” /rw/config/qtunnel

Optional - Change config DNS:
setenv tunnel_dns '208.67.222.222 208.67.220.220'

cd /rw/config/qtunnel
sudo ln -s xx.ovpn qtunnel.conf
(xx is the VPN client config)

Restart AppVM...look for “Links is up” pop-up

https://github.com/tasket/qubes-tunnel

vel...@tutamail.com

unread,
Apr 30, 2018, 11:33:22 AM4/30/18
to qubes-users
Sorry correction to my notes:


Using qTunnel:

For Debian proxy, add OpenVPN package to your VPN template:
su
apt-get update && apt-get install openvpn unzip

Download and transfer file to template
https://github.com/tasket/qubes-tunnel.git

cd “Then drag downloaded file into terminal from tasket”
sudo bash ./install

Create proxy AppVM using VPN template: sys-VPN
Colour: Green
Provides Network Checked
connect to sys-net
Launch settings - Checked

Settings:
Add files and Terminal to Applications
Add “qubes-tunnel-openvpn” to services

Move VPN config files to new proxy AppVM

Open proxy AppVM terminal:
sudo mkdir /rw/config/qtunnel

sudo /usr/lib/qubes/qtunnel-setup --config

Enter VPN name and password

sudo mv “Then highlight the .pem, .crt and config file (renamed to xx.ovpn)” /rw/config/qtunnel

vel...@tutamail.com

unread,
May 5, 2018, 10:32:31 AM5/5/18
to qubes-users
Strangest thing, I did a fresh installation of Qubes and now I can't get this to work again?

Sorry for the basic question but is there something I need to do to the fresh debian template after installation?

I am trying to eliminate all possible issues but to install OpenVPN to the debian template:

1) I simply allow access to TOR or a network to get OpneVPN
2) Type : sudo apt-get install openvpn

I am having the same issue with Fedora as well, could there be another reason for this not connecting?

I get the "Waiting for connection" message but I don't get the "Link is up"...

Thanks for any thoughts...

V

morlan...@gmail.com

unread,
May 6, 2018, 5:24:41 PM5/6/18
to qubes-users
On Tuesday, April 17, 2018 at 2:13:29 PM UTC-7, Chris Laprise wrote:

Worked great for me with Qubes 4.0 and Fedora 26.

I'm unclear on how to use sys-firewall now though. Should it be sys-net -> sys-firewall -> VPN -> App?

Thanks.

john

unread,
May 6, 2018, 6:01:06 PM5/6/18
to qubes...@googlegroups.com
you seem to be confusing things.

1)
can you update your templates otherwise?

2)
sudo apt-get install openvpn should have nothing to do with the later
step of install the tasket scrip-let ..... (not the tunnel) just
the VPN script on GitHub

3)
if you Not talking about the "tunnel" script just the VPN tasket
script, why not leave the Template out of the equation and just
install the script in a fresh App-ProxyVM that "allows networking"
(proxy)


and just leave Tor out of the whole puzzle IMO

vel...@tutamail.com

unread,
May 7, 2018, 5:00:38 PM5/7/18
to qubes-users

>
> 1)
> can you update your templates otherwise?

Yes I can update my templates

> 2)
> sudo apt-get install openvpn should have nothing to do with the later
> step of install the tasket scrip-let ..... (not the tunnel) just
> the VPN script on GitHub

I was just hoping to make sure I haven't missed a basic step. It is my understanding the stock Debian-9 template that comes with 4.0 does not have OpenVPN installed. "sudo apt-get install openvpn" is all thats needed? Is there additional commands to install any dependencies?


> 3)
> if you Not talking about the "tunnel" script just the VPN tasket
> script, why not leave the Template out of the equation and just
> install the script in a fresh App-ProxyVM that "allows networking"
> (proxy)

Whats strange is I had the "Tunnel" script working prior to my fresh 4.0 install. The "VPN Tasket" also worked but moved to the "Tunnel" prior to my fresh install.

I tried going back to the "App-ProxyVM" only(i.e. no template configuration) but it too didn't work....

>
> and just leave Tor out of the whole puzzle IMO

I'll try with out TOR to see if that changes anything...

Thanks,
V

(Morlan - I used to connect my VPN proxy via sys-net -> VPN -> AppVM when I had this running...I would defer to other more seasoned Q users but consider multiple VPNs configured for different IPs, TOR over VPN...my thought was VPN thru sys-firewall consumed resources and wasn't sure it provided additional security...I would be open to being corrected if that is wrong)

dangm...@gmail.com

unread,
May 12, 2018, 1:54:43 PM5/12/18
to qubes-users
On Tuesday, April 17, 2018 at 2:13:29 PM UTC-7, Chris Laprise wrote:


I can get my browser to connect in the ProxyVM only after I manually change /etc/resolv.conf to NordVPN DNS servers.

But nothing that uses the ProxyVM as a NetVM can access the internet in any way. Cannot ping 8.8.8.8. Can't do anything. Doesn't matter what I do to /etc/resolv.conf in the AppVM.

get

unread,
May 12, 2018, 2:10:27 PM5/12/18
to qubes-users
среда, 18 апреля 2018 г., 0:13:29 UTC+3 пользователь Chris Laprise написал:
Hi. script not working more on debian-9/fedora-26. Please fix it.

Tested vpn's : mullvad, privateinternetaccess, expressvpn and multiple random openvpn.

Guides:
https://github.com/tasket/Qubes-vpn-support
https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-the-qubes-tunnel-service
https://github.com/tasket/qubes-tunnel



dangm...@gmail.com

unread,
May 12, 2018, 2:24:00 PM5/12/18
to qubes-users
Instructions also make no sense.


1. Copy to template

2. Copy to template VM



JonHBit

unread,
May 12, 2018, 3:11:06 PM5/12/18
to qubes-users

I've updating to 1.4beta4 and switched templates from debian-9 to fedora-28, but I'm getting the same error - also it seems like openvpn flag defaults changed, as it now returns an error for the up and down arguments

Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2 arguments instead of 1; putting the whole phrase in double quotes fixes this, which I see you did but for some reason the quotes seem to be removed when ExecStart runs, i.e. checking systemctl status qubes-tunnel shows the command without the quotes

Chris Laprise

unread,
May 14, 2018, 9:09:22 AM5/14/18
to JonHBit, qubes-users
On 05/12/2018 03:11 PM, JonHBit wrote:

> I've updating to 1.4beta4 and switched templates from debian-9 to fedora-28, but I'm getting the same error - also it seems like openvpn flag defaults changed, as it now returns an error for the up and down arguments

Did you mean fedora-26?


> Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2 arguments instead of 1; putting the whole phrase in double quotes fixes this, which I see you did but for some reason the quotes seem to be removed when ExecStart runs, i.e. checking systemctl status qubes-tunnel shows the command without the quotes

I'm a little unclear: Did you get the link working like this?

I have two fedora 26 templates, one was last updated over 10 days ago
and the other updated today. The VPN link won't come up with the latter
one...

Chris Laprise

unread,
May 14, 2018, 3:35:53 PM5/14/18
to morlan...@gmail.com, qubes-users
On 05/06/2018 05:24 PM, morlan...@gmail.com wrote:
> Worked great for me with Qubes 4.0 and Fedora 26.
>
> I'm unclear on how to use sys-firewall now though. Should it be sys-net -> sys-firewall -> VPN -> App?
>
> Thanks.

That arrangement is OK. But you can take sys-firewall out of the path
(connect VPN directly to sys-net) because a VPN qube configured with
qubes-tunnel still does the job of a regular proxy qube (like sys-firewall).

Chris Laprise

unread,
May 14, 2018, 3:37:33 PM5/14/18
to JonHBit, qubes-users
On 05/14/2018 09:09 AM, Chris Laprise wrote:
> On 05/12/2018 03:11 PM, JonHBit wrote:
>
>> I've updating to 1.4beta4 and switched templates from debian-9 to
>> fedora-28, but I'm getting the same error - also it seems like openvpn
>> flag defaults changed, as it now returns an error for the up and down
>> arguments
>
> Did you mean fedora-26?
>
>
>> Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2
>> arguments instead of 1; putting the whole phrase in double quotes
>> fixes this, which I see you did but for some reason the quotes seem to
>> be removed when ExecStart runs, i.e. checking systemctl status
>> qubes-tunnel shows the command without the quotes
>
> I'm a little unclear: Did you get the link working like this?
>
> I have two fedora 26 templates, one was last updated over 10 days ago
> and the other updated today. The VPN link won't come up with the latter
> one...
>

I did some tests and there seems to be an intermittent problem with
qubes-firewall on fedora only. This can prevent openvpn from connecting.

Chris Laprise

unread,
May 14, 2018, 3:45:04 PM5/14/18
to dangm...@gmail.com, qubes-users
On 05/12/2018 01:54 PM, dangm...@gmail.com wrote:
> I can get my browser to connect in the ProxyVM only after I manually change /etc/resolv.conf to NordVPN DNS servers.

This is as intended: local proxyVM programs running but not using the
tunnel.

You wouldn't normally use a browser in the proxyVM.


> But nothing that uses the ProxyVM as a NetVM can access the internet in any way. Cannot ping 8.8.8.8. Can't do anything. Doesn't matter what I do to /etc/resolv.conf in the AppVM.

Can you look at the log with 'sudo journalctl -u qubes-tunnel'? Does it
say "Initialization sequence completed" or an error message?

Also what is the output of 'sudo iptables -v -L PR-QBS -t nat'?

Chris Laprise

unread,
May 14, 2018, 4:11:20 PM5/14/18
to get, qubes-users
On 05/12/2018 02:10 PM, get wrote:
> Hi. script not working more on debian-9/fedora-26. Please fix it.
>
> Tested vpn's : mullvad, privateinternetaccess, expressvpn and multiple random openvpn.
>
> Guides:
> https://github.com/tasket/Qubes-vpn-support
> https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-the-qubes-tunnel-service
> https://github.com/tasket/qubes-tunnel

This thread is for qubes-tunnel not Qubes-vpn-support.

Also I can't read minds... Can you describe a specific example with one VPN?

pietr...@gmail.com

unread,
Jul 14, 2018, 7:30:49 PM7/14/18
to qubes-users
On Monday, May 14, 2018 at 9:45:04 PM UTC+2, Chris Laprise wrote:
> On 05/12/2018 01:54 PM, dangm...@gmail.com wrote:
> > I can get my browser to connect in the ProxyVM only after I manually change /etc/resolv.conf to NordVPN DNS servers.
>
> This is as intended: local proxyVM programs running but not using the
> tunnel.
>
> You wouldn't normally use a browser in the proxyVM.
>
>
> > But nothing that uses the ProxyVM as a NetVM can access the internet in any way. Cannot ping 8.8.8.8. Can't do anything. Doesn't matter what I do to /etc/resolv.conf in the AppVM.
>
> Can you look at the log with 'sudo journalctl -u qubes-tunnel'? Does it
> say "Initialization sequence completed" or an error message?
>
> Also what is the output of 'sudo iptables -v -L PR-QBS -t nat'?

Hi Chris,
thanks for your effort behind qubes-tunnel. I tried recent version and have similar issues. Namely I would like to reach clearnet from my VM which is behind ProxyVM. My VPN leads to company network (which can be reached without problems), what is useful for devices which are there, but there is no separate DNS for it.

'sudo journalctl -u qubes-tunnel' looks fine - no errors. ipables look like that:

Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
78 5206 DNAT udp -- vif+ any anywhere 10.139.1.1 udp dpt:domain to:8.8.8.8
0 0 DNAT tcp -- vif+ any anywhere 10.139.1.1 tcp dpt:domain to:8.8.8.8
64 4338 DNAT udp -- vif+ any anywhere anywhere udp dpt:domain to:8.8.4.4
0 0 DNAT tcp -- vif+ any anywhere anywhere tcp dpt:domain to:8.8.4.4

/etc/resolv.conf:
nameserver 10.139.1.1
nameserver 10.139.1.2

BTW do you think it makes sense to move setup stuff and do that using salt? - I made some basic sls files with your setup now purely reproducing your instructions.

Chris Laprise

unread,
Jul 16, 2018, 7:40:47 PM7/16/18
to pietr...@gmail.com, qubes-users
On 07/14/2018 07:30 PM, pietr...@gmail.com wrote:
> Hi Chris,
> thanks for your effort behind qubes-tunnel. I tried recent version and have similar issues. Namely I would like to reach clearnet from my VM which is behind ProxyVM. My VPN leads to company network (which can be reached without problems), what is useful for devices which are there, but there is no separate DNS for it.
>
> 'sudo journalctl -u qubes-tunnel' looks fine - no errors. ipables look like that:
>
> Chain PR-QBS (1 references)
> pkts bytes target prot opt in out source destination
> 78 5206 DNAT udp -- vif+ any anywhere 10.139.1.1 udp dpt:domain to:8.8.8.8
> 0 0 DNAT tcp -- vif+ any anywhere 10.139.1.1 tcp dpt:domain to:8.8.8.8
> 64 4338 DNAT udp -- vif+ any anywhere anywhere udp dpt:domain to:8.8.4.4
> 0 0 DNAT tcp -- vif+ any anywhere anywhere tcp dpt:domain to:8.8.4.4
>
> /etc/resolv.conf:
> nameserver 10.139.1.1
> nameserver 10.139.1.2

By default qubes-tunnel relies on the routing configuration supplied by
the VPN provider -- in this case, your corporate server setup by your IT
staff. Their preferences in routing will affect how and whether packets
will get routed.

The first thing I'd look for is whether they are pushing a
'redirect-gateway def1' directive to your client... you can see this in
the journalctl log. Alternately, it might be included in your conf file.
If there is no such redirect-gateway directive you can add it to your
conf file (it won't take effect until you restart the qubes-tunnel service).

If that doesn't help you can try troubleshooting the VPN link with no
frills: disable the firewall script and qubes-tunnel service, reboot
proxyVM, cd /rw/config/qtunnel and then run 'sudo openvpn --config
qtunnel.conf -up /etc/openvpn/update-resolv-conf'.

This sets up DNS _locally_ for a Debian proxyVM. For Fedora try '-up
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up' instead.

After connecting use 'traceroute' with known IP addresses and domain
names to determine if the link is working as expected.

>
> BTW do you think it makes sense to move setup stuff and do that using salt? - I made some basic sls files with your setup now purely reproducing your instructions.

Sounds interesting, I would like to see it sometime!

Piotr Król

unread,
Jul 17, 2018, 5:29:15 PM7/17/18
to Chris Laprise, qubes-users


On 07/17/2018 01:40 AM, Chris Laprise wrote:
> On 07/14/2018 07:30 PM, pietr...@gmail.com wrote:
(...)
That is the option I needed. After adding it to my conf file I have
access to both Internet and devices behind VPN.

>>
>> BTW do you think it makes sense to move setup stuff and do that using
>> salt? - I made some basic sls files with your setup now purely
>> reproducing your instructions.
>
> Sounds interesting, I would like to see it sometime!

I will try to pack that in consumable form and publish on github. BTW it
would be great if QubesOS would have some better guidance how to extend
standard salt stuff with custom modifications. At this point I'm just
dropping symbolic links to /srv/salt, enable top and run highstate. If
anyone have reusable example it would help a lot.

I assume some salt stuff should be developed if you plan to include
qubes-tunnel as default component in QubesOS.

Best Regards,
Piotr Król

sm...@tutamail.com

unread,
Aug 7, 2018, 2:36:02 PM8/7/18
to qubes-users
Just got this going, awesome Tasket. Thank you again Qubes team for what you do!

Works like a charm...the only feedback is the newly updated "Qubes Manager" is sometimes "buggy" with the VPNApVM. I don't believe it impacts performance.

Some notes:
-Qubes 4.0
-Worked in Fedora28 and Debian9 template/Proxy VM
-Changed the DNS to use Quad9 and it worked
-Using PIA, utilizing the OpenVPN-IP files (haven't tried the other PIA configs from their site)
- I needed to install Nautilus and OpenVPN for Debian9 (using my instructions below)

I really struggled setting this up, but below are the steps/notes I followed in combination with the instructions on Github, the order to set this up does matter...hope this helps others out(open to feedback):

Instructions for the "terminal" challenged:

Using qTunnel: https://github.com/tasket/qubes-tunnel

In a Template do this:
For Debian proxy, add OpenVPN package to your VPN template(Fedora already has OpenVPN included):
su
apt-get install openvpn

Download and transfer file to VPN template:
https://github.com/tasket/qubes-tunnel.git

cd “Then drag downloaded, unzipped file into terminal from tasket”
sudo bash ./install

sudo mkdir /rw/config/qtunnel

Close Template.

Create a proxy VM:
Create proxy AppVM using VPN template: sys-VPN
Colour: Green
Provides Network Checked
connect to sys-net (or firewall)
Launch settings - Checked

Settings:
Add “Files” and “Terminal” to “Applications” in ProxyVM
Add “qubes-tunnel-openvpn” to services, hit the +

Optional - Change config DNS(Quad9 DNS), by adding the text below to the VPN config file, then hit save:
setenv tunnel_dns '9.9.9.9 149.112.112.112’'

In terminal move VPN config files to new proxy AppVM:
sudo mv “Then highlight the VPN folder and drag to terminal” /rw/config/qtunnel

cd /rw/config/qtunnel
sudo ln -s xx.ovpn qtunnel.conf
(xx is the VPN client config)

sudo /usr/lib/qubes/qtunnel-setup --config
Enter VPN name and password

exit

Restart AppVM...look for “Links is up” pop-up


(Sorry if this is Top posting!)

22...@tutamail.com

unread,
Sep 5, 2018, 11:27:14 AM9/5/18