Worked well for me using a debian-9 template & commit 4e96ca8, only trouble was that my VPN provider's configs used /etc/update-resolv-conf and failed silently when it was missing - so shipping it with qubes-tunnel and installing it by default may be helpful.
Hi Chris,
Good to see the update!
However I think that's a separate issue; what I'm referencing is these lines in my .ovpn config:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
The VPN installer script will normally download this if it's missing - used to change the DNS server to the VPN-provided one.
The script is here: https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh
After adding it everything worked well.
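Added example (not part of any post in this thread, and not qubes-tunnel code): a pre-flight check for the missing-hook condition described in the post above. It reads an .ovpn file, confirms that every `up`/`down` script exists and is executable, and that `script-security` allows user scripts. The function name, the optional ROOT prefix argument and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that every up/down hook named in an OpenVPN config
# exists and is executable, and that script-security permits running it.
# Usage: check_ovpn_hooks CONFIG [ROOT]   (ROOT is an optional path prefix)
check_ovpn_hooks() {
    conf=$1
    root=${2:-}
    rc=0

    # OpenVPN's default level is 1; user-defined scripts need 2 or higher.
    level=$(awk 'BEGIN { v = 1 } $1 == "script-security" { v = $2 + 0 } END { print v }' "$conf")

    # Emit "directive:path"; quotes are dropped so `up "/path arg"` yields /path.
    hooks=$(awk '$1 == "up" || $1 == "down" { gsub(/"/, "", $2); print $1 ":" $2 }' "$conf")

    if [ -n "$hooks" ] && [ "$level" -lt 2 ]; then
        echo "script-security is $level: up/down scripts will not be run"
        rc=1
    fi
    for hook in $hooks; do
        script=${hook#*:}
        if [ ! -x "$root$script" ]; then
            echo "${hook%%:*} script missing or not executable: $script"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the three config lines quoted in the post above,
# checked against an empty temporary directory standing in for the template.
sample=$(mktemp -d)
printf '%s\n' 'script-security 2' \
    'up /etc/openvpn/update-resolv-conf' \
    'down /etc/openvpn/update-resolv-conf' > "$sample/client.ovpn"
check_ovpn_hooks "$sample/client.ovpn" "$sample" || echo "hooks need fixing before connecting"
```

Run it without the second argument to check a config against the live filesystem of the qube.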
"Master version"
I have this running in a proxy AppVM (Not in a template)
Using PIA VPN service
OpenDNS checks out OK
I just tried this version in 4.0 in the template. Some notes/feedback:
1) When I tried changing the DNS to OpenDNS in my config file:
setenv vpn_dns '208.67.222.222 208.67.220.220'
I then went to:
http://welcome.opendns.com/
It failed and informed me I was not using OpenDNS.
2) Step 3 in the abbreviated instructions says to run:
/usr/lib/qubes/qtunnel-setup --config
However I had to run:
sudo /usr/lib/qubes/qtunnel-setup --config
I was able to get to the internet... I didn't do any further testing. If you want me to try some more things then I'm happy to help...
Thanks again for the work.
V
V
instead of:
setenv vpn_dns '208.67.222.222 208.67.220.220'
worked.
Both http://welcome.opendns.com/ and https://www.dnsleaktest.com/ show that OpenDNS are being used.
I am more than happy to help test, I was planning to make the shift but my DNS wasn't working... all good now. Thanks for the help...
I'll move my sys-VPNs to this new project...I was just reluctant to make the move as my DNS was not showing correct. All good now!
Thanks again... if anything comes up I'll report back. If you want me to try something more then I'm happy to help...
Thx
Sorry for the basic question but is there something I need to do to the fresh debian template after installation?
I am trying to eliminate all possible issues but to install OpenVPN to the debian template:
1) I simply allow access to TOR or a network to get OpenVPN
2) Type : sudo apt-get install openvpn
I am having the same issue with Fedora as well, could there be another reason for this not connecting?
I get the "Waiting for connection" message but I don't get the "Link is up"...
Thanks for any thoughts...
V
Worked great for me with Qubes 4.0 and Fedora 26.
I'm unclear on how to use sys-firewall now though. Should it be sys-net -> sys-firewall -> VPN -> App?
Thanks.
Yes I can update my templates
> 2)
> sudo apt-get install openvpn should have nothing to do with the later
> step of install the tasket scrip-let ..... (not the tunnel) just
> the VPN script on GitHub
I was just hoping to make sure I haven't missed a basic step. It is my understanding the stock Debian-9 template that comes with 4.0 does not have OpenVPN installed. "sudo apt-get install openvpn" is all that's needed? Are there additional commands to install any dependencies?
> 3)
> if you Not talking about the "tunnel" script just the VPN tasket
> script, why not leave the Template out of the equation and just
> install the script in a fresh App-ProxyVM that "allows networking"
> (proxy)
What's strange is I had the "Tunnel" script working prior to my fresh 4.0 install. The "VPN Tasket" also worked but I moved to the "Tunnel" prior to my fresh install.
I tried going back to the "App-ProxyVM" only (i.e. no template configuration) but it too didn't work...
>
> and just leave Tor out of the whole puzzle IMO
I'll try without TOR to see if that changes anything...
Thanks,
V
(Morlan - I used to connect my VPN proxy via sys-net -> VPN -> AppVM when I had this running...I would defer to other more seasoned Q users but consider multiple VPNs configured for different IPs, TOR over VPN...my thought was VPN thru sys-firewall consumed resources and wasn't sure it provided additional security...I would be open to being corrected if that is wrong)
I can get my browser to connect in the ProxyVM only after I manually change /etc/resolv.conf to NordVPN DNS servers.
But nothing that uses the ProxyVM as a NetVM can access the internet in any way. Cannot ping 8.8.8.8. Can't do anything. Doesn't matter what I do to /etc/resolv.conf in the AppVM.
I've updated to 1.4beta4 and switched templates from debian-9 to fedora-28, but I'm getting the same error - also it seems like openvpn flag defaults changed, as it now returns an error for the up and down arguments.
Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2 arguments instead of 1; putting the whole phrase in double quotes fixes this, which I see you did but for some reason the quotes seem to be removed when ExecStart runs, i.e. checking systemctl status qubes-tunnel shows the command without the quotes
Hi Chris,
thanks for your effort behind qubes-tunnel. I tried the recent version and have similar issues. Namely I would like to reach clearnet from my VM which is behind ProxyVM. My VPN leads to the company network (which can be reached without problems), which is useful for devices which are there, but there is no separate DNS for it.
'sudo journalctl -u qubes-tunnel' looks fine - no errors. iptables looks like this:
Chain PR-QBS (1 references)
 pkts bytes target  prot opt in    out  source    destination
   78  5206 DNAT    udp  --  vif+  any  anywhere  10.139.1.1   udp dpt:domain to:8.8.8.8
    0     0 DNAT    tcp  --  vif+  any  anywhere  10.139.1.1   tcp dpt:domain to:8.8.8.8
   64  4338 DNAT    udp  --  vif+  any  anywhere  anywhere     udp dpt:domain to:8.8.4.4
    0     0 DNAT    tcp  --  vif+  any  anywhere  anywhere     tcp dpt:domain to:8.8.4.4
/etc/resolv.conf:
nameserver 10.139.1.1
nameserver 10.139.1.2
BTW do you think it makes sense to move setup stuff and do that using salt? - I made some basic sls files with your setup now purely reproducing your instructions.
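Added example (not part of any post in this thread, and not qubes-tunnel code): a check that the DNS DNAT rules in a PR-QBS listing like the one above redirect only to the resolvers you expect, which is the same question the OpenDNS and dnsleaktest checks earlier in the thread answer from the outside. The function names are hypothetical, and the sample listing is constructed from the rows posted above.

```shell
#!/bin/sh
# Added example: confirm that the DNS DNAT rules in the PR-QBS chain point only
# at the resolvers you expect (for instance the vpn_dns values from the config).

# Read a chain listing on stdin; print each distinct DNAT target of a DNS rule.
dns_dnat_targets() {
    awk '/DNAT/ && /dpt:(domain|53)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^to:/) {
                sub(/^to:/, "", $i)
                sub(/:[0-9]+$/, "", $i)   # drop an optional :port suffix
                print $i
            }
    }' | sort -u
}

# check_dns_dnat "EXPECTED SERVERS" < listing
# Returns 1 if there are no DNS rules or any rule targets another server.
check_dns_dnat() {
    expected=$1
    rc=0
    targets=$(dns_dnat_targets)
    [ -n "$targets" ] || { echo "no DNS DNAT rules found"; return 1; }
    for t in $targets; do
        case " $expected " in
            *" $t "*) ;;
            *) echo "DNS is redirected to unexpected server: $t"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample, copied from the listing in the post above.
sample_listing() {
    cat <<'EOF'
Chain PR-QBS (1 references)
 pkts bytes target prot opt in out source destination
   78  5206 DNAT udp -- vif+ any anywhere 10.139.1.1 udp dpt:domain to:8.8.8.8
    0     0 DNAT tcp -- vif+ any anywhere 10.139.1.1 tcp dpt:domain to:8.8.8.8
   64  4338 DNAT udp -- vif+ any anywhere anywhere udp dpt:domain to:8.8.4.4
    0     0 DNAT tcp -- vif+ any anywhere anywhere tcp dpt:domain to:8.8.4.4
EOF
}

# Compare against the OpenDNS pair used with vpn_dns earlier in the thread.
# Live use (assumed invocation): sudo iptables -t nat -L PR-QBS -v | check_dns_dnat '...'
sample_listing | check_dns_dnat '208.67.222.222 208.67.220.220' || echo "rules do not match vpn_dns"
```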