Ah, that was a good idea. Well, it seems to be DNS related in the VpnVM, as I am able to ping a site/IP address from the FirewallVM and ping an IP from within the VpnVM, but not a site name. I am not sure why that would be, though, since as far as I can tell everything is the same as it was in the previous setup (obviously not, I guess). It seems NetworkManager is setting a DNS other than what my VPN provider normally sets? I tried manually editing the /etc/resolv.conf file but that didn't seem to help (automatically generated?), so I am not sure where to go from here.
Thanks for that. While I could have sworn that the ping went through (pinged multiple times) when I pinged an IP from the VpnVM, this time it doesn't seem to be going through, or it pings once and then hangs, e.g.:
[user@VPN ~]$ sudo sg qvpn -c 'ping 216.218.239.2'
PING 216.218.239.2 (216.218.239.2) 56(84) bytes of data.
^C
--- 216.218.239.2 ping statistics ---
0 packets transmitted, 0 received
[user@VPN ~]$
I tried the 'sudo iptables -L -v -t nat' anyway and to be honest I am not sure I understand the output:
[user@VPN ~]$ sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 PR-QBS all -- any any anywhere anywhere
0 0 PR-QBS-SERVICES all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 432 packets, 30668 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any vif+ anywhere anywhere
3 192 ACCEPT all -- any lo anywhere anywhere
12 812 MASQUERADE all -- any any anywhere anywhere
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- any any anywhere 10.137.4.1 udp dpt:domain to:10.137.2.1
0 0 DNAT tcp -- any any anywhere 10.137.4.1 tcp dpt:domain to:10.137.2.1
0 0 DNAT udp -- any any anywhere 10.137.4.254 udp dpt:domain to:10.137.2.254
0 0 DNAT tcp -- any any anywhere 10.137.4.254 tcp dpt:domain to:10.137.2.254
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
Hi, I don't think I am using NetworkManager to connect; that is, I went only by the Qubes VPN wiki, but while trying to diagnose the problem I read about /etc/resolv.conf in some other doc while searching, so I thought I'd try it (obviously no luck).
As for the sudo sg qvpn -c ping whateversite, does returning one thing back and then hanging count for anything? I am thinking not, as I am not able to connect to the net via the VpnVM.
Any thoughts on the DNS DNAT rules?
Well, you are right about being able to ping an IP from the AppVM that is connected to the VpnVM; it works fine.
As for the misconfigured .ovpn, I can't make heads or tails of that, as the first time I just used the exact same file that I had backed up. I rechecked it and I think it's OK (I also got a new pre-configured one from my VPN provider, c/p'd the needed edits in, and still get the same error). I checked the permissions/user of the two files and I think they are OK?
-rw-r--r-- 1 root root 423 Jul 21 21:28 openvpn-client.ovpn
-rwxr-xr-x 1 root root 1089 Jul 10 21:15 qubes-vpn-handler.sh
I didn't quite follow you about the shebang? What parts at the beginning do you think might have been left out? Are you referring to the configuration of the VM when I was creating it? (like setting it as a ProxyVM, etc.?)
The last three lines you referred to, of the .ovpn, I believe I added as the Qubes VPN doc instructed; anyway, I just c/p'd from the .ovpn I have:
script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'
Is that what you were referring to?
Ahhhh. OK. Well, I checked and I had forgotten to remove the original #!/bin/sh, but it was the same file I had used before that had worked? Anyway, I edited it and now there is only one line and it is bash. But I still can't access anything other than direct IP addresses via the AppVM that is using the VpnVM?
>
> > The last three lines you referred to, of the .ovpn, I believe I added as the Qubes VPN doc instructed; anyway, I just c/p'd from the .ovpn I have:
> >
> > script-security 2
> > up 'qubes-vpn-handler.sh up'
> > down 'qubes-vpn-handler.sh down'
> >
> > Is that what you were referring to?
>
> Yes.
>
> Something else you can try is to bypass the DHCP stuff and add the DNS
> server manually in your .ovpn with a line like this:
> setenv vpn_dns 'X.X.X.X'
>
> Replace X's with DNS server address.
I tried this next, added both like
setenv vpn_dns 'X.X.X.X X.X.X.X'
(tried without quotes too) but still no go. I then noticed that there was a commented line in the qubes-vpn-handler.sh script, so I added that line in that script and took it out of the .ovpn file; still not able to ping non-IP addresses...
>
> Then when you connect and list your nat table again, you should see the
> DNS IP there.
>
> Chris
and both times (restarting VpnVM/AppVM) the new DNS didn't show up when I tried to list the nat tables?
I would have thought manually putting in the DNS would have been sufficient?
Should the openvpn-client.ovpn file have the #!/bin/bash in it as well? I have run out of ideas. I have also noticed that the VPN connects (the little notification at the top of the screen), then occasionally disconnects and reconnects again fairly quickly.
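The check Chris describes (list the nat table after connecting and confirm the VPN's DNS shows up in the PR-QBS DNAT rules) can be automated. This is an added example, not part of the thread or of the Qubes VPN handler: it reads `iptables -L -v -t nat` output, pulls the `to:` targets of the DNS DNAT rules in chain PR-QBS, and compares them with the expected vpn_dns servers. The embedded listing is a constructed sample reproducing the state shown above (DNS still DNATed to the upstream 10.137.2.1), and 10.8.0.1 is an assumed VPN DNS address.

```shell
#!/bin/bash
# Constructed sample of 'iptables -L -v -t nat' output: PR-QBS still forwards
# DNS to the upstream NetVM (10.137.2.1) instead of the VPN-provided server.
SAMPLE_NAT='Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- any any anywhere 10.137.4.1 udp dpt:domain to:10.137.2.1
0 0 DNAT tcp -- any any anywhere 10.137.4.1 tcp dpt:domain to:10.137.2.1
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination'

# Print the DNS DNAT targets of chain PR-QBS, one per line, deduplicated.
# Reads the listing on stdin so it can be piped from 'sudo iptables -L -v -t nat'.
pr_qbs_dns_targets() {
  awk '
    /^Chain /        { inchain = ($2 == "PR-QBS") }          # track which chain we are in
    inchain && $3 == "DNAT" && /dpt:domain/ {                # DNS (port 53) DNAT rules only
      for (i = 1; i <= NF; i++) if ($i ~ /^to:/) print substr($i, 4)
    }' | sort -u
}

# Return 0 if every PR-QBS DNS target is one of the expected VPN DNS servers,
# 1 if a target points elsewhere or no DNS DNAT rule exists at all.
# $1 = space-separated expected servers (the vpn_dns value); stdin = nat listing.
check_vpn_dns_dnat() {
  expected=" $1 "
  status=0
  targets=$(pr_qbs_dns_targets)
  if [ -z "$targets" ]; then
    echo "no DNS DNAT rules in PR-QBS: vpn_dns was never applied"
    return 1
  fi
  for t in $targets; do
    case "$expected" in
      *" $t "*) echo "ok: DNS DNAT -> $t" ;;
      *) echo "mismatch: DNS DNAT -> $t (expected one of:$expected)"; status=1 ;;
    esac
  done
  return $status
}

# Live use on the VpnVM:  sudo iptables -L -v -t nat | check_vpn_dns_dnat '10.8.0.1'
# On the constructed sample this reports the mismatch seen in the thread.
printf '%s\n' "$SAMPLE_NAT" | check_vpn_dns_dnat '10.8.0.1' \
  || echo "VPN DNS is not in place; DNS still goes to the upstream NetVM"
```

Run it on the VpnVM after the tunnel is up; if the reported target is still the upstream 10.137.x.1 address, the handler's DNS step never ran for that connection.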