VPN up/down pop up not working?

[Stumpy]

I managed to setup vpn proxies using the Set up a ProxyVM as a VPN gateway using iptables and CLI scripts instructions which worked in so far as I now have traffic going through them but the icons are showing up as "network disabled" (see attachment) and I do not get any sort of confirmation/popup that the vpns are up nor down?

[Stumpy]

On 2021-06-11 15:20, Stumpy wrote:
> I managed to setup vpn proxies using the Set up a ProxyVM as a VPN

> gateway using iptables and CLI scripts [1] instructions which worked

> in so far as I now have traffic going through them but the icons are
> showing up as "network disabled" (see attachment) and I do not get any
> sort of confirmation/popup that the vpns are up nor down?
>

> --
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to qubes-users...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/d9fa32f1280ff00ea9785295965ac600%40posteo.net
> [2].
>
>
> Links:
> ------
> [1]
> https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
> [2]
> https://groups.google.com/d/msgid/qubes-users/d9fa32f1280ff00ea9785295965ac600%40posteo.net?utm_medium=email&utm_source=footer

Thoughts?
I looked in the vpn trouble shooting docs but this didnt seem to be
covered?

[Sven Semmler]

Do you have a notification daemon installed? If unsure, install and run
dunst and see if it works then.

[Stumpy]

On 2021-06-17 07:42, Sven Semmler wrote:
> Do you have a notification daemon installed? If unsure, install and
> run dunst and see if it works then.

Thanks. I pretty much installed the packages listed as being needed for centos minimal to function as a proxy, one of them being "notification-daemon" which I assumed was what was needed. I went back and double checked that I had it installed and it was:

bash-4.2# sudo yum install -y notification-daemon
Loaded plugins: fastestmirror, yum-qubes-hooks
Loading mirror speeds from cached hostfile
 * base: centos.hitme.net.pl
 * centos-virt-xen-epel: epel.besthosting.ua
 * epel: epel.besthosting.ua
 * extras: centos-mirror.datakeepers.co.za
 * updates: centos-distro.1gservers.com
Package notification-daemon-3.20.0-1.el7.x86_64 already installed and latest version
Nothing to do
bash-4.2# 

 I then tried dunst but it seems it was not in the centos repo?

bash-4.2# sudo yum install -y dunst
Loaded plugins: fastestmirror, yum-qubes-hooks
Determining fastest mirrors
centos-virt-xen-epel/7/x86_64/metalink                   |  30 kB     00:00     
epel/x86_64/metalink                                     |  30 kB     00:00     
 * base: centos.hitme.net.pl
 * centos-virt-xen-epel: epel.besthosting.ua
 * epel: epel.besthosting.ua
 * extras: centos-mirror.datakeepers.co.za
 * updates: centos-distro.1gservers.com
base                                                     | 3.6 kB     00:00     
centos-virt-xen-410                                      | 3.0 kB     00:00     
centos-virt-xen-epel                                     | 4.7 kB     00:00     
epel                                                     | 4.7 kB     00:00     
extras                                                   | 2.9 kB     00:00     
qubes-vm-r4.0-current                                    | 3.8 kB     00:00     
updates                                                  | 2.9 kB     00:00     
(1/5): epel/x86_64/updateinfo                              | 1.0 MB   00:05     
(2/5): centos-virt-xen-epel/7/x86_64/updateinfo            | 1.0 MB   00:05     
(3/5): centos-virt-xen-epel/7/x86_64/primary_db            | 6.9 MB   00:18     
(4/5): epel/x86_64/primary_db                              | 6.9 MB   00:18     
(5/5): updates/7/x86_64/primary_db                         | 8.8 MB   00:21     
No package dunst available.
Error: Nothing to do
bash-4.2# 

[unman]

On Thu, Jun 17, 2021 at 10:55:46AM +0000, Stumpy wrote:
>
>
> On 2021-06-17 07:42, Sven Semmler wrote:
> > Do you have a notification daemon installed? If unsure, install and
> > run dunst and see if it works then.
>
> Thanks. I pretty much installed the packages listed as being needed for

> centos minimal to function as a proxy [1], one of them being

> "notification-daemon" which I assumed was what was needed. I went back
> and double checked that I had it installed and it was:

You know, minimal templates come with a health warning for a reason.
They expect, (and often require) a level of understanding and
experience.

Important

The Minimal TemplateVMs are intended only for advanced users. If
you encounter problems with the Minimal TemplateVMs, we recommend
that you use their standard TemplateVM counterparts instead.

If something works with a standard TemplateVM but not the minimal
version, this is most likely due to user error (e.g., a missing
package or misconfiguration) rather than a bug. In such cases, please
do not file a bug report. Instead, please see Help, Support, Mailing
Lists, and Forum for the appropriate place to ask for help. Once
you have learned how to solve your problem, please contribute what
you learned to the documentation.

Make sure that everything works in a standard template, and then look to
see what relevant packages are installed there compared to what you have,
and then check back here.

[Stumpy]

Point taken.
I suppose I focused more on the minimal versions for the purposes of
"reduce unnecessary risk", and I had (incorrectly) assumed that the
instructions given were because they generally worked?

Anyway, I am not at a level that I can do particuarly deep poking and
figuring out such things, though the community has been a great resource
in helping me improve my "qubes/linux kungu". I do remember getting this
popup before (like a year ago) with centos and am pretty sure it would
"just work" with fedora, i just prefer centos minimal as its less crufty
with other things installed and has a much longer upgrade cycle (is that
the word for it?) than fedora which for the purposes of proxy vms I am
certainly not looking for bleeding edge, just secure and can just "set
it and forget it" :)

I guess I will just grin and bear it as its not crucial, I was just
hoping the fix might be simple like Sven's suggestion (thanks for the
suggestion though Sven!).

Cheers

[b17b7bdb]

On 2021-06-17 07:42, Sven Semmler wrote:

> Do you have a notification daemon installed? If unsure, install and

> run dunst and see if it works then.

I don't know if there is a similar daemon in CentOS, but Debian-minimal requires an xfce specific package for the vpn status notifications to work:

   apt-get install xfce4-notifyd

Sent with ProtonMail Secure Email.

[unman]

On Thu, Jun 17, 2021 at 01:59:23PM +0000, Stumpy wrote:
> Anyway, I am not at a level that I can do particuarly deep poking and
> figuring out such things, though the community has been a great resource in
> helping me improve my "qubes/linux kungu". I do remember getting this popup
> before (like a year ago) with centos and am pretty sure it would "just work"
> with fedora, i just prefer centos minimal as its less crufty with other
> things installed and has a much longer upgrade cycle (is that the word for
> it?) than fedora which for the purposes of proxy vms I am certainly not
> looking for bleeding edge, just secure and can just "set it and forget it"
> :)
>
> I guess I will just grin and bear it as its not crucial, I was just hoping
> the fix might be simple like Sven's suggestion (thanks for the suggestion
> though Sven!).
>
> Cheers
>

Thanks for the way you took that. I wasn't trying to put you off - you
have done *exactly* the right thing by checking here.
Have you checked that everything works with a full centos template?

[Sven Semmler]

On 6/17/21 8:59 AM, Stumpy wrote:
> I guess I will just grin and bear it as its not crucial, I was just
> hoping the fix might be simple like Sven's suggestion (thanks for the
> suggestion though Sven!).

No problem. To further drill down and what could be the cause ... what
happens when you type

notify-send test

in your VPN qube? I am guessing, but there is a very high chance that's
exactly what the qtunnel script will call.

/Sven

--
public key: https://www.svensemmler.org/2A632C537D744BC7.asc
fingerprint: DA59 75C9 ABC4 0C83 3B2F 620B 2A63 2C53 7D74 4BC7

[Sven Semmler]

What happens when you type 'notify-send test' in your VPN qube?

[Stumpy]

Hi Sven,
Thanks for the follow up.
When I type notify-send test in the vpn appvm a small notification
"send" pops up in the top right side of my screen, that seems like a
positive sign?

Btw, per unman's question, I installed CentOS full template and tried
starting the vpn appvm and nothing happened, then tried using the full
fed33 template and I got the vpn up popup.

Cheers

[unman]

So, it would seem to be a Centos issue, and not a "minimal template"
issue.

[Stumpy]

Yep. Also tried Debian 10 (not minimal), no popup. so far the only
template I have tried that seems to work (have a vpn up/down popup) out
of the box is fed33 full.

[Sven Semmler]

Hi @stumpy,

I don't know what your goals are exactly, but if you'd like a
debian-minimal based qube to connect to a OpenVPN than this will work
for sure:

Template (cloned from debian-minimal):

apt install qubes-repo-contrib
apt update
apt install qubes-tunnel openvpn qubes-core-agent-networking

Qube (based on above template)

Obviously provide netvm and set provides_network to true. Also
'qvm-service sys-vpn qubes-tunnel on'

Then inside the qube

/usr/lib/qubes/qtunnel-setup --config

and finally copy and rename the .ovpn file provided by your VPN provider
to /rw/config/qtunnel/qtunnel.conf

That's all there is. Restart the qube and be happy.

[Stumpy]

As usual thank you very much Sven!
I will give that a try this weekend.
As for my goals they are pretty simple for proxyvms at least, I wanted
to minimal templates that have a reduced attack surface, that I did not
have to update all the time (though of my goals this was the least
important so long as it was stable), and also a template i did not have
to change so often. As setting up vpn vms has never been smooth for me,
i am keen on using a distro like say centos or debian that i dont have
to worry about EOL too often.

Cheers

btw, anyone know if there are any plans to replace the centos template
with something like rocky linux? (or something that has a similarly long
life cycle?)

[Stumpy]

Hi, I just wanted to check and see if something has changed with the
centos minimal template?
This morning my vpn vm wasnt working which happens sometimes so I
shutdown the vpn vm from dom0 (qvm-run shutdown now etc) and then
restarted it and... I got a "VPN link up" popup?! I swear I havent
changed anything, and actually dont remember any centos updates within
the last few days... huh?

[Sven Semmler]

On 6/24/21 6:23 AM, Stumpy wrote:
> I swear I havent changed anything, and actually dont remember any > centos updates within the last few days... huh?

My guess is that you made necessary changes (e.g. installed something)
in the template and then forgot to shut the template down before testing
the qube based on the template.

In which case that qube would start with the version of the template
before your necessary changes. Now, a day or two passed. You maybe
restarted your PC or some other action of yours shutdown the template
and committed the respective changes.

So this time your VPN qube started with all the bits in the right order
and it worked.

Happened more than once to me ... no way to prove that that's what
happened to you.