VPN/OpenVPN Setup


Dogged One

Nov 19, 2014, 11:03:35 AM
to qubes...@googlegroups.com
Not finding much specifics on how to accomplish setting up a VPN client using OpenVPN anywhere.

I see if I click the network connection settings on the lower right I can choose VPN Connections but I don't see how to configure this for my OpenVPN credentials.

I've read on the wiki and in this group a couple things, but nothing specific on how to actually make it work.

I've read about using the netvm vs a proxyvm and I'm fine with using the netvm, if I can figure out how to do so.  What I read said to use networkmanager and I did activate the service within the netvm, so now what?

Is this all done via terminal?  Can someone please help give me some step by step instructions on how to get a vpn client setup.

If it's better, more secure, to use a proxyvm that's good, but I don't really care I just want to tunnel directly from Qubes to help protect my privacy, both at home and at wireless hot spots.

Gorka Alonso

Nov 19, 2014, 1:27:40 PM
to qubes...@googlegroups.com
Cisco VPN related.

Using the GUI: https://qubes-os.org/wiki/VPN
Using terminal: https://groups.google.com/d/topic/qubes-users/W8PjtzcHJAE/discussion

OpenVPN (using terminal)

https://groups.google.com/d/topic/qubes-users/GkpQ6LCaQY4/discussion

PS: Check the warning about NetworkManager in the wiki link.


Hope it help :-)

cprise

Nov 19, 2014, 1:32:15 PM
to Dogged One, qubes...@googlegroups.com
I'm using openvpn from networkmanager. It works like it does in other Linux systems. If your VPN is a subscription service they should have instructions for 'OpenVPN with Ubuntu' or similar.



On 11/19/14 11:03, Dogged One wrote:
> Not finding much specifics on how to accomplish setting up a VPN client using OpenVPN anywhere.
>
> I see if I click the network connection settings on the lower right I can choose VPN Connections but I don't see how to configure this for my OpenVPN credentials.

Next click 'Add' then select the connection type 'OpenVPN'.

> I've read on the wiki and in this group a couple things, but nothing specific on how to actually make it work.
>
> I've read about using the netvm vs a proxyvm and I'm fine with using the netvm, if I can figure out how to do so.  What I read said to use networkmanager and I did activate the service within the netvm, so now what?

You shouldn't have to take any extra steps to have networkmanager enabled in netvm. It should appear in your systray and you can use it from there.

> Is this all done via terminal?  Can someone please help give me some step by step instructions on how to get a vpn client setup.
>
> If it's better, more secure, to use a proxyvm that's good, but I don't really care I just want to tunnel directly from Qubes to help protect my privacy, both at home and at wireless hot spots.

Ade Devereux

Nov 20, 2014, 1:47:24 AM
to Dogged One, qubes...@googlegroups.com
So basically to setup openvpn via the cli/terminal each time the ProxyVM booted, I did the following:

[user@vpnvm config]$ ls -lAh /rw/config
total 16K
-rw-rw-r-- 1 root root 499 Nov 19 18:44 openvpn-client.service
drwxrwxr-x 2 root root 4.0K Nov 19 18:56 openvpnconf
-rwxr-xr-x 1 root root 240 Nov 19 18:50 rc.local
-rw-r--r-- 1 root root 0 Oct 27 12:36 rc.local-early

[user@vpnvm config]$ cat /rw/config/openvpn-client.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application
After=syslog.target network.target

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/openvpn-client.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn-client.pid --cd /etc/openvpn/ --config openvpn-client.ovpn
ExecStartPost=/usr/lib/qubes/qubes-setup-dnat-to-ns
ExecStopPost=/usr/lib/qubes/qubes-setup-dnat-to-ns
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

[user@vpnvm config]$ cat /rw/config/rc.local
#!/bin/sh

# /etc is restored from the template on every boot, so copy the config,
# certificates and credentials back from persistent /rw storage first
cp /rw/config/openvpnconf/* /etc/openvpn/

# Same for the unit file
cp /rw/config/openvpn-client.service /etc/systemd/system/

sleep 2; sync

# enable reloads the unit files, so the freshly copied unit is picked up
systemctl --no-block enable openvpn-client.service

sleep 1

systemctl --no-block start openvpn-client.service


*Don't forget to chmod rc.local*
[user@vpnvm config]$ sudo chmod +x /rw/config/rc.local

Dogged One

Nov 20, 2014, 3:41:57 PM
to qubes...@googlegroups.com, dogge...@gmail.com

All I want is a persistent connection, one that reconnects after a reboot, to my VPN service and EVERYTHING to pipe through it.  Whatever the easiest way to achieve this is what I'm about.  I see several different instructions on my VPN service about using Ubuntu with OpenVPN.  It doesn't really look like they apply to Qubes/Fedora.  If I download and install OpenVPN is it all terminal from there or what?  I don't want to fuck up my netvm in the process of trying to get this working.

cprise

Nov 20, 2014, 4:18:26 PM
to Dogged One, qubes...@googlegroups.com
The Fedora 20 (Qubes) version of Network Manager is slightly different. As Fedora no longer creates user documentation for their OS, it's basically just a matter of looking around to see what's changed (luckily not that much in NM).

I doubt NM can do a persistent VPN anyway (I just manually click on it to get it going) so one of the scripts out there for either openvpn or NM should do the trick (you can check out Gorka's recommendation in this thread). If it were me, I'd still set up the VPN in NM without the auto-reconnect, and then use a script with the nmcli command to tell NM to handle VPN (re)connection.



Dogged One

Nov 21, 2014, 2:33:57 PM
to qubes...@googlegroups.com


Okay I backed up and gave this another go and got quite a bit further.  I have the VPN VM setup with Proxy selected and it is running.  I found the new Network Connections icon on the lower right and got into it selecting OpenVPN for the protocol.  I went into the new OpenVPN settings and input the domain name for the server I want from my service in the Gateway box.  I then selected Password with Certificate (TLS) and input my username and password and placed the CA certificate into the files folder of the VPN VM and pointed the CA selector to it.  I left the Private Key disabled and the rest of the settings as default.

All of this looks good and is familiar to me setting up OpenVPN before.  Now the problem is I cannot save the new connection.  The Save button is greyed out and I'm not sure what's holding it up.  I tried a couple different things but it still won't let me save the configuration.  Any thoughts/suggestions?  Thanks

Dogged One

Nov 21, 2014, 2:55:19 PM
to qubes...@googlegroups.com


Okay I figured that part out.  Didn't need the with TLS part.  So all looks good, except....
I'm not sure what to put in the VPN VM for firewall rules and what do I put in the VPN for netvm?  Because as of right now it won't connect to anything.   Thanks

Dogged One

Nov 21, 2014, 3:52:34 PM
to qubes...@googlegroups.com


Alright all is well in the world it is up and running, AND persistent!  Was weird trying to put it through a new Proxy VM.  Didn't want to connect without the firewallvm attached.  Had to attach the devices to the new proxyvm and when I did that netvm seemed to conflict.  So not sure how it's meant to run both, ie some through the netvm and some through the VPN, unless they can't be running at the same time and then also with separate firewallvm's?  Either way I got it working how I want it now.

Thanks for the patience and tips!

cprise

Nov 24, 2014, 12:09:29 PM
to Ade Devereux, Dogged One, qubes...@googlegroups.com

On 11/20/14 01:47, Ade Devereux wrote:
> So basically to setup openvpn via the cli/terminal each time the ProxyVM booted, I did the following:
>
Thanks! I added your rc.local script to a proxyvm for connection to the
privateinternetaccess.com service. One can use the config in the zip
file supplied here:
https://www.privateinternetaccess.com/pages/client-support/#robolinux_openvpn

This should be typical of using a commercial/public VPN service.

Just remember to include both the ca.crt and crl.pem files in the
/rw/config/openvpnconf folder, and rename your regional .ovpn file to
'openvpn-client.ovpn'. You can add a filename (i.e. 'userpass.txt') to
the 'auth-user-pass' line in the config file, then create that file in
the openvpnconf folder with the username on the first line and password
on the second.


$ ls -l /rw/config/openvpnconf/
total 16
-rw-r--r-- 1 root root 22 Nov 24 02:13 userpass.txt
-rw-r--r-- 1 root root 1395 Nov 24 01:27 ca.crt
-rw-r--r-- 1 root root 577 Nov 24 02:30 crl.pem
-rw-r--r-- 1 root root 370 Nov 24 02:12 openvpn-client.ovpn



$ cat /rw/config/openvpnconf/openvpn-client.ovpn
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass userpass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
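A pre-flight check for the /rw/config/openvpnconf layout this post and Ade's unit file expect. This is an added example, not code from the thread or from the Qubes project: it confirms the three files are present, that openvpn-client.ovpn pins the CA, checks the CRL and verifies the server certificate role, and that the auth-user-pass file has its two lines. The world-readable test on the credentials file goes beyond the thread (the listing above shows userpass.txt as mode 644); a credential file in the VM should be chmod 600. The directory to check is passed as the first argument so it can be run against a scratch copy.

```shell
#!/bin/sh
# Pre-flight check for a Qubes VPN ProxyVM's openvpnconf directory.
# Added example, not from the thread; assumes the file names used above.

check_openvpnconf() {
    dir=$1
    rc=0
    conf="$dir/openvpn-client.ovpn"

    # rc.local copies everything here into /etc/openvpn, and the unit starts
    # openvpn with --cd /etc/openvpn --config openvpn-client.ovpn.
    for f in openvpn-client.ovpn ca.crt crl.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    [ -f "$conf" ] || return 1

    # The config must pin the CA, consult the CRL and require a server cert.
    for opt in "ca ca.crt" "crl-verify crl.pem" "remote-cert-tls server"; do
        if ! grep -q "^$opt\$" "$conf"; then
            echo "openvpn-client.ovpn lacks: $opt" >&2
            rc=1
        fi
    done

    # auth-user-pass <file>: username on line 1, password on line 2. A
    # daemonized service cannot prompt, so the file argument is mandatory,
    # and because it holds a credential it must not be world-readable.
    if grep -q '^auth-user-pass' "$conf"; then
        up=$(awk '$1 == "auth-user-pass" { print $2 }' "$conf")
        if [ -z "$up" ]; then
            echo "auth-user-pass has no file argument; the service cannot prompt" >&2
            rc=1
        elif [ ! -f "$dir/$up" ]; then
            echo "credentials file missing: $dir/$up" >&2
            rc=1
        else
            lines=$(grep -c . "$dir/$up" || true)
            if [ "$lines" -ne 2 ]; then
                echo "$up must hold exactly two lines (username, password), found $lines" >&2
                rc=1
            fi
            if [ -n "$(find "$dir/$up" -perm -004)" ]; then
                echo "$up is world-readable; run: chmod 600 $dir/$up" >&2
                rc=1
            fi
        fi
    fi
    return $rc
}

# Check the directory given on the command line, e.g.
#   sh check-openvpnconf.sh /rw/config/openvpnconf
if [ -n "${1:-}" ]; then
    check_openvpnconf "$1"
fi
```

Run it inside the ProxyVM before enabling the service; a non-zero exit with the reasons on stderr is cheaper to debug than a unit that restarts every 30 seconds.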

cprise

Nov 24, 2014, 12:57:19 PM
to Ade Devereux, Dogged One, qubes...@googlegroups.com
It seems that 'persist-tun' causes the link to hang up when it is auto
restarted (from SIGUSR1 due to a timeout after a physical disconnect,
for example). I recommend commenting that option out so the config looks
like this:

client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
#persist-tun

cprise

Nov 28, 2014, 1:09:26 PM
to Ade Devereux, Dogged One, marek Marczykowski, qubes...@googlegroups.com

On 11/24/14 12:57, cprise wrote:
>
> It seems that 'persist-tun' causes the link to hang up when it is auto
> restarted (from SIGUSR1 due to a timeout after a physical disconnect,
> for example). I recommend commenting that option out so the config
> looks like this:
>
> client
> dev tun
> proto udp
> remote us-east.privateinternetaccess.com 1194
> resolv-retry infinite
> nobind
> persist-key
> #persist-tun
> ca ca.crt
> tls-client
> remote-cert-tls server
> auth-user-pass userpass.txt
> comp-lzo
> verb 1
> reneg-sec 0
> crl-verify crl.pem
>

I found this configuration within a proxyVM doesn't route all traffic
over the VPN tunnel. DNS packets are leaking via the original route
outside of the VPN, and I believe the firewall settings created by
'qubes-setup-dnat-to-ns.sh' are causing this behavior. It can also help
undo the problem if I change /etc/resolv.conf to use the VPN provider's
DNS addresses and then run the script; the following change in iptables
occurs:

(before)
Chain PR-QBS (1 references)
target prot opt source destination
DNAT udp -- anywhere 10.137.2.1 udp dpt:domain to:10.137.1.1
DNAT udp -- anywhere 10.137.2.254 udp dpt:domain to:10.137.1.254

(after)
Chain PR-QBS (1 references)
target prot opt source destination
DNAT udp -- anywhere 10.137.2.1 udp dpt:domain to:209.222.18.222
DNAT udp -- anywhere 10.137.2.254 udp dpt:domain to:209.222.18.218

I'm not sure why this works, actually. Wireshark in the upstream
firewallvm shows only OpenVPN packets after the change, and the client
VMs can still do name lookups. However, I don't understand the
significance of those destination addresses on subnet 2.x other than
they are defined as nameservers in /var/run/qubes/qubes-ns.

My inclination is to have a single rule in PR-QBS that takes any packet
heading to 'domain' (port 53) at any address and send it to the VPN's
gateway address. But the existing iptables and routing environment in
the proxyVM is complex and I'm not sure if this is correct/secure...

marek Marczykowski

Nov 28, 2014, 5:25:35 PM
to cprise, Ade Devereux, Dogged One, qubes...@googlegroups.com
Those are the addresses set in the children's /etc/resolv.conf. This
DNAT is there so /etc/resolv.conf does not need changing on every AppVM
when you switch the network.

Your approach with setting /etc/resolv.conf then calling
qubes-setup-dnat-to-ns.sh is correct. You can hook it up to openvpn
configuration - check "SCRIPTING AND ENVIRONMENTAL VARIABLES" section of
openvpn manual.

> My inclination is to have a single rule in PR-QBS that takes any packet
> heading to 'domain' (port 53) at any address and send it to the VPN's
> gateway address. But the existing iptables and routing environment in the
> proxyVM is complex and I'm not sure if this is correct/secure...

Of course you can also set it this way. Perhaps you also want to set
firewall rules for your VpnVM to allow only OpenVPN traffic. If your
VpnVM is connected to another ProxyVM (firewallvm), you can simply use
the firewall in VM settings (Qubes Manager or qvm-firewall).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
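One way to hook the resolv.conf update into openvpn as Marek suggests, written as an added example rather than code from the thread or the Qubes project. OpenVPN exposes server-pushed "dhcp-option DNS <addr>" lines to hook scripts as foreign_option_N environment variables and sets script_type=up when it runs the up hook (both documented in the openvpn(8) "SCRIPTING AND ENVIRONMENTAL VARIABLES" section); the script below turns those into /etc/resolv.conf, falls back to a static resolv.conf kept beside the .ovpn the way cprise's script does, and then re-runs qubes-setup-dnat-to-ns so the PR-QBS DNAT rules point AppVM lookups into the tunnel. The install path /etc/openvpn/qubes-vpn-up.sh and the two .ovpn lines that call it (script-security 2, up /etc/openvpn/qubes-vpn-up.sh) are assumptions, not from the thread.

```shell
#!/bin/sh
# OpenVPN "up" hook for a Qubes VPN ProxyVM. Added example, not from the
# thread. Assumed .ovpn lines (kept in /rw/config/openvpnconf so rc.local
# copies the script to /etc/openvpn along with the config):
#   script-security 2
#   up /etc/openvpn/qubes-vpn-up.sh

# Turn foreign_option_1..N into "nameserver <addr>" lines. Pushes that are
# not DNS servers (dhcp-option DOMAIN ..., for instance) are skipped.
vpn_nameservers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case $opt in
            "dhcp-option DNS "*) echo "nameserver ${opt#"dhcp-option DNS "}" ;;
        esac
        i=$((i + 1))
    done
}

# Write the resolver list to $1 (default /etc/resolv.conf). If the server
# pushed nothing, use the static file in $2 (default beside the .ovpn). If
# neither exists, fail rather than leave the pre-VPN resolvers in place,
# since those are exactly the ones that leak outside the tunnel.
write_resolv_conf() {
    target=${1:-/etc/resolv.conf}
    fallback=${2:-/rw/config/openvpnconf/resolv.conf}
    ns=$(vpn_nameservers)
    if [ -n "$ns" ]; then
        printf '%s\n' "$ns" > "$target"
    elif [ -f "$fallback" ]; then
        cp "$fallback" "$target"
    else
        echo "no DNS servers pushed and no $fallback; resolv.conf untouched" >&2
        return 1
    fi
}

# Only act when openvpn calls us as the up hook; exiting non-zero makes
# openvpn treat the connection as failed instead of running with leaky DNS.
case ${script_type:-} in
    up)
        write_resolv_conf /etc/resolv.conf || exit 1
        exec /usr/lib/qubes/qubes-setup-dnat-to-ns
        ;;
esac
```

Because the hook runs each time the tunnel comes up, including after the SIGUSR1 restarts mentioned earlier in the thread, the DNAT rules follow whatever resolvers the current server pushes rather than a value copied once at boot.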

cprise

Dec 1, 2014, 5:09:39 AM
to marek Marczykowski, Ade Devereux, Dogged One, qubes...@googlegroups.com
I think I have a leakproof VPN setup now, by having openvpn call a script as you suggested (the script copies my /rw/config/openvpnconf/resolv.conf over the one in /etc, then calls qubes-setup-dnat-to-ns.sh). But also, I added an iptables rule to prevent any routing of traffic directly to the VM's eth0 interface. This prevents any leakage 'in the clear' should openvpn exit for any reason:
 iptables -t mangle -I FORWARD -o eth0 -j DROP

Mangle is used because Qubes flushes and rebuilds the filter table whenever another VM connects to the VPN VM.

marek Marczykowski

Dec 1, 2014, 6:24:10 AM
to cprise, Ade Devereux, Dogged One, qubes...@googlegroups.com
You can use /rw/config/qubes-firewall-user-script instead
(https://wiki.qubes-os.org/wiki/UserDoc/ConfigFiles).
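What cprise's mangle-table rule looks like when moved into /rw/config/qubes-firewall-user-script as Marek suggests, written as an added example rather than code from the thread or the Qubes project. Qubes runs this script each time it rebuilds the VM's firewall, so the rules go back into the filter table after every flush instead of needing the mangle workaround; because the script runs repeatedly, each rule is inserted only if it is not already present. The interface names tun0 and eth0 and the IPT variable (which lets the rule set be exercised without root) are assumptions, not from the thread.

```shell
#!/bin/sh
# Candidate /rw/config/qubes-firewall-user-script for a VPN ProxyVM.
# Added example, not from the thread. Assumed interface names below.

VPN_IF=${VPN_IF:-tun0}
UPLINK=${UPLINK:-eth0}
IPT=${IPT:-iptables}   # point at a wrapper to dry-run without root

# Insert a rule only if it is not already present: Qubes re-runs this script
# on every firewall rebuild and duplicate rules make the chain hard to audit.
ensure_rule() {
    table=$1; shift
    "$IPT" -t "$table" -C "$@" 2>/dev/null || "$IPT" -t "$table" -I "$@"
}

# Fail closed: forwarded AppVM traffic may only cross the tunnel interface,
# never the uplink, so nothing leaves in the clear if openvpn exits and tun0
# disappears. This is cprise's FORWARD rule plus its inbound counterpart.
apply_leak_guard() {
    ensure_rule filter FORWARD -o "$UPLINK" -j DROP
    ensure_rule filter FORWARD -i "$UPLINK" -j DROP
}

# Only apply rules when Qubes invokes the installed script; running the file
# by hand under another name just defines the functions.
case $0 in
    */qubes-firewall-user-script) apply_leak_guard ;;
esac
```

The VM's own openvpn process is unaffected because its packets go through the OUTPUT chain, not FORWARD; only traffic relayed on behalf of AppVMs is blocked from the uplink. Remember to chmod +x the script, as with rc.local.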

cprise

Dec 1, 2014, 2:22:10 PM
to marek Marczykowski, Ade Devereux, Dogged One, qubes...@googlegroups.com

On 12/01/14 06:24, marek Marczykowski wrote:
> On Mon, Dec 01, 2014 at 05:09:35AM -0500, cprise wrote:
>> On 11/28/14 17:25, marek Marczykowski wrote:
>>
>> On Fri, Nov 28, 2014 at 01:09:19PM -0500, cprise wrote:
>>
>> My inclination is to have a single rule in PR-QBS that takes any packet
>> heading to 'domain' (port 53) at any address and send it to the VPN's
>> gateway address. But the existing iptables and routing environment in the
>> proxyVM is complex and I'm not sure if this is correct/secure...
>>
>> Of course you can also set it this way. Perhaps you want also set
>> firewall rules for your VpnVM to allow only OpenVPN traffic. If your
>> VpnVM is connected to another ProxyVM (firewallvm), you can simply use
>> firewall in VM settings (Qubes Manager or qvm-firewall).
>>
>>
>> I think I have a leakproof VPN setup now, by having openvpn call a script as
>> you suggested (the script copies my /rw/config/openvpnconf/resolv.conf over the
>> one in /etc, then calls qubes-setup-dnat-to-ns.sh). But also, I added an
>> iptables rule to prevent any routing of traffic directly to the VM's eth0
>> interface. This prevents any leakage 'in the clear' should openvpn exit for any
>> reason:
>>
>> iptables -t mangle -I FORWARD -o eth0 -j DROP
>>
>>
>> Mangle is used because Qubes flushes and rebuilds the filter table whenever
>> another VM connects to the VPN VM.
> You can use /rw/config/qubes-firewall-user-script instead
> (https://wiki.qubes-os.org/wiki/UserDoc/ConfigFiles).
>
Very nice. Thanks!
