4.2 vpn problems please help

User Support
1

Please any guide how to setup wireguard and openvpn to work under 4.2. After upgrade all vpn loses.

Actually, I need instructions how to fix this script from iptables to new firewall

case "$1" in

up)
# To override DHCP DNS, assign static DNS addresses with 'setenv vpn_dns' in openvpn config;
# Format is 'X.X.X.X  Y.Y.Y.Y [...]' with quotes.
if [[ -z "$vpn_dns" ]] ; then
    # Parses DHCP options from openvpn to set DNS address translation:
    for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        unset fops; fops=($option)
        if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
    done
fi

iptables -t nat -F PR-QBS
if [[ -n "$vpn_dns" ]] ; then
    # Set DNS address translation in firewall:
    for addr in $vpn_dns; do
        iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
        iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
    done
    su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
else
    su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
fi

;;
down)
su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
;;
esac

Thanks

2

and second file I’m originally using at 4.1

cat qubes-firewall-user-script 
#!/bin/sh

# This script is called in AppVMs after every firewall update (configuration
# change, starting some VM etc). This is a good place to write own custom
# firewall rules, in addition to autogenerated ones. Remember that in most cases
# you'll need to insert the rules at the beginning (iptables -I) for it to be
# effective.

#<----->Block forwarding of connections through upstream network device
#<----->(in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
3

You can see an example of how to convert rules from iptables to nftables here:

1 Like
4

There is a iptables-translate command that tells you the nftables command for a given iptables command.

3 Likes
5

I can connect to vpn now, but without qubes-firewall-user-script. This anti leak from proxy-firewall-restrict file don’t work at all. Not possible to connect if installed or an connect (notification show) by vpn not work

6

What commands do you have there?

7

If you can’t convert the firewall to nftables yourself, create a new qube, install and use this instead:

8

Tried with this:

9

I’m using 3rd party service in some vms, like mullwad. It receive configs from server, so I need other workaround. Simple anti leak script to place at qubes-firewall-user-script as I did at 4.1

10

It works with most VPN providers.

11

The script assumes that you run openvpn process under qvpn group with --group qvpn option:

And it assumes that the tunnel interface created by openvpn will be set to group 9:

In the openvpn up script:

1 Like
12

Yes, it run under qvpn the same like previous R4.1 script. Seems the problem that tunnel not set to group 9. Thank, for your example, I will try :slight_smile:

13

What tempalte are you using for your vpn qube? I also faced an issue where my vpn qubes stopped working after an upgrade to 4.2. In my case I’m using minimal templates. After switching to full fedora-38 templates vpn is working again. So I suspect with the new 4.2 release I’m missing some package in my minimal template.