Cannot set up VPN? "Permission denied" on my certificate?!

tl;dr: If you have gotten an OpenVPN vpn working with Qubes 4.2 please show me how you did it because the method that worked in 4.0 is now broken

Bruh did they hire a new guy to code R4.2? I am NOT having a smooth transition so far. I’ve wasted SO MUCH TIME trying to get my system up on 4.2 and I’m nowhere near done yet. FFS. This has been two weekends in a row completely wasted. Every little thing takes ducking hours to figure out in this broken version.

I am trying to set up my VPN qube. I copied the files from a working VPN qube from R4.0 (which I was not able to restore using Qubes Restore) and made sure to chown -R user. I’m still getting permission problems on my VPN certificate file which is stored in my user folder. I even gave it chmod a+r and it’s still failing. Error spotted in journalctl:

sys-dns nm-openvpn[1912]: Options error: --ca fails with '/home/user/QubesIncoming/vault/vpn_config/certificate.crt`: Permission denied (errno=13)

I’m at a loss. I thought a+r meant everybody could read it but I’m guessing whatever user network-manager is working under is still getting bounced.

Bonus question: How does R4.1 compare against 4.0 and 4.2? Which one is it closest to? If it’s closer to 4.0 I’m freakin’ downgrading

1 Like

which vpn company do you use?

Shouldn’t matter. I’m using the same certificate and credentials I was using in R4.0. This is a valid standard OpenVPN certificate

sure it matters, usually when things fail, I toss them and make a new appvm and start over

Same here, but I already did that. This is the 4th time trying to create this vm and this is the furthest I’ve gotten…

edit: According to the following thread there was an OpenVPN update that changed how things work and now it wants specific permissions… I did everything in that thread but there’s no “network” group in Qubes Fedora, although there is an “openvpn” user. Setting the user to openvpn and resetting permissions to u+r only did absolutely nothing… maybe I’m just missing the group if anybody actually knows how to look that up

Have you check permission on the file and the folder where the cert is located?
Have you tried to move the cert in another folder which is maybe not your home folder?
Are you using a new version of Fedora which has maybe Selinux up and running and the secontext is not correct set up?
Have you checked in what context NetworkManager is running and are you sure the permissions are correct?

@Quben Iptables was replaced by nftable in 4.2, your problem may come from it.
I advise you to have a look in these topics, you might find your solution there:

I hope it will help you :slight_smile:

What might be relevant to this discussion.

Since my creating a VPN-Qube for use at the level of -just beyond sys-firewall, I decided I could limit the install problems, if I tried to install it in a Standalone App Qube that used Fedora. So I chose Personal.

As an alternative, I tried to set up Mullvad VPN app inside a clone of Personal Qube. I used the install information from Mullvad itself on how to install to Linux. I know that one of the issues would be that earlier versions of Qubes used Gnome, now we use XFCE.

I could have installed the Gnome desktop (I am not clear on how to implement that into sys-net.)

I did not install the Gnome desktop.

I muddled on and used the install terminal suggestions from Mullvad, installing the stable version, not beta, of the Mullvad App GUI.

I got up to next to the end, and it would still not start the App. Mullvad help suggested some means of starting the App with some direct CLI commands. Finally getting the GUI App, which gave me a suggestion that it might be that I had a Firewall obstructing its connection to the Mullvad.

Since this attempt was an experiment to find issues. I changed the Personal\Settings\ to take a connection from sys-firewall to sys-net.

Went through using the CLI commands (from Mullvad Help) and killed the app. I tried the commands to explicitly start the App, and it only worked when I got to the last command –

The mullvad-daemon does not start

Try to start it using sudo systemctl start mullvad-daemon. If it does not help then run sudo /usr/bin/mullvad-daemon -v

The Mullvad GUI does not start

Try to kill the Mullvad app GUI using killall mullvad-gui and start it without GPU acceleration with this command:

/opt/Mullvad\ VPN/mullvad-vpn --disable-gpu

that is, ended up at the last step: – /opt/Mullvad\ VPN/mullvad-vpn --disable-gpu

The GUI for Mullvad showed and allowed me to enter my Passcode. Then the connection, which said it was going to Sweden, showed as IP in Belgium… ??

I could choose other cities, and the IP showed to be accurate in place.

All right there was a point in the install that offered a proof of correction of software with PGP key, which I did not verify.

Everything seemed functional, so I closed the terminal. and the connection crashed. Seems leaving the Terminal open, as I started Mullvad App GUI from there, is required.

I do not have a Tab in Personal\ ??for Mullvad VPN ??

I just did this last night, So I obviously have more tinkering to do to install Mullvad VPN in a Fedora 38 stand alone Qube. I have not verified it does not leak somehow. Which the Mullvad Help site explains how to detect and fix.

Before this I was working trying to get Proton VPN to work in sys-proton-vpn qube for the entire machine. After I had gotten to work, I had restarted the computer, and kept getting an “Enter Password” which would not work with my entering Password to my ProtonVPN account. Someone suggested it wanted for me to enter a Gnome password, even if I an not using Gnome, but XFCE.

Solene suggested that I had not finished the install method she had listed, which included securing. Well, you can read that. I was less interested in pursuing that as I do not pay for ProtonVPN, and I already know that the free versions of ProtonVPN are slow. I also know ProtonVPN withholds some options for pay for clients, not free use of their stuff. I think I will only tinker with that after I pony up some money to buy a ProtonVPN Mail, and ProtonVPN license.

This re-opens another consideration. For Qubes to rise above being an OS for fanboys, (those with additional Linux training) and it is more of a toolkit.

I do not criticize the point that the Qubes developers stop. They create a useful Xen Hypervisor, and install onto that some minimized Qubes of some Operating Systems, stitch it together so it is likely safe. But the Qubes developers leave the functioning of the individual App Operating Systems, now Fedora/Debian/Whonix to their respective groups. That is a good decision on the part of the Qubes Developers, else they would be bogged down in all kind of additional implementation problems with different hardware, and with every update to Fedora/Debian/Whonix.

To make Qubes useful, to amateurs, or even just Journalists/Business-People we need a ready to install Qubes for VPN: That is, whether it be from SALT, or a download of Qubes-sys-xxxxVPN. so it is click and install, only need login credentials to get it working.

What we have now is a hodge podge of CLI commands to enter on terminal which partially works for some, not others.

I may spend some more hours this week trying to -first, clean up the security issues on installing the Mullvad App GUI into a Stand Alone Qube.

Then go back to installing Mullvad App GUI into a sys-vpn-qube of its own.

and borrow some money to install the xxxvpn. Which has more complete–recent documentation of how to create the sys-qube for Qubes 4.2.


This is certainly an issue with selinux, you can try to disable it to see if it helps, if so you should seek how to solve it (it’s boring).

sudo setenforce 0

This little command fixed everything! I would’ve never figured this out on my own because I had never seen this command before. Thank you!!

Oh great… then his won’t be my last struggle with R4.2. I’ll be calling you guys again when I get to port the forwarding part… and here I thought I’d finally mastered iptables commands… rip me

@catacombs I always use the following tutorial. It says Mullvad but it’ll work for any VPN that gives you OpenVPN config files. With this method you don’t need to download their custom client either if you don’t need it

It’s meant for Qubes 3 but it works in 4.2… as you can tell the only difference now is you have to do sudo setenforce 0

long story short, selinux doesn’t allow some daemons (like openvpn) to read files that aren’t tagged with the according context, the issue here is that openvpn can’t read the imported certificated because the tag is missing

I struggled with this for hours a last year (not on Qubes OS), I finally solved it back in time, but I can’t remember how now.

selinux is very effective, but so boring to fix most problems that, unfortunately, it’s often disabled…

1 Like

here is the official documentation Firewall | Qubes OS

a simplified guide explaining how to use it in practice Qubes OS 4.2 nftables / nft firewall guide

a script to make this easier: [Qubes OS 4.2] Easily NAT qubes port to external network