Cant get contrib qubes tunnel to work?

stumpi · January 11, 2021, 12:21pm

Firstly, I posted this in the mailing list but it hasnt gotten any responses there and I really want to get this working as I have only been able to get it working in fedora 31 minmal (which has reached EOL). Below I tried outlining the procedure I have used (that isnt working). While I have gotten it to work in fedora 31 minimal on my desktop, I have tried getting it to work on fed32 minimal, deb10 minimal, and centos7 minimal, and tried it on my laptop - but have not been sucessful so far. Considering, I am assuming I am doing something incorrectly so any thoughts on what I have outlined below, would really really be appreciated:

I start with
sudo dnf install qubes-repo-contrib && sudo dnf update && sudo dnf upgrade

then sudo dnf install qubes-tunnel

Intially I think I was just doing that and not installing anything else but in trying to figure things out I started installing packages that the minimal docs page says are needed for NetVM and VPN qube (things like openvpn and qubes-core-agent-networking qubes-core-agent-network-manager NetworkManager-wifi network-manager-applet wireless-tools notification-daemon gnome-keyring polkit and sakura, a term i can paste into)

The above now seems to work ok, but then I create an appvm - vpnfed32, select the template (centos/deb/fed32 minimals) then check the “provides network” then go to the Services tab and add qubes-tunnel-openvpn then click ok.

Then I make sure the template and new appvm are closed, then start up the vpnvm from dom0:

qvm-run -u root vpnfed32 sakura &

and run

/usr/lib/qubes/qtunnel-setup --config

then enter my vpn provider (PIA) username then password

then copy one of the pia .ovpn profiles to

/rw/config/qtunnel/qtunnel.conf

then shutdown the vpn vm, then open the settings for another appvm set vpnfed32 as the networking vm to vpnfed32 and then try to start the AppVM (that I just set to use vpnfed32) up but nada, no connection to the internet at all. I have tried with protonvpn as well and still nothing so I really am… stumped

Plum · January 12, 2021, 7:28pm

I have a feeling it’s not working at the moment see @tasket 's comment here

fieryrajang · January 14, 2021, 10:33pm

I have qubes-tunnel set up and working on debian-10-minimal on R4.1. However the notifications do not appear. I have libnotify4 and libnotify-bin installed on template.

VPN is able to successfully connect, confirmed via AppVM and journalctl -u qubes-tunnel. however no notification that link is up.

@stumpi do you have any .crt (certificate) file related to PIA? If so, that needs to be moved to the qtunnel folder as well.

QubicRoot · January 15, 2021, 12:49am

@fieryrajang : On my D10Min on R4.0 I needed xfce4-notifyd. Initial “up” notification still doesn’t appear, but subsequent “down” & “up” notifications do…

fieryrajang · January 15, 2021, 2:56am

@QubicRoot xfce4-notifyd did the trick, thank you!

deeplow · January 15, 2021, 2:50pm

I can confirm as well. Installing this solves the issue. Thanks @QubicRoot. This was on fedora32.

stumpi · January 17, 2021, 2:27am

Hi @fieryrajang, I am ashamed to admit that I hadnt, though I didnt when i used fed31 either and its working?
Regardless I just added the crt and pem file to the /rw/config/qtunnel directory and admittedly the result is different though still not connecting.
Before the appvm using the non fed31 based vpn would just go straight to “no connection” but now, trying the vpn using the centos7-min, deb10-min, and fed32-min templates with the crt and pem file in the same directory as the qtunnel.conf and tunneluserpwd.txt, the browser seems to try but then after a minute or so says it cant connect, and curl gives me:
curl: (6) Could not resolve host: ifconfig.co

I am not familar with journal but thought I’d try it as you mentioned it, it gave me the following:

bash-5.0# journalctl -u qubes-tunnel
-- Logs begin at Fri 2021-01-01 11:05:08 EST, end at Sat 2021-01-16 21:41:54 EST. --
Jan 02 08:56:03 fedora-32-minimal systemd[1]: Condition check resulted in Tunnel service for Qubes proxyVM being skipped.
-- Reboot --
Jan 16 21:28:24 vpn systemd[1]: Condition check resulted in Tunnel service for Qubes proxyVM being skipped.

Lastly, I tried using the fed31-min template on the vpn-vm and that is not working. Something about the other vpn-vms I originally created that were based on fed31-min worked… though I have no idea what I did differently.
Thoughts?

fieryrajang · January 17, 2021, 7:39pm

@QubicRoot @deeplow I’ve since swapped to Qubes-vpn-support, both Link Starting and Link Up notifications work with xfce4-notifyd, compared to just Link Up on qubes-tunnel. (Maybe related to December update of Qubes-vpn-support).

Qubes-vpn-support can connect to the VPN almost instantly compared to qubes-tunnel which took ~2 minutes for initial connect for some reason.

@stumpi Im not sure honestly, because as you say it is working in some of your previous appVMs. So the actual vpn config seems okay, maybe missing package or service? Following is my setup using Qubes-vpn-support rather than qubes-tunnel (both made by same author but former is updated more, and for some reason have some differences).

On a base debian-10-minimal, clone, update, reboot and then install following packages:

qubes-core-agent-networking
pciutils (unsure if needed for a VPN template)
openvpn
apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
zenity (unsure if needed for a VPN template)
xfce4-notifyd

qubes-vm-hardening and Qubes-vpn-support installed in template. tasket · GitHub

To set up protected folders, create a VPN whitelist.

/etc/default/vms/@tags/vpn.whitelist

/rw/config/vpn/
/rw/config/qubes-firewall.d/

Create ProxyVM with Provides Network, PVH, 300-500mb. Netvm to sys-firewall.

Kernel opts of ProxyVM:

nopat apparmor=1 security=apparmor

ProxyVM services enabled:

vm-boot-protect-root
vm-boot-tag-vpn
vpn-handler-openvpn

Launch and reboot ProxyVM once to initialize vm-boot-protect-root.
Transfer vpn-client.conf and .crt to /rw/config/vpn/
Finish setup of Qubes-vpn-support in ProxyVM.
Restart.

That’s all I need to do set up from scratch to a working VPN. Sorry I can’t be of more help, as I am fairly new as well, but hopefully this process written out helps you. Please let me know if you have issues still.

Edit: First thing I suggest trying is remove all related NetworkManager packages (apt autoremove qubes-core-agent-network-manager).

QubicRoot · January 18, 2021, 8:48pm

See https://forum.qubes-os.org/t/qubes-tunnel-vs-qubes-vpn-support/1091.

Based on this, Qubes-vpn-support is more “Development” and qubes-tunnel is more “Stable”, whatever that means in reality…

There was also talk at one time of this (not sure which one) being incorporated into Qubes. Don’t know where that stands… Perhaps @tasket or someone else can clarify…

stumpi · January 24, 2021, 4:11pm

Thanks, in the past I have used the vpn doc page to setup vpns and it has always been really difficult to get working (for me that is) so I had really high hopes for the contrib tunnel.
I just installed 4.0.4rc2 and tried again, and again its not working which makes me think its something I am doing (or not doing) but I cant figure out what. I put the output of my journalctrl here Debian paste error (really hope there is nothing too personal in there, but am desperate). I wasn’t able to make much sense of it but did notice this bit:>

Jan 24 10:52:04 vpn-pia-atlanta systemd[1]: Reached target Network.
Jan 24 10:52:04 vpn-pia-atlanta systemd[1]: Starting OpenVPN service…
Jan 24 10:52:04 vpn-pia-atlanta systemd[1]: Starting Permit User Sessions…
Jan 24 10:52:04 vpn-pia-atlanta systemd[1]: Condition check resulted in Tunnel service for Qubes proxyVM being skipped.
Jan 24 10:52:04 vpn-pia-atlanta systemd[1]: Condition check resulted in Tinyproxy lightweight HTTP Proxy being skipped.
Jan 24 10:52:04 vpn-pia-atlanta systemd[1]: Started OpenVPN service.

and the " Jan 24 10:52:04 vpn-pia-atlanta systemd[1]: Condition check resulted in Tunnel service for Qubes proxyVM being skipped." seems to be a big part of the problem, though why its being skipped i dont know.

For those patient enough to help I really appreciate it.

phl · March 16, 2021, 9:09am

I know it has been some time, but I just came across your post @stumpi and this looked familiar to me.
In your first post you said that you added “qubes-tunnel-openvpn” on the Services tab of your VM settings.
Are you sure you did this again in your most recent installation? The error message you are seeing indicates that the service is not starting because it does not meet the criteria configured in the service file.
You can investigate the specific requirements yourself by looking at the service configuration in /usr/lib/systemd/system/qubes-tunnel.service.

One of the lines at the beginning of the file should read ConditionPathExistsGlob=/var/run/qubes-service/qubes-tunnel*. This is how Qubes identifies if you added a service in the VM config. Every entry you create results in a file with the same name placed in /var/run/qubes-services.
If you configured this correctly, it must be one of the other conditions stated in the file.
Go through them one by one, and I am sure you will find the culprit.