Can't get vpn to work

Hey

I wanted to switch from Mullvad to IVPN.
As IVPN has an official Qubes guide I tried that first (IVPN on Qubes OS - IVPN Help)

but I couldn’t get it working correctly (dns leaked)

So I tried to make it work through the mullvad guide (WireGuard on Qubes OS - Guides | Mullvad VPN)
This worked fine for me in the past ( had many connections issues but it connected)

But wg-quick for some reason refuses to work with my ivpn config files. First, I can’t start them from the home dir ( invalid name, or can’t find it). Only works when I copy them to /etc/wireguard/. But even then I can’t get Internet through the proxy VM.

Would also be nice if I can get port forwarding to work and the connection issues resolved (maybe because ICMP is disabled? I have hybrid Internet via. DSL and LTE when I force connection through DSL most issues go away(Also does blocking ICMP improve privacy?)

How do I troubleshoot this? Are there better way’s to get VPN working?

I know obviously almost nothing about networking and have wasted dozens of hours on this issue.

PLS help me.

Hi,

If you already have the VPN configuration file, you could spin a VPN Qube with fedora-38 (latest fedora available right now) and import the configuration file in its network manager.

I wrote a bit about using wireguard this way earlier this week Wireguard VPN setup

With ICMP disabled you may encounter MTU issue like this one:

More information on MTU issues:

Why does mullvad recommend turning off icmp? Do their nomal clients also block it?

do I have to modify something in the iptable rules? If I want use something other than mullvad? What dns should I put here? What is the IP address of your DNS servers? - IVPN Help

I replaced 10.64.0.1 with 172.16.0.1 (the same as in the .conf) and 10.0.254.2 but still does not work.

# replace 10.137.0.47 with the IP address of your vif* interface
virtualif=10.137.0.47
vpndns1=10.64.0.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

I think the main issue is dns. WG seems to work ok now. But no idea how to get dns working.

Did you change virtualif to your VPN qube vif IP?
Also do you have Qubes OS 4.1 or Qubes OS 4.2?
If it’s Qubes 4.2 then you’ll need to use nftables instead of iptables:

I would like do you hear your opinion in regards to qubes os and mullvad on this. Should I allow icmp?

Still using 4.1

What is the “right” dns server I should put in the rules I don’t really understand

If I put 172.16.0.1 or 10.64.0.1 I get timeout error with the upstream appVM DNS server when I do dig duckduckgo.com (inside the proxyVM)

curl ip.me returns the address of the vpn server and ping 1.1.1.1 also works

There are some ICMP attacks:

But blocking all ICMP outright can break something in your connections and then you’ll be stuck figuring out why do you have problems with connection.
I’d at least allow path MTU discovery.

I don’t know which IVPN DNS you should use. You can ask IVPN about it.
You can try to use public DNS (9.9.9.9 / 1.1.1.1 / 8.8.8.8 / etc) to check if the problem is with DNS server IP or somewhere else.

how do I allow this in qubes firewall?

No matter what dns server I put here

I get timeout error with the upstream proxyVM DNS

;; communications error to 10.139.1.1#53: timed out

Should I change the dns server in the wireguard config?

iptables -I INPUT -p icmp --icmp-type fragmentation-needed -m state --state RELATED -j ACCEPT

Do you try to resolve DNS in your VPN qube or in the qube connected to the VPN qube?

You should.

both. A few hours ago I got dns in the appVM connected to the proxyVM but it just leaked DNS

I put 1.1.1.1 in the wireguard config and iptable rules but still get that error. No idea wha’s wrong now.
In new vm I also get the same error.

So if you dig ip.me in ProxyVM it’ll fail but if you curl ip.me it’ll work?

ip a returns

inet 10.137.0.63/32 scope global eth0

Yes. no Idea what’s happening

What’s your ProxyVM template?

Fedora 38. I normarly use DISP for my vpn qubes. But I also tried fresh AppVM’s

When I swap the ivpn config with a mullvad config everything works fine.
The configs have the same amount of lines and probably also characters…

When I use IVPN, wg-quick doesn’t want them from the home dir and then dig always gives timeout errors

This is my ivpn config.

[Interface]
PrivateKey = X
Address = X
DNS = 172.16.0.1

[Peer]
PublicKey = X
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = xxxx:xxxx

And Mullvad is the same.
I really don’t get it

How can I troubleshoot this??
Does wireguard not apply the conf correctly somehow?

Also I can’t post any replies anymore. The forum blocks me for 12 hours

I did that

This is not just an issue with ivpn. Just tried it with proton same issue. Only mullvad works

Changed the dns in the wireguard config and the dns hijacking scriipt restarted and run the commands. Still no dns

I did not add these rules. Sorry did i mention that I have the ivpn-proxy behind a mullvad-proxy (with the exact mullvad setup). I only tried to get it working behind the mullvad-proxy. I guess that might be the issue? But the GUI client from IVPN worked fine. Just leaked the mullvad DNS… Almost the same as the current config…

sudo iptables -t nat -L PR-QBS -n -v
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT 17 – vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:1.1.1.1
0 0 DNAT 6 – vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:1.1.1.1

i changed the dns to 1.1.1.1 BTW

Jup exactly

No idea. Sorry this is my first time in networking where i don’t just follow guides that just work. I really appreciate your help

A0:

no it appears they are updating it regulary.

like this i guess?

# replace 10.137.0.47 with the IP address of your vif* interface
virtualif=10.137.0.47
vpndns1=10.64.0.1
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

I tested also from the test-appvm but currently just the ivpn-proxy. I mean i am restarting all the time.

Changed it like that. With every dns set to 1.1.1.1 and also

but still this error

;; communications error to 10.139.1.1#53: timed out

Also this time form the test-appvm

sudo iptables -t nat -L PR-QBS -n -v
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
4 248 DNAT 17 – vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:1.1.1.1
0 0 DNAT 6 – vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:1.1.1.1

curled ip.me this works fine for some reason

I am using this for openvpn. But is the wireguard support good enough?

does not work

changed it like this does still not work

virtualif=10.137.0.63
vpndns1=1.1.1.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

BTW where is taskets puplic key?

I shows connection established but dig still returns nothing. So the same as the mullvad guide I guess. Curl ip.me also works… i should mention that tasket-ivpn is behind mullvad-proxy. I will convert mullvad also to tasket… wait

Tasket behind Tasket gives the same error…
Just IVPN in tasket gives also no dig reply…

What do you have in ProxyVM:

iptables -L -n -v
iptables -t nat -L -n -v
ip a
cat /etc/resolv.conf

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       17   --  *      *       0.0.0.0/0            10.139.1.1           udp dpt:53 to:10.139.1.1
    0     0 DNAT       6    --  *      *       0.0.0.0/0            10.139.1.1           tcp dpt:53 to:10.139.1.1
    0     0 DNAT       17   --  *      *       0.0.0.0/0            10.139.1.2           udp dpt:53 to:10.139.1.2
    0     0 DNAT       6    --  *      *       0.0.0.0/0            10.139.1.2           tcp dpt:53 to:10.139.1.2

Add DNS hijacking rules

Now we will add firewall rules to redirect DNS requests to 10.64.0.1 (the DNS on the VPN server) for all AppVMs that use the MullvadVPN ProxyVM.

Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the “vif” IP address will not be visible.

Still in the MullvadVPN Terminal:

1. To find out your vif* IP address, run ip a | grep -i vif
2. Edit the firewall user file with nano:
   sudo nano /rw/config/qubes-firewall-user-script
3. Copy and paste the following in the bottom. Replace 10.137.0.47 with your own vif* IP address:

# replace 10.137.0.47 with the IP address of your vif* interface
virtualif=10.137.0.47
vpndns1=10.64.0.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

4. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.

Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the “vif” IP address will not be visible.