Can't get vpn to work

Your iptables rules are clearly not configured correctly.
Run these commands in ProxyVM and check if DNS will work in an AppVM connected to your ProxyVM:

sudo iptables -F PR-QBS -t nat
sudo iptables -A PR-QBS -t nat -i vif+ -p udp --dport 53 -j DNAT --to 1.1.1.1
sudo iptables -A PR-QBS -t nat -i vif+ -p tcp --dport 53 -j DNAT --to 1.1.1.1

UPD:
Also, don’t add these rules:

iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Because you already have DROP policy for these chains:

Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)

And because you’ve added these rules, your TCPMSS clamp rule is not working:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
...
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 TCPMSS     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Since all packets are dropped before reaching it.

UPD2:

And what’s the output of this command in ProxyVM now?

iptables -t nat -L PR-QBS -n -v

UPD3:

By ivpn-proxy behind a mullvad-proxy you mean setup like this?
sys-net -> sys-firewall -> mullvad-proxy -> ivpn-proxy -> test-appvm
Where mullvad-proxy and ivpn-proxy are configured to connect to mullvad and ivpn wireguard servers?
And you’ve configured mullvad-proxy and ivpn-proxy the same way but just with different IPs and keys?
Where did the INPUT and FORWARD DROP iptables rules come from then?

UPD4:

Ok, it seems that they are default iptables rules (I’m using Qubes 4.2 so I don’t have iptables). But I don’t know why Mullvad’s guide suggests adding the TCPMSS rule at the end of the FORWARD chain then, since it won’t work:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Maybe the guide is outdated.
You can change it to an insert, so that it is added at the top of the chain’s rules:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

UPD5:

Are you testing the DNS from test-appvm or from ivpn-proxy?
Because I don’t see the packets from test-appvm arriving at ivpn-proxy, based on the packet counters in the iptables rules for the PR-QBS chain. 0 packets are received.

UPD6:

No, you need to use:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Instead of:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Can you try to set up your Mullvad and iVPN ProxyVMs using Qubes-vpn-support instead of the Mullvad guide?
GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS
Wireguard VPN connections in Qubes OS · tasket/Qubes-vpn-support Wiki · GitHub

UPD7:

And if you run dig ip.me, then will it work or not?

Yes, it works for WireGuard without a problem.

UPD8:

What if you try to curl other sites?

curl https://myexternalip.com/raw
curl https://zx2c4.com/ip
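The rule-ordering pitfall explained in the post above (a blanket DROP appended to FORWARD shadowing a TCPMSS clamp appended after it) is easy to check from the listing itself. This is an added example, not from the thread or from Mullvad's or tasket's scripts: it parses the text of `iptables -L FORWARD -n -v` and reports whether the clamp rule can ever be reached; the two listings embedded in it are constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example (not from the thread): given the text of
# `iptables -L FORWARD -n -v`, print one word saying whether the TCPMSS
# clamp rule is "reachable", "shadowed" by an earlier catch-all DROP,
# or "missing" from the chain entirely.
clamp_status() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^ *pkts/ || NF == 0 { next }   # skip headers and blank lines
        # -n -v columns: pkts bytes target prot opt in out source destination [match text]
        $3 == "DROP" && ($4 == "0" || $4 == "all") && $6 == "*" && $7 == "*" &&
            $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && !seen_clamp { shadow = 1 }
        $3 == "TCPMSS" { seen_clamp = 1 }
        END {
            if (!seen_clamp) print "missing"
            else if (shadow)  print "shadowed"
            else              print "reachable"
        }'
}

# Constructed sample listings: the ordering the thread shows (clamp appended
# with -A after a blanket DROP) and the ordering after `iptables -I FORWARD ...`.
SHADOWED_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 TCPMSS     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU'

FIXED_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# Run with --demo to see both verdicts; on a live ProxyVM you would instead
# pass "$(sudo iptables -L FORWARD -n -v)" as the argument.
if [ "${1:-}" = "--demo" ]; then
    echo "appended clamp: $(clamp_status "$SHADOWED_LISTING")"
    echo "inserted clamp: $(clamp_status "$FIXED_LISTING")"
fi
```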

Also, I’ve run out of daily edits…

Both of these work fine with iVPN. Mullvad works completely; everything else doesn’t. What is going on?

dig really only works if I specify a DNS server, like nslookup ip.me 1.1.1.1

So only the dig command in test-appvm doesn’t work? Everything else works? Like any sites in Firefox in test-appvm?

No, DNS does not work with the VPN (the same as before). Only when I specify that nslookup should use 1.1.1.1 does it work, in ivpn-proxy and in the appvm.

But curl works in the appvm, right?
Then Firefox works as well?

No, only curl ip.me and the other 2 work (without telling it what DNS server it should use). Everything else does not. The same as at the start.

https://zx2c4.com/ip works in Firefox in the appvm?

Yes. ipleak.net also works. It shows that the Mullvad DNS is leaking. (appvm -> tasket-ivpn -> tasket-mullvad)

Ok, seems like it’s an MTU issue once again:

Try to run these commands in ivpn-proxy:

sudo ip link set dev eth0 mtu 1420
sudo ip link set dev <your ivpn wireguard interface> mtu 1340

And this command in the appvm:

sudo ip link set dev eth0 mtu 1340

And check if other sites in the appvm’s Firefox start to work.

UPD:
I’ve changed the MTU from 1360 to 1340.

I can reach YouTube. But ipleak.net still shows a DNS leak.

And what DNS does it show?

From tasket-mullvad. But DuckDuckGo finally loads with the MTU change.

What’s the output of this command in the mullvad ProxyVM and in the ivpn ProxyVM?

iptables -t nat -L PR-QBS -n -v

mullvad:

sudo iptables -t nat -L PR-QBS -n -v
Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   54  3944 DNAT       17   --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:100.64.0.31
    0     0 DNAT       6    --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:100.64.0.31

ivpn:

sudo iptables -t nat -L PR-QBS -n -v
Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   70  5000 DNAT       17   --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:1.1.1.1
    0     0 DNAT       6    --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:1.1.1.1

What if you run these commands in ivpn-proxy and check the DNS with ipleak.net again?

sudo iptables -F PR-QBS -t nat
sudo iptables -A PR-QBS -t nat -i vif+ -p udp --dport 53 -j DNAT --to 9.9.9.9
sudo iptables -A PR-QBS -t nat -i vif+ -p tcp --dport 53 -j DNAT --to 9.9.9.9

Mullvad DNS leaks. I am still using the tasket VMs, with unmodified autogenerated WireGuard configs.
So no ICMP disabled through qubes-firewall, and no custom DNS hijacking rules.

Also tasket-ivpn -> sys-firewall -> sys-net

There, DNS also does not work. Only Mullvad works…

I was curious, since I never had any issue with tasket’s script using Mullvad, so I bought iVPN for a week to test it out.

  • I cloned a debian-11 template to install wireguard and openresolv
  • I created a new AppVM where I installed the tasket VPN scripts using the iVPN WireGuard config I generated

Now the VPN works, no DNS leaks on https://ipleak.net too.


What do you mean by "does not work"? The same problem, that it works for sites like ip.me but not YouTube etc.?

Did you set up tasket-ivpn using a new clean qube, or did you use the one that you previously used to set up the VPN using the Mullvad guide?

I… already forgot… wait, I will get a fresh appvm and repeat.

… a fresh appvm also does not work. I will restart my computer and network. If it still does not work, I will try a Debian tasket.

Did you use WireGuard? How was the iVPN config configured?

Which port? Which DNS server? IPv4 and 6? Maybe even the country and server. I am desperate.