Certain domains resolve but cannot be reached when using a GUI VPN

I have a VPN qube (Fedora 34) that I have installed the IVPN GUI onto. I have made /opt/ivpn persistent so that I do not have to log in every time that it starts.

This is how it is connected: appvm → sys-IVPN → sys-firewall → sys-net

Originally, I had DNS issues and saw that another user used the qubes-setup-dnat-to-ns script to fix it but had problems where if they changed the VPN server, they would need to run the command again. I believe this is because IVPN and Mullvad use their own DNS servers internally. I wrote this script that runs in sys-IVPN to attempt to fix that:

#!/bin/bash
sudo /usr/lib/qubes/qubes-setup-dnat-to-ns   # apply the DNS DNAT rules once at startup
ivpnstatus=$(ivpn status)                    # remember the current VPN status output
while true
do
    teststatus=$(ivpn status)
    if [[ "$ivpnstatus" == "$teststatus" ]]
    then
        echo "No changes. Sleeping for a bit"
        ivpnstatus=$teststatus
        sleep 5
    else
        # Status output changed (e.g. a different server): re-apply the DNAT rules
        ivpnstatus=$teststatus
        echo "Fixing dns thingy"
        sudo /usr/lib/qubes/qubes-setup-dnat-to-ns
    fi
done

It just runs the dnat-to-ns script whenever there is a change in the VPN. DNS appears to work, however there are a couple of domains or IP addresses that will resolve correctly but that I cannot actually reach. Attempting to go to duckduckgo or aol doesn’t work. Running dig www.duckduckgo.com on my appvm returns 40.89.244.232, however I cannot ping either the domain or IP on the appvm. (Typing that IP into Tor on a Whonix qube (not connected to the VPN) gets me to duckduckgo, but running dig duckduckgo.com on a Whonix terminal returns a different IP than what I got on my appvm through the VPN.)

Running a traceroute on duckduckgo and its IP reveals that my request makes it out of the VPN server and bounces around several times before stopping. I am not sure if the issues I am having are still related to the DNS or something else.

Some websites (duckduckgo, aol) don’t work at all. Others (github) work sometimes. And others (google, searx be) work normally.

Does anyone know of any possible causes or fixes? Or are GUI VPNs just not something that works well with Qubes? Thank you, I’m not too proficient with Qubes, Linux, networking or bash yet but am determined to learn.


Hi

Did you manage to solve this issue? I’m trying to set up IVPN on my sys-firewall and I’m having no success. It seems to behave similarly to your VM. The VPN connection is established, a browser at sys-firewall loads any pages I’ve tried, but another appvm connected to sys-firewall loads some pages (i.e. google.com) and not others (i.e. ddg.gg).

The difference here is I have tried not only the IVPN GUI program, but also the CLI and WireGuard on Network Manager. Running sudo /usr/lib/qubes/qubes-setup-dnat-to-ns on sys-firewall did not do anything for me.

I could not set up OpenVPN on Network Manager because it gives me a password error, even though the guide says it is not necessary. ProtonVPN on Network Manager works as it should. I’m using Qubes 4.1.1.

Any tips from anybody reading this? Thanks