Help setting up a sys-vpn

I'm trying to set up a sys-vpn qube using a fedora-34-minimal template.
I created a proxyVM and named it sys-vpn.

Then I tried to follow this guide by NordVPN.
I opened a terminal for the template using
qvm-run -u root fedora-34-minimal xterm
dnf install openvpn
worked fine. But,
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
won't run in the template VM because it has no internet access? Yet it can install packages??
Am I supposed to give the template sys-net access temporarily?
I thought that was a no-no…?

I've also read the guide.
It details two options, using NetworkManager OR iptables and CLI scripts;
is one better than the other?
Would it be better than using Nord's Linux install?
I don't want any leaks.

I've also read other posts saying to use Qubes-vpn-support; however, again I couldn't get this to install in the template.

curl won't work on a template which hasn't sys-firewall etc. enabled. You could activate sys-firewall as the netVM for the template for a quick download, but I wouldn't trust it.

I would set up a sys-vpn qube from this guide using the CLI if you feel comfortable.

Keep in mind - that's currently my problem, with a temporary workaround on 4.1rc3 - to add the server IPs in the *.ovpn config, not the domain names (qubes-firewall-user-script doesn't work as it should → couldn't resolve hostnames).

I decided to clone a template and let it have sys-net access just to test setting up a sys-vpn.

I got NordVPN installed and connecting fine on sys-vpn, but whenever I try to route another AppVM through sys-vpn, the AppVM can't get internet despite ticking "provides network" in sys-vpn (sys-vpn has working VPN internet though).

EDIT: when OpenVPN/Nord isn't connected in sys-vpn, AppVMs can route through it, so this is NordVPN doing something to block traffic routing when it's active.

See GitHub - QubesOS-contrib/qubes-tunnel: Integration of vpn tunnels for Qubes OS

@fepitre man, I'm too tired to be doing this right now, I was following the wrong guide in another tab.

dnf install qubes-repo-contrib

installed

dnf install qubes-tunnel

unable to find a match: "qubes-tunnel

??

I tried this guide and am having the same issue… I have never had success with these scripts. I probably need some video guide for that…
I find this guide to be the best. Step by step, but mostly because I get it to work! :slight_smile:

I think Qubes should have a sys-vpn by default… That people can use and switch to! It’s a sweet OS, but stuff could definitely improve… Like default stuff people need. VPN, and other stuff…

Thanks @anon42456682
I need to rest, will try it later :slight_smile:

OK, do that :slight_smile: Yeah, try it sometime… I know how frustrating it can be to set up a VPN in Qubes if you're not a coder or don't know Linux and systems like others on here. hehe. Good luck

Please retry, I've just migrated them for Fedora 34 into the stable repository.

@fepitre
Made progress, qubes-tunnel now installs.
sys-vpn: LINK IS UP

Can't ping from sys-vpn
or through sys-vpn.

@fepitre
OK, I have a VPN connection working now BUT only on some VMs…?
I can't ping from sys-vpn, and I also can't ping or connect from my disposable Fedora VM routing through sys-vpn.
This made me think there was an issue with my sys-vpn.
However, I can successfully route through sys-vpn using my personal VM.

UPDATE: I made a new disposable VM template and it can use sys-vpn, so I guess something is screwed up in my default disposable VM.

sys-vpn is working now though, thanks.

Yeah, you switch the connection in the template manager after that, as you probably did.

I just went through these steps, creating the sys-vpn from fc-34-minimal on my 4.1-rc? system, targeting my NordVPN service. It claims to work (per journalctl -u qubes-tunnel) but I think the routes are messed up or something. DNS lookups fail. If I run tcpdump on eth0, all I see are what look like keep-alive pings happening on the encrypted connection to the NordVPN server. Just periodic TCP packets.

On the tun0 device, I never see packet counts incremented off zero. Not sure what's happening there.

# tracepath -n 1.1.1.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  send failed
 1:  send failed
     Resume: pmtu 1500
# route -vn
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.7.1.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.138.31.72    0.0.0.0         UG    0      0        0 eth0
10.7.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.138.31.72    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
31.171.152.19   10.138.31.72    255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.7.1.1        128.0.0.0       UG    0      0        0 tun0
# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.137.0.27/32 brd 10.255.255.255 scope global eth0
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.7.1.29/24 scope global tun0
       valid_lft forever preferred_lft forever
# ip -4 link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
    link/none
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.27  netmask 255.255.255.255  broadcast 10.255.255.255
        inet6 fe80::216:3eff:fe5e:6c00  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:5e:6c:00  txqueuelen 1000  (Ethernet)
        RX packets 460  bytes 34414 (33.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 437  bytes 30300 (29.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 60  bytes 2678 (2.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60  bytes 2678 (2.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.7.1.29  netmask 255.255.255.0  destination 10.7.1.29
        inet6 fe80::9ae7:9d30:9423:f2ed  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# journalctl -u qubes-tunnel
Feb 02 17:16:34 sys-vpn qtunnel-setup[792]: EXEC /usr/sbin/openvpn --cd /rw/config/qtunnel/ --config /tmp/qtunnel.conf --verb 3 -
-mlock --ping 10 --ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 --group qtunnel --script-security
 2 --up "/usr/lib/qubes/qtunnel-connect up" --down "/usr/lib/qubes/qtunnel-connect down" --auth-user-pass /tmp/tunneluserpwd.txt
Feb 02 17:16:34 sys-vpn qtunnel-setup[793]: START-ing network forwarding!
Feb 02 17:16:34 sys-vpn systemd[1]: Started Tunnel service for Qubes proxyVM.
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in -
-data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' t
o --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 OpenVPN 2.5.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
 [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 library versions: OpenSSL 1.1.1l  FIPS 24 Aug 2021, LZO 2.10
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 mlockall call succeeded
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 WARNING: you are using user/group/chroot/setcon without persist-t
un -- this may cause restarts to fail
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 NOTE: the current --script-security setting may allow this config
uration to call user-defined scripts
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 NOTE: --fast-io is disabled since we are not using UDP
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Outgoing Control Channel Authentication: Using 512 bit message ha
sh 'SHA512' for HMAC authentication
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Incoming Control Channel Authentication: Using 512 bit message ha
sh 'SHA512' for HMAC authentication
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP/UDP: Preserving recently used remote address: [AF_INET]31.171
.152.19:443
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Socket Buffers: R=[131072->131072] S=[16384->16384]
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Attempting to establish TCP connection with [AF_INET]31.171.152.1
9:443 [nonblock]
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP connection established with [AF_INET]31.171.152.19:443
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP_CLIENT link local: (not bound)
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP_CLIENT link remote: [AF_INET]31.171.152.19:443
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 NOTE: UID/GID downgrade will be delayed because of --client, --pu
ll, or --up-delay
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TLS: Initial packet from [AF_INET]31.171.152.19:443, sid=12bb3b6a
 d8f872f4
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY KU OK
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 Validating certificate extended key usage
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 ++ Certificate has EKU (str) TLS Web Server Authentication, expec
ts TLS Web Server Authentication
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY EKU OK
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY OK: depth=0, CN=al18.nordvpn.com
Feb 02 17:16:37 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:37 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384,
peer certificate: 4096 bit RSA, signature: RSA-SHA512
Feb 02 17:16:37 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:37 [al18.nordvpn.com] Peer Connection Initiated with [AF_INET]31.171
.152.19:443
Feb 02 17:16:38 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:38 SENT CONTROL [al18.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1
,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-g
ateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.12 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: timers and/or timeouts modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --explicit-exit-notify can only be used with --pr
oto udp
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: compression parms modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Socket Buffers: R=[131072->425984] S=[87040->425984]
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --ifconfig/up options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: route options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: route-related options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: peer-id set
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: adjusting link_mtu to 1659
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: data channel crypto options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Data Channel: using negotiated cipher 'AES-256-GCM'
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_best_gw query: dst 0.0.0.0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_best_gw result: via 10.138.31.72 dev eth0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 ROUTE_GATEWAY 10.138.31.72
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 TUN/TAP device tun0 opened
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_iface_mtu_set: mtu 1500 for tun0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_iface_up: set tun0 up
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_addr_v4_add: 10.7.2.12/24 dev tun0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 /usr/lib/qubes/qtunnel-connect up tun0 1500 1587 10.7.2.12 255.25
5.255.0 init
Feb 02 17:16:39 sys-vpn qtunnel-setup[885]: Using DNS servers 103.86.99.100 103.86.96.100
Feb 02 17:16:39 sys-vpn qtunnel-setup[893]: Chain QBS-FORWARD (1 references)
Feb 02 17:16:39 sys-vpn qtunnel-setup[893]: target     prot opt source               destination
Feb 02 17:16:39 sys-vpn su[898]: (to user) root on none
Feb 02 17:16:39 sys-vpn su[898]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 17:16:39 sys-vpn su[898]: pam_unix(su-l:session): session closed for user user
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_add: 31.171.152.19/32 via 10.138.31.72 dev [NULL] ta
ble 0 metric -1
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_add: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metri
c -1
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_add: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 met
ric -1
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 GID set to qtunnel
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 WARNING: this configuration may cache passwords in memory -- use
the auth-nocache option to prevent this
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Initialization Sequence Completed
Feb 02 18:06:23 sys-vpn systemd[1]: Stopping Tunnel service for Qubes proxyVM...
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 event_wait : Interrupted system call (code=4)
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_route_v4_del: 31.171.152.19/32 via 10.138.31.72 dev [NULL] ta
ble 0 metric -1
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_route_v4_del: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metri
c -1
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_route_v4_del: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 met
ric -1
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 Closing TUN/TAP interface
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_addr_v4_del: 10.7.2.12 dev tun0
Feb 02 18:06:23 sys-vpn qtunnel-setup[1102]: STOP-ing network forwarding!
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 /usr/lib/qubes/qtunnel-connect down tun0 1500 1587 10.7.2.12 255.
255.255.0 init
Feb 02 18:06:23 sys-vpn su[1110]: (to user) root on none
Feb 02 18:06:23 sys-vpn su[1110]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 18:06:23 sys-vpn su[1110]: pam_unix(su-l:session): session closed for user user
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 SIGTERM[hard,] received, process exiting
Feb 02 18:06:23 sys-vpn systemd[1]: qubes-tunnel.service: Deactivated successfully.
Feb 02 18:06:23 sys-vpn systemd[1]: Stopped Tunnel service for Qubes proxyVM.
Feb 02 18:06:23 sys-vpn systemd[1]: Starting Tunnel service for Qubes proxyVM...
Feb 02 18:06:23 sys-vpn su[1139]: (to user) root on none
Feb 02 18:06:23 sys-vpn su[1139]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 18:06:23 sys-vpn su[1139]: pam_unix(su-l:session): session closed for user user
Feb 02 18:06:23 sys-vpn qtunnel-setup[1158]: START-ing network forwarding!
Feb 02 18:06:23 sys-vpn systemd[1]: Started Tunnel service for Qubes proxyVM.
Feb 02 18:06:23 sys-vpn qtunnel-setup[1157]: EXEC /usr/sbin/openvpn --cd /rw/config/qtunnel/ --config /tmp/qtunnel.conf --verb 3
--mlock --ping 10 --ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 --group qtunnel --script-securit
y 2 --up "/usr/lib/qubes/qtunnel-connect up" --down "/usr/lib/qubes/qtunnel-connect down" --auth-user-pass /tmp/tunneluserpwd.txt
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in
--data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC'
to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 OpenVPN 2.5.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4
] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 library versions: OpenSSL 1.1.1l  FIPS 24 Aug 2021, LZO 2.10
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 mlockall call succeeded
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 WARNING: you are using user/group/chroot/setcon without persist-
tun -- this may cause restarts to fail
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 NOTE: the current --script-security setting may allow this confi
guration to call user-defined scripts
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 NOTE: --fast-io is disabled since we are not using UDP
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Outgoing Control Channel Authentication: Using 512 bit message h
ash 'SHA512' for HMAC authentication
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Incoming Control Channel Authentication: Using 512 bit message h
ash 'SHA512' for HMAC authentication
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP/UDP: Preserving recently used remote address: [AF_INET]31.17
1.152.19:443
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Socket Buffers: R=[131072->131072] S=[16384->16384]
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Attempting to establish TCP connection with [AF_INET]31.171.152.
19:443 [nonblock]
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP connection established with [AF_INET]31.171.152.19:443
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP_CLIENT link local: (not bound)
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP_CLIENT link remote: [AF_INET]31.171.152.19:443
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 NOTE: UID/GID downgrade will be delayed because of --client, --p
ull, or --up-delay
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TLS: Initial packet from [AF_INET]31.171.152.19:443, sid=ff076d2
3 e8a6c2b2
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY KU OK
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 Validating certificate extended key usage
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 ++ Certificate has EKU (str) TLS Web Server Authentication, expe
cts TLS Web Server Authentication
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY EKU OK
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY OK: depth=0, CN=al18.nordvpn.com
Feb 02 18:06:26 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384,
 peer certificate: 4096 bit RSA, signature: RSA-SHA512
Feb 02 18:06:26 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:26 [al18.nordvpn.com] Peer Connection Initiated with [AF_INET]31.17
1.152.19:443
Feb 02 18:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:27 SENT CONTROL [al18.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def
1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-
gateway 10.7.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.1.29 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: timers and/or timeouts modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --explicit-exit-notify can only be used with --p
roto udp
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: compression parms modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Socket Buffers: R=[131072->425984] S=[87040->425984]
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --ifconfig/up options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: route options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: route-related options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: peer-id set
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: adjusting link_mtu to 1659
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: data channel crypto options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Data Channel: using negotiated cipher 'AES-256-GCM'
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
 bit key
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
 bit key
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_best_gw query: dst 0.0.0.0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_best_gw result: via 10.138.31.72 dev eth0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 ROUTE_GATEWAY 10.138.31.72
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 TUN/TAP device tun0 opened
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_iface_mtu_set: mtu 1500 for tun0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_iface_up: set tun0 up
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_addr_v4_add: 10.7.1.29/24 dev tun0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 /usr/lib/qubes/qtunnel-connect up tun0 1500 1587 10.7.1.29 255.2
55.255.0 init
Feb 02 18:06:28 sys-vpn qtunnel-setup[1164]: Using DNS servers 103.86.99.100 103.86.96.100
Feb 02 18:06:28 sys-vpn qtunnel-setup[1171]: Chain QBS-FORWARD (1 references)
Feb 02 18:06:28 sys-vpn qtunnel-setup[1171]: target     prot opt source               destination
Feb 02 18:06:28 sys-vpn su[1176]: (to user) root on none
Feb 02 18:06:28 sys-vpn su[1176]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 18:06:28 sys-vpn su[1176]: pam_unix(su-l:session): session closed for user user
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_add: 31.171.152.19/32 via 10.138.31.72 dev [NULL] t
able 0 metric -1
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_add: 0.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 metr
ic -1
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_add: 128.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 me
tric -1
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 GID set to qtunnel
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 WARNING: this configuration may cache passwords in memory -- use
 the auth-nocache option to prevent this
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Initialization Sequence Completed
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY KU OK
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 Validating certificate extended key usage
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 ++ Certificate has EKU (str) TLS Web Server Authentication, expe
cts TLS Web Server Authentication
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY EKU OK
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY OK: depth=0, CN=al18.nordvpn.com
Feb 02 19:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:28 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
 bit key
Feb 02 19:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:28 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
 bit key
Feb 02 19:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:28 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384,
 peer certificate: 4096 bit RSA, signature: RSA-SHA512
#  iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
  286 35429 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0
   27   861 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 3328 packets, 433K bytes)
 pkts bytes target     prot opt in     out     source               destination
  269 21170 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner GID match 993
   31  1229 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
# iptables -n -v -L -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    80 PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2    80 PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1641 packets, 292K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0
   27   861 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    3   144 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  vif+   *       0.0.0.0/0            10.139.1.1           udp dpt:53 to:103.86.96.100
    0     0 DNAT       tcp  --  vif+   *       0.0.0.0/0            10.139.1.1           tcp dpt:53 to:103.86.96.100
    0     0 DNAT       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:103.86.99.100
    0     0 DNAT       tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:103.86.99.100

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination
# dig www.apple.com

; <<>> DiG 9.16.24-RH <<>> www.apple.com
;; global options: +cmd
;; connection timed out; no servers could be reached

# ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2079ms

# tcpdump -vvvtttns0 -i eth0 &
[1] 1604
# dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

# ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2038ms

# fg
tcpdump -vvvtttns0 -i eth0
^Z
[1]+  Stopped                 tcpdump -vvvtttns0 -i eth0
# bg
[1]+ tcpdump -vvvtttns0 -i eth0 &
# ping -c 10.138.1.1
PING 10.138.1.1 (10.138.1.1) 56(84) bytes of data.
 00:00:00.000000 IP (tos 0x0, ttl 64, id 33705, offset 0, flags [DF], proto TCP (6), length 83)
    10.137.0.27.52722 > 31.171.152.19.https: Flags [P.], cksum 0xc2a7 (incorrect -> 0xb0ec), seq 1150689455:1150689498, ack 944014714, win 501, length 43
 00:00:00.366244 IP (tos 0x0, ttl 31, id 62658, offset 0, flags [DF], proto TCP (6), length 40)
    31.171.152.19.https > 10.137.0.27.52722: Flags [.], cksum 0xb31f (correct), seq 1, ack 43, win 18294, length 0
 00:00:01.004481 IP (tos 0x0, ttl 31, id 62659, offset 0, flags [DF], proto TCP (6), length 83)
    31.171.152.19.https > 10.137.0.27.52722: Flags [P.], cksum 0xca0f (correct), seq 1:44, ack 43, win 18294, length 43
 00:00:00.000036 IP (tos 0x0, ttl 64, id 33706, offset 0, flags [DF], proto TCP (6), length 40)
    10.137.0.27.52722 > 31.171.152.19.https: Flags [.], cksum 0xc27c (incorrect -> 0xf875), seq 43, ack 44, win 501, length 0
 00:00:04.316516 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.137.0.27 tell 10.138.31.72, length 28
 00:00:00.000016 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.137.0.27 is-at 00:16:3e:5e:6c:00, length 28

--- 10.138.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2062ms

# ping -c 3 10.138.1.1
PING 10.138.1.1 (10.138.1.1) 56(84) bytes of data.

--- 10.138.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2080ms

# netstat -s | grep drop
    3146 outgoing packets dropped
# ping -c 3 10.138.1.1
PING 10.138.1.1 (10.138.1.1) 56(84) bytes of data.

--- 10.138.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2045ms

# netstat -s | grep drop
    3170 outgoing packets dropped
# netstat -s | grep drop
    3175 outgoing packets dropped


# netstat -s -u
IcmpMsg:
    InType0: 3
    InType8: 3
    OutType0: 3
    OutType8: 2762
Udp:
    26 packets received
    0 packets to unknown port received
    0 packet receive errors
    26 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
IpExt:
    OutMcastPkts: 2
    InOctets: 37137
    OutOctets: 23338
    OutMcastOctets: 80
    InNoECTPkts: 328
MPTcpExt:
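
The following Python check is an added example for this thread, not code from the post above or from qubes-tunnel. It parses `iptables -n -v -L` output and verifies the anti-leak shape a proxyVM firewall should have: DROP policies on the built-in chains, FORWARD dropping anything to or from the uplink before any ACCEPT, and OUTPUT accepting traffic to the uplink only for an owner-matched process. The sample is a constructed, abridged copy of the rules pasted in the post; `parse_iptables`, `check_leak_guard` and the `uplink` parameter are names chosen here. Run against the post's rules it reports no problems and no ACCEPT for local traffic out of tun0, which is consistent with what the post shows: ping and dig issued inside sys-vpn itself hit the OUTPUT DROP policy (the "outgoing packets dropped" counter), while AppVM traffic arriving on vif+ is still forwarded into the tunnel. The weakened variant shows what the checker flags when the owner match is missing.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the `iptables -n -v -L` output
# pasted in the post above (filter table of the sys-vpn proxyVM).
SAMPLE_FILTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
  286 35429 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   27   861 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 3328 packets, 433K bytes)
 pkts bytes target     prot opt in     out     source               destination
  269 21170 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner GID match 993
   31  1229 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed counter-example: the same rules with the owner match removed,
# so any local process could send straight out of eth0 (a leak path).
WEAK_OUTPUT = re.sub(r"\s+owner GID match 993", "", SAMPLE_FILTER)


@dataclass
class Rule:
    target: str
    in_if: str
    out_if: str
    extra: str  # match options after the destination column, e.g. "owner GID match 993"


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains such as QBS-FORWARD
    policy_pkts: int       # packets that fell through to the policy (dropped, for policy DROP)
    rules: List[Rule] = field(default_factory=list)


_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|\d+ references)")


def parse_iptables(text: str) -> Dict[str, Chain]:
    """Parse `iptables -n -v -L` (filter table) into chains and their rules."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), int(m.group(3) or 0))
            chains[current.name] = current
            continue
        cols = line.split(None, 8)  # pkts bytes target prot opt in out source dest[+extra]
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or the column-header line
        rest = cols[8].split(None, 1)
        current.rules.append(Rule(cols[2], cols[5], cols[6], rest[1].strip() if len(rest) > 1 else ""))
    return chains


def check_leak_guard(chains: Dict[str, Chain], uplink: str = "eth0") -> Dict[str, object]:
    """Verify the anti-leak shape: DROP policies, FORWARD isolated from the uplink,
    and local egress to the uplink allowed only for an owner-matched process."""
    problems: List[str] = []
    for name in ("INPUT", "FORWARD", "OUTPUT"):
        ch = chains.get(name)
        if ch is None or ch.policy != "DROP":
            problems.append(f"{name} policy is not DROP")
    fwd = chains.get("FORWARD")
    if fwd is not None:
        # The uplink drops must precede the first ACCEPT, or forwarded AppVM
        # traffic could leave via the uplink when the tunnel is down.
        first_accept = next((i for i, r in enumerate(fwd.rules) if r.target == "ACCEPT"), len(fwd.rules))
        head = fwd.rules[:first_accept]
        if not any(r.target == "DROP" and r.in_if == uplink for r in head) or \
           not any(r.target == "DROP" and r.out_if == uplink for r in head):
            problems.append(f"FORWARD does not drop {uplink} traffic ahead of the first ACCEPT")
    out = chains.get("OUTPUT")
    local_tunnel_egress = False
    for r in (out.rules if out else []):
        if r.target != "ACCEPT":
            continue
        if r.out_if.startswith("tun"):
            local_tunnel_egress = True  # the proxyVM's own processes may use the tunnel
        if r.out_if in ("*", uplink) and "owner" not in r.extra:
            problems.append(f"OUTPUT accepts local traffic to {r.out_if} without an owner match")
    return {
        "ok": not problems,
        "problems": problems,
        "local_tunnel_egress": local_tunnel_egress,
        "output_policy_drops": out.policy_pkts if out else 0,
    }


if __name__ == "__main__":
    for label, text in (("post's rules", SAMPLE_FILTER), ("weakened rules", WEAK_OUTPUT)):
        print(label, check_leak_guard(parse_iptables(text)))
```

Inside a real proxyVM the input would come from `iptables -n -v -L` run as root; `local_tunnel_egress` being False means tools run in the proxyVM itself are not a valid connectivity test, so test from an AppVM whose netVM is the proxyVM instead.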

I can't get a VPN to work on the newest Qubes… Could anyone link some working guide? Thanks a lot

Hi @naverone @fepitre

I have created a template VM and installed qubes-repo-contrib and qubes-tunnel.
I also followed the steps in the NordVPN guide, using install.sh, to install NordVPN,
then created the appVM sys-vpn,
and logged in and connected to NordVPN successfully,
both in the template VM and the appVM sys-vpn,
using the NordVPN installed in the template VM.

But I'm not sure how to do step 4,
copying the ovpn config to qtunnel in qubes-tunnel,
because I'm not sure how to create / get the ovpn config.

So please kindly help: how do I get the ovpn config?
Do we have to set up OpenVPN instead of the NordVPN app?

Hi, I've combined the procedure of configuring Mullvad VPN: Using Mullvad VPN in Qubes via Network Manager and setting up NordVPN according to Connect to NordVPN using Linux Terminal | NordVPN support. It works for me without problems.
Sina.