I just went through these steps, creating the sys-vpn from fc-34-minimal on my 4.1-rc? system, targeting my NordVPN service. It claims to work (per journalctl -u qubes-tunnel) but I think the routes are messed up or something. DNS lookups fail. If I run tcpdump on eth0, all I see are what looks like keep-alive pings happening on the encrypted connection to the NordVPN server. Just periodic TCP packets.
On the tun0 device, I never see packet counts incremented off zero. Not sure what's happening there.
# tracepath -n 1.1.1.1
1?: [LOCALHOST] pmtu 1500
1: send failed
1: send failed
Resume: pmtu 1500
# route -vn
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.138.31.72 0.0.0.0 UG 0 0 0 eth0
10.7.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.138.31.72 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
31.171.152.19 10.138.31.72 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 10.137.0.27/32 brd 10.255.255.255 scope global eth0
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.7.1.29/24 scope global tun0
valid_lft forever preferred_lft forever
# ip -4 link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
link/none
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.27 netmask 255.255.255.255 broadcast 10.255.255.255
inet6 fe80::216:3eff:fe5e:6c00 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:5e:6c:00 txqueuelen 1000 (Ethernet)
RX packets 460 bytes 34414 (33.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 437 bytes 30300 (29.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 60 bytes 2678 (2.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 60 bytes 2678 (2.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.7.1.29 netmask 255.255.255.0 destination 10.7.1.29
inet6 fe80::9ae7:9d30:9423:f2ed prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# journalctl -u qubes-tunnel
Feb 02 17:16:34 sys-vpn qtunnel-setup[792]: EXEC /usr/sbin/openvpn --cd /rw/config/qtunnel/ --config /tmp/qtunnel.conf --verb 3 -
-mlock --ping 10 --ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 --group qtunnel --script-security
2 --up "/usr/lib/qubes/qtunnel-connect up" --down "/usr/lib/qubes/qtunnel-connect down" --auth-user-pass /tmp/tunneluserpwd.txt
Feb 02 17:16:34 sys-vpn qtunnel-setup[793]: START-ing network forwarding!
Feb 02 17:16:34 sys-vpn systemd[1]: Started Tunnel service for Qubes proxyVM.
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in -
-data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' t
o --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 OpenVPN 2.5.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
[EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 library versions: OpenSSL 1.1.1l FIPS 24 Aug 2021, LZO 2.10
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 mlockall call succeeded
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 WARNING: you are using user/group/chroot/setcon without persist-t
un -- this may cause restarts to fail
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 NOTE: the current --script-security setting may allow this config
uration to call user-defined scripts
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 NOTE: --fast-io is disabled since we are not using UDP
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Outgoing Control Channel Authentication: Using 512 bit message ha
sh 'SHA512' for HMAC authentication
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Incoming Control Channel Authentication: Using 512 bit message ha
sh 'SHA512' for HMAC authentication
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP/UDP: Preserving recently used remote address: [AF_INET]31.171
.152.19:443
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Socket Buffers: R=[131072->131072] S=[16384->16384]
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 Attempting to establish TCP connection with [AF_INET]31.171.152.1
9:443 [nonblock]
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP connection established with [AF_INET]31.171.152.19:443
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP_CLIENT link local: (not bound)
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TCP_CLIENT link remote: [AF_INET]31.171.152.19:443
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 NOTE: UID/GID downgrade will be delayed because of --client, --pu
ll, or --up-delay
Feb 02 17:16:34 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:34 TLS: Initial packet from [AF_INET]31.171.152.19:443, sid=12bb3b6a
d8f872f4
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY KU OK
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 Validating certificate extended key usage
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 ++ Certificate has EKU (str) TLS Web Server Authentication, expec
ts TLS Web Server Authentication
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY EKU OK
Feb 02 17:16:36 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:36 VERIFY OK: depth=0, CN=al18.nordvpn.com
Feb 02 17:16:37 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:37 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384,
peer certificate: 4096 bit RSA, signature: RSA-SHA512
Feb 02 17:16:37 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:37 [al18.nordvpn.com] Peer Connection Initiated with [AF_INET]31.171
.152.19:443
Feb 02 17:16:38 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:38 SENT CONTROL [al18.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1
,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-g
ateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.12 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: timers and/or timeouts modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --explicit-exit-notify can only be used with --pr
oto udp
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: compression parms modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Socket Buffers: R=[131072->425984] S=[87040->425984]
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --ifconfig/up options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: route options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: route-related options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: peer-id set
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: adjusting link_mtu to 1659
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 OPTIONS IMPORT: data channel crypto options modified
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Data Channel: using negotiated cipher 'AES-256-GCM'
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_best_gw query: dst 0.0.0.0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_best_gw result: via 10.138.31.72 dev eth0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 ROUTE_GATEWAY 10.138.31.72
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 TUN/TAP device tun0 opened
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_iface_mtu_set: mtu 1500 for tun0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_iface_up: set tun0 up
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_addr_v4_add: 10.7.2.12/24 dev tun0
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 /usr/lib/qubes/qtunnel-connect up tun0 1500 1587 10.7.2.12 255.25
5.255.0 init
Feb 02 17:16:39 sys-vpn qtunnel-setup[885]: Using DNS servers 103.86.99.100 103.86.96.100
Feb 02 17:16:39 sys-vpn qtunnel-setup[893]: Chain QBS-FORWARD (1 references)
Feb 02 17:16:39 sys-vpn qtunnel-setup[893]: target prot opt source destination
Feb 02 17:16:39 sys-vpn su[898]: (to user) root on none
Feb 02 17:16:39 sys-vpn su[898]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 17:16:39 sys-vpn su[898]: pam_unix(su-l:session): session closed for user user
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_add: 31.171.152.19/32 via 10.138.31.72 dev [NULL] ta
ble 0 metric -1
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_add: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metri
c -1
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 net_route_v4_add: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 met
ric -1
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 GID set to qtunnel
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 WARNING: this configuration may cache passwords in memory -- use
the auth-nocache option to prevent this
Feb 02 17:16:39 sys-vpn qtunnel-setup[796]: 2022-02-02 17:16:39 Initialization Sequence Completed
Feb 02 18:06:23 sys-vpn systemd[1]: Stopping Tunnel service for Qubes proxyVM...
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 event_wait : Interrupted system call (code=4)
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_route_v4_del: 31.171.152.19/32 via 10.138.31.72 dev [NULL] ta
ble 0 metric -1
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_route_v4_del: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metri
c -1
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_route_v4_del: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 met
ric -1
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 Closing TUN/TAP interface
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 net_addr_v4_del: 10.7.2.12 dev tun0
Feb 02 18:06:23 sys-vpn qtunnel-setup[1102]: STOP-ing network forwarding!
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 /usr/lib/qubes/qtunnel-connect down tun0 1500 1587 10.7.2.12 255.
255.255.0 init
Feb 02 18:06:23 sys-vpn su[1110]: (to user) root on none
Feb 02 18:06:23 sys-vpn su[1110]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 18:06:23 sys-vpn su[1110]: pam_unix(su-l:session): session closed for user user
Feb 02 18:06:23 sys-vpn qtunnel-setup[796]: 2022-02-02 18:06:23 SIGTERM[hard,] received, process exiting
Feb 02 18:06:23 sys-vpn systemd[1]: qubes-tunnel.service: Deactivated successfully.
Feb 02 18:06:23 sys-vpn systemd[1]: Stopped Tunnel service for Qubes proxyVM.
Feb 02 18:06:23 sys-vpn systemd[1]: Starting Tunnel service for Qubes proxyVM...
Feb 02 18:06:23 sys-vpn su[1139]: (to user) root on none
Feb 02 18:06:23 sys-vpn su[1139]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 18:06:23 sys-vpn su[1139]: pam_unix(su-l:session): session closed for user user
Feb 02 18:06:23 sys-vpn qtunnel-setup[1158]: START-ing network forwarding!
Feb 02 18:06:23 sys-vpn systemd[1]: Started Tunnel service for Qubes proxyVM.
Feb 02 18:06:23 sys-vpn qtunnel-setup[1157]: EXEC /usr/sbin/openvpn --cd /rw/config/qtunnel/ --config /tmp/qtunnel.conf --verb 3
--mlock --ping 10 --ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 --group qtunnel --script-securit
y 2 --up "/usr/lib/qubes/qtunnel-connect up" --down "/usr/lib/qubes/qtunnel-connect down" --auth-user-pass /tmp/tunneluserpwd.txt
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in
--data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC'
to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 OpenVPN 2.5.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4
] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 library versions: OpenSSL 1.1.1l FIPS 24 Aug 2021, LZO 2.10
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 mlockall call succeeded
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 WARNING: you are using user/group/chroot/setcon without persist-
tun -- this may cause restarts to fail
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 NOTE: the current --script-security setting may allow this confi
guration to call user-defined scripts
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 NOTE: --fast-io is disabled since we are not using UDP
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Outgoing Control Channel Authentication: Using 512 bit message h
ash 'SHA512' for HMAC authentication
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Incoming Control Channel Authentication: Using 512 bit message h
ash 'SHA512' for HMAC authentication
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP/UDP: Preserving recently used remote address: [AF_INET]31.17
1.152.19:443
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Socket Buffers: R=[131072->131072] S=[16384->16384]
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 Attempting to establish TCP connection with [AF_INET]31.171.152.
19:443 [nonblock]
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP connection established with [AF_INET]31.171.152.19:443
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP_CLIENT link local: (not bound)
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TCP_CLIENT link remote: [AF_INET]31.171.152.19:443
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 NOTE: UID/GID downgrade will be delayed because of --client, --p
ull, or --up-delay
Feb 02 18:06:23 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:23 TLS: Initial packet from [AF_INET]31.171.152.19:443, sid=ff076d2
3 e8a6c2b2
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY KU OK
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 Validating certificate extended key usage
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 ++ Certificate has EKU (str) TLS Web Server Authentication, expe
cts TLS Web Server Authentication
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY EKU OK
Feb 02 18:06:25 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:25 VERIFY OK: depth=0, CN=al18.nordvpn.com
Feb 02 18:06:26 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384,
peer certificate: 4096 bit RSA, signature: RSA-SHA512
Feb 02 18:06:26 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:26 [al18.nordvpn.com] Peer Connection Initiated with [AF_INET]31.17
1.152.19:443
Feb 02 18:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:27 SENT CONTROL [al18.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def
1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-
gateway 10.7.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.1.29 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: timers and/or timeouts modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --explicit-exit-notify can only be used with --p
roto udp
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: compression parms modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Socket Buffers: R=[131072->425984] S=[87040->425984]
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --ifconfig/up options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: route options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: route-related options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: peer-id set
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: adjusting link_mtu to 1659
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 OPTIONS IMPORT: data channel crypto options modified
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Data Channel: using negotiated cipher 'AES-256-GCM'
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_best_gw query: dst 0.0.0.0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_best_gw result: via 10.138.31.72 dev eth0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 ROUTE_GATEWAY 10.138.31.72
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 TUN/TAP device tun0 opened
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_iface_mtu_set: mtu 1500 for tun0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_iface_up: set tun0 up
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_addr_v4_add: 10.7.1.29/24 dev tun0
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 /usr/lib/qubes/qtunnel-connect up tun0 1500 1587 10.7.1.29 255.2
55.255.0 init
Feb 02 18:06:28 sys-vpn qtunnel-setup[1164]: Using DNS servers 103.86.99.100 103.86.96.100
Feb 02 18:06:28 sys-vpn qtunnel-setup[1171]: Chain QBS-FORWARD (1 references)
Feb 02 18:06:28 sys-vpn qtunnel-setup[1171]: target prot opt source destination
Feb 02 18:06:28 sys-vpn su[1176]: (to user) root on none
Feb 02 18:06:28 sys-vpn su[1176]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
Feb 02 18:06:28 sys-vpn su[1176]: pam_unix(su-l:session): session closed for user user
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_add: 31.171.152.19/32 via 10.138.31.72 dev [NULL] t
able 0 metric -1
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_add: 0.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 metr
ic -1
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 net_route_v4_add: 128.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 me
tric -1
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 GID set to qtunnel
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 WARNING: this configuration may cache passwords in memory -- use
the auth-nocache option to prevent this
Feb 02 18:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 18:06:28 Initialization Sequence Completed
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY KU OK
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 Validating certificate extended key usage
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 ++ Certificate has EKU (str) TLS Web Server Authentication, expe
cts TLS Web Server Authentication
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY EKU OK
Feb 02 19:06:27 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:27 VERIFY OK: depth=0, CN=al18.nordvpn.com
Feb 02 19:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:28 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 19:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:28 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
Feb 02 19:06:28 sys-vpn qtunnel-setup[1161]: 2022-02-02 19:06:28 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384,
peer certificate: 4096 bit RSA, signature: RSA-SHA512
# iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
286 35429 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
27 861 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 3328 packets, 433K bytes)
pkts bytes target prot opt in out source destination
269 21170 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 owner GID match 993
31 1229 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain QBS-FORWARD (1 references)
pkts bytes target prot opt in out source destination
# iptables -n -v -L -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 80 PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
2 80 PR-QBS-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1641 packets, 292K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
27 861 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
3 144 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- vif+ * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:103.86.96.100
0 0 DNAT tcp -- vif+ * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:103.86.96.100
0 0 DNAT udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:103.86.99.100
0 0 DNAT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:103.86.99.100
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
# dig www.apple.com
; <<>> DiG 9.16.24-RH <<>> www.apple.com
;; global options: +cmd
;; connection timed out; no servers could be reached
# ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2079ms
# tcpdump -vvvtttns0 -i eth0 &
[1] 1604
# dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
# ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2038ms
# fg
tcpdump -vvvtttns0 -i eth0
^Z
[1]+ Stopped tcpdump -vvvtttns0 -i eth0
# bg
[1]+ tcpdump -vvvtttns0 -i eth0 &
# ping -c 10.138.1.1
PING 10.138.1.1 (10.138.1.1) 56(84) bytes of data.
00:00:00.000000 IP (tos 0x0, ttl 64, id 33705, offset 0, flags [DF], proto TCP (6), length 83)
10.137.0.27.52722 > 31.171.152.19.https: Flags [P.], cksum 0xc2a7 (incorrect -> 0xb0ec), seq 1150689455:1150689498, ack 944014714, win 501, length 43
00:00:00.366244 IP (tos 0x0, ttl 31, id 62658, offset 0, flags [DF], proto TCP (6), length 40)
31.171.152.19.https > 10.137.0.27.52722: Flags [.], cksum 0xb31f (correct), seq 1, ack 43, win 18294, length 0
00:00:01.004481 IP (tos 0x0, ttl 31, id 62659, offset 0, flags [DF], proto TCP (6), length 83)
31.171.152.19.https > 10.137.0.27.52722: Flags [P.], cksum 0xca0f (correct), seq 1:44, ack 43, win 18294, length 43
00:00:00.000036 IP (tos 0x0, ttl 64, id 33706, offset 0, flags [DF], proto TCP (6), length 40)
10.137.0.27.52722 > 31.171.152.19.https: Flags [.], cksum 0xc27c (incorrect -> 0xf875), seq 43, ack 44, win 501, length 0
00:00:04.316516 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.137.0.27 tell 10.138.31.72, length 28
00:00:00.000016 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.137.0.27 is-at 00:16:3e:5e:6c:00, length 28
--- 10.138.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2062ms
# ping -c 3 10.138.1.1
PING 10.138.1.1 (10.138.1.1) 56(84) bytes of data.
--- 10.138.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2080ms
# netstat -s | grep drop
3146 outgoing packets dropped
# ping -c 3 10.138.1.1
PING 10.138.1.1 (10.138.1.1) 56(84) bytes of data.
--- 10.138.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2045ms
# netstat -s | grep drop
3170 outgoing packets dropped
# netstat -s | grep drop
3175 outgoing packets dropped
# netstat -s -u
IcmpMsg:
InType0: 3
InType8: 3
OutType0: 3
OutType8: 2762
Udp:
26 packets received
0 packets to unknown port received
0 packet receive errors
26 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
IpExt:
OutMcastPkts: 2
InOctets: 37137
OutOctets: 23338
OutMcastOctets: 80
InNoECTPkts: 328
MPTcpExt:
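As an added diagnostic example (not part of the original post), the script below replays the post's own `route -n` rows and FORWARD/OUTPUT chains to show what the counters already say: a packet that sys-vpn itself originates is routed to tun0 and then hits the OUTPUT chain's policy DROP (the 3328-packet counter), because the only ACCEPT rules are for GID 993 out eth0 and for lo, whereas forwarded vif+ traffic to tun0 would be accepted and vif+ traffic to eth0 is dropped by the kill-switch rule. The interface name vif12.0 and the GID values passed to the functions are constructed inputs.

```python
import re
import ipaddress

# Copied from the post above: the `route -n` rows and the FORWARD/OUTPUT chains of
# `iptables -n -v -L` (whitespace collapsed as rendered on the page; header rows omitted).
ROUTE_TABLE = """\
0.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.138.31.72 0.0.0.0 UG 0 0 0 eth0
10.7.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.138.31.72 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
31.171.152.19 10.138.31.72 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.7.1.1 128.0.0.0 UG 0 0 0 tun0
"""
IPTABLES_FILTER = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 3328 packets, 433K bytes)
269 21170 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 owner GID match 993
31 1229 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain QBS-FORWARD (1 references)
"""
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+) (\d+) packets|(\d+) references)")


def parse_iptables(text):
    """Parse `iptables -n -v -L` text into {chain: {policy, policy_pkts, rules}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": [],
                                        "policy_pkts": int(m.group(3) or 0)}
            continue
        f = line.split()
        if cur is None or not f or f[0] == "pkts":
            continue
        extra = " ".join(f[9:])                      # match extensions after dst
        gid = re.search(r"owner GID match (\d+)", extra)
        cur["rules"].append({"target": f[2], "in": f[5], "out": f[6],
                             "stateful": "state" in extra,   # 'state' or 'ctstate'
                             "gid": int(gid.group(1)) if gid else None})
    return chains


def iface_match(pattern, iface):
    """iptables interface match: '*' is any, a trailing '+' is a prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def verdict(chains, chain, in_if, out_if, gid=None):
    """First-match verdict for a NEW packet; conntrack-state rules cannot match it."""
    for r in chains[chain]["rules"]:
        if r["stateful"] or not iface_match(r["in"], in_if) or not iface_match(r["out"], out_if):
            continue
        if r["gid"] is not None and r["gid"] != gid:   # owner match: wrong group
            continue
        if r["target"] in chains:                       # jump; implicit RETURN falls through
            v = verdict(chains, r["target"], in_if, out_if, gid)
            if v:
                return v
            continue
        return r["target"]
    return chains[chain]["policy"]


def egress_iface(route_text, dst):
    """Longest-prefix match over `route -n` rows; returns the outgoing interface."""
    best = None
    for line in route_text.splitlines():
        dest, _gw, mask, _fl, _m, _r, _u, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1]


def local_packet(chains, routes, dst, gid=0):
    """Fate of a packet sys-vpn itself originates (ping/dig run as root: gid 0)."""
    iface = egress_iface(routes, dst)
    return iface, verdict(chains, "OUTPUT", "", iface, gid)
```

Dropped-in-OUTPUT packets never reach the device, which is why tun0's TX counter stays at zero while `netstat -s` keeps counting "outgoing packets dropped".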