Help troubleshooting Qubes-vpn-support? ("operation not permitted"?)

So I thought I followed the directions for Qubes-vpn-support, but perhaps not? I set the sys-vpn-us proxy VM as a network VM for another VM, but the other VM could not connect to the internet, so I tried the first suggestion in the troubleshooting section and got:

root@sys-vpn-us:/rw/config/vpn# sudo openvpn --cd  /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt
2024-06-11 07:25:44 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-06-11 07:25:44 library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
2024-06-11 07:25:44 DCO version: N/A
2024-06-11 07:25:44 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-06-11 07:25:44 TCP/UDP: Preserving recently used remote address: [AF_INET]149.102.224.162:80
2024-06-11 07:25:44 UDPv4 link local: (not bound)
2024-06-11 07:25:44 UDPv4 link remote: [AF_INET]149.102.224.162:80
2024-06-11 07:25:44 write UDPv4 []: Operation not permitted (fd=3,code=1)
2024-06-11 07:25:46 write UDPv4 []: Operation not permitted (fd=3,code=1)
2024-06-11 07:25:50 write UDPv4 []: Operation not permitted (fd=3,code=1)
2024-06-11 07:25:58 write UDPv4 []: Operation not permitted (fd=3,code=1)
^C2024-06-11 07:26:02 event_wait : Interrupted system call (fd=-1,code=4)
2024-06-11 07:26:02 SIGINT[hard,] received, process exiting

Unfortunately I don’t really understand the error; thoughts, anyone?

If it helps, I am using a Debian 12 minimal template and I installed the recommended apps needed for VPN and networking. Also, I installed this on my template VM, then configured it in the proxyvm.

Did you use the replace-iptables-with-nftables branch?

Do you have working network in this qube? Are you able to ping 9.9.9.9 successfully?

Hmmmm, so “no” and “no” to both questions.

For the first question, I (naively, I guess) thought that the script would somehow make the necessary changes? That said, I guess I should go through how I interpreted the instructions: I downloaded a zip of all the files (branch?), which gave me a Qubes-vpn-support-master.zip file. In that file was the install script, which I chmod’d to 755 then ran (./install), and that seemed to go OK.
But after your question I looked and tried specifically selecting the replace-iptables-with-nftables branch, downloaded a zipped version, and unzipped it. It looked like the other branch I downloaded, but I ran the install script (in the template) anyway, shut down the template, then restarted the sys-vpn-us and … same result. Clearly I don’t understand git very well :confused:

Did you download file named Qubes-vpn-support-replace-iptables-with-nftables.zip?
Try to create a new VPN template and qube based on this template and install this version there. Maybe there are some files from old version that are messing with new one if you just install new version without uninstalling old version first.

Are you able to ping 9.9.9.9 in the qube based on this minimal VPN template without Qubes-vpn-support installed? Just to make sure that network works in this qube without Qubes-vpn-support.

OK, to be sure, I am going to just try starting over (nuke my template and sys-vpn, then re-download and recreate), but I also wanted to check about the Qubes-vpn-support-replace-iptables-with-nftables.zip. I did not download that. Apologies for asking, but would you mind providing a link so I can be 100% sure I am getting the right thing?
Also, I would run that in addition to downloading the Qubes-vpn-support.zip and running that?

Go to this page:

Press on the “Code” button → “Download ZIP”.
Direct link:
https://github.com/1cho1ce/Qubes-vpn-support/archive/refs/heads/replace-iptables-with-nftables.zip

No, you need to download and use the Qubes-vpn-support zip from the correct branch replace-iptables-with-nftables.

Thank you, again.
I removed the minimal template and the sys-vpn appvm and am starting over. I wasn’t able to ping anything from the sys-vpn appvm, but that kind of led me to my next question before I start gooping up the currently pristine template.
The sys-vpn appvm is set to use the sys-firewall as the net qube, and is set (box checked) to provide a network.
What I haven’t done is install anything in the minimal template which I suspect is the issue but I wanted to be sure before I start installing things willy-nilly. Based on the minimal template docs for debian I was going to install the following, but wanted to see if I am “over installing” or leaving anything out that would be needed for this sys-vpn to function:

  • qubes-core-agent-networking
  • qubes-core-agent-dom0-updates
  • qubes-core-agent-network-manager
  • ntpd
  • and openvpn?

Thanks!

The packages look good, except ntpd; I don’t know why it is needed. Also, there is no ntpd package in Debian; I guess it should be ntp? But I think for a clock qube systemd-timesyncd is needed, not the ntp package.
Also you may want to install xfce4-notifyd package to see notifications from Qubes-vpn-support.
Check the network in sys-vpn after installing these packages and before installing Qubes-vpn-support.

Unfortunately I seem to be back where I started. I did not notice that the first troubleshooting step said to try it before installing replace-iptables-with-nftables.zip, but regardless, I tried getting some other information:
I was unable to ping:

root@sys-vpn-us:/rw/config/vpn# ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
^C
--- 9.9.9.9 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9202ms

and systemctl gave me:

root@sys-vpn-us:/rw/config/vpn# systemctl status qubes-vpn-handler
○ qubes-vpn-handler.service - VPN Client for Qubes proxyVM
     Loaded: loaded (/lib/systemd/system/qubes-vpn-handler.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
             └─00_example.conf
     Active: inactive (dead)
  Condition: start condition failed at Thu 2024-06-13 08:24:34 EDT; 4min 40s ago
             └─ ConditionPathExistsGlob=/var/run/qubes-service/vpn-handler* was not met

Jun 13 08:24:34 sys-vpn-us systemd[1]: qubes-vpn-handler.service - VPN Client for Qubes proxyVM was skipped because of an unmet condition check (ConditionPathExistsGlo>

and
the journalctl output was too long for the pastebins so I am going to post this and then try to upload the journalctl.jog as a file.

Were you able to ping successfully before installing Qubes-vpn-support?

Did you add the vpn-handler-openvpn service to the sys-vpn qube as stated in the setup guide?

Next, add vpn-handler-openvpn to the ProxyVM’s Settings / Services tab by typing it into the top line and clicking the plus icon. Do not add other network services such as Network Manager.


Yes, I was able to ping prior to installing qubes-vpn-support; that was from within the sys-vpn-us qube. But then I tried (once I corrected my oversight) from within an appvm that was using the sys-vpn appvm, and that worked?

… :roll_eyes: :grimacing: :confounded: I apparently didn’t add vpn-handler-openvpn to the sys-vpn-us service this time - though I swear I did the previous times that I created the sys-vpn qube.
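
The checks made by hand in this thread can be collected into one triage script to run inside the proxy qube. This is an added example, not part of the thread or of the Qubes-vpn-support project; the function names are hypothetical, while the flag path and log strings are the ones in the output quoted above.

```shell
#!/bin/sh
# Added example: triage helpers for a Qubes-vpn-support proxy qube.
# Function names are hypothetical; the paths and messages matched here
# are taken from the systemctl and OpenVPN output quoted in the thread.

# Return 0 if a qubes-service flag matching vpn-handler* exists in $1.
# The flag appears only after the service is added in the qube's
# Settings / Services tab and the qube is restarted.
vpn_handler_flag_present() {
    dir=${1:-/var/run/qubes-service}
    for f in "$dir"/vpn-handler*; do
        if [ -e "$f" ]; then return 0; fi
    done
    return 1
}

# Classify `systemctl status qubes-vpn-handler` text read from stdin.
classify_handler_status() {
    status=$(cat)
    case $status in
        *"ConditionPathExistsGlob="*"was not met"*) echo "service-flag-missing" ;;
        *"Active: active (running)"*)               echo "running" ;;
        *"Active: failed"*)                         echo "failed" ;;
        *)                                          echo "unknown" ;;
    esac
}

# Count OpenVPN "Operation not permitted" write errors in log text on stdin.
count_write_denied() {
    grep -c 'write UDPv4.*Operation not permitted' || true
}

# Sample lines copied from the status output posted in the thread.
SAMPLE_STATUS='     Active: inactive (dead)
  Condition: start condition failed at Thu 2024-06-13 08:24:34 EDT; 4min 40s ago
  ConditionPathExistsGlob=/var/run/qubes-service/vpn-handler* was not met'

printf '%s\n' "$SAMPLE_STATUS" | classify_handler_status
```

On a live qube, pipe `systemctl status qubes-vpn-handler` into `classify_handler_status` and call `vpn_handler_flag_present` with no argument to check the real flag directory.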