@longTimeQubesUser Thank you for taking the time to make this guide. If you have some time, would you mind helping me troubleshoot setting this up?
I recently did a fresh install of 4.3 and realized I wasn’t able to set up my VPN template/qubes the way I had before via: Configuring a ProxyVM VPN Gateway
I’ve followed your guide step-by-step a few times now, and I can’t figure out why I don’t have internet access (I’m using ProtonVPN, if this helps at all).
Things of note:
My ovpn config file:
client
dev tun
proto tcp
remote 156.146.54.81 443
remote 156.146.54.81 7770
remote 156.146.54.81 8443
remote-random
resolv-retry infinite
nobind
cipher AES-256-GCM
setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass pass.txt
redirect-gateway def1
script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'
verb 3
log /home/user/log
When I test my client configuration with:
openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
I’m receiving packets via pinging, consistently, although I’m receiving this:
Connection reset, restarting [-1]
SIGUSR1[soft,connection-reset] received, process restarting
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.54.81:7770
I continued with the guide until I finished everything and the logs say I’m establishing a connection but I only receive the first notification stating “sys-vpn: Starting openvpn…”, I never receive the “sys-vpn: LINK IS UP.” notification.
Logs after starting my vpn qube:
2026-03-07 17:30:24 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2026-03-07 17:30:24 WARNING: file 'pass.txt' is group or others accessible
2026-03-07 17:30:24 OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [D>
2026-03-07 17:30:24 library versions: OpenSSL 3.5.4 30 Sep 2025, LZO 2.10
2026-03-07 17:30:24 DCO version: N/A
2026-03-07 17:30:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2026-03-07 17:30:24 TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.54.81:7770
2026-03-07 17:30:24 Socket Buffers: R=[131072->131072] S=[16384->16384]
2026-03-07 17:30:24 Attempting to establish TCP connection with [AF_INET]156.146.54.81:7770
2026-03-07 17:30:24 TCP connection established with [AF_INET]156.146.54.81:7770
2026-03-07 17:30:24 TCPv4_CLIENT link local: (not bound)
2026-03-07 17:30:24 TCPv4_CLIENT link remote: [AF_INET]156.146.54.81:7770
2026-03-07 17:30:43 Connection reset, restarting [-1]
2026-03-07 17:30:43 SIGUSR1[soft,connection-reset] received, process restarting
2026-03-07 17:30:43 Restart pause, 1 second(s)
2026-03-07 17:30:44 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2026-03-07 17:30:44 TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.54.81:8443
2026-03-07 17:30:44 Socket Buffers: R=[131072->131072] S=[16384->16384]
2026-03-07 17:30:44 Attempting to establish TCP connection with [AF_INET]156.146.54.81:8443
2026-03-07 17:30:44 TCP connection established with [AF_INET]156.146.54.81:8443
2026-03-07 17:30:44 TCPv4_CLIENT link local: (not bound)
2026-03-07 17:30:44 TCPv4_CLIENT link remote: [AF_INET]156.146.54.81:8443
2026-03-07 17:31:04 Connection reset, restarting [-1]
2026-03-07 17:31:04 SIGUSR1[soft,connection-reset] received, process restarting
2026-03-07 17:31:04 Restart pause, 1 second(s)
2026-03-07 17:31:05 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2026-03-07 17:31:05 TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.54.81:443
2026-03-07 17:31:05 Socket Buffers: R=[131072->131072] S=[16384->16384]
2026-03-07 17:31:05 Attempting to establish TCP connection with [AF_INET]156.146.54.81:443
2026-03-07 17:31:05 TCP connection established with [AF_INET]156.146.54.81:443
I cloned both the template/vpn qube to correct the kernel support error by installing: openvpn-dco-dkms - but I don’t think it’s necessary, though. I’m not sure if changing the location of any of the configurations in the ovpn config file would make a difference, as I tried that (keeping redirect-gateway def1 above script-security 2).
Now I’m receiving pretty much the same thing, just without the kernel error:
2026-03-07 17:40:00 WARNING: file 'pass.txt' is group or others accessible
2026-03-07 17:40:00 OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2026-03-07 17:40:00 library versions: OpenSSL 3.5.4 30 Sep 2025, LZO 2.10
2026-03-07 17:40:00 DCO version: 0.0+git20241121
2026-03-07 17:40:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2026-03-07 17:40:00 TCP/UDP: Preserving recently used remote address: [AF_INET]156.146.54.81:443
2026-03-07 17:40:00 Socket Buffers: R=[131072->131072] S=[16384->16384]
2026-03-07 17:40:00 Attempting to establish TCP connection with [AF_INET]156.146.54.81:443
2026-03-07 17:40:00 TCP connection established with [AF_INET]156.146.54.81:443
2026-03-07 17:40:00 TCPv4_CLIENT link local: (not bound)
2026-03-07 17:40:00 TCPv4_CLIENT link remote: [AF_INET]156.146.54.81:443
If there’s something I’m missing to give more insight into what’s going on, please let me know. Thank you again for the excellent guide. Any help would be greatly appreciated.