I can’t make the openvpn work

Habart · December 12, 2023, 3:36pm

Have been using Qubes for about 5 years without any major issues. But since the 4.1 version up to the current testing Qubes-R4.2.0-rc5-x86_64.iso I can’t make the openvpn work in ether the sys-vm, nor any separate VM both with Network manager and without. I tried using both fedora-38 and debian-12, still no result. Seems either dns or firewall problem.
GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS stopped working in both the 4.1.2 and 4.2.0-rc5
I only managed to make the debian-11 template to work on Qubes-R4.1.2-x86_64.iso but it’s insecure since reached the end of life.

I also have somewhat a little bit blurred screen after enabling the display scaling ratio to 0.5 since I have 4K monitor in the Qubes-R4.2.0-rc5-x86_64.iso. It seems counter intuitive to not setting it to 2X, but it’s mainly the Fedora itself bug. But still it’s way better than not having this option at all, like in 4.1.2 stable release, where I didn’t manage to enlarge the Qubes Manager and debian templates whatever I tried.

The VPN issue is of the main priority, since I can’t use Qubes any more.

DVM · December 12, 2023, 3:48pm

I use qubes-vpn-support and it works, I’ve never had any problems with it.
Debian-11 is not end-of-life, it has long-term support until 2026.

For Qubes 4.2, you need to use the nftables version, since Qubes is switching from iptables to it. Check out the pull request below:

github.com/tasket/Qubes-vpn-support

Replace iptables with nftables

tasket:master ← 1cho1ce:replace-iptables-with-nftables

opened 07:01PM - 25 May 23 UTC

1cho1ce

+153 -43

Qubes dropped iptables support and replaced it with nftables: https://github.co…m/QubesOS/qubes-core-agent-linux/commit/28b95535c7cbd15543c804e822c0e4c997f5966e This pull request replaces iptables with nftables. Removed `allow established input` rules from `proxy-firewall-restrict` since they are already present in nft tables ip/ip6 qubes. TODO: Need to think of a better way to check in `--check-firewall` in `qubes-vpn-setup` script if the forward drop rules are present (or `proxy-firewall-restrict` script finished successfully).

Habart · December 14, 2023, 8:07am

Thanks, DVM. I managed to make it working on Debian-12 from replace-iptables-with-nftables branch. Many thanks to 1cho1ce
As to Fedora-38, I had some vpn config issues regarding cipher and keys, if someone could help I could post the logs in the appropriate thread.

As for Debian-11 EOL it seems I was wrong, since I thought it would be the same as with Fedora-37 reaching EOL on 2023-11-21. Thanks for clarification)

As for qubes-vpn-support from tusket master branch, it doesn’t work on new templates Debian-12 and Fedora-38 on the 4.1.2 stable release. As far as I know 4.1.2 doesn’t use nftables yet instead of iptables

adw · December 14, 2023, 6:27pm

But note that Qubes follows the regular EOL date, not the LTS EOL date:

https://www.qubes-os.org/doc/supported-releases/#note-on-debian-support

Nonetheless, Debian 11 has not reached its regular EOL date yet:

https://wiki.debian.org/DebianReleases

DVM · December 14, 2023, 6:38pm

Good to know. So Debian 11 will be EOL (for Qubes) in about 6 months.

fsflover · December 20, 2023, 5:08pm

I created a dedicated topic for this problem.

Qoobsnoob · January 13, 2024, 3:09am

How do i do this? Ive never used iptables before. On 4.1 i used openvpn, network manager and firewall settings in qubes settings

Why does 4.2 seem more difficult to use than 4.1

DVM · January 13, 2024, 4:07pm

You need to clone the repo and then checkout to the correct branch:

git clone https://github.com/1cho1ce/Qubes-vpn-support
cd Qubes-vpn-support
git checkout replace-iptables-with-nftables

Then continue with the installation script:

sudo bash ./install

I would recommend installing it in a new ProxyVM instead of the template. Use the template only to install openvpn.
Also, be sure to add the correct service for the setup to work (run in dom0):

# OpenVPN
qvm-service <YourProxyVM> vpn-handler-openvpn --enable