I can’t make the openvpn work

Have been using Qubes for about 5 years without any major issues. But since the 4.1 version up to the current testing Qubes-R4.2.0-rc5-x86_64.iso I can’t make the openvpn work in ether the sys-vm, nor any separate VM both with Network manager and without. I tried using both fedora-38 and debian-12, still no result. Seems either dns or firewall problem.
GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS stopped working in both the 4.1.2 and 4.2.0-rc5
I only managed to make the debian-11 template to work on Qubes-R4.1.2-x86_64.iso but it’s insecure since reached the end of life.

I also have somewhat a little bit blurred screen after enabling the display scaling ratio to 0.5 since I have 4K monitor in the Qubes-R4.2.0-rc5-x86_64.iso. It seems counter intuitive to not setting it to 2X, but it’s mainly the Fedora itself bug. But still it’s way better than not having this option at all, like in 4.1.2 stable release, where I didn’t manage to enlarge the Qubes Manager and debian templates whatever I tried.

The VPN issue is of the main priority, since I can’t use Qubes any more.

I use qubes-vpn-support and it works, I’ve never had any problems with it.
Debian-11 is not end-of-life, it has long-term support until 2026.

For Qubes 4.2, you need to use the nftables version, since Qubes is switching from iptables to it. Check out the pull request below:

1 Like

Thanks, DVM. I managed to make it working on Debian-12 from replace-iptables-with-nftables branch. Many thanks to 1cho1ce :slight_smile:
As to Fedora-38, I had some vpn config issues regarding cipher and keys, if someone could help I could post the logs in the appropriate thread.

As for Debian-11 EOL it seems I was wrong, since I thought it would be the same as with Fedora-37 reaching EOL on 2023-11-21. Thanks for clarification)

As for qubes-vpn-support from tusket master branch, it doesn’t work on new templates Debian-12 and Fedora-38 on the 4.1.2 stable release. As far as I know 4.1.2 doesn’t use nftables yet instead of iptables

But note that Qubes follows the regular EOL date, not the LTS EOL date:


Nonetheless, Debian 11 has not reached its regular EOL date yet:



Good to know. So Debian 11 will be EOL (for Qubes) in about 6 months.

1 Like

I created a dedicated topic for this problem.

1 Like

How do i do this? Ive never used iptables before. On 4.1 i used openvpn, network manager and firewall settings in qubes settings

Why does 4.2 seem more difficult to use than 4.1

You need to clone the repo and then checkout to the correct branch:

git clone https://github.com/1cho1ce/Qubes-vpn-support
cd Qubes-vpn-support
git checkout replace-iptables-with-nftables

Then continue with the installation script:

sudo bash ./install

I would recommend installing it in a new ProxyVM instead of the template. Use the template only to install openvpn.
Also, be sure to add the correct service for the setup to work (run in dom0):

# OpenVPN
qvm-service <YourProxyVM> vpn-handler-openvpn --enable