Issues connecting to OpenVPN

Hello everyone,

I am experiencing issues with my VPN setup on a fresh install of Qubes OS 4.2.4 and would appreciate any assistance.


Without network-manager

sys-vpn:

  • I created a sys-vpn qube and tested my connection
    sudo openvpn --config 1.ovpn

I was successfully connected without any issues.

App Qube:

  • I created an App Qube that is supposed to connect to the sys-vpn qube. However, this App Qube does not have internet access. When I run the command curl ifconfig.me in App Qube it hangs indefinitely.
  • I have not configured any firewalls, and I previously had no problems with this VPN setup.

With Network Manager

  1. Network Manager Configuration:
  • I added the Network Manager service to the sys-vpn qube and configured my 1.ovpn file in NM. After this, the connection in the AppQube worked.
  2. Firewall Rules:
  • I configured the firewall in dom0 with the following commands (from this post):
    qvm-firewall sys-vpn reset # (1)
    qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (2)
    qvm-firewall sys-vpn del --rule-no 0 # (3)
  3. Connection Behavior:
  • The connection in the AppQube worked without problems until I restarted the sys-vpn qube. After the restart, I need to reconnect to the VPN in sys-vpn, but I cannot. When I click on my OpenVPN config in Network Manager, it loads indefinitely without success. If I reset the firewall rules using qvm-firewall sys-vpn reset # (1) it works again.

What could be causing the VPN connection to fail after a restart?

Thank you for your help!

Did you change 1.2.3.4 to the IP address of your OpenVPN server from your OpenVPN client config file?
If there are multiple servers in the config file, then you need to add all of them in firewall.

I changed 1.2.3.4 to the correct IP of the OpenVPN server, which is a single server config. I also configured the firewall rules in the Qube settings with the same IP I entered in qvm-firewall, and the firewall works without issues (by setting the ‘Limit outgoing connections to’ option in the Firewall rules tab of the sys-vpn Qube settings).

However, I would prefer to set the firewall using qvm-firewall.

You can use tcpdump, wireshark or nftables logging in the net qube of sys-vpn to see if the VPN connection is passed through. No idea why it doesn’t work with qvm-firewall rules restricting connections.

This was a DNS issue. I tried using qvm-firewall sys-vpn add accept dsthost=myvpnserver.com (or 1.2.3.4), but it didn’t work unless I added a second rule: qvm-firewall sys-vpn add accept specialtarget=dns

Solution: In the wireguard.conf file, I changed Endpoint = myvpnserver.com to Endpoint = 1.2.3.4, and now it works.

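An added example, not code from any poster in this thread: a small Python helper that reads the server hosts out of an OpenVPN or WireGuard client config and builds the dom0 qvm-firewall sequence used above, adding the specialtarget=dns rule only when an endpoint is a hostname rather than an IP. The sample configs are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread); hosts are the thread's placeholders.
SAMPLE_OVPN = ("client\ndev tun\nremote 1.2.3.4 1194 udp\n"
               "remote myvpnserver.com 443 tcp\n;remote old.example.net 1194\n"
               "remote-cert-tls server\n")
SAMPLE_WG = "[Peer]\nEndpoint = myvpnserver.com:51820\n"


def endpoints(config_text):
    """Hosts named by OpenVPN 'remote' or WireGuard 'Endpoint' lines, deduplicated in order."""
    hosts = []
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        ovpn = re.match(r"remote\s+(\S+)", line)  # does not match remote-cert-tls etc.
        wg = re.match(r"endpoint\s*=\s*(\S+)", line, re.IGNORECASE)
        if ovpn:
            host = ovpn.group(1)
        elif wg:
            # Endpoint is host:port or [ipv6]:port; keep only the host part.
            host = wg.group(1).rsplit(":", 1)[0].strip("[]")
        else:
            continue
        if host not in hosts:
            hosts.append(host)
    return hosts


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def firewall_commands(vm, hosts):
    """dom0 commands in the order used in the thread: reset, add accepts, delete rule 0."""
    cmds = [f"qvm-firewall {vm} reset"]
    cmds += [f"qvm-firewall {vm} add accept dsthost={h}" for h in hosts]
    if any(not is_ip_literal(h) for h in hosts):
        # A hostname endpoint must be resolved by the VPN qube, so DNS has to be allowed too.
        cmds.append(f"qvm-firewall {vm} add accept specialtarget=dns")
    cmds.append(f"qvm-firewall {vm} del --rule-no 0")
    return cmds


if __name__ == "__main__":
    print("\n".join(firewall_commands("sys-vpn", endpoints(SAMPLE_OVPN))))
```

Review the printed commands before running them in dom0; a config with several remote lines yields one accept rule per server, as the second post recommends.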