Good afternoon, please help me!
The Internet does not work in the OpenVPN qube.
Qubes R4.2.1
Debian-12
Config: vpn-client.conf, to which I added `redirect-gateway def1` and DNS servers from OpenDNS.
We used the updated Qubes-vpn-support script from @1cho1ce
(on earlier versions of Qubes everything was fine, until nftables appeared)
git clone https://github.com/1cho1ce/Qubes-vpn-support (GitHub - 1cho1ce/Qubes-vpn-support: VPN configuration in Qubes OS)
cd Qubes-vpn-support
git checkout replace-iptables-with-nftables
Chain 1:
sys-net - sys-firewall - sys-vpn - work | No Internet in sys-vpn or work
Chain 2:
sys-net - sys-firewall - sys-vpn - sys-whonix - work | No Internet in sys-vpn; work connects!
I checked chain 1 with ping 8.8.8.8 (no packets) and with Firefox opening a site in each qube. I can't understand the reason; maybe it is in DNS.
When sys-vpn starts I get the notification "sys-vpn: Link is UP".
nftables in sys-vpn:
sudo nft list ruleset
table ip qubes {
    set downstream {
        type ipv4_addr
        elements = { 10.137.0.11 }
    }
    set allowed {
        type ifname . ipv4_addr
        elements = { "vif41.0" . 10.137.0.11 }
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifgroup 2 goto antispoof
        ip saddr @downstream counter packets 0 bytes 0 drop
    }
    chain antispoof {
        iifname . ip saddr @allowed accept
        counter packets 0 bytes 0 drop
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifgroup 2 accept
        oif "lo" accept
        masquerade
    }
    chain input {
        type filter hook input priority filter; policy drop;
        jump custom-input
        ct state invalid counter packets 0 bytes 0 drop
        iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
        ct state established,related accept
        iifgroup 2 meta l4proto icmp accept
        iif "lo" accept
        iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
        counter packets 1 bytes 576
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        jump custom-forward
        ct state invalid counter packets 0 bytes 0 drop
        ct state established,related accept
        oifgroup 2 counter packets 0 bytes 0 drop
    }
    chain custom-input {
    }
    chain custom-forward {
        iifgroup 9 oifgroup 2 accept
        iifgroup 2 oifgroup 9 accept
        iifgroup 1 drop
        oifgroup 1 drop
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oifgroup 1 meta skgid 993 accept
        oif "lo" accept
        meta l4proto icmp meta skgid 993 accept
    }
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
        iifgroup 2 ip daddr 10.139.1.1 tcp dport 53 dnat to 208.67.220.220
        iifgroup 2 ip daddr 10.139.1.1 udp dport 53 dnat to 208.67.220.220
        iifgroup 2 ip daddr 10.139.1.2 tcp dport 53 dnat to 208.67.220.220
        iifgroup 2 ip daddr 10.139.1.2 udp dport 53 dnat to 208.67.220.220
    }
}
table ip6 qubes {
    set downstream {
        type ipv6_addr
    }
    set allowed {
        type ifname . ipv6_addr
    }
    chain antispoof {
        iifname . ip6 saddr @allowed accept
        counter packets 0 bytes 0 drop
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifgroup 2 goto antispoof
        ip6 saddr @downstream counter packets 0 bytes 0 drop
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifgroup 2 accept
        oif "lo" accept
        masquerade
    }
    chain _icmpv6 {
        meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
        icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
        accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        jump custom-input
        ct state invalid counter packets 0 bytes 0 drop
        ct state established,related accept
        iifgroup 2 goto _icmpv6
        iif "lo" accept
        ip6 saddr XXXX::/64 udp dport 546 accept
        meta l4proto ipv6-icmp accept
        counter packets 0 bytes 0
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        jump custom-forward
        ct state invalid counter packets 0 bytes 0 drop
        ct state established,related accept
        oifgroup 2 counter packets 0 bytes 0 drop
    }
    chain custom-input {
    }
    chain custom-forward {
        iifgroup 9 oifgroup 2 accept
        iifgroup 2 oifgroup 9 accept
        iifgroup 1 drop
        oifgroup 1 drop
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oifgroup 1 meta skgid 993 accept
        oif "lo" accept
        meta l4proto icmp meta skgid 993 accept
    }
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
    }
}
table ip qubes-firewall {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname != "vif*" accept
        ip saddr 10.137.0.11 jump qbs-10-137-0-11
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname != "vif*" ip saddr 10.137.0.11 drop
    }
    chain postrouting {
        type filter hook postrouting priority raw; policy accept;
        oifname != "vif*" ip daddr 10.137.0.11 drop
    }
    chain qbs-10-137-0-11 {
        accept
        reject with icmp admin-prohibited
    }
}
table ip6 qubes-firewall {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname != "vif*" accept
    }
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
    }
    chain postrouting {
        type filter hook postrouting priority raw; policy accept;
    }
}
table inet qubes-nat-accel {
    flowtable qubes-accel {
        hook ingress priority filter
        devices = { eth0, lo, vif41.0 }
    }
    chain qubes-accel {
        type filter hook forward priority filter + 5; policy accept;
        meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel
        counter packets 4471 bytes 2697580
    }
}
If I run `sudo openvpn <config>` by hand instead, then it works.
I think the problem is in DNS or nftables
Please help me, it's already been 3 days of bad experience, thank you!
Please do not suggest WireGuard or any other method other than the Qubes-vpn-support script