I just installed the proper Qubes 4.1 version (been running the alpha 4.1 a long time) and now I can’t seem to get the qubes-tunnel to work. If I enable the qubes-tunnel service in my vpn qube then all outgoing traffic seems to be blocked (including the VPN traffic) resulting in ping not working as well as the VPN failing its DNS queries:
systemd[1]: Starting Tunnel service for Qubes proxyVM...
su[1050]: (to user) root on none
su[1050]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0)
su[1050]: pam_unix(su-l:session): session closed for user user
qtunnel-setup[1069]: START-ing network forwarding!
qtunnel-setup[1068]: EXEC /usr/sbin/openvpn --cd /rw/config/qtunnel/ --config /tmp/qtunnel.conf --verb 3 --mlock --ping 10 --ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 --group qtunnel --script-security 2 --up "/usr/lib/qubes/qtunnel-connect up" --down "/usr/lib/qubes/qtunnel-connect down" --auth-user-pass /tmp/tunneluserpwd.txt
systemd[1]: Started Tunnel service for Qubes proxyVM.
qtunnel-setup[1072]: 2022-02-09 22:28:15 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
qtunnel-setup[1072]: 2022-02-09 22:28:15 OpenVPN 2.5.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 27 2022
qtunnel-setup[1072]: 2022-02-09 22:28:15 library versions: OpenSSL 1.1.1l FIPS 24 Aug 2021, LZO 2.10
qtunnel-setup[1072]: 2022-02-09 22:28:15 mlockall call succeeded
qtunnel-setup[1072]: 2022-02-09 22:28:15 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
qtunnel-setup[1072]: 2022-02-09 22:28:15 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
qtunnel-setup[1072]: 2022-02-09 22:28:15 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
qtunnel-setup[1072]: 2022-02-09 22:28:15 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
qtunnel-setup[1072]: 2022-02-09 22:28:15 RESOLVE: Cannot resolve host address: se.ovpn.azirevpn.net:1194 (Temporary failure in name resolution)
qtunnel-setup[1072]: 2022-02-09 22:28:15 RESOLVE: Cannot resolve host address: se.ovpn.azirevpn.net:1194 (Temporary failure in name resolution)
qtunnel-setup[1072]: 2022-02-09 22:28:20 RESOLVE: Cannot resolve host address: se.ovpn.azirevpn.net:1194 (Temporary failure in name resolution)
qtunnel-setup[1072]: 2022-02-09 22:28:25 RESOLVE: Cannot resolve host address: se.ovpn.azirevpn.net:1194 (Temporary failure in name resolution)
qtunnel-setup[1072]: 2022-02-09 22:28:25 Could not determine IPv4/IPv6 protocol
qtunnel-setup[1072]: 2022-02-09 22:28:25 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
qtunnel-setup[1072]: 2022-02-09 22:28:25 SIGUSR1[soft,init_instance] received, process restarting
qtunnel-setup[1072]: 2022-02-09 22:28:25 Restart pause, 5 second(s)
This is the output from sudo journalctl -u qubes-tunnel. I’m also receiving the continuous popup notifications stating ‘Ready to start link’.
Without the qubes-tunnel service I can ping and connect to the internet just fine, but obviously there’s no VPN.
This VPN configuration works fine on my other devices currently.
Am I missing something here?