[qubes-users] Qubes 4.2: qubes-tunnel not working after upgrade (cannot resolve hostname)

Hi there,

vpnVM and netVM both in-place upgrades from Q4.1 (and worked fine
there). Template is fedora 38.
NetVM is online, ping of vpn server hostname is fine within netVM.
Ping and dig do not work within vpnVM, but afair that is intended (leak
prevention of qubes-tunnel)

I tried to restart qubes-tunnel servcie, tried to restart vpnVM. tried
to disconnect and reconnect. I tried to reboot QubesOS.

Did something change between 4.1 and 4.2 regarding DNS handling? Do I
need to configure a policy file or something?


This is on the Forum:



The forum post does not use qubes-tunnel and I do not use wireguard (but openVPN) - so I do not see how this post solves my issue?!

– You received this message because you are subscribed to the Google Groups “qubes-users” group. To unsubscribe from this group and stop receiving emails from it, send an email to . To view this discussion on the web visit .


Part of the answer may be that Q4.2 switched from iptables to nftables and qubes-tunnel has not been adapted for this
(However I am not sure whether this holds for fedora38 templates that were in-place upgrades from 4.1 to 4.2 or only for “native” 4.2 templates obtained from the server.): https://forum.qubes-os.org/t/can-t-get-the-qubesos-contrib-qubes-tunnel-to-work-in-4-2/22054

Anyways, using the openvpn command directly results in the same “cannot resolve” issue, even if qubes-tunnel service is not started.

So I created a new AppVM (as ProxyVMs and NetVMs cannot be selected in Q4.2 “create Qube”) that provides networking and followed Readme.md of
https://github.com/1cho1ce/Qubes-vpn-support/tree/replace-iptables-with-nftables - I was asked for the credentials during install step and again during the setup step

openvpn command and ping are successful now.

After following the steps, no “LINK IS UP” popup appears. There is no service for any of the two names involved. Somewhere near the bottom of readme.md I find that confusingly the service name is qubes-vpn-handler.

In its status I get: ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=1/FAILURE)

If I run /usr/lib/qubes/qubes-vpn-setup --check-firewall
manually, no output is shown.

VPN troubleshooting still references iptables, which seems to not apply for Q 4.2 anymore

So what is wrong here? how can I make vpn leak-proof again with Qubes 4.2?