Qubes-vpn-support error (cannot resolve host address)

Hello Qubes community!

I am trying to set up my multiple VPN qubes on 4.1 with fedora-34-minimal as the base. I was able to get NordVPN working but I am struggling to get ProtonVPN running.

I keep getting: cannot resolve host address: x.protonvpn.com name or service not known

Anyone have an idea?

Can you share the instructions you are following to set up ProtonVPN?

The domain x.protonvpn.com does not point to anything, which is why you are getting this error. But it is hard to say how you can fix it without further information.

I have put X instead of the real one for simplicity. I have followed the information on qubes-vpn-support. I am used to doing that on Qubes 4.0. I was able to do ProtonVPN on 4.0.

Bishop

Please, make it easy for us to help you by linking to the instructions you followed.

Can you resolve other domain names in the VM?
Try:
dig google.com

If it says that dig is not a recognized program, install the package bind-utils (temporarily in the AppVM itself) with sudo dnf install bind-utils and try again.

Paste the output here.

I followed the instruction here:

I am making progress. On the other VPN proxy VM, the connection is done by IP address.

dig does not work on either VM, but sudo sg qvpn "dig google.ca" works.

It seems that the user starting the VPN does not have the right to do name resolution.

Ok, thanks for the extra information, it is becoming more clear to me.

When do you get the error listed in your first message? Is it after you run some command? If so, which command is it?

This is very likely a firewall issue. Only the qvpn user can access the network based on the configuration. Are you sure that the vpn is started by the qvpn user?

I get the error in the log if I try to start the service
systemctl start qubes-vpn-handler
or if I try to manually start the tunnel with
sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt

There is nothing in the documentation to start the service as qvpn. And there is no qvpn user, only a group.

I have added the vpn-handler-egress service to the proxy vm and it works. Is there another way?

Bishop

Hi, I am experiencing the same problem @Bishop did.

On Qubes 4.1-rc1 I created a sys-vpn qube, based on fedora-34-minimal and qubes-tunnel.

When I start sys-vpn it cannot connect to my VPN provider. According to journalctl -u qubes-tunnel this is because:

sys-vpn-air qtunnel-setup[776]: 2021-10-23 05:28:03 RESOLVE: Cannot resolve host address: domain.ofmy.vpn.org:443

A workaround is to set the IP address of my VPN provider in /rw/config/qtunnel/qtunnel.conf

remote ipaddres 443

That said, I am not sure why sys-vpn is not resolving DNS. I installed the openresolv package (it did not work) and my resolv.conf file states:

nameserver 10.139.1.1
nameserver 10.139.1.2

Maybe some package is missing in fedora-34-minimal? I tried to install bind-utils but it did not work.

Cheers.

Did you do the link testing suggested at the end of Step 2? That narrows
down the source of connection issues by testing before any
Qubes-vpn-support bits are enabled.

One thing you should try that’s suggested in the Troubleshooting notes
is to add ‘vpn-handler-egress’ to the Services of the VPN VM. This will
disable a set of firewall restrictions that are related only to traffic
originating from inside the VPN VM, so it's not critical for protecting
data streams.
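
The two observations in this thread (a tunnel whose remote is an IP address connects, while name lookups only succeed under the qvpn group) can be checked together. The script below is an added example, not part of any post here or of qubes-vpn-support; its function names are hypothetical, and it assumes getent and sg are installed and that it is run with sudo, like the sg call quoted earlier.

```shell
#!/bin/bash
# Added example; function names are hypothetical, not part of qubes-vpn-support.
# Usage (as root, like the sudo sg call in the thread):
#   sudo bash check-remote-dns.sh /rw/config/vpn/vpn-client.conf

# Print every "remote" host in an OpenVPN config that is a name, not an IP.
remotes_needing_dns() {
    awk '
        $1 == "remote" && NF >= 2 {
            host = $2
            if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next  # IPv4 literal
            if (host !~ /^[A-Za-z0-9.-]+$/) next  # IPv6 literal or unsafe chars
            print host
        }' "$1"
}

# Return 0 if host $1 resolves; if $2 is given, do the lookup under that group.
resolves() {
    if [ -n "${2:-}" ]; then
        sg "$2" -c "getent hosts $1" >/dev/null 2>&1
    else
        getent hosts "$1" >/dev/null 2>&1
    fi
}

# For each name in config $1, compare a plain lookup with one under qvpn.
check_config() {
    for host in $(remotes_needing_dns "$1"); do
        if resolves "$host"; then plain=ok; else plain=FAIL; fi
        if resolves "$host" qvpn; then grp=ok; else grp=FAIL; fi
        echo "$host: caller=$plain qvpn-group=$grp"
    done
}

if [ -n "${1:-}" ]; then
    check_config "$1"
fi
```

A line reading caller=FAIL qvpn-group=ok matches what was reported above: the resolver itself answers, and only lookups made outside the qvpn group are blocked.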