[SOLVED] 4.2 broke my oVPN qubes: Connection refused (fd=3,code=111)

(Scroll down for solution.)


ORIGINAL POST

Fresh 4.2 install

I strictly followed this (or this).

I had 4 working VPN qubes in 4.1 following the guide; now I get an ovpn error message, so I am doing something wrong.


Whenever I run sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
I get the error:

read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)

2024-04-04 14:57:28 write UDPv4 []: Operation not permitted (fd=3,code=1)

I tried to troubleshoot:

sudo journalctl -u qubes-vpn-handler

-- No entries --

sudo iptables -L -v

sudo: iptables: command not found

Hmm, ok?? I installed it in the template and rebooted the VM. Then I get:

user@vpnqube:/rw/config/vpn$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
user@vpnqube:/rw/config/vpn$ sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

Nothing in /var/logs/syslog

I don't think this is because I use iptables and a script (fail-closed/killswitch threat model requirement). I looked here, here and here. I don't use minimal templates, just fed39 and deb12.

I think I need to open a port somewhere? How and where? What am I doing wrong? I'm sad.

E1&2: Formatting
E3: I read more about nftables being used instead of iptables? Is there any orderly 4.2 VPN guide for Mullvad / ovpn?
Networking is super hard…


How I got my VPN qube / ProxyVM working

Requirements

  • Mullvad VPN
  • Use TCP, not UDP
  • Debian 12 template
  • Nftables replaces iptables

Step 1 - Prepare Template

Install openvpn in the Debian template: sudo apt install openvpn. nftables is already installed for me.

Step 2 - Create new qube.

Apply these settings:

  • Network: sys-firewall
  • Advanced: Check Provides network access to other qubes.
  • Check Launch qube settings after creating
  • Create, wait for settings or go to qube settings, then:
  • Go to Services > Select a service: > Custom > + Add > Name of service: vpn-handler-openvpn
  • Apply & OK

Note: Do not add any other network services or managers.

Step 3 - Create dir /rw/config/vpn

sudo mkdir -p /rw/config/vpn

Step 4 - Downloads and config files

ovpn config file

  • Go to mullvad.net
  • Account > Downloads > OpenVPN configuration > Linux > choose location > Advanced settings: TCP 443 > Download .zip archive
  • Extract .zip

Qubes-vpn-support-replace-iptables-with-nftables.zip

Step 5 - Copy the files

Copy all downloaded files to the ProxyVM’s ‘/rw/config/vpn’ folder.

Change config file name to ‘vpn-client.conf’

e.g. sudo cp mullvad_*.conf vpn-client.conf

Step 6 - Test connection (before script)

In the VPN qube, first check that there is a connection with ping qubes-os.org,

then

sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt

userpassword.txt might be mullvad_userpass.txt

I just copied both with sudo cp mullvad_userpass.txt userpassword.txt

You should see ‘Attempting to establish TCP connection with xxx’ and no errors.

Make sure the ports in the config file are correct (thanks @DVM).

Step 7 - Install scripts

In /rw/config/vpn you should have unzipped Qubes-vpn-support-replace-iptables-with-nftables.

Now install with:

cd Qubes-vpn-support-replace-iptables-with-nftables
sudo bash ./install

Step 8 - Restart VM, check connection

Reboot the VPN qube and it should now start with

Ready to start link and shortly after LINK IS UP


Thanks for all the quick responses and help!

Qubes 4.2 switched to nftables.

I see qubes-vpn-handler there, so you can use the following which works with nftables:

Also, Fedora now uses SELinux, which could be the cause of the “Operation not permitted” error if you use it.
You can temporarily disable it with this command:

sudo setenforce 0

Qubes 4.2 uses nftables, not iptables. (Thus command not found.)
In those old guides you need to replace the iptables calls with the nft
equivalents.
The tables and chain structure is different in 4.2 so the rules you
apply, and where you apply them, will be different.

What script are you trying to use?

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.
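The reply above says the iptables rules from the 4.1 guides have nft equivalents, but in a different table and chain layout. As an added illustration of what a fail-closed ruleset looks like in nftables syntax (this is not code from the thread or from the Qubes-vpn-support project), the POSIX shell script below emits a minimal killswitch and can be run by OpenVPN as an up script. It keeps its own table, "inet vpn_killswitch" (an assumed name), beside the "qubes" table that Qubes 4.2 manages, lets the qube itself send cleartext only to the VPN server's address and port, and lets traffic forwarded from downstream qubes leave only through the tun device. The server address 203.0.113.10 is a constructed value; "dev", "trusted_ip", "trusted_port", "proto_1" and "script_type" are environment variables OpenVPN exports to up/down scripts; the up-script path in the comments is assumed. DNS redirection for downstream qubes, which the real handler script takes care of, is not covered here.

```shell
#!/bin/sh
# Minimal fail-closed ("killswitch") nftables ruleset for a Qubes 4.2 VPN qube.
# Added example, not code from the thread or the Qubes-vpn-support project.
# It creates its own table (inet vpn_killswitch, an assumed name) next to the
# "qubes" table that Qubes 4.2 manages; nftables evaluates every base chain
# registered at a hook and a drop in any of them is final, so this table can
# only tighten what the Qubes rules already allow, never loosen it.

# Print the ruleset for tun device DEV, VPN server SERVER, protocol PROTO
# (tcp or udp) and PORT. Declaring the table before deleting it makes the
# delete succeed on the first run, so the script is safe to re-run.
vpn_killswitch_rules() {
    dev=$1; server=$2; proto=$3; port=$4
    cat <<EOF
table inet vpn_killswitch
delete table inet vpn_killswitch
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # the only cleartext path out of this qube: the VPN server itself
        ip daddr $server $proto dport $port accept
        # everything else the qube sends must go through the tunnel
        oifname "$dev" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # downstream qubes may only reach the tunnel; with $dev gone they get nothing
        oifname "$dev" accept
    }
}
EOF
}

# Load the ruleset atomically (needs root and the nft binary in the qube).
apply_killswitch() {
    vpn_killswitch_rules "$@" | nft -f -
}

# When OpenVPN runs this file as an up script (script-security 2 and
# "up /rw/config/vpn/killswitch.sh" in the config, an assumed path), take the
# parameters from the environment OpenVPN exports. proto_1 looks like
# "tcp-client" or "udp", so reduce it to the nft keyword first.
if [ "${script_type:-}" = "up" ]; then
    case "${proto_1:-udp}" in tcp*) nft_proto=tcp ;; *) nft_proto=udp ;; esac
    apply_killswitch "$dev" "$trusted_ip" "$nft_proto" "$trusted_port"
fi

# Stand-alone: sh killswitch.sh --print shows the rules for a constructed
# example server (203.0.113.10 over TCP 443) without applying anything.
if [ "${1:-}" = "--print" ]; then
    vpn_killswitch_rules tun0 203.0.113.10 tcp 443
fi
```

The table is deliberately not removed on "down": when the tunnel drops, the tun device disappears, the accept rules stop matching and the policy drop in both chains holds until the next successful up. Whatever Qubes 4.2 allows in its own table still has to pass this table's forward chain, so a downstream qube never reaches the upstream network in the clear.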

Ok, I tried fresh, from 1cho1ce:

1. Next, add vpn-handler-openvpn to the ProxyVM’s Settings / Services tab by typing it into the top line and clicking the plus icon. Do not add other network services such as Network Manager.

I create new qube: qubevpn, it provides network access. Template: deb12 (with ovpn & nftables).

I create custom service in Settings GUI of qubevpn called: vpn-handler-openvpn

2. Copy the VPN config files from your service provider to the ProxyVM’s ‘/rw/config/vpn’ folder, then copy or link the desired config to ‘vpn-client.conf’:

I made the /rw/config/vpn folder with sudo mkdir -p /rw/config/vpn
and copied the files to /rw/config/vpn with sudo.

3. Test connection

I tested the connection and got an error:

sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt

2024-04-05 09:55:15 read UDPv4 [ECONNREFUSED]: Connection refused (fd=3,code=111)

I tried with sys-firewall and sys-net, same error.

If I use the Fedora template I get a missing /etc dir:

Options error: --up script fails with ‘/etc/openvpn/update-resolv-conf’: No such file or directory (errno=2)

In Debian I find update-resolv-conf in /etc/openvpn.

Troubleshooting

From 1cho1ce

Connections should be manually tested with a command like sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt before the script ‘install’ step. This is a good idea because it shows whether or not the basic link is working before Qubes-specific scripts become a factor.

I don't get a basic connection. Ok, if I ping I get a response:
ping qubes-os.org

PING qubes-os.org (188.114.97.0) 56(84) bytes of data.
64 bytes from 188.114.97.0 (188.114.97.0): icmp_seq=1 ttl=57 time=5.71 ms
64 bytes from 188.114.97.0 (188.114.97.0): icmp_seq=2 ttl=57 time=7.22 ms
64 bytes from 188.114.97.0 (188.114.97.0): icmp_seq=3 ttl=57 time=5.99 ms
^C
--- qubes-os.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms

and

sudo journalctl -u qubes-vpn-handler
-- No entries --

I strictly followed Set up a ProxyVM as a VPN gateway using iptables and CLI scripts for 4.1. I don't use any custom scripts; I'm not advanced.

For 4.2 I have tried many things, but it seems like I cannot get a connection before the scripts…

I tried again

How can I better troubleshoot? It seems like I'm missing something obvious.

Are you sure that your VPN server is working and your VPN client config is correct?
Or maybe you have some firewall blocking the connection outside of Qubes OS?


Are you sure that your VPN server is working and your VPN client config is correct?

I use Mullvad, which worked on 4.1. I don’t change config file unless it’s advised.

Old config:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf xxxxxx
rcvbuf xxxxxx
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp
auth-user-pass mullvad_userpass.txt
ca mullvad_ca.crt
tun-ipv6
script-security 2
up 'qubes-vpn-handler.sh up' #added by me
down 'qubes-vpn-handler.sh down' #added by me
redirect-gateway def1 #added by me
remote-random
remote ip xxx

New config:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf xxxxxx
rcvbuf xxxxxx
cipher AES-256-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
proto udp
auth-user-pass mullvad_userpass.txt
ca mullvad_ca.crt
tun-ipv6
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
fast-io
remote-random
IP xxx

Or maybe you have some firewall blocking the connection outside of Qubes OS?

Unlikely, unless I’m compromised which is possible but then someone is really wasting their time and money on me.

Can you try to connect using TCP as in old config?


user@aVPN:~$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt

2024-04-05 11:04:24 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
2024-04-05 11:04:24 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2024-04-05 11:04:24 WARNING: file 'userpassword.txt' is group or others accessible
2024-04-05 11:04:24 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-04-05 11:04:24 library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
2024-04-05 11:04:24 DCO version: N/A
2024-04-05 11:04:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-04-05 11:04:24 NOTE: --fast-io is disabled since we are not using UDP
2024-04-05 11:04:24 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx
2024-04-05 11:04:24 Socket Buffers: R=[xxxxxx->xxxxxx] S=[xxxxx->xxxxx]
2024-04-05 11:04:24 Attempting to establish TCP connection with [AF_INET]IPxxx:1302
2024-04-05 11:04:24 TCP: connect to [AF_INET]IPxxx:1302 failed: Connection refused
2024-04-05 11:04:24 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2024-04-05 11:04:24 Restart pause, 1 second(s)

2024-04-05 11:05:18 Restart pause, 8 second(s)
^C2024-04-05 11:05:24 SIGINT[hard,init_instance] received, process exiting

Changed something, but still 'connection refused'.

1302 is a UDP port. Mullvad supports 80, 443 and 1401 for TCP. Replace the port with one of these and try again.


Thanks, that's it. Why doesn't UDP work? I'll edit the first post.

Not sure, there could be several reasons. Your network could be blocking the UDP packets from going to the server.
Mullvad uses these UDP ports, if you want to try some of them and see if one might work in your situation:
53, 1194, 1195, 1196, 1197, 1300, 1301, 1302, 1303, 1400

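Step 6 of the guide says to test the connection by hand before the install step and to make sure the ports in the config file are correct; the last two replies give the ports Mullvad serves over TCP (80, 443, 1401) and over UDP. The POSIX shell script below is an added example (not part of the thread, of Mullvad's download, or of the Qubes-vpn-support project) that puts those pre-flight checks in one place so they run before openvpn is even started: it reads the proto and remote lines of vpn-client.conf and rejects a port that is not served for that proto (the 1302-over-TCP mistake above), checks that the credentials file is not group/others readable (the WARNING in the log above), and checks that any up/down script path exists (the Fedora /etc/openvpn/update-resolv-conf failure earlier in the thread). The port lists are the ones quoted in the thread, the 203.0.113.x addresses in the sample config are constructed, and the file name vpn-preflight.sh is assumed.

```shell
#!/bin/sh
# Pre-flight checks for an OpenVPN client config before the qubes-vpn-handler
# scripts are installed. Added example, not code from the thread, from Mullvad
# or from the Qubes-vpn-support project. It checks the three things that went
# wrong in this thread: a port that does not match "proto", a credentials file
# readable by group/others, and an up/down script path that does not exist.

# Ports the thread lists as served by Mullvad's OpenVPN endpoints.
MULLVAD_TCP_PORTS="80 443 1401"
MULLVAD_UDP_PORTS="53 1194 1195 1196 1197 1300 1301 1302 1303 1400"

# Return 0 when PORT ($2) is one Mullvad serves for PROTO ($1, an OpenVPN proto value).
port_ok_for_proto() {
    case "$1" in
        tcp|tcp-client|tcp4|tcp4-client) list=$MULLVAD_TCP_PORTS ;;
        udp|udp4)                        list=$MULLVAD_UDP_PORTS ;;
        *)                               return 1 ;;
    esac
    for p in $list; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# Print the first value of directive KEY ($2) in config FILE ($1), quotes
# stripped, so "up 'qubes-vpn-handler.sh up'" yields qubes-vpn-handler.sh.
cfg_value() {
    awk -v key="$2" -v q="'" '$1 == key { gsub("[" q "\"]", "", $2); print $2; exit }' "$1"
}

# Return 0 when FILE has no group or other permission bits, i.e. OpenVPN would
# not print "file ... is group or others accessible" for it.
creds_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check CONFIG ($1) and optionally the credentials file passed on the openvpn
# command line with --auth-user-pass ($2); print one line per problem, return 1 if any.
vpn_preflight() {
    cfg=$1
    cfgdir=$(dirname "$cfg")
    problems=0
    [ -r "$cfg" ] || { echo "config not readable: $cfg"; return 1; }

    proto=$(cfg_value "$cfg" proto)
    [ -n "$proto" ] || { echo "no proto line in $cfg"; problems=$((problems + 1)); }

    # Every "remote <host> [port]" line must use a port Mullvad serves on that
    # proto (OpenVPN defaults the port to 1194 when it is omitted).
    bad=$(awk '$1 == "remote" { print $2, ($3 == "" ? 1194 : $3) }' "$cfg" |
          while read -r host port; do
              port_ok_for_proto "$proto" "$port" ||
                  echo "remote $host: port $port is not a Mullvad $proto port"
          done)
    [ -z "$bad" ] || { echo "$bad"; problems=$((problems + 1)); }

    creds=${2:-$(cfg_value "$cfg" auth-user-pass)}
    if [ -n "$creds" ]; then
        case "$creds" in /*) path=$creds ;; *) path=$cfgdir/$creds ;; esac
        if [ ! -f "$path" ]; then
            echo "credentials file missing: $path"; problems=$((problems + 1))
        elif ! creds_private "$path"; then
            echo "credentials file is group/others readable, run: chmod 600 $path"
            problems=$((problems + 1))
        fi
    fi

    # Relative script paths resolve against the config dir, as with openvpn --cd.
    for key in up down; do
        script=$(cfg_value "$cfg" "$key")
        [ -n "$script" ] || continue
        case "$script" in /*) path=$script ;; *) path=$cfgdir/$script ;; esac
        [ -e "$path" ] || { echo "$key script not found: $path"; problems=$((problems + 1)); }
    done

    [ "$problems" -eq 0 ]
}

# Write a constructed (not real Mullvad) config with proto $2 and port $3 into
# DIR ($1), plus a 600-mode credentials file and an empty handler script.
make_sample_config() {
    cat > "$1/vpn-client.conf" <<EOF
client
dev tun
proto $2
remote 203.0.113.10 $3
remote 203.0.113.11 $3
auth-user-pass userpassword.txt
script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'
EOF
    printf 'user\npass\n' > "$1/userpassword.txt"
    chmod 600 "$1/userpassword.txt"
    : > "$1/qubes-vpn-handler.sh"
}

# Usage: sh vpn-preflight.sh /rw/config/vpn/vpn-client.conf [userpassword.txt]
#        sh vpn-preflight.sh --demo   (the thread's failing case, then the fix)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_config "$tmp" tcp 1302
    vpn_preflight "$tmp/vpn-client.conf" || echo "=> fix the config first"
    make_sample_config "$tmp" tcp 443
    vpn_preflight "$tmp/vpn-client.conf" && echo "=> ready to test with openvpn"
    rm -rf "$tmp"
elif [ $# -gt 0 ]; then
    vpn_preflight "$@"
fi
```

Run it inside the VPN qube as sh vpn-preflight.sh /rw/config/vpn/vpn-client.conf userpassword.txt; a non-zero exit means openvpn would fail or warn for the reason printed. What the script cannot see, such as the server itself being unreachable or UDP being filtered on the local network, still needs the manual openvpn test from Step 6.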