Sadly, I currently cannot get DNS to work in this setup unless I hard-overwrite resolv.conf — neither in the sys-vpn qube nor in a connected AppVM qube — and I still can’t figure out why. Maybe you or someone else could help me with this.
This is the sys-vpn configuration:
openvpn-client.ovpn
auth-user-pass pass.txt
client
dev tun
hand-window 120
inactive 604800
mute-replay-warnings
nobind
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
remote-random
reneg-sec 3600
script-security 2
tls-cipher TLS_CHACHA20_POLY1305_SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS_AES_256_GCM_SHA384:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4
route-delay 2
resolv-retry 60
route-method exe
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
proto udp
remote 95.168.167.236 44
remote 95.168.167.236 443
remote 95.168.167.236 4433
remote 95.211.95.233 44
remote 95.211.95.233 443
remote 95.211.95.233 4433
remote 95.211.95.244 44
remote 95.211.95.244 443
remote 95.211.95.244 4433
remote 37.48.94.1 44
remote 37.48.94.1 443
remote 37.48.94.1 4433
remote 85.17.64.131 44
remote 85.17.64.131 443
remote 85.17.64.131 4433
remote 85.17.28.145 44
remote 85.17.28.145 443
remote 85.17.28.145 4433
data-ciphers AES-256-GCM
auth SHA512
remote-cert-tls server
<ca>
###removed###
</ca>
<cert>
###removed###
</cert>
<key>
###removed###
</key>
<tls-crypt>
###removed###
</tls-crypt>
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'
qubes-vpn-handler.sh
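#!/bin/bash
# OpenVPN up/down hook for the sys-vpn ProxyVM.
# openvpn runs it (script-security 2) as:  qubes-vpn-handler.sh up|down
#
# 'up'   : rebuilds the 'dnat-dns' chain of the 'ip qubes' nft table so that
#          DNS queries (tcp/udp port 53) arriving from downstream qubes on
#          vif* interfaces are DNATed to the VPN-provided resolvers.  Queries
#          originating inside this qube itself never hit that chain.
# 'down' : notifies the user and re-runs rc.local to restart the client.
#
# Environment read:  vpn_dns (optional override), foreign_option_* (set by openvpn)
set -e
export PATH="$PATH:/usr/sbin:/sbin"

# Show a desktop notification in the 'user' session.
# $1 - message text, $2 - icon name
notify() {
  su - -c "notify-send \"\$(hostname): $1\" --icon=$2" user
}

# True when $1 is a plain dotted-quad IPv4 literal.
is_ipv4() {
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ "$1" =~ $re ]]
}

case "$1" in
  up)
    # To override the DNS servers pushed by the VPN, assign them to the
    # 'vpn_dns' env variable before openvpn starts; format: 'X.X.X.X Y.Y.Y.Y [...]'
    if [[ -z "$vpn_dns" ]]; then
      # openvpn exports pushed DHCP options as
      # foreign_option_N='dhcp-option DNS X.X.X.X'; collect every DNS entry.
      for optionname in ${!foreign_option_*}; do
        unset fops
        read -r -a fops <<< "${!optionname}"
        if [[ "${fops[1]:-}" == "DNS" ]]; then
          vpn_dns="$vpn_dns ${fops[2]}"
        fi
      done
    fi

    # The addresses come from the remote VPN server; keep only plain IPv4
    # literals so nothing else ends up on the nft command line.
    dns_addrs=()
    for addr in $vpn_dns; do   # word-splitting intended
      if is_ipv4 "$addr"; then
        dns_addrs+=("$addr")
      else
        printf 'qubes-vpn-handler: ignoring non-IPv4 DNS entry %s\n' "$addr" >&2
      fi
    done

    nft flush chain ip qubes dnat-dns
    if (( ${#dns_addrs[@]} > 0 )); then
      # Set DNS address translation in the firewall.
      # NOTE(review): the first matching dnat rule is presumably the one that
      # applies, so the first address is the one actually used — confirm.
      for addr in "${dns_addrs[@]}"; do
        nft add rule qubes dnat-dns iifname == "vif*" tcp dport 53 dnat "$addr"
        nft add rule qubes dnat-dns iifname == "vif*" udp dport 53 dnat "$addr"
      done
      # echo "setup ips: ${vpn_dns}" > /rw/config/vpn/dns.log
      notify "LINK IS UP." network-idle
    else
      notify "LINK UP, NO DNS!" dialog-error
    fi
    ;;
  down)
    notify "LINK IS DOWN !" dialog-error
    # Restart the VPN automatically: rc.local launches the client again.
    sleep 5s
    sudo /rw/config/rc.local
    ;;
esac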
user@sy
dns.log
setup ips: 37.48.94.55 185.17.184.3
rc.local
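# rc.local for the sys-vpn ProxyVM: run at boot and re-run by
# qubes-vpn-handler.sh on 'down' to restart the client.
# The client is started under the 'qvpn' supplementary group; the output
# chain of the 'ip qubes' nft table only accepts eth0 traffic with
# 'meta skgid 992' (presumably qvpn's gid — confirm) and drops the rest.
VPN_CLIENT='openvpn'
VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
groupadd -rf qvpn ; sleep 2s
sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
# Double quotes so $VPN_CLIENT is expanded here; the login shell started by
# 'su -' does not inherit it, so the single-quoted form printed an empty name.
su - -c "notify-send \"\$(hostname): Starting ${VPN_CLIENT}...\" --icon=network-idle" user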
output of nft list table ip qubes
table ip qubes {
set downstream {
type ipv4_addr
}
set allowed {
type ifname . ipv4_addr
}
chain prerouting {
type filter hook prerouting priority raw; policy accept;
iifgroup 2 goto antispoof
ip saddr @downstream counter packets 0 bytes 0 drop
}
chain antispoof {
iifname . ip saddr @allowed accept
counter packets 0 bytes 0 drop
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifgroup 2 accept
oif "lo" accept
masquerade
}
chain input {
type filter hook input priority filter; policy drop;
jump custom-input
ct state invalid counter packets 0 bytes 0 drop
iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
ct state established,related accept
iifgroup 2 meta l4proto icmp accept
iif "lo" accept
iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
counter packets 0 bytes 0
}
chain forward {
type filter hook forward priority filter; policy accept;
jump custom-forward
ct state invalid counter packets 0 bytes 0 drop
ct state established,related accept
oifgroup 2 counter packets 0 bytes 0 drop
}
chain custom-input {
}
chain custom-forward {
iifname "eth0" counter packets 0 bytes 0 drop
oifname "eth0" counter packets 0 bytes 0 drop
}
chain output {
type filter hook output priority filter; policy accept;
oifname "eth0" meta skgid 992 accept
oifname "eth0" counter packets 0 bytes 0 drop
}
chain dnat-dns {
type nat hook prerouting priority dstnat; policy accept;
iifname "vif*" tcp dport 53 dnat to 37.48.94.55
iifname "vif*" udp dport 53 dnat to 37.48.94.55
iifname "vif*" tcp dport 53 dnat to 185.17.184.3
iifname "vif*" udp dport 53 dnat to 185.17.184.3
}
}
/etc/resolv.conf
nameserver 10.139.1.1
nameserver 10.139.1.2
What am I missing here? Why are the DNS queries not being handled correctly? Name resolution does not work, not even for ping, so local DNS resolution is already failing.
For example:
user@sys-vpn-pp-amsterdam:/rw/config/vpn$ ping google.com
ping: google.com: Name or service not known
I followed these instructions: Configuring a ProxyVM VPN Gateway
Many thanks!