The connection currently works like this:
sys-net → sys-firewall → sys-vpn-pp-amsterdam → appVM
So I would set the firewall rules in the sys-vpn-pp-amsterdam qube so that only connections to the remote servers are allowed, right? Or would I create another qube between sys-vpn-pp-amsterdam and appVM, for example sys-vpn-pp-amsterdam-firewall, with the specific rules? If so, I can’t set any firewall rules for the firewall qube, am I right?
How do I do this with regard to the DNS server? This is not in the ovpn config, but is probably assigned dynamically by the OpenVPN connection. Can I set this rule dynamically?
This.
When you have this connection:
sys-net → sys-firewall → sys-vpn-pp-amsterdam → appVM
And you set firewall rules in sys-vpn-pp-amsterdam Settings, then these rules will apply in its upstream qube’s firewall, sys-firewall.
DNS will go through the VPN tunnel, so you don’t need to allow it in the Qubes firewall.
C:\Users\user>ping google.com
Pinging google.com [142.250.184.238] with 32 bytes of data:
Reply from 10.255.240.12: Destination host unreachable.
Reply from 10.255.240.12: Destination host unreachable.
Reply from 10.255.240.12: Destination host unreachable.
Reply from 10.255.240.12: Destination host unreachable.
Ping statistics for 142.250.184.238:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
In the Windows VM, under the properties for the Ethernet 2 adapter (the only one that exists there), 10.139.1.1 and 10.139.1.2 are also set as DNS servers; these are also displayed under Settings as the Virtual DNS of the Net qube. Why does the reply come from a different, internal IP, namely 10.255.240.12?
In addition, the correct IP is displayed for every URL I ping, so I don’t think the problem is with the DNS. I have already set it manually to 10.139.1.1 or 10.139.1.2 and 8.8.8.8 or 1.1.1.1, without success.
Whether in the browser or via ping, I cannot access any of the pages. What step have I forgotten to take in order to be able to connect to the Internet in the Windows qube?
It’s definitely not an issue with DNS, since DNS resolution works in Windows:
google.com [142.250.184.238]
What’s your VPN address subnet?
10.255.240.12 seems to be some gateway IP inside the VPN that is filtering your connections from Windows for some reason.
Try to ping some other hosts in Windows like ping 9.9.9.9 and ping 1.1.1.1.
Are you able to ping google.com and ping 9.9.9.9 and ping 1.1.1.1 in your Linux qube connected to your sys-vpn?