Once I connect to the VPN, sys-vpn stops providing any communication other than ping. I can ping an IP address like 8.8.8.8, but I cannot ping a domain like google.com.
What additional settings are needed? The VPN works perfectly fine within sys-vpn.
I used ProtonVPN and referred to this page to execute the following commands within sys-vpn:
Sounds like a DNS issue if you can ping an IP, but not a FQDN. I seem to recall running into something similar with my setup. Forgive me if you’ve already checked these things, but I thought I’d try to help.
Package - Make sure you’ve installed the qubes-core-agent-networking package (apt list --installed|grep qubes-core-agent-networking to check; apt install qubes-core-agent-networking to install). I built everything from minimal templates; not sure if you did too.
Hostfile - Take a peek at your /etc/resolv.conf file (cat /etc/resolv.conf) and see what nameservers are listed. I have a public DNS IP (like 8.8.8.8) in addition to two LAN DNS IPs.
Other - Open the Qube Manager and look at sys-vpn’s settings–particularly under Advanced (tab). Make sure Provides network is checked. You may need to shut down the VM before you can adjust this setting.
NetVM - Make sure the network setting of the AppVM you want to use with sys-vpn is set to use sys-vpn (In Qube Manager, right-click the AppVM, select Network, then select sys-vpn).
It works inside sys-vpn because it uses the /etc/resolv.conf file for its DNS requests, but when the requests come from other qubes they use the internal Qubes DNS IPs (10.139.1.1, 10.139.1.2), and this is managed by nftables.
What you need to do is to update the dnat-dns chain inside the qubes table so that the DNS requests are redirected to the correct DNS IP.
Since it updates the /etc/resolv.conf file, you should be able to adapt this script:
I see, so I just need to modify the dnat-dns chain. As for the script you provided, OpenVPN does not seem to change the values in /etc/resolv.conf even when it is executed.
If you know the DNS IP to use and can confirm that it won’t change, you can just flush the chain and add the nat rule when the qube starts in /rw/config/rc.local.
Something like that should work:
nft flush chain ip qubes dnat-dns
nft add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to <Proton DNS IP>
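The two commands above, and the explanation of the dnat-dns chain in the earlier reply, can be put together as a small rc.local helper. This is an added example, not code from the thread, ProtonVPN or Qubes; it assumes a Qubes 4.2-style nftables firewall with the `qubes` table and `dnat-dns` chain named in the thread, and that the VPN client has already rewritten /etc/resolv.conf before the helper runs. Instead of hard-coding the Proton DNS IP it reads the first non-Qubes nameserver from resolv.conf, and it refuses to touch the chain if only the internal 10.139.1.x resolvers are present (the state the original poster saw before the VPN had actually changed the file):

```shell
#!/bin/sh
# Added example (not from the thread): redirect other qubes' DNS queries,
# which Qubes sends to its internal resolvers 10.139.1.1/10.139.1.2, to the
# resolver the VPN pushed into /etc/resolv.conf.
# Assumptions: Qubes 4.2 nftables firewall ("qubes" table, "dnat-dns" chain),
# and /etc/resolv.conf already rewritten by the VPN's update-resolv-conf hook.

QUBES_DNS="10.139.1.1, 10.139.1.2"

# Print the first nameserver in the given resolv.conf that is NOT one of the
# Qubes internal resolvers. Exits 1 (prints nothing) if none is found, i.e.
# the VPN has not (yet) changed the file, so we must not redirect anything.
vpn_dns_from_resolvconf() {
    awk '$1 == "nameserver" && $2 !~ /^10\.139\.1\./ { print $2; exit }' "$1" | grep .
}

# Emit the two nft commands from the thread with the VPN DNS IP filled in.
dnat_dns_rules() {
    dns="$1"
    printf 'nft flush chain ip qubes dnat-dns\n'
    printf 'nft add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { %s } th dport 53 dnat to %s\n' "$QUBES_DNS" "$dns"
}

# Apply the rules; meant to be called from /rw/config/rc.local (or an
# openvpn "up" hook) once the tunnel is established. Returns 1 and leaves the
# chain untouched when resolv.conf still lists only the Qubes resolvers.
apply_dnat_dns() {
    resolvconf="${1:-/etc/resolv.conf}"
    dns="$(vpn_dns_from_resolvconf "$resolvconf")" || {
        echo "no VPN nameserver in $resolvconf; leaving dnat-dns chain untouched" >&2
        return 1
    }
    echo "redirecting DNS for downstream qubes to $dns" >&2
    dnat_dns_rules "$dns" | sh -e
}

# Usage from rc.local:  sh /rw/config/dnat-dns.sh apply /etc/resolv.conf
case "${1:-}" in
    apply) apply_dnat_dns "${2:-/etc/resolv.conf}" ;;
esac
```

Because the DNAT rule is regenerated from resolv.conf each time, the same script keeps working if the provider hands out a different resolver on a later connection; check the result with `nft list chain ip qubes dnat-dns` inside sys-vpn, then resolve a name from a downstream qube.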
I don’t know it. I can see the IP address of the ProtonVPN server written in the OpenVPN configuration file. However, it seems that the DNS server has a different IP address. When I input the IP address written in the configuration file into the command you provided, it doesn’t redirect me.
They seem to have a few, I’m not sure if you can use one for every connection.
Do you see any errors related to update-resolv-conf.sh when you start openvpn? Is it part of the openvpn client configuration?
No, I have never seen any errors occur. update-resolv-conf.sh is not part of OpenVPN; it is a script distributed by ProtonVPN. This page (How to manually configure OpenVPN for Proton VPN in Linux | Proton VPN) states that this script is needed to ensure that DNS is configured correctly.
Do you see any up/down line in your openvpn config?
I tried the script they provide with another vpn provider and it works fine, the resolv.conf file is being edited correctly.
If you start openvpn with the configuration, you should be able to see the script being executed in the logs.
No, I was mistaken. The nameserver IP had changed to 10.98.0.1. I misunderstood because even after stopping OpenVPN, it didn’t revert back to nameserver 10.139.1.1 and nameserver 10.139.1.2.
It seems that the DNS IP addresses are always constant, so the command you provided solved the problem. Thank you! I struggled for a long time to set up sys-vpn; thanks to you, I finally got it working.