VPN Help with OpenVPN

Hey folks, I am a newer user of Qubes. I have been trying to use a VPN and went through the steps carefully from Contents/vpn.md at master · Qubes-Community/Contents · GitHub under the "Set up a ProxyVM as a VPN gateway using iptables and CLI scripts" steps. I seem to be running into this when I test my initial VPN connection, and can’t seem to ping anything (google, cnet, etc.) until I kill the OpenVPN client. This is the result I get when checking my VPN connection:

user@sys-vpn-pia-Mexico:/rw/config/vpn$ sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
Mon Jan 25 16:34:58 2021 WARNING: file 'pass.txt' is group or others accessible
Mon Jan 25 16:34:58 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Mon Jan 25 16:34:58 2021 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Mon Jan 25 16:34:58 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]77.81.142.52:501
Mon Jan 25 16:34:58 2021 Attempting to establish TCP connection with [AF_INET]77.81.142.52:501 [nonblock]
Mon Jan 25 16:34:59 2021 TCP connection established with [AF_INET]77.81.142.52:501
Mon Jan 25 16:34:59 2021 TCP_CLIENT link local: (not bound)
Mon Jan 25 16:34:59 2021 TCP_CLIENT link remote: [AF_INET]77.81.142.52:501
Mon Jan 25 16:34:59 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 25 16:34:59 2021 [mexico406] Peer Connection Initiated with [AF_INET]77.81.142.52:501
Mon Jan 25 16:35:00 2021 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
Mon Jan 25 16:35:00 2021 OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Mon Jan 25 16:35:00 2021 TUN/TAP device tun0 opened
Mon Jan 25 16:35:00 2021 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 25 16:35:00 2021 /sbin/ip addr add dev tun0 10.7.19.2/24 broadcast 10.7.19.255
Mon Jan 25 16:35:00 2021 WARNING: OpenVPN was configured to add an IPv6 route over tun0. However, no IPv6 has been configured for this interface, therefore the route installation may fail or may not work as expected.
Mon Jan 25 16:35:00 2021 Initialization Sequence Completed

Can someone help me understand what is or is not happening here?

It looks as if you’ve created the tunnel correctly for IPv4, albeit with some warnings: permissions on the pass.txt file, and caching passwords in memory.
You have not created an IPv6 tunnel, because the configuration is lacking. https://community.openvpn.net/openvpn/wiki/IPv6 may help.

I do not know if you are using IPv6 in Qubes; look at https://qubes-os.org/doc/networking where IPv6 is discussed. If you are not, then remove the IPv6 configuration from the ovpn file.


Thank you for pointing me in the right direction; this seems to solve the problem. I added these two lines to the openvpn-client.ovpn file, which I believe turns off the IPv6 as you mentioned.

pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"

I can report that my connection to the VPN seems to be working now. Thanks again.
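The three warnings in that log (the pass.txt permission notice, the password-caching notice, and the pushed route-ipv6 that cannot be installed without an ifconfig-ipv6) are all things a config audit can catch before the tunnel is brought up. The following is an added example, not part of the Qubes-Community guide or of OpenVPN itself: a shell pre-flight check that reads a client .ovpn, looks for auth-nocache, verifies that the auth-user-pass file is owner-only (mode 600 or 400), and confirms that the two pull-filter lines from the post are present. It assumes GNU coreutils `stat` and that a relative auth-user-pass path is relative to the config's directory (the guide keeps both in /rw/config/vpn); the sample configs it writes are constructed for the demo, not a real provider's.

```shell
#!/bin/sh
# Added example (not from the Qubes-Community guide or OpenVPN): pre-flight
# audit of an OpenVPN client config for the three warnings seen in the thread.
# Assumptions: GNU coreutils `stat`; a relative auth-user-pass path is taken
# relative to the config's directory (the guide uses /rw/config/vpn for both).

# audit_ovpn <client.ovpn>: print one finding per line; return 1 if any.
audit_ovpn() {
    cfg=$1
    dir=$(dirname "$cfg")
    rc=0

    # 1. "this configuration may cache passwords in memory": add auth-nocache
    if ! grep -Eq '^[[:space:]]*auth-nocache' "$cfg"; then
        echo "MISSING auth-nocache: credentials stay in OpenVPN process memory"
        rc=1
    fi

    # 2. "file 'pass.txt' is group or others accessible": the auth-user-pass
    #    file must be readable by its owner only (mode 600 or 400)
    pass=$(awk '$1=="auth-user-pass" && NF>1 {print $2; exit}' "$cfg")
    if [ -n "$pass" ]; then
        case $pass in /*) ;; *) pass="$dir/$pass" ;; esac
        mode=$(stat -c %a "$pass" 2>/dev/null || echo "missing")
        case $mode in
            600|400) ;;
            *) echo "PERMS $pass: mode $mode, expected 600 (chmod 600 it)"; rc=1 ;;
        esac
    fi

    # 3. A pushed route-ipv6 without ifconfig-ipv6 cannot be installed. On an
    #    IPv4-only gateway, drop both pushed options with pull-filter.
    ipv6_ok=1
    for opt in ifconfig-ipv6 route-ipv6; do
        grep -Eq "^[[:space:]]*pull-filter[[:space:]]+ignore[[:space:]]+\"?$opt" "$cfg" || ipv6_ok=0
    done
    if [ "$ipv6_ok" = 0 ]; then
        echo "IPv6 pushes not filtered: add pull-filter ignore \"ifconfig-ipv6\" and \"route-ipv6\" unless this gateway routes IPv6"
        rc=1
    fi
    return $rc
}

# make_samples: write a weak and a hardened client config (constructed sample
# data, not a real provider config) into a temp dir; prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'user\npassword\n' > "$d/pass.txt"
    chmod 644 "$d/pass.txt"          # the state the log complained about
    printf 'user\npassword\n' > "$d/pass-600.txt"
    chmod 600 "$d/pass-600.txt"

    # weak.ovpn: roughly as a provider ships it
    cat > "$d/weak.ovpn" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.invalid 501
auth-user-pass pass.txt
EOF

    # hardened.ovpn: same, with the three fixes applied
    cat > "$d/hardened.ovpn" <<'EOF'
client
dev tun
proto tcp
remote vpn.example.invalid 501
auth-user-pass pass-600.txt
auth-nocache
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
EOF
    echo "$d"
}

# Demo: audit both sample configs, then clean up.
demo_dir=$(make_samples)
for f in weak hardened; do
    echo "== $f.ovpn"
    audit_ovpn "$demo_dir/$f.ovpn" || echo "-> $f.ovpn needs attention"
done
rm -rf "$demo_dir"
```

Run it against the real file with `audit_ovpn /rw/config/vpn/openvpn-client.ovpn`; a clean run prints nothing and returns 0. The IPv6 check is deliberately strict: it is only correct for a gateway that does not route IPv6, which is the case the reply above describes.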

OK, I have the VPN working all the way up to the point where I edit the “qubes-firewall-user-script” to add this:

#!/bin/bash

#    Block forwarding of connections through upstream network device
#    (in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

#    Accept traffic to VPN
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT

#    Add the qvpn group to system, if it doesn't already exist
if ! grep -q "^qvpn:" /etc/group ; then
    groupadd -rf qvpn
    sync
fi
sleep 2s

#    Block non-VPN traffic to clearnet
iptables -I OUTPUT -o eth0 -j DROP

#    Allow traffic from the qvpn group to the uplink interface (eth0);
#    Our VPN client will run with group qvpn.
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT

Any idea why adding this breaks my connection? I can’t ping anything etc. If I don’t do this step at all, then everything works, but I realize I won’t have leak protection.
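How that ruleset decides a packet's fate is easy to misread, because every rule is added with `-I`, which inserts at the top of the chain: the ACCEPT for group qvpn, inserted last, ends up above the DROP for eth0, so only a process whose group is qvpn gets out on the uplink, everything else headed for eth0 is dropped, and traffic into tun0 matches nothing and falls through to the ACCEPT policy. The following is an added example, not code from the Qubes-Community guide: a small shell model of the OUTPUT chain that understands just the two matches the script uses (`-o <iface>` and `-m owner --gid-owner <gid>`), so the ordering can be checked without root. The interface and group names are the script's own; nothing here talks to netfilter, and it is not a substitute for `iptables -S OUTPUT` on the gateway.

```shell
#!/bin/sh
# Added example (not from the Qubes-Community guide): a model of how the
# OUTPUT chain built by the script above is evaluated. It understands only
# the two matches that script uses (-o <iface>, -m owner --gid-owner <gid>),
# so the effect of `-I` ordering and the owner match can be checked without
# root or a netfilter stack.

OUTPUT_POLICY=ACCEPT   # set by: iptables -P OUTPUT ACCEPT
OUTPUT_RULES=""        # one "iface gid target" per line, top of chain first

# sim_insert <iface|*> <gid|*> <target>: like `iptables -I OUTPUT`, the new
# rule goes to the TOP, above everything inserted before it.
sim_insert() {
    OUTPUT_RULES="$1 $2 $3
$OUTPUT_RULES"
}

# sim_eval <out-iface> <gid>: the first matching rule decides; if none
# matches, the chain policy applies. Prints the verdict.
sim_eval() {
    iface=$1
    gid=$2
    verdict=$OUTPUT_POLICY
    while read -r r_if r_gid target; do
        [ -n "$target" ] || continue
        [ "$r_if" = '*' ] || [ "$r_if" = "$iface" ] || continue
        [ "$r_gid" = '*' ] || [ "$r_gid" = "$gid" ] || continue
        verdict=$target
        break
    done <<EOF
$OUTPUT_RULES
EOF
    echo "$verdict"
}

# The OUTPUT part of qubes-firewall-user-script, in the order it runs.
load_user_script() {
    OUTPUT_RULES=""              # iptables -F OUTPUT
    sim_insert eth0 '*'  DROP    # iptables -I OUTPUT -o eth0 -j DROP
    sim_insert eth0 qvpn ACCEPT  # iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
}

load_user_script
echo "client running with gid qvpn, out eth0:   $(sim_eval eth0 qvpn)"
echo "client run as plain root (gid root), eth0: $(sim_eval eth0 root)"
echo "any process, out tun0 (inside the tunnel): $(sim_eval tun0 root)"
```

On the live gateway the equivalent checks are `sudo iptables -S OUTPUT` (the rules in evaluation order) and `sudo iptables -L OUTPUT -v -n` (per-rule packet counters, which show which rule is absorbing the traffic). The script's own comment says the client will run with group qvpn; `sg qvpn -c '<command>'` is the usual way to start a process under a supplementary group, and a client started without it, such as the plain `sudo openvpn` invocation in the first post, hits the eth0 DROP rule in this model.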