Sorry for the delay in replying, was tied up earlier.
Well you put me on the right track, Thank you!
It was somewhat connected so deceived me a bit… (My fault obviously, I should have looked a bit closer.)
It did have an IP from their network assigned I was taking that as functioning but it apparently wasn’t binding to the interface so their was nothing to route through. I switched to the config for a different location and it came right up.
Both of the locations closest to me when I use the OpenVPN files for them there’s always messages on my router complaining about a few deprecated options it uses related to ns_type and compression, however it works fine. Hence I disregarded it here. I’m guessing PFSense is using an older version of OpenVPN so it still works.
I also thought that was universal to the provider so never bothered trying elsewhere.
However the OVPN config for a location in another region I’m using now. Had no such warnings and it came right up without incident.
Quick question though, I added setenv vpn_dns '9.9.9.9 1.1.1.1' to the config file I’m using now as I did before.
However I see this in the ruleset:
chain dnat-dns {
type nat hook prerouting priority dstnat; policy accept;
ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
}
Shouldn’t I be seeing the two DNS servers from the config file on the right hand side now that everything is fully functional?
Totally unrelated question:
But do you have any links to a reliable source for setting up something that can handle DNS over TLS? On this VM or on a separate one, everything I’m finding pre-dates 4.2.
I was thinking I may clone this whole setup and possibly just setup a resolver on this VM and then use setenv vpn_dns '127.0.0.1 see how that works.
Or figure out how to setup something on sys-firewall-vpn instead of messing with this (firewall added after the VPN was working I didn’t want to overly complicate troubleshooting haha).
Check the qubes-vpn-handler service and openvpn log in your VPN qube.
Make sure that you’ve edited the correct config file /rw/config/vpn/vpn-client.conf and you’ve restarted the qubes-vpn-handler service or your VPN qube after the edit.
I’ve also fixed the bug in the Qubes-vpn-support due to which only the first VPN DNS was used for primary and secondary Qubes OS virtual DNS servers:
You can update your Qubes-vpn-support if you need this.
I have many .ovpn files. I renamed them all to .conf using the rename program.
I put the .conf files in the vpn directory (in rw/config/). I ran the script to set things up in the template.
Then I opened a new sys-openvpn qube based on this template. I did not see VPN was up. Nothing happened.
I had been using a qube that provides network with network-manager-openvpn installed and network-manager and then used a drop-down menu for different files. This worked well, but when it dropped, it did not close the connection and revealed my real IP.
Is there something I am doing wrong? Is there a way to use network manager so I can see the different vpn options? I would like sys-openvpn to block connection if the vpn drops.
I do not yet understand IP tables.
I also created a service called vpn-handler-openvpn in the template. That service is not listed in sys-openvpn.
I would rather have the sys-openvpn show the options in network manager so I can select what I would like and for my credentials to be saved. I would also prefer that sys-openvpn is disposable so if that qube is hacked it is less likely to still be hacked after a restart.
I updated qubes-vpn-ns and that definitely did something, it’s picking up DNS entry in the config files and says it’s going to use those two DNS servers.
However I still see these NAT entries:
chain dnat-dns {
type nat hook prerouting priority dstnat; policy accept;
ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
}
So I went ahead and flushed/created the modified NAT entries myself based on the commands in the updated script and they do show up until the service restarts and get overwritten.
However it didn’t seem to have any effect anyway the AppVM still uses the VPN providers servers anyway.
sudo nft flush chain ip qubes dnat-dns
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 tcp dport 53 dnat to 9.9.9.9
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 udp dport 53 dnat to 9.9.9.9
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 tcp dport 53 dnat to 1.1.1.1
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 udp dport 53 dnat to 1.1.1.1
Out of curiosity when I also tried adding a line after all of the above temporarily to your updated script to see if the array was being populated and whether the if statement was true in my case.
And sure enough this echo statement spit out two lines, one for each server I specified, so it has the values, so I’m not sure how the other NAT entries keep getting populated.
if [[ $i < ${#vpn_dns_ip4[@]} ]] ; then
echo ${vpn_dns_ip4[$i]}
nft add rule ip qubes dnat-dns iifgroup 2 ip daddr ${qubes_dns_ip4[$i]} tcp dport 53 dnat to ${vpn_dns_ip4[$i]}
I created sys-vpn-dvm (whatever you want to call it haha), and made it a disposable template, and after I had everything working.
Then I just created a DispVM using the above as it’s template.
As far all your config files I assume one of them is named vpn-client.conf ?
What’s the status of qubes-vpn-handler?
EDIT:
Are you talking about disposable template?
If not then read next:
Did you follow the readme correctly?
TemplateVM e.g. debian-12
AppVM (ProxyVM) e.g. sys-openvpn
You need to put them inside your AppVM and not in TemplateVM. And you need to rename or make a link from your myvmpconfig.conf to vpn-client.conf:
Copy the VPN config files from your service provider to the ProxyVM’s ‘/rw/config/vpn’ folder, then copy or link the desired config to ‘vpn-client.conf’:
You need to add this service to your AppVM and not to TemplateVM:
Next, add vpn-handler-openvpn to the ProxyVM’s Settings / Services tab by typing it into the top line and clicking the plus icon. Do not add other network services such as Network Manager.
You need to add killswitch. Like this but replace iptables rules with nftables:
You can also use Qubes OS firewall to restrict your VPN qube connections only to your VPN server IP:port:
Seems like /usr/lib/qubes/qubes-setup-dnat-to-ns is being called for some reason. But it should be called only once during qube startup and not on every network change.
Check the qubes-network and qubes-network-uplink services logs in sys-vpn journalctl.
What changes did you make to default debian-12-minimal template?
I can’t find any qubes-vpn-handler service in fedora-38-xfce template.
Failed to enable unit: Unit file qubes-vpn-handler.service does not exist.
Failed to start qubes-vpn-handler.service: Unit qubes-vpn-handler.service not found.
I must be something missing. VPN connection works (GitHub - 1cho1ce/Qubes-vpn-support at replace-iptables-with-nftables) but the service itself is not installed. I even added qubes-vpn-handler manually to the ProxyVM Services (custom…). Do I need debian as a template or a minimal version?