VPN (tasket/Qubes-vpn) stopped working (Error iptables: Bad rule)

I’ve been using the VPN setup from tasket/Qubes-vpn, which has been working fine for years, but recently stopped working.

I’m on Qubes 4.1 and the VM is Fedora-37.

When running openvpn directly, it works fine, but the auto setup through the Qubes service is failing:

qubes-vpn-setup[2130]: iptables: Bad rule (does a matching rule exist in that chain?).

Any ideas how to debug this?

Add this line:
set -x
at the beginning of these files, after the #!/bin/bash or #!/bin/sh line:

/rw/config/qubes-vpn-ns
/rw/config/proxy-firewall-restrict

Restart VPN service:
sudo systemctl restart qubes-vpn-handler.service
Check the log and find out which line of code is causing this issue:
sudo journalctl -u qubes-vpn-handler.service

Thank you. Seeing these logs:

Oct 20 14:00:58 crow-tmp systemd[1]: qubes-vpn-handler.service: Scheduled restart job, restart counter is at 1.
Oct 20 14:00:58 crow-tmp systemd[1]: Stopped qubes-vpn-handler.service - VPN Client for Qubes proxyVM.
Oct 20 14:00:58 crow-tmp systemd[1]: Starting qubes-vpn-handler.service - VPN Client for Qubes proxyVM...
Oct 20 14:00:58 crow-tmp qubes-vpn-setup[1406]: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 20 14:01:00 crow-tmp qubes-vpn-setup[1409]: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 20 14:01:02 crow-tmp qubes-vpn-setup[1419]: iptables: Bad rule (does a matching rule exist in that chain?).
Oct 20 14:01:02 crow-tmp qubes-vpn-setup[1403]: Error: Firewall rule(s) not enabled!
Oct 20 14:01:02 crow-tmp systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited, status=1/FAILURE
Oct 20 14:01:02 crow-tmp qubes-vpn-setup[1420]: STOP-ing network forwarding!
Oct 20 14:01:02 crow-tmp systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Oct 20 14:01:02 crow-tmp systemd[1]: Failed to start qubes-vpn-handler.service - VPN Client for Qubes proxyVM.

Not sure what’s wrong with the iptables (I did not edit those, and it used to work). How can I figure out what’s wrong with the iptables?

It seems that the proxy-firewall-restrict script is not being called.
Check if it’s present:

ls -la /rw/config/qubes-firewall.d/
ls -la /rw/config/proxy-firewall-restrict

Can you post the output of:

sudo bash ./install

when you try to install Qubes-vpn-support in a debian-12 appvm or template?

It exists:

$ ls -la /rw/config/proxy-firewall-restrict
-rwxr-xr-x 1 root root 1977 Oct 20 14:03 /rw/config/proxy-firewall-restrict
[user@crow-tmp ~]$ 

Thank you @1choice! I was using fedora-37 (as the VM running the VPN and providing network) and the tasket script wasn’t working (as described in the original posting of this thread), but after switching to debian11, it works again! (I probably was using an older debian before and switched to fedora during my Qubes upgrade without noticing.)

I will download debian12 and try again.