What am I constantly getting wrong with DNS...?

I’m no networking expert so there might be something I do very wrong on a newbie level…

Whatever I do when it comes to multiple VPNs and at least two internet access points, I always end up with DNS not working!

Right now I’m using Mullvad, and while a ping to any domain works fine in a terminal on sys-net, any Qube that connects to it IS connected, but without DNS…

Have I gotten something wrong about sys-net itself, or should I maybe rebuild that Qube in case my testing of VPNs has messed something up?

Should I look at running my own DNS server somewhere in my network, or would there be other online DNS servers that are better capable of being reachable by any Qubes regardless of what happens between them and sys-net?

Sorry for this being such a general question but I do expect that I might have gotten bad and incomplete habits around DNS services due to being online since 96 but with no formal training on basics :slight_smile:

You have not given any information about how you set up Mullvad, or what
type of VPN you are running.
It sounds as if you set up Mullvad on sys-net, yes?
How did you do this?
What instructions did you follow?

Normally I would of course describe all details, but also I run into this all the time, across types of Qubes as well as VPNs…

So am I doing something wrong on a fundamental level?

Right now I’m running Mullvad on sys-net, yes, and somehow DNS doesn’t propagate to those…

Would there be any obvious tests to do other than ping to an IP versus a domain?

Any tools in Qubes that I’ve missed out on?

Just want to add that the past months I’ve been trying out different combinations of VPNs, which of course makes for a lot of possible blocks and whatever…

But also I’ve had this happening in general on & off for ages, normally I just set a public DNS manually, which was OK for just getting things working, but that kinda won’t fly if I want to keep things secure?

Also, even that is not stable when combining VPNs, btw.

What has worked consistently is to use the built-in VPNs of the Epic & Opera browsers.

Without more detail I am flying blind.
It sounds as if you are able to set up the VPN correctly, but that you
are not dealing with Qubes networking correctly.
You don’t say if you have followed any guides or documentation.

By default every qube has DNS servers set to 10.139.1.1 and 10.139.1.2.
On the netvm there is a firewall rule in the nat table that captures
that traffic and sends it on upstream to the same address.
This carries on up the chain of netvms until sys-net; there, traffic
for those IP addresses is translated to the DNS servers given by the
net connection.
It’s this mechanism that enables you to change netvms without impact on
DNS.

Depending on how you have set up the VPN, it’s possible that you have
new rules that block traffic except to the VPN tunnel, but have left
the old DNS rules in place. This would mean that DNS traffic is being
blocked.
It’s also possible that you are not setting the DNS servers provided by
the VPN provider, due to some misconfiguration of the VPN.
The fact that setting a public address works doesn’t help differentiate
these.

What you want is for traffic for 10.139.1.1/2 to be redirected to the
DNS server set by the VPN provider.
I think you should look at the firewall rules wherever you are running
the VPN.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
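The redirect chain described in this reply can be checked directly in the netvm that runs the VPN. The script below is an added example written for this edit (not from the thread or the Qubes project): it reads the nat rules and reports whether 10.139.1.1/2 are redirected to the DNS servers the VPN provided, left pointing at a stale upstream, or not redirected at all. The rule-dump format is an assumption and every address in the samples is a constructed RFC 5737 one.

```shell
#!/bin/bash
# Added example, not from the thread. Checks a Qubes netvm (sys-net or the
# VPN qube) for the mechanism described above: the DNAT rules that redirect
# the Qubes DNS addresses 10.139.1.1/10.139.1.2 must point at the DNS
# server(s) the VPN handed out (not at the old upstream ones) and must not
# have been flushed by the VPN setup. Input is `nft list ruleset` or, on
# older releases, `iptables -t nat -S`; the exact dump format is an
# assumption, and all sample addresses are constructed RFC 5737 ones.

QUBES_DNS="10.139.1.1 10.139.1.2"

# Print each distinct DNAT target a rule dump assigns to one Qubes DNS
# address. $1 = address, stdin = rule dump. Empty output = no redirect.
dnat_targets_for() {
    local addr_re
    addr_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(daddr|-d) ${addr_re}(/32)? .*(dnat to|--to-destination) " \
        | sed -E 's/.*(dnat to|--to-destination) ([0-9.]+).*/\2/' | sort -u
}

# Classify the redirect state against the VPN-provided DNS list.
# $1 = space-separated VPN DNS servers, $2 = file holding the rule dump.
# Prints "missing" (some address has no redirect at all: rules flushed),
# "stale" (redirected, but to a server the VPN did not provide) or "ok".
dns_redirect_state() {
    local vpn_dns="$1" dump="$2" addr t targets state=ok
    for addr in $QUBES_DNS; do
        targets=$(dnat_targets_for "$addr" < "$dump")
        if [ -z "$targets" ]; then
            state=missing
            continue
        fi
        for t in $targets; do
            case " $vpn_dns " in
                *" $t "*) ;;                       # a VPN-provided server
                *) [ "$state" = missing ] || state=stale ;;
            esac
        done
    done
    echo "$state"
}

# Live use inside the netvm, e.g.:  sudo ./dnscheck.sh --live 198.51.100.1
# (pass whatever DNS address the tunnel configuration reports).
if [ "${1:-}" = "--live" ]; then
    dump=$(mktemp)
    { nft list ruleset 2>/dev/null || iptables -t nat -S; } > "$dump"
    echo "qubes DNS redirect: $(dns_redirect_state "$2" "$dump")"
    rm -f "$dump"
fi
```

A "stale" result is the case the reply describes: the redirect still exists but goes to the pre-VPN upstream, so DNS appears blocked once the tunnel-only rules are in place.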

Ah, thanks a lot!

I assumed that, since some of the VMs connect to sys-net without sys-firewall, there would be no firewall rules, especially since it often works.

This might be the same thing I’ve been doing through the years: not tracking what is actually going on but rather just setting a public DNS & calling it a day…

Right now I’m thinking that trying out variants of sys-net to get the VPNs installed there properly could be a way forward long term; that way I’d keep tinkering when I’ve got the time but keep to what works when producing stuff :slight_smile:

Will try to read up on modern firewall rules in general too; my very limited knowledge is also outdated by at least a decade…

Just use qubes-tunnel.
No need to tinker with DNS settings.

Great, thanks!

Will install, test & report back :slight_smile: