Why does a DNS connection "break" when my VPN client reconnects?

gs-542 · January 28, 2024, 1:49pm

I have a StandaloneVM where I’ve setup a Linux GUI VPN client of my VPN provider (call it vpn-vm). I set it up there just like any other normie Linux user would. I’m btw just a normie who wants to install the normal GUI app.

My AppVMs connect to this vpn-vm for their networking.

Most of the time this works just fine. However:

Every time I disconnect (hit “disconnect” in the GUI client) and reconnect (to reconnect to a different country), my AppVMs lose the internet connection.
When this problem occurs, restarting the vpn-vm always solves the problem.

Any ideas what could be happening? I know it’s a DNS issue because on my AppVM “ping 8.8.8.8” works but “ping www.google.com” doesn’t work.

As a normie that’s all I know. Can someone assist pinpointing the problem? I’m on Qubes 4.1.

DVM · January 28, 2024, 1:54pm

What exactly is your VPN setup? Do you use Network Manager?
Are you using OpenVPN or Wireguard?

gs-542 · January 28, 2024, 2:21pm

I’m using the Mullvad GUI client. In my “vpn-vm” settings, I see “network-manager” checkbox is checked. In the Mullvad GUI client, I have Wireguard checked.

Btw, I really want to just continue Mullvad GUI client (instead of doing a purely Terminal-based setup). Indeed it works fine usually. The problem is to figure out why the DNS disconnects as I outlined.

DVM · January 28, 2024, 2:29pm

Wireguard should always use the same DNS IP server (10.64.0.1), so it’s strange that it doesn’t work when you change servers. Network Manager is responsible for DNS working in your setup as it creates rules based on what it sees as DNS. Can you replicate the DNS problem and then run the following command to see if it still uses the correct IP?

sudo iptables -t PR-QBS -S

solene · January 28, 2024, 2:29pm

Could you try to run this command in the vpn qube after disconnecting it?

sudo /usr/lib/qubes/qubes-setup-dnat-to-ns

This update the DNS used by the qubes from the one configured inside the NetVM qube.

gs-542 · January 28, 2024, 2:47pm

Thanks, but all I get is this:

$ sudo iptables -t PR-QBS -S
iptables v1.8.7 (nf_tables): table 'PR-QBS' does not exist
Perhaps iptables or your kernel needs to be upgraded.

(Fedora 38). Maybe you are assuming Qubes 4.2 and/or later Fedoras or non-Fedora?

gs-542 · January 28, 2024, 2:49pm

solene:

Could you try to run this command in the vpn qube after disconnecting it?
sudo /usr/lib/qubes/qubes-setup-dnat-to-ns
This update the DNS used by the qubes from the one configured inside the NetVM qube.

Running this command in my “vpn-vm” seems to be working! Although it takes 10-20 seconds, but it seems to work!

So I guess under the hood for some reason, DNS isn’t automatically being “refreshed” and this command needs to be manually run for the refresh to occur.

Any ideas why this is needed? Although running this command is a massive improvement to having to restart the whole vm (massive time saver), not having to do anything would be the coolest

solene · January 28, 2024, 2:53pm

I guess your VPN app was propagating a new DNS only available through the VPN. So when you disconnect it, the DNS isn’t reachable anymore (you could check which DNS is being used before / after the VPN disconnect and after the command).

I found this command on IVPN on Qubes OS - IVPN Help

DVM · January 28, 2024, 2:54pm

At the end of your main post you said you were running Qubes 4.1 which uses iptables. If the table is not found, it would mean you don’t have it, or you didn’t run the command in the VPN qube, or you are running Qubes 4.2, which uses nftables.