I can not get it to work #55

Open
linuxfan1000 opened this issue Aug 30, 2020 · 11 comments

@linuxfan1000

linuxfan1000 commented Aug 30, 2020

Dear developers of this script/instructions
Dear community

Today I tried to set up the VPN according to the instructions. I tried vpnbook.com with the UDP and TCP files.

I created a TorVPN AppVM based on Debian 10 in which I performed all the setup. When I issue the command

sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt

I get a lot of output in the terminal:

Sun Aug 30 11:46:44 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sun Aug 30 11:46:44 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sun Aug 30 11:46:44 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Aug 30 11:46:44 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]51.68.152.226:53
Sun Aug 30 11:46:44 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Aug 30 11:46:44 2020 UDP link local: (not bound)
Sun Aug 30 11:46:44 2020 UDP link remote: [AF_INET]51.68.152.226:53
Sun Aug 30 11:46:44 2020 TLS: Initial packet from [AF_INET]51.68.152.226:53, sid=ce39753d c1491a69
Sun Aug 30 11:46:44 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Aug 30 11:46:44 2020 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Sun Aug 30 11:46:44 2020 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Sun Aug 30 11:46:44 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Sun Aug 30 11:46:44 2020 [vpnbook.com] Peer Connection Initiated with [AF_INET]51.68.152.226:53
Sun Aug 30 11:46:45 2020 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
Sun Aug 30 11:46:45 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS  213.186.33.99,dhcp-option DNS  91.239.100.100,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.38 10.8.0.37,peer-id 15,cipher AES-256-GCM'
Sun Aug 30 11:46:45 2020 OPTIONS IMPORT: timers and/or timeouts modified
Sun Aug 30 11:46:45 2020 OPTIONS IMPORT: --ifconfig/up options modified
Sun Aug 30 11:46:45 2020 OPTIONS IMPORT: route options modified
Sun Aug 30 11:46:45 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Aug 30 11:46:45 2020 OPTIONS IMPORT: peer-id set
Sun Aug 30 11:46:45 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Sun Aug 30 11:46:45 2020 OPTIONS IMPORT: data channel crypto options modified
Sun Aug 30 11:46:45 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Aug 30 11:46:45 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Aug 30 11:46:45 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Aug 30 11:46:45 2020 ROUTE_GATEWAY 10.137.0.6
Sun Aug 30 11:46:45 2020 TUN/TAP device tun0 opened
Sun Aug 30 11:46:45 2020 TUN/TAP TX queue length set to 100
Sun Aug 30 11:46:45 2020 /sbin/ip link set dev tun0 up mtu 1500
Sun Aug 30 11:46:45 2020 /sbin/ip addr add dev tun0 local 10.8.0.38 peer 10.8.0.37
Sun Aug 30 11:46:47 2020 /sbin/ip route add 51.68.152.226/32 via 10.137.0.6
Sun Aug 30 11:46:47 2020 /sbin/ip route add 0.0.0.0/1 via 10.8.0.37
Sun Aug 30 11:46:47 2020 /sbin/ip route add 128.0.0.0/1 via 10.8.0.37
Sun Aug 30 11:46:47 2020 /sbin/ip route add 10.8.0.1/32 via 10.8.0.37
Sun Aug 30 11:46:47 2020 Initialization Sequence Completed

When I start Firefox in the same AppVM and try to check www.showmyip.com, nothing happens. Then, when I press CTRL+C in the terminal to end the script, Firefox will load the homepage showing my real IP.

What am I doing wrong?

@tasket
Owner

tasket commented Aug 30, 2020

@linuxfan1000 First, a caveat that if you're running Tor inside that VM it could interfere with openvpn (I realize it could be just the way you named the VM).

The test you're doing with 'openvpn' command probably won't work with domain name addresses because of the special situation of running the test in Qubes. At this stage in setup, it's better to have a couple known IP addresses handy and ping them. But if you want to test a domain name anyway, you can try it by running /usr/lib/qubes/qubes-setup-dnat-to-ns after openvpn says 'Initialization Sequence Completed', then try accessing your site.

@linuxfan1000
Author

linuxfan1000 commented Aug 31, 2020

Thank you for your reply.

There is no Tor instance running inside that Qube TorVPN in which I had installed openvpn. It was created with the Debian 10 template.

I tried to ping 8.8.8.8 with no success. There is no reply at all, not even a timeout, etc.

I also ran the command /usr/lib/qubes/qubes-setup-dnat-to-ns after the message "Initialization Sequence Completed" and then tried to reach a site in Firefox (not torbrowser) of the TorVPN qube. Nothing. The browser window stays blank.

It works with TCP and UDP servers, right?

Any other idea?

@tasket
Owner

tasket commented Aug 31, 2020

It works with either TCP or UDP.

If this is testing at the end of step 2, then Qubes-vpn-support has no effect on the connection at this point. That's why it's there, to show if there are underlying connection problems before continuing with the install.

One thing you might try is pinging something after the VM starts, before you run openvpn.

Another thing is to copy your VPN configs into sys-net VM, and then try the openvpn command and ping from there (but be aware, this means putting your password in an untrusted VM).

@linuxfan1000
Author

linuxfan1000 commented Aug 31, 2020

If I do a ping 8.8.8.8 before issuing the command

sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt

then it works. The above command is what I use to start openvpn, correct? Sorry, I am not a Linux guru.

@tasket
Owner

tasket commented Sep 1, 2020

That looks right.

I can't tell without seeing the config file. But one thing that has worked in the past is to add this line to the config file:
redirect-gateway def1

@linuxfan1000
Author

linuxfan1000 commented Sep 1, 2020

Please forgive my ignorance. Which config file? I can post it. What is the path to the file?

@tasket
Owner

tasket commented Sep 1, 2020

The one that's specified on the command line: 'vpn-client.conf'

@linuxfan1000
Author

linuxfan1000 commented Sep 2, 2020

Here is the content of the vpn-client.conf file:

client
dev tun0
proto udp
remote 51.68.152.226 53
remote pl226.vpnbook.com 53
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
verb 3
cipher AES-128-CBC
fast-io
pull
route-delay 2
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
....
....
.....
.....

@tasket
Owner

tasket commented Sep 2, 2020

Try changing the redirect-gateway line to redirect-gateway def1
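
The log in the first post carries two OpenVPN warnings (no server certificate verification method enabled, password cached in memory), and the replies turn on the `redirect-gateway` flag. As an added example, not part of any post in this thread and not Qubes-vpn-support code, this Python check reads a client config and reports those three items; the finding labels and the shortened sample config are constructed for illustration.

```python
import shlex
# Constructed sample: a subset of the directives posted in the issue, <ca> body elided.
SAMPLE_CONF = """\
client
dev tun0
proto udp
remote 51.68.152.226 53
nobind
auth-user-pass
comp-lzo
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
(elided)
</ca>
"""

def parse_directives(text):
    """Return [(name, [args])], skipping comments and inline <tag>...</tag> blocks."""
    directives, inline_tag = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:                      # inside <ca>, <cert>, <key>, ...
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":     # OpenVPN comment markers
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]         # start of an inline file block
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0].lstrip("-"), parts[1:]))
    return directives

def check_config(text):
    """Report the three items raised in the thread, using hypothetical labels."""
    d = parse_directives(text)
    names = {n for n, _ in d}
    findings = []
    # Matches "WARNING: No server certificate verification method has been enabled."
    if not names & {"remote-cert-tls", "verify-x509-name", "ns-cert-type"}:
        findings.append("no-server-cert-verification")
    # Matches "WARNING: this configuration may cache passwords in memory".
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("auth-cached-in-memory")
    # Bare redirect-gateway replaces the default route; def1 overrides it with two /1 routes.
    if any(n == "redirect-gateway" and "def1" not in a for n, a in d):
        findings.append("redirect-gateway-without-def1")
    return findings
```

`remote-cert-tls server` only succeeds when the server certificate carries the TLS server extended key usage; `verify-x509-name` is the alternative when it does not.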

@linuxfan1000
Author

linuxfan1000 commented Sep 3, 2020

I changed it to redirect-gateway def1 and restarted the qube and started openvpn but that did not fix it either.

Any other idea? Can it really be that difficult?

@tasket
Owner

tasket commented Sep 4, 2020

The vpnbook.com site doesn't provide much help. There is only a very basic command line setup guide for Ubuntu. To me, that says Linux support was an afterthought and they might not have tested it with Linux recently after making server changes (only a guess).

As an alternative, you could try setting it up in the Network Manager GUI. The Qubes documentation page has a vpn guide that mentions how to start that process by enabling NM for the vpn vm, then you can add a vpn connection in NM and tell it to import your vpnbook config file.

Also consider testing the vpn on a regular Linux. I mention this because there's a non-zero chance that something is wrong with Qubes networking on your system, and if it works on say Ubuntu, then you'll know there is probably a Qubes issue.
