tasket / Qubes-vpn-support

VPN configuration in Qubes OS
GNU General Public License v3.0

Mullvad config troubleshooting #16

Closed breezoi closed 6 years ago

breezoi commented 6 years ago

Follow up on the last comment

Quite novice regarding linux OS, so I might be missing something obvious.

Upon running systemctl status qubes-vpn-handler:

● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
   Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disable
  Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
           └─00_example.conf
   Active: inactive (dead)
Condition: start condition failed at Thu 2018-04-12 22:09:32 EDT; 23s ago
           └─ ConditionPathExistsGlob=/var/run/qubes-service/vpn-handler* was not met
~

Pretty sure I've followed the quickstart guide as closely as possible. Double checked all files are where they need to be. Running Qubes 4.0. Installing on updated appVMs (tried fedora and debian) using Mullvad conf files.

Not sure where to go from here

tasket commented 6 years ago

On 04/12/2018 06:51 PM, breezoi wrote:

> Quite novice regarding linux OS, so I might be missing something obvious.
>
> Upon running systemctl status qubes-vpn-handler:
>
> ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
>    Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disable
>   Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
>            └─00_example.conf
>    Active: inactive (dead)
> Condition: start condition failed at Thu 2018-04-12 22:09:32 EDT; 23s ago
>            └─ ConditionPathExistsGlob=/var/run/qubes-service/vpn-handler* was not met
> ~
>
> Pretty sure I've followed the quickstart guide as closely as possible. Double checked all files are where they need to be. Running Qubes 4.0. Installing on updated appVMs (tried fedora and debian) using Mullvad conf files.
>
> Not sure where to go from here

It looks like you didn't add the relevant Qubes service "vpn-handler-openvpn" in the VM's Services tab.

--

Chris Laprise, tasket@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

breezoi commented 6 years ago

I guess reading through the readme 100 times wasn't enough... thanks

breezoi commented 6 years ago

New error:

Active: activating (auto-restart) (Result: exit-code) since Fri 2018-04-13 17:46:38 EDT; 129ms ago
Process: 2156 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup --post-stop (code=exited, status=0/SUCCESS)
Process: 2154 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup --post-start (code=exited, status=0/SUCCESS)
Process: 2153 ExecStart=/usr/sbin/openvpn --cd /rw/config/vpn/ --config vpn-client.conf --group qvpn --verb 3 --mlock --script-security 2 --up /usr/lib/qubes/qubes-vpn-ns up
Process: 2151 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --pre-start (code=exited, status=0/SUCCESS)
Process: 2147 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=0/SUCCESS)
Main PID: 2153 (code=exited, status=1/FAILURE)
~

I set the netvm of the VPN appVM directly to sys-net and also sys-firewall with same results.

tasket commented 6 years ago

Either netvm setting is fine, and can't cause this error anyway.

Depending on when you downloaded Qubes-vpn-support (it was updated 4-5 days ago)... more recent version will have a qubes-vpn-setup file that is 157 lines long which you can see with the wc command:

wc -l /rw/config/qubes-vpn-setup

Also view the file with less to see if the 'case' section starts with the following:

case "$1" in
--check-firewall)
    for i in 1 2 3; do

If these don't match I'd suggest downloading and installing again into the same VM. The prior revision didn't give the firewall service enough chances to add the rules.

If they match (your installation is up to date), then check that the /rw/config/qubes-firewall.d/90_tunnel-restrict file exists and contains a script. This adds the anti-leak rules to the firewall. You can also view the part of the firewall that is being checked with:

sudo iptables -v -L FORWARD

The rules that --check-firewall is looking for look like this (note the DROP and eth0):

    0     0 DROP       all  --  eth0   any     anywhere             anywhere            
    0     0 DROP       all  --  any    eth0    anywhere             anywhere            
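
The firewall check described in the comment above, as an added example (not part of the thread and not Qubes-vpn-support's own `--check-firewall` code): it reads an `iptables -v -L FORWARD` listing and confirms both anti-leak DROP rules are present. The sample listings are constructed, and the uplink name `eth0` is taken from the rules quoted above.

```shell
#!/bin/sh
# Added example: verify the anti-leak DROP rules in a FORWARD listing.
# Live use inside the VPN VM: sudo iptables -v -L FORWARD | check_antileak
# The uplink name defaults to eth0 (from the thread); pass another as $1.
check_antileak() {
    awk -v ifc="${1:-eth0}" '
        # -v rule columns: pkts bytes target prot opt in out source destination
        $3 == "DROP" && $4 == "all" && $8 == "anywhere" && $9 == "anywhere" {
            if ($6 == ifc && $7 == "any") drop_in = 1    # arriving on uplink
            if ($6 == "any" && $7 == ifc) drop_out = 1   # leaving via uplink
        }
        END {
            if (!drop_in)  print "missing: DROP in=" ifc
            if (!drop_out) print "missing: DROP out=" ifc
            exit !(drop_in && drop_out)
        }'
}

# Constructed sample: both rules present, followed by an unrelated rule.
sample_ok() {
cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             anywhere
    0     0 DROP       all  --  any    eth0    anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
EOF
}

# Constructed sample: the outbound DROP rule has been lost.
sample_missing() { sample_ok | grep -v 'any  *eth0'; }

sample_ok | check_antileak && echo "anti-leak rules present"
sample_missing | check_antileak || echo "anti-leak rules incomplete"
```

A non-zero exit means traffic from downstream VMs could be forwarded straight to the uplink if the tunnel is down, so the VM should not be used as a netvm until the rules are back.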

tasket commented 6 years ago

BTW, if you re-install you don't have to re-add the VPN config files and when it asks for VPN username you can just press Ctrl-c to stop instead of re-entering login info.

breezoi commented 6 years ago

Just checked through all of the things you mentioned and it all seems to check out. 157 lines, the case section looks as presented, the 90_tunnel script does exist and contain code, and the aforementioned iptable rules all exist.

Created a fresh proxy appvm in case I butchered something along the learning process, but no luck; same error I last mentioned when running systemctl on the qubes handler. I'm connecting through a wifi adapter that's passed onto sys-net. When the proxy appvm boots it says Ready to link, but that's it.

Thanks for the help!

tasket commented 6 years ago

@breezoi OK, I think we need to look at the actual log output. Do a sudo journalctl -u qubes-vpn-handler | less and scroll to the time index of the latest connection attempt.

breezoi commented 6 years ago

Apr 17 18:13:50 VPN systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 17 18:13:50 VPN su[1241]: (to user) root on none
Apr 17 18:13:50 VPN qubes-vpn-setup[1425]: START-ing network forwarding!
Apr 17 18:13:50 VPN systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 17 18:13:50 VPN openvpn[1424]: Tue Apr 17 18:13:50 2018 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Apr 17 18:13:50 VPN openvpn[1424]: Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)
Apr 17 18:13:50 VPN openvpn[1424]: Options error: Please correct this error.
Apr 17 18:13:50 VPN openvpn[1424]: Use --help for more information.
Apr 17 18:13:50 VPN systemd[1]: qubes-vpn-handler.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 18:13:50 VPN qubes-vpn-setup[1437]: STOP-ing network forwarding!
Apr 17 18:13:50 VPN systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 17 18:13:50 VPN systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 17 18:14:00 VPN systemd[1]: qubes-vpn-handler.service: Service hold-off time over, scheduling restart.
Apr 17 18:14:00 VPN systemd[1]: Stopped VPN Client for Qubes proxyVM.
Apr 17 18:14:00 VPN systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 17 18:14:00 VPN qubes-vpn-setup[2322]: START-ing network forwarding!
Apr 17 18:14:00 VPN systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 17 18:14:00 VPN openvpn[2321]: Tue Apr 17 18:14:00 2018 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Apr 17 18:14:00 VPN openvpn[2321]: Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)
Apr 17 18:14:00 VPN openvpn[2321]: Options error: Please correct this error.
Apr 17 18:14:00 VPN openvpn[2321]: Use --help for more information.
Apr 17 18:14:00 VPN systemd[1]: qubes-vpn-handler.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 18:14:00 VPN qubes-vpn-setup[2324]: STOP-ing network forwarding!
Apr 17 18:14:00 VPN systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 17 18:14:00 VPN systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 17 18:14:10 VPN systemd[1]: qubes-vpn-handler.service: Service hold-off time over, scheduling restart.
Apr 17 18:14:10 VPN systemd[1]: Stopped VPN Client for Qubes proxyVM.
Apr 17 18:14:10 VPN systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 17 18:14:10 VPN qubes-vpn-setup[2339]: START-ing network forwarding!
Apr 17 18:14:10 VPN openvpn[2338]: Tue Apr 17 18:14:10 2018 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Apr 17 18:14:10 VPN openvpn[2338]: Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)
Apr 17 18:14:10 VPN openvpn[2338]: Options error: Please correct this error.
Apr 17 18:14:10 VPN openvpn[2338]: Use --help for more information.
Apr 17 18:14:10 VPN systemd[1]: qubes-vpn-handler.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 18:14:10 VPN qubes-vpn-setup[2341]: STOP-ing network forwarding!
Apr 17 18:14:10 VPN systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 17 18:14:10 VPN systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 17 18:14:10 VPN systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.

tasket commented 6 years ago

Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)

@breezoi The script options in the .service file are supposed to override the scripts specified in your ovpn config... but this is somehow not the case and the above error results.

If your config has lines that begin with up and down you can comment them out (add a hash # to the start of the line) and see if that works. At least it could work until I find a long-term solution.

Also, what version of Fedora or Debian are you using?

tasket commented 6 years ago

@breezoi I posted a workaround that should take care of the up/down options automatically. You can try it by installing the new beta4 version in master.

breezoi commented 6 years ago

Stock updated templates that came with Q4.0, fedora 26 and debian 9. Going to give it a shot now.

breezoi commented 6 years ago

Mullvad has both .ovpn (for android) and .conf files. .conf version has the up and down in the script, which is what I was running originally. .ovpn doesn't from what I could tell.

Downloaded the beta4 before these changes. I commented out the up and down with no results. Tried doing the install with the .ovpn file this time and still no dice. I restarted the VM with every change. Have been testing things with the fedora template for now.

Mullvad has a fairly extensive guide to getting it working with Qubes, which might have some relevant information for you? https://www.mullvad.net/en/guides/qubes-os-and-mullvad-vpn/

Here is an updated sudo journalctl -u qubes-vpn-handler | less

r 18 16:20:33 VPN systemd[1]: qubes-vpn-handler.service: Service hold-off time over, scheduling restart.
Apr 18 16:20:33 VPN systemd[1]: Stopped VPN Client for Qubes proxyVM.
Apr 18 16:20:33 VPN systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 18 16:20:33 VPN qubes-vpn-setup[2317]: START-ing network forwarding!
Apr 18 16:20:33 VPN openvpn[2316]: Wed Apr 18 16:20:33 2018 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Apr 18 16:20:33 VPN openvpn[2316]: Options error: --keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.
Apr 18 16:20:33 VPN openvpn[2316]: Use --help for more information.
Apr 18 16:20:33 VPN systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 18 16:20:33 VPN systemd[1]: qubes-vpn-handler.service: Main process exited, code=exited, status=1/FAILURE
Apr 18 16:20:33 VPN qubes-vpn-setup[2319]: STOP-ing network forwarding!
Apr 18 16:20:33 VPN systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 18 16:20:33 VPN systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 18 16:20:43 VPN systemd[1]: qubes-vpn-handler.service: Service hold-off time over, scheduling restart.
Apr 18 16:20:43 VPN systemd[1]: Stopped VPN Client for Qubes proxyVM.
Apr 18 16:20:43 VPN systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 18 16:20:43 VPN qubes-vpn-setup[2376]: START-ing network forwarding!
Apr 18 16:20:43 VPN systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 18 16:20:43 VPN openvpn[2375]: Wed Apr 18 16:20:43 2018 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Apr 18 16:20:43 VPN openvpn[2375]: Options error: --keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.
Apr 18 16:20:43 VPN openvpn[2375]: Use --help for more information.
Apr 18 16:20:43 VPN systemd[1]: qubes-vpn-handler.service: Main process exited, code=exited, status=1/FAILURE
Apr 18 16:20:43 VPN qubes-vpn-setup[2378]: STOP-ing network forwarding!
Apr 18 16:20:43 VPN systemd[1]: qubes-vpn-handler.service: Unit entered failed state.
Apr 18 16:20:43 VPN systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
~

tasket commented 6 years ago

@breezoi Hmmm. I didn't think --keepalive could cause an error (instead of just overriding the ping options).

You can delete it from the .service file to see if it works.
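
The two "Options error" failures in this thread both come from provider config directives meeting the handler's own command-line options, so they can be caught before starting the service. The following is an added example (not part of the thread and not the project's beta4 workaround): a pre-flight lint for the `up`/`down` and `ping*` directives named in the logs above, plus the manual comment-out step for `up`/`down`. The sample config is constructed; only its first three lines come from the thread.

```shell
#!/bin/sh
# Added example: flag OpenVPN config directives that produced the two
# "Options error" failures above when combined with the handler's options:
#   up / down                      (config pointed at a missing script)
#   ping / ping-exit / ping-restart (conflict with --keepalive)
# Reads a config on stdin, prints "line:directive" per hit, exits 1 on any hit.
lint_ovpn() {
    awk '
        /^[ \t]*[#;]/ { next }             # skip lines already commented out
        { d = $1; sub(/^--/, "", d) }      # directive name, optional leading --
        d == "up" || d == "down" ||
        d == "ping" || d == "ping-exit" || d == "ping-restart" {
            print NR ":" d; hits++
        }
        END { exit (hits > 0) }'
}

# Comment out up/down lines, as suggested earlier in the thread.
disable_updown() {
    sed -E 's/^([[:space:]]*(up|down)([[:space:]]|$))/#\1/'
}

# Constructed sample config; the remote host is a placeholder.
sample_conf() {
cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
ping 10
ping-restart 60
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF
}

echo "before:"; sample_conf | lint_ovpn || true
echo "after disabling up/down:"; sample_conf | disable_updown | lint_ovpn || true
```

On a real install the input would be the config the service loads, for example `lint_ovpn < /rw/config/vpn/vpn-client.conf`.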

tasket commented 6 years ago

@breezoi This looks like a problem unrelated to Qubes-vpn-support options.

If you can try running openvpn on the command line, that could narrow down where the problem is. I'd expect one or the other (conf or ovpn) configs to define --dev in the file... not including it is pretty unusual. You can try adding --dev tun to the command line, or to the file.

tasket commented 6 years ago

Just FYI, the Mullvad conf zip I'm looking at looks pretty normal. It begins with:

client
dev tun
proto udp

...so that one does specify dev.

tasket commented 6 years ago

As for the Mullvad Qubes howto, I've seen it before and would recommend against using it because it has you hardcode Qubes internal IPs... which can change.


BTW the above Mullvad zip I mentioned, I believe the selected platform was "Linux" which makes more sense than "Android".

breezoi commented 6 years ago

It seems we have success! I scrapped the last message regarding the error with TUN/TAP and fell back to the --keepalive issue. Removed the --keepalive section and its variables, rebooted, and qubes-vpn-handler service is active and sequence initialized. Hooked a VM to it, connection loaded the page fine, ran an IP/DNS test and all seems to check off!

Thanks for practically holding my hand through this, tasket!

tasket commented 6 years ago

Thank you for providing so much input. It helps on this end, and I do want to support Mullvad users because Mullvad supports Qubes.

cobordism commented 5 years ago

I have the same issue (the originally reported one).

Regarding: https://github.com/tasket/Qubes-vpn-support/issues/16#issuecomment-380991253 there is no "vpn-handler-openvpn" in the VM's Services tab.