tasket / Qubes-vpn-support

VPN configuration in Qubes OS
GNU General Public License v3.0

openvpn-client.service causes reconnection loop #5

Closed jberri closed 7 years ago

jberri commented 7 years ago

Scenario: openvpn-client.service failing test

Given I am running Qubes R3.2.x
And I have a VPN-VM configured as follows

    NetVM -> FirewallVM -> VPN-VM(Debian-8 ProxyVM)

And I have the following latest vpn client packages installed in the VPN-VM

    | Packages                      |  
    | network-manager-openvpn-gnome |  
    | openvpn                       | 

And my previous non-secure 'openvpn-client.ovpn' file located in '/rw/config/vpn' can successfully establish an openvpn connection with the following properties

    | openvpn-client property | value     |  
    | proto                   | tcp       |  
    | port                    | 80 or 443 |  
    | dev                     | tun       |  
    | verb                    | 5         |  
    | ca crt                  | yes       |  
    | user cert               | yes       |  
    | user key                | yes       |  
    | tls-auth                | yes       |  

And I have cloned the 'Qubes-vpn-support-master' git repository into my VPN-VM
And my VPN-VM directory structure for '/rw/config' is now as follows

    /rw/config
    ├── NM-system-connections
    │   ├── qubes-uplink-eth0
    │   └── VPN connection 1
    ├── qubes-firewall-user-script
    ├── rc.local
    ├── suspend-module-blacklist
    └── vpn
        ├── ca.crt
        ├── openvpn-client.ovpn
        ├── openvpn-client.service
        ├── qubes-vpn-handler.sh
        ├── ta.key
        ├── user.crt
        └── user.key

And my current secure 'openvpn-client.ovpn' file located in '/rw/config/vpn' contains the following 3 extra required entries

    script-security 2
    up '/rw/config/vpn/qubes-vpn-handler.sh up'
    down '/rw/config/vpn/qubes-vpn-handler.sh down'

And the following scripts have been made executable

    | executable scripts                    |  
    | /rw/config/qubes-firewall-user-script |  
    | /rw/config/rc.local                   |  
    | /rw/config/vpn/qubes-vpn-handler.sh   | 

And I restart my VPN-VM
And '/etc/systemd/system/' contains a copy of '/rw/config/vpn/openvpn-client.service'
When I initiate a VPN connection from a root-terminal with the command

    openvpn /rw/config/vpn/openvpn-client.ovpn

Then I expect a successful connection to be established to my VPN server with the stdout message

    Initialization Sequence Completed

But I do not expect the connection to irritatingly reset itself and then re-establish itself in an infinite loop every 5 flipping seconds with the following stdout messages

    Connection reset, restarting [0]
    TCP/UDP: Closing socket
    SIGUSR1[soft,connection-reset] received, process restarting
    Restart pause, 5 second(s)

Actual results

The annoying loop happens when the rc.local 'systemctl --no-block start openvpn-client.service' command has been issued. A successful persistent connection happens (i.e. no re-connection loop) when the running openvpn-client.service is stopped.

tasket commented 7 years ago

Since vpn-support isn't designed to run alongside Network Manager, you should disable NM or move the vpn setup to a fresh proxyVM that hasn't had NM enabled. NM will interfere with the connection when it notices tun0 goes up, and the fact that the connection stays up when you stop openvpn-client.service indicates that NM is also configured to establish a vpn link.

Another thing to check for is that the Debian default 'openvpn.service' has been disabled in the template.
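
The checks suggested in the reply above, written as a shell script to run inside the VPN-VM (an added example, not part of the thread or of the Qubes-vpn-support code). It reports an active NetworkManager, an enabled Debian `openvpn.service`, and NetworkManager VPN keyfiles under `/rw/config/NM-system-connections`; the function names and the openvpn process count are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Qubes-vpn-support repository.
# Run inside the VPN-VM to list things that compete with
# openvpn-client.service for the tunnel.

# Print NetworkManager keyfiles in DIR that define a VPN connection
# (NM keyfiles mark these with "type=vpn" in their [connection] section).
nm_vpn_profiles() {
    dir=$1
    [ -d "$dir" ] || return 0
    grep -l -E '^type=vpn[[:space:]]*$' "$dir"/* 2>/dev/null || true
}

# Print one CONFLICT line per finding; return 1 if anything was found.
check_vpn_conflicts() {
    nm_dir=${1:-/rw/config/NM-system-connections}
    rc=0
    if systemctl is-active --quiet NetworkManager.service 2>/dev/null; then
        echo "CONFLICT: NetworkManager.service is active in this VM"
        rc=1
    fi
    if systemctl is-enabled openvpn.service >/dev/null 2>&1; then
        echo "CONFLICT: Debian default openvpn.service is enabled"
        rc=1
    fi
    profiles=$(nm_vpn_profiles "$nm_dir")
    if [ -n "$profiles" ]; then
        echo "CONFLICT: NetworkManager VPN profile(s): $profiles"
        rc=1
    fi
    # Assumption (not stated in the thread): more than one openvpn
    # process means two clients are running at once.
    n=$(pgrep -x openvpn 2>/dev/null | wc -l)
    if [ "$n" -gt 1 ]; then
        echo "CONFLICT: $n openvpn processes are running"
        rc=1
    fi
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_vpn_conflicts
fi
```

Invoke it as `sh script.sh --check`; an exit status of 1 means at least one conflict was printed.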

tasket commented 7 years ago

Close.