I’m building a “User → Tor → VPN → Internet” setup in my Qubes 4.2 using the separate VPN-Gateway method.
I created an AppVM “vpn-ivpn-d12” based on Debian 12, set its NetVM to sys-whonix, checked the option “Provides Network”, and set up an OpenVPN connection in it.
But when my Whonix ws AppVM is using it as NetVM (ws AppVM → vpn-ivpn-d12 → sys-whonix → Mirage-firewall → sys-net), DNS queries from ws AppVM always time out. I tried setting up the VPN VM in different ways, including “Set up a ProxyVM as a VPN gateway using iptables and CLI scripts”, and “Qubes-vpn-support”, but nothing works. Currently, only adding “nameserver 10.139.1.1” to /etc/resolv.conf in ws VM seems to work, but I don’t think it’s the right way.
The Wiki (Connecting to Tor before a VPN) states that no DNS configuration is required when using a separate VPN gateway and system DNS should work out of the box, so I’m confused. Is there anything I’m doing wrong?
Does (non-DNS) IP work?
Did you exclude yet that Whonix is the source of issues? Meaning…
Did you test if the vpn-ivpn-d12 is functional at all?
qubesdb-read /qubes-primary-dns
10.139.1.1
This actually seems fine.
Could be outdated.
I created another VPN VM “vpn-ivpn2-d12” without installing any scripts in it and made some tests. Below are the results.
vpn-ivpn-d12 (installed Qubes-vpn-support and connected to VPN server) as NetVM of ws VM
  in vpn-ivpn-d12:
    ping 1.1.1.1 - no response after 1 min
    nslookup check.torproject.org - "communications error to 10.139.1.1#53: timed out"
  in ws VM with default nameserver IP (NetVM IP):
    open https://1.1.1.1 in Firefox - worked
    nslookup check.torproject.org - "communications error to <NETVM_IP>#53: timed out"
  in ws VM with modified nameserver 10.139.1.1:
    open https://1.1.1.1 in Firefox - worked
    nslookup check.torproject.org - worked

vpn-ivpn2-d12 (only installed OpenVPN, manually connected to VPN server via "sudo openvpn --config vpn.ovpn" command) as NetVM of ws VM
  in vpn-ivpn2-d12:
    ping 1.1.1.1 - worked
    nslookup check.torproject.org - "communications error to 10.139.1.1#53: timed out"
  in ws VM with default nameserver IP (NetVM IP):
    open https://1.1.1.1 in Firefox - worked
    nslookup check.torproject.org - "communications error to <NETVM_IP>#53: timed out"
  in ws VM with modified nameserver 10.139.1.1:
    open https://1.1.1.1 in Firefox - worked
    nslookup check.torproject.org - "communications error to 10.139.1.1#53: timed out"

vpn-ivpn2-d12 without connecting OpenVPN as NetVM of ws VM (only relays ws VM traffic to sys-whonix)
  in vpn-ivpn2-d12:
    ping 1.1.1.1 - no response after 1 min
    nslookup check.torproject.org - worked
  in ws VM with default nameserver IP (NetVM IP):
    open https://1.1.1.1 in Firefox - worked
    nslookup check.torproject.org - "communications error to <NETVM_IP>#53: timed out"
  in ws VM with modified nameserver 10.139.1.1:
    open https://1.1.1.1 in Firefox - worked
    nslookup check.torproject.org - worked
I thought DNS queries sent to Qubes virtual DNS were forwarded to sys-net, so using 10.139.1.1 would cause DNS leak. Was that incorrect? I would like my DNS queries sent through VPN channel.
OK, thanks for clarifying.
Test it. Sabotage sys-net DNS. Verify that VMs connected directly have broken DNS. Then check if another VM connected to a VPN VM still can resolve DNS.
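A companion check for that test, added here and not part of the thread: instead of only watching whether resolution breaks, read where the VPN qube actually redirects the virtual resolver 10.139.1.1. It assumes the Qubes 4.2 NetVM DNAT rules live in nftables table "ip qubes", chain "dnat-dns", and uses 10.0.254.1 as a constructed stand-in for the resolver the VPN pushes.

```shell
#!/bin/sh
# Added example, not from the thread: work out where a Qubes 4.2 NetVM
# redirects the virtual DNS address 10.139.1.1, so you know whether a
# ws-VM query is handed to the tunnel or passed on to the next NetVM.
# Assumptions to verify on your system: DNAT rules live in nftables
# table "ip qubes", chain "dnat-dns"; 10.0.254.1 is a constructed value
# for the VPN-pushed resolver (take the real one from the OpenVPN log).
VIP=10.139.1.1

# Print the DNAT target for $1 from `nft list chain ip qubes dnat-dns`
# output read on stdin (empty output means no rule matched).
dnat_target() {
  awk -v vip="$1" '
    index($0, "daddr " vip " ") && /dnat to/ {
      for (i = 1; i <= NF; i++)
        if ($i == "to") { sub(/:.*/, "", $(i + 1)); print $(i + 1); exit }
    }'
}

# Classify the redirect: tunnel resolver = query leaves via the VPN;
# the NetVM's own qubesdb upstream = passed to the next hop (sys-whonix
# in this setup), which is what a plain chained qube does.
classify_target() {
  target="$1"; tunnel_dns="$2"; qubes_upstream="$3"
  if [ -z "$target" ]; then echo "no-dnat-rule"
  elif [ "$target" = "$tunnel_dns" ]; then echo "via-vpn-tunnel"
  elif [ "$target" = "$qubes_upstream" ]; then echo "via-upstream-netvm"
  else echo "unknown:$target"; fi
}

# Run inside the VPN qube (needs root for nft); $1 = VPN-pushed resolver.
live_check() {
  t=$(nft list chain ip qubes dnat-dns 2>/dev/null | dnat_target "$VIP")
  classify_target "$t" "$1" "$(qubesdb-read /qubes-primary-dns)"
}

# Constructed nft output: a plain chained qube vs. one where a VPN
# script rewrote the rule to point at the tunnel resolver.
NFT_PLAIN='chain dnat-dns {
	ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
	ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
}'
NFT_VPN='chain dnat-dns {
	ip daddr 10.139.1.1 udp dport 53 dnat to 10.0.254.1:53
	ip daddr 10.139.1.1 tcp dport 53 dnat to 10.0.254.1:53
}'
verdict() {  # $1 = nft output text; compares against the constructed values
  t=$(printf '%s\n' "$1" | dnat_target "$VIP")
  classify_target "$t" 10.0.254.1 10.139.1.1
}
verdict "$NFT_PLAIN"   # via-upstream-netvm
verdict "$NFT_VPN"     # via-vpn-tunnel
```

If the verdict inside the VPN qube is "via-upstream-netvm" while the tunnel is up, ws-VM queries to 10.139.1.1 are being relayed to sys-whonix rather than the VPN resolver, which matches the timeouts seen in the second test run above.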