Go back to topic: DRAFT OpenVPN VPN setup (4.3)
**Before** (truncated in the revision view):

```
ExecStart=/bin/sh -c 'nmcli connection up "$(nmcli connection show | awk …
```

**After** (changed and added lines of `autoconnect.service`):

```
Environment=GNOME_KEYRING_CONTROL=/run/user/1000/keyring
ExecStartPre=sleep 5
ExecStart=/bin/sh -c 'nmcli connection up "$(nmcli connection show | awk '\''/vpn/ { print $1 }'\'' | sort -R | head -n 1)"'
[Unit]
Requires=gnome-keyring-daemon.service
```
> :point_right: :information_source: This creates a service running as `user` on boot that selects a random VPN connection and connects to it.

# Block non-VPN network using Qubes OS Firewall (aka "killswitch")

> :information_source: This method uses the command line version of the firewall because it can block both ICMP (ping) and DNS packets, whereas the firewall tab in the qube settings does not block ICMP and DNS. The rules are enforced by the qube's NetVM, not inside `sys-vpn-openvpn` itself.

- Start "Terminal Xfce" in dom0
- Type the following commands:
  - Remove all existing rules for the qube (this restores the default qube settings): `qvm-firewall sys-vpn-openvpn reset`
  - Only accept outgoing traffic toward the VPN endpoint; the example uses destination 1.2.3.4 with proto udp and port 1194 (**adapt to your configuration!**): `qvm-firewall sys-vpn-openvpn add accept dsthost=1.2.3.4 dstports=1194 proto=udp`
  - Remove the default rule that allows everything, since we added a more restrictive one: `qvm-firewall sys-vpn-openvpn del --rule-no 0`
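The three `qvm-firewall` commands above have to match the `remote` line(s) of your `.ovpn` file, and a config can carry several endpoints with different ports and protocols. The script below is an added example, not part of the original guide: it reads an OpenVPN client config on stdin and prints the `reset` / `add accept` / `del --rule-no 0` sequence from the guide, one `add accept` per `remote` line, applying OpenVPN's defaults (port 1194, udp) and honouring a global `port` or `proto` directive. The qube name, the sample config and its TEST-NET-3 addresses are constructed for illustration; nothing is executed against dom0, the output is meant to be reviewed and then pasted into the dom0 terminal.

```sh
#!/bin/sh
# Added example (not from the original guide): derive the Qubes firewall
# "killswitch" rules for a VPN qube from the `remote` lines of its OpenVPN
# client config. Only prints the qvm-firewall commands; run them in dom0.

# Emit one `qvm-firewall <qube> add accept ...` line per `remote` directive.
# OpenVPN syntax: remote <host> [port] [proto]; defaults are port 1194 and
# udp, and a global `port` / `proto` directive earlier in the file changes
# those defaults. tcp, tcp-client, tcp4, tcp6 all map to proto=tcp.
ovpn_killswitch_rules() {
    qube="$1"
    awk -v qube="$qube" '
        BEGIN { dport = 1194; dproto = "udp"; n = 0 }
        /^[ \t]*#/ || /^[ \t]*;/ || NF == 0 { next }   # comments and blank lines
        $1 == "port"  { dport = $2; next }
        $1 == "proto" { dproto = ($2 ~ /^tcp/) ? "tcp" : "udp"; next }
        $1 == "remote" {
            host  = $2
            port  = (NF >= 3) ? $3 : dport
            proto = (NF >= 4) ? (($4 ~ /^tcp/) ? "tcp" : "udp") : dproto
            printf "qvm-firewall %s add accept dsthost=%s dstports=%s proto=%s\n", qube, host, port, proto
            n++
        }
        END {
            if (n == 0) { print "no remote lines found in config" > "/dev/stderr"; exit 1 }
        }
    '
}

# Full sequence as in the guide: reset to the default rule set (rule 0 is the
# default accept-everything rule), append the accept rules, then delete rule 0
# so that anything not going to the VPN endpoint is dropped, ICMP and DNS included.
ovpn_killswitch_plan() {
    qube="$1"
    echo "qvm-firewall $qube reset"
    ovpn_killswitch_rules "$qube" || return 1
    echo "qvm-firewall $qube del --rule-no 0"
}

# Constructed sample client config (assumption: not a real provider; the
# addresses are from TEST-NET-3, 203.0.113.0/24).
SAMPLE_OVPN='client
dev tun
proto udp
; fallback endpoint on tcp/443
remote 203.0.113.5 1194
remote 203.0.113.6 443 tcp
'

printf '%s' "$SAMPLE_OVPN" | ovpn_killswitch_plan sys-vpn-openvpn
```

Use an IP address in `remote` where you can, as the guide's example does: a hostname in `dsthost` has to be resolved by the NetVM when the rule is applied, which is one more thing that can silently change under you. After running the printed commands, check from inside `sys-vpn-openvpn` with the VPN down that a `ping` to a public IP and a DNS lookup both fail, and that `nmcli connection up` of the VPN still succeeds; if the VPN cannot come up, the `dsthost`/`dstports`/`proto` in the rule do not match what OpenVPN actually dials.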
**Before:**

> :information_source: Autoconnect on boot can't work if you store the passwords as the user, which is the case in this guide.

**After:**

- In `sys-vpn-openvpn` run a terminal as normal user
- Run the following snippet:

```
mkdir -p ~/.config/systemd/user
cat << 'EOF' > ~/.config/systemd/user/autoconnect.service
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'nmcli connection up "$(nmcli connection show | awk "/vpn/ { print \$1 }" | sort -R | head -n 1)"'
[Install]
WantedBy=default.target
EOF
systemctl --user daemon-reload
systemctl --user enable autoconnect
```

> :point_right: :information_source: This creates a service running as `user` on boot that selects a random VPN connection and connects to it.
**Before:**

- Click on "**Save**"

**After:**

- Click on "**Save**"

# Autoconnect

> :information_source: For some reasons that still need to be understood, NetworkManager does not offer to auto-connect the VPN connection on boot. Trying to use `autoconnect.secondaries` on eth0 did not work either.
**Before:**

- Run this command in the terminal that opened: `adduser user netdev`

**After:** (removed)
**Before:** (empty)

**After:**

- On the network systray icon, left click, then hover over "**VPN Connections**" and click on "**Add a VPN connection...**"
- On the menu shown, click on "**OpenVPN**" and select "**Import a saved VPN configuration...**" instead
- Click on "**Create...**"
- Select the configuration file you sent to the qube; it is under `/home/user/QubesIncoming/...`
- When prompted with "**Choose new password for keyring**", click on "**Continue**". You can fill the password fields if you want a password to unlock the VPN password, but this is useless for most users since the qube is dedicated to the VPN task. You will be asked if you really don't want to use a password; click "**Continue**"
- Fill the values for the fields `User name` and `Password`
- Click on "**Save**"