VPN troubleshooting
Tips
If using qubes-vpn, check the VPN service’s log in the VPN VM by running:
sudo journalctl -u qubes-vpn-handler
Always test your basic VPN connection before adding scripts.
Test DNS: Ping a familiar domain name from an appVM. It should print the IP address for the domain.
Use
iptables -L -vandiptables -L -v -t natto check firewall rules. The latter shows the critical PR-QBS chain that enables DNS forwarding.
VPN does not reconnect after suspend
This applies when using OpenVPN.
After suspend/resume, OpenVPN may not automatically reconnect. In order to get it to work, you must kill the OpenVPN process and restart it.
VPN stuck at “Ready to start link”
After setting up OpenVPN and restarting the VM, you may be repeatedly getting the popup “Ready to start link”, but the VPN isn’t connected.
To figure out the root of the problem, check the VPN logs in /var/log/syslog or use journalctl. The logs may reveal issues like missing OpenVPN libraries, which you can then install.
notify-send induced failure
Some VPN guides use complex scripts that include a call to notify-send, yet some images may not contain this tool or may not have it working properly. For instance calling notify-send on a fedora-36 template VM gives:
Failed to execute child process “dbus-launch” (No such file or directory)
To check this tool is working properly run:
sudo notify-send "$(hostname): Test notify-send OK" --icon=network-idle
You should see the info message appear on the top of your screen. If that is the case then notify-send is not the issue. If it is not, and you have an error of some sort you can:
Remove all calls to
notify-sendfrom scripts you are using to start VPNUse another template qube that has a working
notify-sendor find proper guide and make your current template runnotify-sendwork properly.