From 7811443006bc98e84d1037dc4fdfaa7b68b32259 Mon Sep 17 00:00:00 2001 From: Daniel Gonzalez Gasull Date: Tue, 26 Jun 2018 18:29:55 +0800 Subject: [PATCH 1/5] NM: start VPN automatically, fail-close When configuring with NetworkManager, make VPN start automatically and fail-close the connection. --- configuration/vpn.md | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 2326efeb..9fb01e0b 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md 
@@ -50,11 +50,39 @@ Set up a ProxyVM as a VPN gateway using NetworkManager 3. Set up your VPN as described in the NetworkManager documentation linked above. -4. Configure your AppVMs to use the new VM as a NetVM. +4. Make your VPN start automatically. + + Edit `/rw/config/rc.local` and add these lines: + + ```bash + # Automatically connect to the VPN + nmcli connection up file-vpn-conn passwd-file /rw/config/NM-system-connections/secrets/passwd-file.txt + ``` + You can find the actual "file-vpn-conn" in `/rw/config/NM-system-connections/`. + + Create directory `/rw/config/NM-system-connections/secrets/` (You can put your `*.crt` and `*.pem` files here too). + Create a new file `/rw/config/NM-system-connections/secrets/passwd-file.txt`: + ``` + vpn.secrets.password:XXXXXXXXXXXXXX + ``` + And substitute "XXXXXXXXXXXXXX" for the actual password. + The contents of `passwd-file.txt` may differ depending on your VPN settings. See the [documentation for `nmcli up`](https://www.mankier.com/1/nmcli#up). + +5. Make the network fail-close for the AppVMs if the connection to the VPN breaks. + + Edit `/rw/config/qubes-firewall-user-script` and add these lines: + ```bash + # Block forwarding of connections through upstream network device + # (in case the vpn tunnel breaks): + iptables -I FORWARD -o eth0 -j DROP + iptables -I FORWARD -i eth0 -j DROP + ``` + +6. Configure your AppVMs to use the new VM as a NetVM. ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png) -5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN +7. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN Set up a ProxyVM as a VPN gateway using iptables and CLI scripts From 045e4c7d3ed2db61e333a49bdf7d93eba60735eb Mon Sep 17 00:00:00 2001 
From: Daniel Gonzalez Gasull Date: Tue, 26 Jun 2018 18:37:28 +0800 Subject: [PATCH 2/5] Make it clear that the 2 new steps are optional --- configuration/vpn.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 9fb01e0b..db0f3024 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -50,7 +50,7 @@ Set up a ProxyVM as a VPN gateway using NetworkManager 3. Set up your VPN as described in the NetworkManager documentation linked above. -4. Make your VPN start automatically. +4. (Optional) Make your VPN start automatically. Edit `/rw/config/rc.local` and add these lines: @@ -68,7 +68,7 @@ Set up a ProxyVM as a VPN gateway using NetworkManager And substitute "XXXXXXXXXXXXXX" for the actual password. The contents of `passwd-file.txt` may differ depending on your VPN settings. See the [documentation for `nmcli up`](https://www.mankier.com/1/nmcli#up). -5. Make the network fail-close for the AppVMs if the connection to the VPN breaks. +5. (Optional) Make the network fail-close for the AppVMs if the connection to the VPN breaks. Edit `/rw/config/qubes-firewall-user-script` and add these lines: ```bash From 349f9ba7e1d5b419117b42b41dac4e4eaaa5a3dc Mon Sep 17 00:00:00 2001 From: Daniel Gonzalez Gasull Date: Thu, 28 Jun 2018 15:39:31 +0800 Subject: [PATCH 3/5] Add troubleshooting for race condition on step 4 --- configuration/vpn.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configuration/vpn.md b/configuration/vpn.md index db0f3024..bf083728 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md 
@@ -68,6 +68,8 @@ Set up a ProxyVM as a VPN gateway using NetworkManager And substitute "XXXXXXXXXXXXXX" for the actual password. The contents of `passwd-file.txt` may differ depending on your VPN settings. See the [documentation for `nmcli up`](https://www.mankier.com/1/nmcli#up). + Troubleshooting: If you notice that the VPN doesn't autostart on hardware bootup but it does when restaring the VPN VM, try adding a slight delay in seconds in `/rw/config/rc.local` before the `nmcli` command, e.g. `sleep 2`. + 5. (Optional) Make the network fail-close for the AppVMs if the connection to the VPN breaks. Edit `/rw/config/qubes-firewall-user-script` and add these lines: From 82b14042de5b7266eb8e74697b0f8e0d9bfb9c14 Mon Sep 17 00:00:00 2001 From: Daniel Gonzalez Gasull Date: Sat, 30 Jun 2018 09:02:42 +0800 Subject: [PATCH 4/5] Update vpn.md --- configuration/vpn.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index bf083728..c7f7386c 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -55,7 +55,8 @@ Set up a ProxyVM as a VPN gateway using NetworkManager Edit `/rw/config/rc.local` and add these lines: ```bash - # Automatically connect to the VPN + # Automatically connect to the VPN once Internet is up + for i in {1..50}; do ping -c1 1.1.1.1 &> /dev/null && break; done nmcli connection up file-vpn-conn passwd-file /rw/config/NM-system-connections/secrets/passwd-file.txt ``` You can find the actual "file-vpn-conn" in `/rw/config/NM-system-connections/`. 
@@ -68,8 +69,6 @@ Set up a ProxyVM as a VPN gateway using NetworkManager And substitute "XXXXXXXXXXXXXX" for the actual password. The contents of `passwd-file.txt` may differ depending on your VPN settings. See the [documentation for `nmcli up`](https://www.mankier.com/1/nmcli#up). - Troubleshooting: If you notice that the VPN doesn't autostart on hardware bootup but it does when restaring the VPN VM, try adding a slight delay in seconds in `/rw/config/rc.local` before the `nmcli` command, e.g. `sleep 2`. - 5. (Optional) Make the network fail-close for the AppVMs if the connection to the VPN breaks. Edit `/rw/config/qubes-firewall-user-script` and add these lines: From ac58fb4c9b720295e64ba73fd77a84ce7d1252fc Mon Sep 17 00:00:00 2001 From: Daniel Gonzalez Gasull Date: Mon, 2 Jul 2018 15:55:53 +0800 Subject: [PATCH 5/5] Use nm-online --- configuration/vpn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index c7f7386c..6e8d3b6c 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -56,7 +56,7 @@ Set up a ProxyVM as a VPN gateway using NetworkManager ```bash # Automatically connect to the VPN once Internet is up - for i in {1..50}; do ping -c1 1.1.1.1 &> /dev/null && break; done + nm-online --quiet --wait-for-startup nmcli connection up file-vpn-conn passwd-file /rw/config/NM-system-connections/secrets/passwd-file.txt ``` You can find the actual "file-vpn-conn" in `/rw/config/NM-system-connections/`.
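Review bot: in PATCH 1/5 (hunk `@@ -50,11 +50,39 @@`), the new `passwd-file.txt` under `/rw/config/NM-system-connections/secrets/` holds the VPN password in clear text, yet the "Create a new file" step never tells the reader to restrict its permissions; add a line such as `chmod 600 /rw/config/NM-system-connections/secrets/passwd-file.txt` (owned by root, which is what `rc.local` runs as) and apply the same to the `*.crt` and `*.pem` files the parenthetical invites into that directory. In the step 5 snippet, both `iptables -I FORWARD ... eth0 -j DROP` lines assume the upstream interface is named `eth0`; ask the reader to confirm the name (e.g. with `ip link`) since a mismatched name leaves the fail-close rule matching nothing and forwarding open.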
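Review bot: in PATCH 2/5 (hunk `@@ -68,7 +68,7 @@`), labelling step 5 "(Optional)" understates its role: step 4 makes the VPN come up without user interaction, and step 5 is what stops AppVM traffic from reaching `eth0` unencrypted when that tunnel drops. Suggest "(Optional, but strongly recommended)" or keeping the fail-close step unconditional, so a reader who follows step 4 alone is not left with silent leakage on VPN failure.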
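Review bot: in PATCH 3/5 (hunk `@@ -68,6 +68,8 @@`), the added troubleshooting line has a typo ("restaring" should be "restarting"), and a fixed `sleep 2` papers over the race it describes rather than resolving it: the race is between `rc.local` and NetworkManager bringing the uplink up, so the script should wait on that condition instead of an arbitrary delay that may be too short on slower hardware and needlessly long elsewhere.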
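Review bot: in PATCH 4/5 (hunk `@@ -55,7 +55,8 @@`), the `for i in {1..50}; do ping -c1 1.1.1.1 &> /dev/null && break; done` loop has no pause between iterations, so while there is no route yet each `ping` fails immediately and all 50 attempts can be exhausted in well under a second, after which `nmcli connection up` runs anyway because the loop's outcome is never checked. It also sends up to 50 cleartext ICMP probes to a hardcoded third-party address before the tunnel exists and makes VPN startup depend on that host answering pings. Suggest gating on NetworkManager's own connectivity state instead, and, if a probe is kept at all, adding a `sleep 1` inside the loop and testing whether it succeeded before calling `nmcli`.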
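Review bot: in PATCH 5/5 (hunk `@@ -56,7 +56,7 @@`), `nm-online --quiet --wait-for-startup` removes the polling and the external probe, but its exit status is still ignored, so `nmcli connection up` runs even when `nm-online` gives up (its default timeout is 30 seconds) and the uplink is not ready; chain the two as `nm-online -q -s && nmcli connection up ...` (or test `$?`) and consider an explicit `--timeout` for slow uplinks. Note also that `--wait-for-startup` waits for NetworkManager's startup to complete, not for a connectivity check to pass, so the comment "once Internet is up" overstates the guarantee; "once NetworkManager has finished starting" would be accurate.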