VM starting race especially with VPN proxy & loading in order of net-vm stream tree

[beffenc]

Is there any trade-off or reason that VMs are not loaded in the order with which they connect?
i.e. if you have whonix connecting through vpn through firewall through net, then you must delay starting the downstream VMs in the right order or else you will have leaks / race conditions where your tables and routing are lucky to be set up as directed.

So, if the VMs started as they are ordered by netVM tree in Qubes manager, you would not have to deal with that. Is there any downside to starting them consecutively? I can see where it may take longer to load, in which case an option in Qubes Manager could be set to load ordered, or perhaps they could be loaded simultaneously but started ordered?

Worth a shot...

[marmarek]

Is there any trade-off or reason that VMs are not loaded in the order with which they connect?
ie if you have whonix connecting through vpn through firewall through net, then you must delay starting the downstream VMs in the right order or else you will have leaks / race conditions where your tables and routing are lucky to be set up as directed

They are started in that order. But there is no delay (of starting next VM in such chain) for connecting whatever service you are running there. Generally you should setup firewall rules to block everything until your proxy software (whatever it is in that VM) successfully connects. Take a
look at OpenVPN Setup, Revisited Again! thread.

So, if the VMs started as they are ordered by netVM tree in Qubes manager, you would not have to deal with that Is there any downside to starting them consecutively?

It will not fix anything here - what if the first connection fails? Like because of some DNS resolution timeout or whatnot. In that case even if some VM is already running and the next one is just starting, it would not be properly proxied, unless you'll block non-proxied traffic somehow.

For further discussion on this subject I suggest using qubes-users mailing list.

[marmarek]

Is there any trade-off or reason that VMs are not loaded in the order with which they connect?
ie if you have whonix connecting through vpn through firewall through net, then you must delay starting the downstream VMs in the right order or else you will have leaks / race conditions where your tables and routing are lucky to be set up as directed

They are started in that order. But there is no delay (of starting next VM in such chain) for connecting whatever service you are running there. Generally you should setup firewall rules to block everything until your proxy software (whatever it is in that VM) successfully connects. Take a
look at OpenVPN Setup, Revisited Again! thread.

So, if the VMs started as they are ordered by netVM tree in Qubes manager, you would not have to deal with that Is there any downside to starting them consecutively?

It will not fix anything here - what if the first connection fails? Like because of some DNS resolution timeout or whatnot. In that case even if some VM is already running and the next one is just starting, it would not be properly proxied, unless you'll block non-proxied traffic somehow.

For further discussion on this subject I suggest using qubes-users mailing list.