Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upIP not assigned and route not created with new template or cloning #3702
Comments
andrewdavidwong
added
bug
C: templates
labels
Mar 16, 2018
andrewdavidwong
added this to the Release 3.2 updates milestone
Mar 16, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
jpbrown-15 commentedMar 15, 2018
Qubes OS version:
Qubes release 3.2 (R3.2)
Affected component(s):
Fedora 26 Template (and every template since Fedora 23) along with cloning Debian-8 to make Debian-9 and attempting to use them as the template under a proxyVM or netVM.
Steps to reproduce the behavior:
Create a ProxyVM to support a VPN per the instructions: https://www.qubes-os.org/doc/vpn/
a) Create a new template or install one from the repository:
Option repository: from Dom0: sudo qubes-dom0-update qubes-template-fedora-26
https://www.qubes-os.org/doc/templates/fedora/
Option create new Debian-9: https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
b) Use the new Fedora 26 or Debian 9 template and follow the rest of the instructions to create a VPN
qube as a ProxyVM.
Start or restart the ProxyVM after the VPN is configured. You may need to disable NetworkManager if the VPN is not connecting to your VPN provider. Note, I needed to disable NetworkManager in both Fedora-26 and Debian-9 in my tests so that openvpn could establish the network connection.
Observe the network configuration with /sbin/ifconfig -a and netstat -rn. At this point you should see the VPN is connected and routes have been added to the tun interface.
Configure a different qube such as work or personal to point at the new VPN qube and start that qube.
Once the qube has launched, review the network in the new VPN qube. Notice that:
a) ifconfig -a now reports a new vif interface (e.g. vif5.0) however you will observe that there is no IP
address assigned.
b) netstat -rn reports all the routes, but will not show the new vif interface
Expected behavior:
The launching of the upstream qube (work or personal) that initiated the add of the vif interface to the VPN qube should plumb both the ip address of the gateway that the upstream qube expects and establish the route.
Actual behavior:
Both the ip address and the route are not established within the VPN proxyVM even though the interface is defined.
General notes:
To observe the correct behavior, change the template vm from Fedora 26 or Debian 9 to Fedora 23 or Debian 8 (using the templates included with the original Qubes 3.2 installation). Both of the stock templates correctly assign the ip address and plumb the full interface and route. However the Fedora 26 template from the repository (and prior attempt to use Fedora 24) failed in the same way. Cloning Debian-8 (that works fine as a ProxyVM template) and making the Debian-9 template produce the same failure. Because Fedora 23 has long been unsupported and prior attempts to get Fedora 24 and 25 have failed, I have switched the NetVM's to Debian-8.
Additional note: Both the work and personal qubes in this example are using the Fedora 26 template.
The VPN qubes sends traffic to the sys-firewall.
Final note: I run Qubes 3.2 within VirtualBox on a Ubuntu host and have for 1.5 years. Attempts to make Qubes 4.0 RCx have not been successful in launching any of the NetVM's -- I can install and launch Qubes 4.0, but even changing the vm type to pv fails to launch a NetVM so Qubes 3.2 is my only viable option currently to run qubes-os.
Related issues: