VPN VM fails with ipv6 disabled #3961

Open
nil0x42 opened this Issue Jun 5, 2018 · 1 comment


nil0x42 commented Jun 5, 2018

Qubes OS version:

R4.0

Affected component(s):


Steps to reproduce the behavior:

1 - create a sys-vpn VPN qube, as described in documentation:

https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

(sys-firewall is used as NetVM)

2 - disable ipv6 on sys-vpn:

tested the following ways:

add net.ipv6.conf.all.disable_ipv6 = 1 in sys-vpn's /etc/sysctl.conf file
OR
disable the ipv6 feature explicitly in the VM:
root@dom0 # qvm-features sys-vpn ipv6 '' (as described in https://www.qubes-os.org/doc/networking/#ipv6)

Expected behavior:

have VPN running normally, and ip addr returning no ipv6 address on sys-vpn qube.

Actual behavior:

VPN does not start

General notes:

After investigating a bit, VPN does not start because it is called exactly as explained here:
https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

so VPN is called on /rw/config/rc.local with /rw/config/vpn/qubes-vpn-handler.sh as up script.
And this script (qubes-vpn-handler.sh) has the following line in it:
iptables -t nat -F PR-QBS
so VPN start fails, because PR-QBS does not exist when ipv6 is disabled with one of the methods mentioned above.

Also, after looking into /var/log/xen/console/guest-sys-spn.log
I found the following line, probably related to the issue:

[FAILED] Failed to start Qubes base firewall settings.
See 'systemctl status qubes-iptables.service' for details.

Related issues:

tasket commented Jun 8, 2018

What template and version of qubes-core-agent?
I was unable to reproduce this using qubes-core-agent 4.0.28 (debian-9) or 4.0.30 (fedora-28) using the qubes-tunnel code which has a similar up script with identical iptables -F command. PR-QBS is present and the qubes-iptables.service status is active/success. I also tried both methods of disabling ipv6.

It sounds like @nil0x42 was hit by the #3939 bug by coincidence when disabling ipv6. If that's the case then updating qubes-core-agent to 4.0.30 might prevent qubes-iptables.service from failing and resolve the issue.
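
An added example, not part of the thread or of the Qubes code: a preflight check that reads `iptables-save` output and reports whether the `PR-QBS` chain is declared in the `nat` table, which is what the up script's flush depends on. The function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Reads an iptables-save dump on stdin; succeeds only if the chain is
# declared inside the named table. Live use (assumption: run as root):
#   iptables-save | chain_declared nat PR-QBS
chain_declared() {
    # $1 = table name, $2 = chain name
    awk -v table="$1" -v chain="$2" '
        /^\*/ { current = substr($0, 2) }   # "*nat" opens a table section
        /^:/  { if (current == table && substr($1, 2) == chain) found = 1 }
        END   { exit !found }
    '
}

# Constructed sample: base firewall setup succeeded, PR-QBS exists in nat.
sample_ok() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PR-QBS - [0:0]
-A PREROUTING -j PR-QBS
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
COMMIT
EOF
}

# Constructed sample: only built-in chains, PR-QBS was never created.
sample_missing() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# $1 = a command that prints a dump; names the likely root cause on failure.
preflight() {
    if "$1" | chain_declared nat PR-QBS; then
        echo "PR-QBS present: flush can proceed"
    else
        echo "PR-QBS missing: check systemctl status qubes-iptables.service"
        return 1
    fi
}
```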
