New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Qubes 4.1 - VPN over Tor netvms: ARP request does not get resolved properly #7123
Qubes 4.1 - VPN over Tor netvms: ARP request does not get resolved properly #7123
Comments
They cause all sorts of regressions, of which QubesOS/qubes-issues#7123 is just the most recent. In the future, Qubes OS should switch to pure layer-3 links between qubes, with no layer-2 addressing at all. That is for another day, however.
why is this marked as closed, it seems alot of people are having the same issue, me included. Are we all expected to implement this hacky workaround everytime? |
Are you sure you use up to date packages? The update linked above should fix the issue. |
forgive me, how can I do that? |
you can check package version with you can install updates as in https://www.qubes-os.org/doc/how-to-update/#routine-updates |
yes that's as I thought, although it says I don't have any updates.. I am now forcing “Enable updates for qubes without known available updates,” |
|
My initial issue still occurs, probably because after running updates nothing is updated/ or the updates haven't fixed the issue As a consequence I cannot resolve.. the original issue, to clarify my issue is using this config for PROXY-VM. However using my VPN provider config file VPN tests fine, connects and stays up, although after implementing @tasket Qubes-vpn-support or @andrewdavidwong script above and restarting proxy-vm I get continuous "RESOLVE: Cannot resolve host address: xxxx.yyyyy.net" this issue occurs using either script in fedora 34 and Debian 11. The VM will then most often fail to shutdown even after multiple attempts and has to be killed, very occasionally after restarting the proxy-vm it will connect although briefly and will return to not being able to resolve the host address. |
Did you check package versions as per #7123 (comment)? If package versions are outdated / there's a newer package version available but updates don't work for you then that's a separate issue and should be resolved as per the usual https://www.qubes-os.org/support/ process and not in this ticket which has a narrow scope. |
I don't have the new packages and according to qubes update tool there are no updates, fortunately its a pretty new install of rc3 so I will reinstall with the new 4.1 stable and try to install any further updates from there. Thanks for getting back to me even though you are a whonix dev, kind of you. |
I am experiencing the same issue fresh 4.1 install latest updates - and yes i verified latest version qubes core agent the arp workaround fixes it |
This looks like missing Proxy ARP on the upstream side. Does this reproduce with a non- In any case, I think I may have a workaround using a custom C program. |
The routing table should point at specific IP as a gateway, so proxy ARP should not be needed. At some point we used to have just
If making networking work requires "custom C program", something went really wrong. IOW, please don't, lets find a proper solution. |
Nevermind, the workaround does not work. |
"VPN over TOR" will work under Qubes 4.1 if you put a firewall-vm between the vpn-proxy and sys-whonix. Best regards. |
Summary of the problem:
In the long term, I think the best solution is to switch from Ethernet links to point-to-point links. Qubes uses them as point-to-point links anyway, and the current situation keeps causing problems. |
With this setup "app-vm -> vpn-proxy -> firewall-vm-2 -> sys-whonix -> firewall-vm-1 -> sys-net" I did not see any breakage. The VPN is routed over the onion circuit without any problems. Everything seems to work very stable without leaks or breaks. |
@DemiMarie : whilst enabling Proxy ARP in sys-whonix might be a workaround for this, I don't see why arp got involved in this issue in the first place. Following up on @marmarek 's thoughts i did dig a bit deeper and i do believe today that the root cause for this issue is a Reproduce
-> This is very weird since downstream perfectly knows what the next-hop for WorkaroundDownstream does not fall back to arp requests if the scope of the
and downstream starts sending icmp messages again:
ConclusionI am by no means an expert on linux routing. But sending ARP requests for any hosts sounds just wrong. So I am not quite sure if an ARP proxy in sys-whonix is the correct solution for this. Also I don't fully understand why the routing decision is affected that much by the scoping of the next hop route. I also don't know the reason why qubes adds a |
@Enteee Thanks! I will be able to come up with a patch based on that. |
@Enteee what name and email address would you like me to use in the Suggested-by in the commit message? |
@DemiMarie the commit looks good. Thanks for patching this! 🚀 |
You’re welcome! Thanks for figuring out the problem! That was the hard part; changing the shell script was trivial. |
Seems like fix by @DemiMarie (thanks!) QubesOS/qubes-core-agent-linux#384 didn't land in any packages yet? I am wondering why there aren't any notifications by Qubes bot that packages were built and upload to Qubes repository? |
A user on an updated system reported to still have the old version of network/setup-ip. That means not having received the changes in PR QubesOS/qubes-core-agent-linux#384 yet. After manually updating |
Yeah i would also really welcome it if the change from the pull request could be released as a new version of qubes-core-agent-linux. |
Host scope means "only valid within this host", which is certainly not correct for Xen virtual devices. Link scope means "only valid in the context of this link", which is correct. Fixes: QubesOS/qubes-issues#7123. Suggested-by: Ente <ducksource@duckpond.ch> (cherry picked from commit 0220911)
In Qubes R4.2 at least |
Qubes OS release
Qubes 4.1 RC2
Brief summary
A VPN Gateway over Tor worked fine with Qubes 4.0.
It does not work with Qubes 4.1 anymore. ARP requests aren't proxied properly.
Steps to reproduce
Configure VPN gateway as described in the Contrib docs.
Configure the Tor gateway according to the steps described in Whonix docs.
Then:
Qubes 4.0 -> OK
Qubes 4.1 -> No resolution
Expected behavior
Same behavior as Qubes 4.0
Actual behavior
ARP requests are not getting proxied properly / do not receive the MAC address fe:ff:ff:ff:ff:ff of the corresponding netVM.
Sample from user
aUsername
:, whereas 212.129.0.80 in this case is the of the remote VPN gateway.
aUsename
also mentions a fix:This manual correction has not been necessary with Qubes 4.0.
The Whonix maintainer states here, there haven't been related changes in the Whonix configuration:
Related issues
The text was updated successfully, but these errors were encountered: