I've finished my conversion of all VMs to debian-8 (and isolating USB,
the sound card, etc.).  (Next is dom0, and maybe replacing the
hypervisor, but that's another story. :) )

The last hiccup was getting OpenVPN working in debian-8 in a ProxyVM.  It
would connect, but then get stupid and hang up.

Turns out the problem is that OpenVPN 2.3.4, included with Debian-8, will
fail to add a default static route to the VPN provider ("route add w.x.y.z
gw 10.137.2.1 eth0" kinda thing) if the netmask of the WAN interface is
255.255.255.255.  (There's some bug post out there related to this.)

Without the route, all traffic, including traffic intended for the VPN
provider, gets stuffed into the tun0 VPN pipe, which wedges it.

If you're quick, you can add the route at the right time to save the
connection.  But the right solution is fixing the netmask.

If you change the WAN IP netmask to 255.255.255.0, then when OpenVPN
connects, the static route gets added, and the VPN connection stays up.

However, the default seems to get changed back on next AppVM boot.  I
think the Qubes VM startup code is grabbing the netmask from qubesdb
(qubesdb-read /qubes-netmask), and I think dom0 is setting that statically
in the code.  (I don't see it in qvm-prefs, qubesdb, xenstore, and haven't
had time to dig further.)

I can see why Qubes would choose 255.255.255.255, since VM link adapters
can't access others on their subnet directly, but have to bounce through
their netvm (a good thing, security-wise).

However, using 255.255.255.0 should be harmless, since you can still only
directly access 10.137.*.1 anyway; and it would avoid messing up Debian's
OpenVPN connections.  (Admittedly working around an OpenVPN bug, but an
easy and harmless fix.)

fedora23 uses OpenVPN 2.3.13 which doesn't seem to suffer from this problem.

I tried grabbing an OpenVPN from backports, but there wasn't anything newer.

Cheers,

-d
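
Added example (not part of the original post, and not Qubes or OpenVPN code): a check for the failure state described above, where the route to the VPN provider is missing and its traffic falls into tun0. It parses `ip -4 route show` output and applies longest-prefix match; the server address 203.0.113.10, the 10.8.0.0/24 tunnel subnet and both route tables are constructed samples, and the tunnel is assumed to take over the default route.

```python
import ipaddress

def parse_routes(text):
    """Parse `ip -4 route show` output into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "dev" not in tok[:-1]:
            continue  # blank line, or a route with no output device
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # typed routes such as "unreachable ..." are skipped
        routes.append((net, tok[tok.index("dev") + 1]))
    return routes

def egress_dev(routes, dst):
    """Device picked by longest-prefix match (route metrics are ignored)."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in routes if dst in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def vpn_server_in_tunnel(route_text, server, tunnel="tun0"):
    """True when packets to the VPN server itself would enter the tunnel."""
    return egress_dev(parse_routes(route_text), server) == tunnel

SERVER = "203.0.113.10"  # constructed VPN provider address

# Constructed table: tunnel is up, but the route to the provider is missing.
WEDGED = """\
default dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.137.2.1 dev eth0 scope link
"""

# Same table with the static route to the provider via the netvm gateway.
HEALTHY = WEDGED + "203.0.113.10 via 10.137.2.1 dev eth0\n"

if __name__ == "__main__":
    for name, table in (("wedged", WEDGED), ("healthy", HEALTHY)):
        state = "INSIDE tunnel" if vpn_server_in_tunnel(table, SERVER) else "outside tunnel"
        print(f"{name}: traffic to {SERVER} goes {state}")
```

On a live ProxyVM the same functions can be fed the real output of `ip -4 route show` in place of the sample strings.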
