I've finished my conversion of all VM's to debian-8 (and isolating USB, the sound card, etc.). (Next is dom0, and maybe the replacing the hypervisor, but that's another story. :) )
The last hiccup was getting OpenVPN working in debian-8 in a ProxyVM. It would connect, but then get stupid and hangup. Turns out the problem is that OpenVPN 2.3.4 included with Debian-8, will fail to add a default static route to the VPN provider ("route add w.x.y.z gw 10.137.2.1 eth0" kinda thing) if the netmask of the WAN interface is 255.255.255.255. (There's some bug post out there related to this.) Without the route, all traffic, including traffic intended to the VPN provider, gets stuff into the tun0 VPN pipe, which wedges it. If you're quick, you can add the route at the right time to save the connection. But the right solution is fixing the netmask. If you change the wan IP netmask to 255.255.255.0, then when OpenVPN connects, the static route gets added, and the VPN connection stays up. However, the default seems to get changed back on next AppVM boot. I think the qubes Vm startup code is grabbing the netmask from qubesdb (qubesdb-read /qubes-netmask), and I think dom0 is setting that statically in the code. (I don't see it in qvm-prefs, qubesdb, xenstore, and haven't had time to dig further.) I can see why Qubes would choose 255.255.255.255, since VM link adapters can't access others on their subnet directly, but have to bounce through their netvm (a good thing, security-wise). However, using 255.255.255.0 should be harmless, since you can still only directly access 10.137.*.1 anyway; and it would avoid messing up Debian's OpenVPN connections. (Admittedly working around an OpenVPN but, but an easy and harmless fix.) fedora23 uses OpenVM 2.3.13 which doesn't seem to suffer from this problem. I tried grabbing an OpenVM from backports, but there wasn't anything newer. Cheers, -d -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8d42cf40f8974d4b57c871890262a7a5.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.