OpenVPN and debian-8


johny...@sigaint.org

Dec 17, 2016, 1:28:01 PM
to qubes...@googlegroups.com
I've finished my conversion of all VMs to debian-8 (and isolating USB,
the sound card, etc.). (Next is dom0, and maybe replacing the
hypervisor, but that's another story. :) )

The last hiccup was getting OpenVPN working in debian-8 in a ProxyVM. It
would connect, but then get stupid and hang up.

Turns out the problem is that OpenVPN 2.3.4, included with Debian-8, will
fail to add a default static route to the VPN provider ("route add w.x.y.z
gw 10.137.2.1 eth0" kinda thing) if the netmask of the WAN interface is
255.255.255.255. (There's some bug post out there related to this.)

Without the route, all traffic, including traffic intended for the VPN
provider, gets stuffed into the tun0 VPN pipe, which wedges it.

If you're quick, you can add the route at the right time to save the
connection. But the right solution is fixing the netmask.

If you change the wan IP netmask to 255.255.255.0, then when OpenVPN
connects, the static route gets added, and the VPN connection stays up.

However, the default seems to get changed back on next AppVM boot. I
think the Qubes VM startup code is grabbing the netmask from qubesdb
(qubesdb-read /qubes-netmask), and I think dom0 is setting that statically
in the code. (I don't see it in qvm-prefs, qubesdb, xenstore, and haven't
had time to dig further.)

I can see why Qubes would choose 255.255.255.255, since VM link adapters
can't access others on their subnet directly, but have to bounce through
their netvm (a good thing, security-wise).

However, using 255.255.255.0 should be harmless, since you can still only
directly access 10.137.*.1 anyway; and it would avoid messing up Debian's
OpenVPN connections. (Admittedly working around an OpenVPN bug, but an
easy and harmless fix.)

fedora23 uses OpenVPN 2.3.13 which doesn't seem to suffer from this problem.

I tried grabbing an OpenVPN from backports, but there wasn't anything newer.

Cheers,

-d
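The routing situation described in the post, as an added example that is not part of the original thread: a POSIX sh pre-flight check that reads `ip -4 -o addr show` output, tests whether the ProxyVM's gateway falls inside the WAN interface's prefix, and, in the /32 case where OpenVPN 2.3.4 fails to install the host route itself, prints the iproute2 command that installs it explicitly. The interface name eth0, the gateway 10.137.2.1 and the VPN server address 203.0.113.5 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for the /32 WAN
# netmask condition before starting OpenVPN in a ProxyVM. POSIX sh only.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> integer netmask (24 -> 4294967040, i.e. 255.255.255.0).
prefix2mask() {
  if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Succeed (exit 0) if address $1 lies inside the prefix $2 (e.g. 10.137.2.12/32).
in_subnet() {
  addr=${2%/*}; plen=${2#*/}; m=$(prefix2mask "$plen")
  [ $(( $(ip2int "$1") & $m )) -eq $(( $(ip2int "$addr") & $m )) ]
}

# Pull "addr/prefix" for device $1 out of `ip -4 -o addr show` output on stdin.
wan_cidr() {
  sed -n "s/^[0-9]*: $1 .*inet \([0-9.]*\/[0-9]*\) .*/\1/p"
}

# Arguments: vpn_server gateway device; `ip -4 -o addr show` output on stdin.
# With a /32 on the WAN interface the gateway is not inside the prefix, which is
# the situation where OpenVPN 2.3.4 fails to install the host route itself; in
# that case print the iproute2 command that installs it explicitly (onlink tells
# the kernel to use the gateway even though no prefix route covers it).
vpn_route_fix() {
  cidr=$(wan_cidr "$3")
  if in_subnet "$2" "$cidr"; then
    echo "ok: gateway $2 is on-link within $cidr"
  else
    echo "ip route add $1/32 via $2 dev $3 onlink"
  fi
}

# Constructed sample of a Qubes ProxyVM WAN interface; VPN server is a placeholder.
SAMPLE_ADDR='2: eth0    inet 10.137.2.12/32 brd 10.255.255.255 scope global eth0\       valid_lft forever preferred_lft forever'
printf '%s\n' "$SAMPLE_ADDR" | vpn_route_fix 203.0.113.5 10.137.2.1 eth0
```

Run the printed command before `openvpn --config ...` so the host route to the VPN server exists before the tunnel's default route takes over; on a live system replace the sample with `ip -4 -o addr show dev eth0 | vpn_route_fix <server> <gateway> eth0`.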

Chris Laprise

Dec 17, 2016, 6:26:44 PM
to johny...@sigaint.org, qubes...@googlegroups.com


On 12/17/2016 01:27 PM, johny...@sigaint.org wrote:
> I've finished my conversion of all VMs to debian-8 (and isolating USB,
> the sound card, etc.). (Next is dom0, and maybe replacing the
> hypervisor, but that's another story. :) )
>
> The last hiccup was getting OpenVPN working in debian-8 in a ProxyVM. It
> would connect, but then get stupid and hang up.
>
> Turns out the problem is that OpenVPN 2.3.4, included with Debian-8, will
> fail to add a default static route to the VPN provider ("route add w.x.y.z
> gw 10.137.2.1 eth0" kinda thing) if the netmask of the WAN interface is
> 255.255.255.255. (There's some bug post out there related to this.)
>

I've not had this routing problem using either Debian 8 or 9/testing
(the latter has openvpn 2.3.11). There may be a quirk in the way your
VPN service specifies routing info (if it does at all) which triggered
the bug.

Chris