Networking freezing and impossible to restore without reboot


Evastar

May 14, 2018, 5:23:54 PM
to qubes...@googlegroups.com
Hello,

I still have issues with my proxy/vpn-vms. Something happens, maybe my VPN loses connection or not (I don't know). I only know that at some point, from time to time, all my AppVMs lose network and it's not possible to restore networking without restarting the VPN-VM and all connected VMs. Any solutions? How to simplify this process?


It's very uncomfortable every time to restart all AppVMs.

And I wrote that I don't know whether the VPN loses connection or not. When I open the VPN-proxy-vm terminal I see that it's CONNECTED to VM, but maybe it's after reconnection. But after that I don't know how to force all AppVMs (connected to this proxy) to restore network!

Thank you!

Chris Laprise

May 14, 2018, 5:46:53 PM
to Evastar, qubes...@googlegroups.com
It's important to know how you set up the VPN VM. If you used the Qubes
doc, that config can have problems recovering from a disconnected link.

If you used a recent version of Qubes-vpn-support or qubes-tunnel,
restarting the service is simple:

sudo systemctl restart qubes-vpn-handler

or

sudo systemctl restart qubes-tunnel

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Chris Laprise

May 14, 2018, 7:55:30 PM
to Evastar, qubes-users
On 05/14/2018 06:23 PM, Evastar wrote:
>> It's important to know how you set up the VPN VM. If you used the Qubes
>> doc, that config can have problems recovering from a disconnected link.
>> If you used a recent version of Qubes-vpn-support or qubes-tunnel,
>> restarting the service is simple:
>> sudo systemctl restart qubes-vpn-handler
>> or
>> sudo systemctl restart qubes-tunnel
>
> Thanks for your quick answer. I use my own VPN setup based not on openvpn, but ethervpn. This qube comes from 3.2. I use the same old code. I wrote it based on old openvpn code. This code adds routes on startup, then iptables rules for DNS and some other rules to prevent traffic leaks. The same as the UP handler from qubes-doc does.
>
> There are no "recovering setup". How to add this?
>
> Need to delete rules added by this then execute this again? Is it recovery?
> iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
> iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
>
> I re-checked the qubes vpn doc. It's almost the same, but no up/down handler. I set up rules in rc.local. On 3.2 I do not have this problem. When my VPN loses connection, it always works after my VPN client reconnects.
>

Posting back to qubes-users...

Probably there is someone who is familiar with ethervpn who can better
help you.

My advice is to monitor the ethervpn log for warnings/errors when the
blockage occurs. Then perhaps a simpler solution will become clear.

If you are using the same firewall rules as the Qubes doc, try
commenting-out the parts for 'OUTPUT'.

As for the DNAT rules, delete & re-add should only be necessary if the
DNS server changes. Also, when blockage occurs you can try pinging a
known IP address (not domain name) from an appVM; if it doesn't work
then DNAT is probably not the issue.

Finally, if you find the solution involves restarting the ethervpn
client, you may want to run it with 'systemd-run --unit' to give you
better control over the process. You could even try running it with
qubes-tunnel using a drop-in file for the service (see 00_example.conf
and manpages for systemd.unit "overriding vendor settings").

Evastar

May 15, 2018, 3:37:24 AM
to qubes...@googlegroups.com


> Posting back to qubes-users...

Sorry for the direct message. Now I use web-based mail; it sets direct answer by default :(

A little more information. When it goes to the "no network state", I see at my ethervpn with "ip route list" (as I remember) that all vif+ interfaces show as "down". That is the problem. I do not know how to reconnect them and remove the "down" mark.

>
> Finally, if you find the solution involves restarting the ethervpn
> client, you may want to run it with 'systemd-run --unit' to give you
> better control over the process. You could even try running it with
> qubes-tunnel using a drop-in file for the service (see 00_example.conf
> and manpages for systemd.unit "overriding vendor settings").
>

Thanks. I will check these manpages. Maybe this will help.


Chris Laprise

May 15, 2018, 8:16:40 AM
to Evastar, qubes...@googlegroups.com
If the vif interfaces are going down, that suggests a bug either in
Qubes or in ethervpn. Since other Qubes users don't seem to be reporting
this symptom, I'd guess that ethervpn is mistakenly including the vif
interfaces with tun/tap whenever a link goes down or restarts. (The vif,
tun and tap interfaces look similar in the sense that they're all
virtual.) It's probably worth reporting this behavior on the ethervpn
forum/list.

You might also try writing a small script to bring the vif interfaces up.
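
A sketch of the kind of script suggested above, as an added example that is not part of the original post. It brings up only interfaces named like Qubes vifs whose administrative UP flag is missing; the sample `ip -o link show` text is constructed, and the `apply` argument is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread: list Qubes vif interfaces that are
# administratively down and bring only those back up.

# Constructed sample of `ip -o link show` output (one interface per line).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: vif12.0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
4: vif13.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
5: tap_vpn: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
6: vif14.0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN'

# Reads `ip -o link show` text on stdin and prints the vif names that lack
# the UP flag. The name pattern is anchored so tun/tap devices are never
# touched, and "LOWER_UP" alone does not count as UP.
down_vifs() {
    awk -F': ' '
        $2 ~ /^vif[0-9]+\.[0-9]+$/ && $3 !~ /[<,]UP[,>]/ { print $2 }
    '
}

# Brings every administratively-down vif up; returns non-zero if any fails.
restore_vifs() {
    rc=0
    for dev in $(ip -o link show | down_vifs); do
        echo "bringing up $dev"
        ip link set dev "$dev" up || rc=1
    done
    return $rc
}

# Only change anything when called with "apply" (needs root in the VPN VM).
if [ "${1:-}" = "apply" ]; then
    restore_vifs
fi
```

A vif that is UP but reports NO-CARRIER (vif14.0 in the sample) is left alone, because setting it up again would change nothing.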

Evastar

May 15, 2018, 7:52:11 PM
to qubes...@googlegroups.com


> If the vif interfaces are going down, that suggests a bug either in

Today it happened again and now I opened a terminal at ethervpn and typed "route". It freezes, not totally, but it prints the output of this command line by line and every line takes ~10 seconds to print. Maybe it's because I use ethervpn imported from a 3.2 backup? Something happens :(

> tun and tap interfaces look similar in the sense that they're all

I don't know how to check this.

And another question. You are an advanced user and you must know.

I'm trying to use this script to get the correct gateway IP to set up routes.

IP="$(ip addr | grep 'vpn_vpn' -A0 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')"

(vpn_vpn is "dhclient vpn_vpn" )

"ip addr" prints the output 192.168.30.10/24, and this command gives me 192.168.30.10, but I need to somehow find 192.168.30.1 and put it in the variable, then I want to use it with this command:
ip route add default via $IP

So sure, I don't know why it reports .10/24 and not .1/24

Maybe you know where/how to get the correct IP? My regular setup works with hard-coded 192.168.30.1, but I want to parse it on the fly.

Thanks


Evastar

May 15, 2018, 8:01:22 PM
to qubes...@googlegroups.com

And a 2nd question:

Do you know how to restore all connections after a proxyvm reboot? Yes, it's not possible to reboot it from Qubes Manager, but I can reboot it from a terminal. Then, maybe, some simple steps exist to reconnect all AppVMs? This would help me a lot. It's much simpler to reboot only the proxyVM vs all VMs.

Chris Laprise

May 17, 2018, 12:56:15 PM
to Evastar, qubes...@googlegroups.com
On 05/15/2018 07:51 PM, 'Evastar' via qubes-users wrote:
>
>
>> If the vif interfaces are going down, that suggests a bug either in
>
> Today it happened again and now I opened a terminal at ethervpn and typed "route". It freezes, not totally, but it prints the output of this command line by line and every line takes ~10 seconds to print. Maybe it's because I use ethervpn imported from a 3.2 backup? Something happens :(

Try adding '-n' option to route so it won't try to look up names for
each IP address.

>
>> tun and tap interfaces look similar in the sense that they're all
>
> I don't know how to check this.

This can only be checked in the ethervpn code. You may wish to report
the behavior to the ethervpn people.

>
> And another question. You are an advanced user and you must know.
>
> I'm trying to use this script to get the correct gateway IP to set up routes.
>
> IP="$(ip addr | grep 'vpn_vpn' -A0 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')"
>
> (vpn_vpn is "dhclient vpn_vpn" )
>
> "ip addr" prints the output 192.168.30.10/24, and this command gives me 192.168.30.10, but I need to somehow find 192.168.30.1 and put it in the variable, then I want to use it with this command:
> ip route add default via $IP
>
> So sure, I don't know why it reports .10/24 and not .1/24
>
> Maybe you know where/how to get the correct IP? My regular setup works with hard-coded 192.168.30.1, but I want to parse it on the fly.

Normally I would use 'hostname -I' to find the VM's IP address.

>
> Thanks
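
For the gateway question in the exchange above: when an interface is configured by dhclient, the lease it records carries the gateway as the `routers` option. The following is an added example, not part of either post, that reads the newest lease for `vpn_vpn` and validates the value before it reaches `ip route`; the lease file path, the `apply` argument and the sample lease text are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of a dhclient leases file (newest lease is last).
SAMPLE_LEASES='lease {
  interface "eth0";
  fixed-address 10.137.0.20;
  option routers 10.137.0.1;
}
lease {
  interface "vpn_vpn";
  fixed-address 192.168.30.10;
  option routers 192.168.30.254;
}
lease {
  interface "vpn_vpn";
  fixed-address 192.168.30.10;
  option subnet-mask 255.255.255.0;
  option routers 192.168.30.1;
}'

# lease_gateway IFACE: reads leases text on stdin and prints the first
# router of the newest lease recorded for IFACE (nothing if there is none).
lease_gateway() {
    awk -v want="$1" '
        /^lease[ \t]*[{]/ { iface = ""; gw = "" }
        $1 == "interface" { gsub(/[";]/, "", $2); iface = $2 }
        $1 == "option" && $2 == "routers" { gw = $3; sub(/[,;].*$/, "", gw) }
        /^[}]/ { if (iface == want && gw != "") last = gw }
        END { if (last != "") print last }
    '
}

# is_ipv4 VALUE: succeeds only for a dotted quad with octets 0-255, so a
# malformed or hostile DHCP value is never passed on to `ip route`.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }
    '
}

# Assumed lease path; it varies by distribution and dhclient options.
LEASES=${LEASES:-/var/lib/dhcp/dhclient.leases}
if [ "${1:-}" = "apply" ]; then
    GW=$(lease_gateway vpn_vpn < "$LEASES")
    is_ipv4 "$GW" && ip route add default via "$GW" dev vpn_vpn
fi
```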

Chris Laprise

May 17, 2018, 1:05:45 PM
to Evastar, qubes...@googlegroups.com
On 05/15/2018 08:01 PM, 'Evastar' via qubes-users wrote:
>
> And a 2nd question:
>
> Do you know how to restore all connections after a proxyvm reboot? Yes, it's not possible to reboot it from Qubes Manager, but I can reboot it from a terminal. Then, maybe, some simple steps exist to reconnect all AppVMs? This would help me a lot. It's much simpler to reboot only the proxyVM vs all VMs.

The way I'm familiar with involves re-setting the netvm of each
downstream VM after the proxyVM has rebooted.

One way you could achieve this is with my 'findpref' script in dom0:
https://github.com/tasket/Qubes-scripts

$ findpref -p netvm sys-vpn sys-vpn