Reattaching firewall vm to untrusted vm without killing the untrusted vm.


bill...@gmail.com

Feb 16, 2020, 12:34:41 PM
to qubes-users
Qubes folk,

So, I have a debian-based untrusted vm that is attached to a mullvad
vpn through Sweden; the mullvad vpn gets its networking from
sys-firewall (i.e. sys-net -> sys-firewall -> mullvad-vpn -> untrusted vm).

I have another "local" vm that is directly attached to sys-firewall
(i.e. sys-net -> sys-firewall -> local vm).  Nothing other than sys-usb
starts automatically on boot.

The mullvad-vpn is a standalone vm, set up per the Qubes mullvad
instructions, while the untrusted and local vms are based on the
debian-10 template.

I'm running Qubes release 4.0.2.

When I change locations without rebooting the box and switch wireless
networks, the sys-net, sys-firewall, and local vms automatically
update.  Unfortunately, the mullvad-vpn vm does *not* update
automatically.  In order to get networking on the untrusted vm, I have
to kill it *and* the mullvad-vpn vm, and restart them -- which means I
have to kill any running apps, which is a pain when I'm doing big image
tasks in the background.

Is there a way to tell a standaloneVM like my mullvad-vm to either
update automatically, or a command to get it to re-set its networking
to a changed sys-firewall vm?

Thanks,

billo

bill...@gmail.com

Feb 16, 2020, 12:40:28 PM
to qubes-users
As an aside, these are the instructions I used to set up the mullvad vpn.


Chris Laprise

Feb 16, 2020, 12:50:39 PM
to qubes...@googlegroups.com, bill...@gmail.com
This refusal to change in the mullvad vm could be due to a common
openvpn behavior where it tries to revive the current connection over a
5 minute period. This is good for a VPN server, but for a PC it will
look like it is unable to re-connect.

The Qubes-VPN-support tool sets a max openvpn timeout of 40 seconds; on
average it will re-connect in about 20 sec. after losing the old connection:

https://github.com/tasket/Qubes-vpn-support

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

pillule

Feb 16, 2020, 3:45:28 PM
to qubes-users

On Sun, Feb 16 2020, bill...@gmail.com wrote:

> Qubes folk,
>
> So, I have a debian-based untrusted vm that is attached to a mullvad
> vpn through Sweden; the mullvad vpn gets its networking from
> sys-firewall (i.e. sys-net -> sys-firewall -> mullvad-vpn -> untrusted vm).
>
> I have another “local” vm that is directly attached to sys-firewall
> (i.e. sys-net -> sys-firewall -> local vm). Nothing other than sys-usb
> starts automatically on boot.
>
> The mullvad-vpn is a standalone vm, set up per the Qubes mullvad
> instructions, while the untrusted and local vms are based on the
> debian-10 template.
>
> I’m running Qubes release 4.0.2.
>
> When I change locations without rebooting the box and switch wireless
> networks, the sys-net, sys-firewall, and local vms automatically
> update. Unfortunately, the mullvad-vpn vm does not update
> automatically. In order to get networking on the untrusted vm, I have
> to kill it and the mullvad-vpn vm, and restart them – which means I
> have to kill any running apps, which is a pain when I’m doing big image
> tasks in the background.
>
> Is there a way to tell a standaloneVM like my mullvad-vm to either
> update automatically, or a command to get it to re-set its networking
> to a changed sys-firewall vm?
>
> Thanks,
>
> billo

Hi,

You can switch the ’netvm’ of any VM on the fly with Qubes Manager or
via command line
`[user@dom0 ~]$ qvm-prefs "vmname" netvm none`
then switch back when ready.
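
The detach-and-reattach step described above, as an added dom0 shell example that is not part of the original post: it records the VM's current netvm, sets it to none, then restores the recorded value, leaving the VM offline if the restore fails. The function name `reattach_netvm` and the `QVM_PREFS` override are hypothetical, and the handling of an empty or `None` reading from `qvm-prefs VMNAME netvm` is an assumption about its output.

```shell
#!/bin/bash
# Added example for dom0. QVM_PREFS is a hypothetical override used for dry
# runs; by default the real qvm-prefs tool is called.
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# reattach_netvm VMNAME [PAUSE_SECONDS]
# Detach VMNAME from its netvm, wait, then reattach it to the same netvm.
# Prints the netvm that was restored.
# Usage in dom0 (VM name taken from the thread): reattach_netvm mullvad-vpn
reattach_netvm() {
    local vm pause current
    vm="$1"
    pause="${2:-2}"
    [ -n "$vm" ] || { echo "usage: reattach_netvm VMNAME [PAUSE]" >&2; return 2; }

    # Record the current netvm so exactly that one is restored afterwards.
    current="$("$QVM_PREFS" "$vm" netvm)" || return 1
    case "$current" in
        ""|None|none)
            # Assumption: an unset netvm reads back as empty or "None".
            echo "$vm has no netvm; nothing to reattach" >&2
            return 3
            ;;
    esac

    # Detach: the VM has no network path from here until the reattach.
    "$QVM_PREFS" "$vm" netvm none || return 1
    sleep "$pause"

    # Reattach to the recorded netvm. On failure the VM stays detached
    # (fail closed) and the previous value is reported for manual repair.
    if ! "$QVM_PREFS" "$vm" netvm "$current"; then
        echo "reattach failed; $vm left with netvm none (was: $current)" >&2
        return 1
    fi
    echo "$current"
}
```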

