Freshly installed + configured VPN Gateway VM won't shutdown

qube_bert · October 11, 2021, 1:24pm

hi folks,

stock, updated Qubes 4.0 with KDE installed according to the forum here (It’s great).

I set up a a ProxyVM as a VPN gateway using iptables and CLI scripts following the instructions here exactly, using the Debian 10 template. I tried twice to reduce the possibility of human error.

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

It seems to work fine, AppVMs connected to it seem go through the VPN when tested by ipleak and a visual network monitor.

The VPN Gateway won’t shut down however, and must be killed after choosing the “wait” prompt several times.

The log for the VPN Gateway at /var/log/xen/console has many lines with “A stop job is running for Qubes misc post-boot actions” at the end.

Searching for variations of this error message got nothing.

Any hints or pointers from someone who’s got a moment?

A secondary issue that arose is that either the VPN Gateway VM or the AppVM connected to it appear to be making connections to IP adresses other than the VPN servers, according to a visual network monitor AppVM the VPN Gateway VM is connected to.

ppc · October 11, 2021, 1:37pm

I don’t know how to fix this but can you create second topic so it easier to find

qube_bert · October 13, 2021, 9:43am

The second topic is basically the common question on the forum: How to definitively configure a firewall setup so that only connections that the user wants are made?

Having searched everything on the forum that may be related over the last couple of months I’m still not clear, and far from confident that some firewall won’t fall open or something. Even power users appear to be having trouble with this.

Back to the main topic:

Does anyone have any pointers on how to troubleshoot the log error message "A stop job is running for Qubes misc post-boot actions” - there seems to be nothing online.

The VPN Gateway VM seems to be operating fine apart from throwing that error message and needing to be killed to shutdown.

qube_bert · October 27, 2021, 2:42am

I’m surprised that nobody seems to have seen this error message. There’s nothing searchable about it.

Could anyone outline the troubleshooting steps to investigate the issue on qubes?

S9qPsAMNuW4ax5EF5 · October 27, 2021, 7:31am

post-boot-actions means that you should probably look at the way systemd stops services when the computer shuts down. Most likely some service is broken that depends on “qubes misc post-boot-actions.target” or something like this and the broken service doesn’t react to SIGKILL. Thus the shutdown process can’t reach the shutdown target, can’t continue the shutdown and thus won’t finish shutting down until you kill the VM. (though that’s just my speculation from the error message, could be that I’m totally wrong about this )

qube_bert · October 29, 2021, 8:15am

appreciate the thoughtful reply.

It’s just a level above my abilities though

The point of the OP, I guess, is that I followed the vpn guide linked in the OP and got the VM shutdown error. Then repeated the process 3 times carefully and got the same error and behaviour.

Searching the error message gave nothing that seemed relevant. I’m surprised that it hasn’t come up on the forum before.

4.0 is installed here - Maybe updating the stock versions of debian or fedora is the next step?

Or maybe update to 4.1?

icequbes1 · October 29, 2021, 12:50pm

What’s in your /rw/config/rc.local file? Make sure it executes commands that “return”.

When the qube is up and running, see if there’s anything out of ordinary in sudo systemctl status qubes-misc-post.