Internet shuts down after a few minutes – firewall suspected

Hi there,

I’m on Q4.2.4 with this structure:

Sys.net – Firewall-EXT - VPN1 – VPN2 - Firewall-INT – to VMs

After 2-4 minutes the internet connection via LAN (no WLAN activated) breaks down.

When I open a terminal in the following machines

Sys.net – Firewall-EXT - VPN1 – VPN2

pinging e.g. 8.8.8.8 works; only on Firewall-INT is it dead.

System template: fedora-41-xfce, No rules established

Suddenly, on my first installation, the problem occurred. Then I made a backup, reinstalled the OS completely and restored only the VMs I had created myself.

What I noticed: when starting the OS and then clicking on “service”, “sys-firewall-INT” is not marked in BOLD, but only in normal letters. Maybe this is a hint that it is not initialized properly. Can this be true?

When I restart only the “sys-firewall-INT” it appears in BOLD letters.

Maybe it’s necessary to start it up with a delay after the other VMs - Sys.net – Firewall-IN - VPN1 – VPN2? How can this be done?

To avoid that I tried the following:

After starting the machine I opened a terminal on Firewall-INT and started a ping to 8.8.8.8 to keep the machine busy with permanently being in touch with the internet.

Sometimes it worked and I could work several hours, sometimes after 4 minutes the connection is lost and all VMs are cut off from internet.

  • MTU rate in LAN1: I went down from 1200 to 900 – no effect
  • Adjusting some values like:

Edit /etc/sysctl.conf, create the file 99-keepalive.conf and add the values

net.ipv4.tcp_keepalive_time = 7200

net.ipv4.tcp_keepalive_intvl = 7500

net.ipv4.tcp_keepalive_probes = 9

“sudo sysctl -p” to apply

Also changed:

Edit in /etc/sysctl.d/ the file 99-sysctl.conf with:

net.ipv4.tcp_keepalive_time = 7200

net.ipv4.tcp_keepalive_intvl = 7500

net.ipv4.tcp_keepalive_probes = 9

Run the commands to save changes:

echo "net.ipv4.tcp_keepalive_time = 7200" | sudo tee -a /etc/sysctl.conf

echo "net.ipv4.tcp_keepalive_intvl = 7500" | sudo tee -a /etc/sysctl.conf

echo "net.ipv4.tcp_keepalive_probes = 9" | sudo tee -a /etc/sysctl.conf

The description said that changing the values that way would be permanent, but after a restart I checked the files and my inserted values had vanished.

Is the firewall disposable?

So why does that VM always shut down the internet connection? Has anyone a clue – and a solution?

Hope, someone has a solution.

KR Peter

Check if your ping is going through the VPN tunnel in VPN2 qube instead of going directly.
If your VPN in the VPN2 qube is dead and you have a firewall rule there that is blocking forward connections outside of VPN tunnel, then that could explain why ping works in the VPN2 qube itself and doesn’t work in the Firewall-INT qube.

@Kubatori

Yes this is correct.
Maybe you should check if you’ve chained your appvms’ netqubes correctly.

AppVM Netqube set to Firewall INT → Firewall INT Net Qube → set to VPN2 … etc.

The Firewall INT should boot up automatically when you start the appvm - if they are chained correctly.

Hi there,

thx for your tip. The VMs, VPNs and firewalls are connected correctly. When the startup is done, the Firewall-EXT often is not coloured in BOLD. When I restart it, then it’s BOLD.

Thank you for your proposal. If there should be a rule then the connection from VPN2 to FW-INT would be permanently blocked and not after 4 minutes. I did not establish any rule in any of the listed VMs. I checked out FW-INT - settings - Firewall and there are no rules.

If your VPN in the VPN2 qube disconnects after 4 minutes and the firewall rules in the VPN2 qube are configured to block the forward connections outside of VPN tunnel, then the internet will work for the VPN2 qube itself, but it’ll be blocked for the qubes connected to it.
Check that your VPN connection works in the VPN2 qube when this problem occurs.
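A small health check for the test suggested in this reply, added here as an example and not part of the original post: it reads the output of "wg show all latest-handshakes" (a constructed sample is embedded; the interface name, peer keys and timestamps are placeholders) and flags peers whose last handshake is older than WireGuard's 180 s rejection window. That is exactly what a silently dead tunnel looks like: the interface and routes still exist, downstream qubes still route into it, but nothing comes back.

```python
"""WireGuard handshake freshness check for a VPN qube.

Added example (not from the thread). Interface name, peer keys and
timestamps in SAMPLE_OUTPUT are constructed placeholders.
"""
import subprocess
import time
from typing import List, Optional, Tuple

# WireGuard rekeys at least every 120 s while traffic flows and rejects a
# session after 180 s, so a handshake older than this means the peer is
# not answering even though the interface and routes still exist.
STALE_AFTER = 180

# Constructed sample of "wg show all latest-handshakes": one line per peer,
# tab-separated: interface, peer public key, epoch seconds of the last
# handshake (0 = never handshaked).
SAMPLE_OUTPUT = (
    "wg-vpn2\tPEER_A_PLACEHOLDER_KEY=\t1700000000\n"
    "wg-vpn2\tPEER_B_PLACEHOLDER_KEY=\t0\n"
)
SAMPLE_NOW = 1700000100  # constructed "current time" for the sample


def parse_handshakes(output: str) -> List[Tuple[str, str, int]]:
    """Turn the wg output into (interface, peer, last_handshake_epoch) rows."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        iface, peer, ts = line.split("\t")
        rows.append((iface, peer, int(ts)))
    return rows


def stale_peers(output: str, now: int,
                max_age: int = STALE_AFTER) -> List[Tuple[str, str, Optional[int]]]:
    """Peers that never handshaked (age None) or whose handshake is older than max_age."""
    stale = []
    for iface, peer, ts in parse_handshakes(output):
        if ts == 0:
            stale.append((iface, peer, None))
        elif now - ts > max_age:
            stale.append((iface, peer, now - ts))
    return stale


def tunnel_healthy(output: str, now: int, max_age: int = STALE_AFTER) -> bool:
    """True when at least one peer completed a handshake within max_age seconds."""
    return any(ts != 0 and now - ts <= max_age
               for _, _, ts in parse_handshakes(output))


def report(output: str, now: int) -> str:
    """Human-readable verdict, suitable for a once-a-minute loop in the VPN qube."""
    if tunnel_healthy(output, now):
        verdict = "tunnel up"
    else:
        verdict = "tunnel DOWN: downstream qubes will lose connectivity"
    for iface, peer, age in stale_peers(output, now):
        detail = "never handshaked" if age is None else f"last handshake {age}s ago"
        verdict += f"\n  {iface} {peer[:12]} {detail}"
    return verdict


if __name__ == "__main__":
    # Live mode: run inside the VPN qube (reading wg state needs root).
    live = subprocess.run(
        ["wg", "show", "all", "latest-handshakes"],
        capture_output=True, text=True, check=True,
    ).stdout
    print(report(live, int(time.time())))
```

Run it in the VPN2 qube at the moment the downstream qubes go dark: if the handshake is stale right then, the VPN session is what died, and the firewall qube behind it is only showing the consequence.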

Hi,

strange, this posting does not appear in the forum.

What have I done?

Sys-net = FW-EXT = VPN1 = VPN2 = FW-INT

I started at the back and linked, via Network properties, FW-INT to VPN2, next VPN2 to VPN1, next VPN1 to FW-EXT and FW-EXT to Sys-net.

Qubes has a VPN VM installed. I installed the conf file, copied the VPN qube and installed another conf file.

Did you just use WireGuard or also OpenVPN files?

I’ve never heard of nesting, searched for it but did not find a suitable explanation. I suppose my way is chaining.

I did not establish any FW rules. Is that necessary or optional? The strange thing is that the connection works for 4 minutes and then breaks down. If there were a rule, the problem would start from the beginning.

Actually I just played with different VPNs of the same company and as you say I’ll try the VPN from another provider and see if it works out.

Yes, this should work with WireGuard. The setup you’re using is nested. A nested VPN is basically a VPN inside a VPN, just like your setup. It provides double encryption. But you need to make sure your DNS is configured correctly (your VPN provider’s DNS), otherwise this setup can leak your DNS, which you don’t want.

Please check this first:

Go to your sys-firewalls and sys-vpn’s → settings → advanced tab and check if provides network is checked. If not check it.

THIS IS AN EXAMPLE OF THE SETUP

I am by no means an advanced Qubes user so please don’t take my word for it and read Solene’s excellent guide: Wireguard VPN setup

SYS-NET

FW-EXT → VPN1 + ADDRESS + VPN2 IP ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  2. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 1] dstports=[port number] comment=[insert comment]
  3. qvm-firewall [appvm / sysnetvm name] add accept specialtarget=dns
  4. qvm-firewall [appvm / sysnetvm name] add drop proto=icmp
  5. qvm-firewall [appvm / sysnetvm name] add drop
  • → Qubes menu → VPN2 → setting → netqube: select SYS-NET → provides network: yes

VPN1 → VPN1 + ADDRESS + VPN2 IP ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  2. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 1] dstports=[port number] comment=[insert comment]
  3. qvm-firewall [appvm / sysnetvm name] add accept specialtarget=dns
  4. qvm-firewall [appvm / sysnetvm name] add drop proto=icmp
  5. qvm-firewall [appvm / sysnetvm name] add drop

  • → Qubes menu → VPN1 → setting → netqube: select FW-EXT → provides network: yes

VPN2 → VPN2 ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  2. qvm-firewall [appvm / sysnetvm name] add accept specialtarget=dns
  3. qvm-firewall [appvm / sysnetvm name] add drop proto=icmp
  4. qvm-firewall [appvm / sysnetvm name] add drop
  • → Qubes menu → VPN2 → setting → netqube: select VPN1 → provides network: yes

FW-INT → VPN2 ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  • → Qubes menu → FW-INT → setting → netqube: select VPN2

APP-VM
→ Qubes menu → app-vm → settings → netqube select FW-INT

I’m not sure about the setting for FW-INT, maybe someone else can advise on that

Here is some info on types of VPN setups

1. Nested VPN

What it is: Two (or more) VPN clients run on the same device (or inside a VM/container on that device).
How traffic moves:
Device → Inner VPN (Provider B) → Outer VPN (Provider A) → Internet
Key points:
    Gives you full control over each provider and protocol.
    Often causes routing conflicts; many mobile OSes allow only one active VPN tunnel, so true nesting usually works only on desktops or within VMs.
    Adds extra latency and CPU load because packets are encrypted twice. 

2. Chained (Double‑Hop) VPN

What it is: The provider links two of its own servers back‑to‑back. From the user’s perspective there is still just one VPN client.
How traffic moves:
Device → Single tunnel to Server 1 → Server 1 forwards (re‑encrypts) to Server 2 → Internet
Key points:
    No routing conflicts on the client side.
    You’re limited to the provider’s preset hop pairs.
    Slightly higher latency, but setup is trivial for the user.

3. Cascaded VPN

What it is: The user stacks multiple independent VPNs across separate network layers (router, VM, separate device).
How traffic moves:
Device → First VPN (Provider A, e.g., on router) → Second VPN (Provider B, e.g., on laptop/VM) → … → Internet
Key points:
    Maximum flexibility: you pick each hop’s provider, location, and protocol.
    Requires extra hardware or virtualization (router firmware, VM, etc.).
    May encounter double‑kill‑switch issues and higher cumulative latency

Source: Lumo private AI
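To make the explanation given earlier in this thread concrete (the VPN qube's firewall only lets traffic out towards its VPN endpoint, so the qubes behind it go dark the moment the tunnel drops while the VPN qube itself still resolves and reaches its endpoint), here is a first-match model of the qvm-firewall rule lists posted above. It is an added example, not Qubes' own implementation (Qubes compiles these rules into nftables inside the netvm) and not code from Solene's guide; the endpoint address 203.0.113.10, port 51820 and the 10.139.1.x DNS addresses are assumed placeholders.

```python
"""First-match model of a VPN qube's qvm-firewall rule list.

Added example, not Qubes' firewall implementation. Endpoint address, port
and DNS addresses are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPN2_ENDPOINT = "203.0.113.10"          # placeholder: VPN2 server address
VPN2_PORT = 51820                        # placeholder: WireGuard port
QUBES_DNS = {"10.139.1.1", "10.139.1.2"}  # assumed DNS addresses a qube is given


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dst: str              # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                              # "accept" or "drop"
    proto: Optional[str] = None
    dsthost: Optional[str] = None
    dstports: Optional[Tuple[int, int]] = None
    specialtarget: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """A rule with no constraints (the final 'drop') matches everything."""
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dsthost and pkt.dst != self.dsthost:
            return False
        if self.dstports:
            lo, hi = self.dstports
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        if self.specialtarget == "dns":
            # Qubes expands specialtarget=dns to the DNS addresses it hands the qube.
            if pkt.dst not in QUBES_DNS or pkt.dport != 53:
                return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse the rule part of a qvm-firewall command, e.g.
    'accept proto=udp dsthost=203.0.113.10 dstports=51820 comment=vpn2'."""
    action, *opts = text.split()
    if action not in ("accept", "drop"):
        raise ValueError(f"unknown action {action!r}")
    kw = {}
    for opt in opts:
        key, _, value = opt.partition("=")
        if key == "dstports":
            lo, _, hi = value.partition("-")
            kw["dstports"] = (int(lo), int(hi or lo))
        elif key in ("proto", "dsthost", "specialtarget", "comment"):
            kw[key] = value
        else:
            raise ValueError(f"unknown option {key!r}")
    return Rule(action, **kw)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins; returns (action, rule index), or ('drop', -1)
    if nothing matched (conservative default assumed for this model)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "drop", -1


def outbound(pkt: Packet, tunnel_up: bool, rules: List[Rule]) -> Tuple[str, int]:
    """What the VPN2 qube's firewall sees for a packet from a downstream qube.
    With the tunnel up the packet is encapsulated into UDP to the endpoint, so
    only the endpoint rule has to match. With the tunnel down the same packet
    leaves unencapsulated and hits the drop rules: the kill-switch behaviour."""
    if tunnel_up:
        pkt = Packet("udp", VPN2_ENDPOINT, VPN2_PORT)
    return evaluate(rules, pkt)


# The VPN2 rule list from the thread, with placeholders filled in.
VPN2_RULES = [parse_rule(r) for r in (
    f"accept proto=udp dsthost={VPN2_ENDPOINT} dstports={VPN2_PORT} comment=vpn2-endpoint",
    "accept specialtarget=dns",
    "drop proto=icmp",
    "drop",
)]


if __name__ == "__main__":
    ping = Packet("icmp", "8.8.8.8")
    for up in (True, False):
        action, idx = outbound(ping, up, VPN2_RULES)
        print(f"tunnel {'up' if up else 'down'}: ping 8.8.8.8 from FW-INT -> {action} (rule {idx})")
```

The two printed lines are the whole story of the symptom: with the tunnel up, a ping from FW-INT is accepted because it leaves as UDP to the endpoint; with the tunnel down, the very same ping is dropped by the ICMP rule, and any TCP or UDP flow falls through to the final drop. Without the accept rules in the right order (endpoint first, DNS second, drops last) the handshake itself could never leave either.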

Did you fix it?

Hi there,

sorry, I’ve been out for the weekend and just returned. Thank you for that many tips. I will try it next week and then tell you what happened.

KR

I have not set any rules in any qube. How can I check that? “Check that your VPN connection works in the VPN2 qube when this problem occurs.”

  1. Please check this first:

Go to your sys-firewalls and sys-vpn’s → settings → advanced tab and check if provides network is checked. If not check it.

In the VPNs I can activate that feature under “Services” but in the firewalls it is not available. When I click on custom, no features are shown.

  1. Are these commands for the terminal?
    1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
    2. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 1] dstports=[port number] comment=[insert comment]
    3. qvm-firewall [appvm / sysnetvm name] add accept specialtarget=dns
    4. qvm-firewall [appvm / sysnetvm name] add drop proto=icmp
    5. qvm-firewall [appvm / sysnetvm name] add drop

What does “comment=[insert comment]” mean?

The firewall already provides network access by default, so it’s already checked.
But in your sys-vpn this should also be switched on.

A comment is a reminder for you which vpn you are using. Example: comment=personal-qube-proton-usa-lax-wg-002. It’s a handy way to see which vpn you are using in which qube.

I suggest you rebuild your setup and follow Solene’s guide → see the link above. I managed to get my setup working following that guide and I assume many other people. :grinning:

Hi. Good news. Very good news! :grinning: I took the VPNs from another provider - and it works perfectly! Your Solene hint was also very good. I’ll harden the system with that information.
So I thank you very much! :+1:

Oh I forgot one question to the Solene script:
He only uses one VPN, me 2 in a row, nested. Both have a different endpoint.
FW-Out = VPN1 = VPN2 = FW-IN
Question: I think that VPN2 will be the endpoint. So do I have to adapt the endpoint of VPN1 with the endpoint data from VPN2 (IP address and port)?

Configure both VPNs independently; each VPN has its own endpoint. It does not matter whether you nest A in B or B in A or do not nest them at all.

She :smile: Qubes OS allows you to use a single VPN or stack them infinitely (it’s not usable and useless but you get the point), so configuring one VPN or two VPNs is the same on Qubes OS.

:tada: Congrats

I’m very happy it worked out for you :clap: :grinning:

Once again: Thanks a lot. You’re great! :100: :+1: :+1: :+1: :+1: :+1: