Networking Broken in 4.1 Default Templates

Continuing the discussion from Tor > VPN connection issues - only in 4.1 - multiple test configurations & vpn providers:

Please see the 2nd post in this thread for the Template issue description. This first post is only to offer clarification how I came to the conclusion that the real problem is Template related and not VPN related.

I first noticed some odd networking issue back in alpha 4.1 releases and every release I picked up after through at least a month after beta continued to have the same issues.

Primary Issue (which led to this template problem discovery): VPNs have issues connecting when connected after a TOR (sys-whonix) connection.

It seems to me, from a number of additional tests I did (see linked post above as well as 2nd post in this thread), that the problem has nothing to do with 4.1 specifically and instead entirely lies within the templates that come with 4.1 (or maybe the way they are installed/networked when installed via template dnf download).

I can’t tell you if this affects all templates. But it definitely affects Fedora 33 & 34 & Debian 10 installed from 4.1

I will explain the reason I believe the templates themselves are the issue in the post immediately following this one, first let me just repeat the actual issue from my other thread.

This is what works and does not work in a new 4.1 installation with templates fd33, fd34, deb10 installed (have not tried deb11 yet)

Assuming I have 2 VPN Qubes we will call VPN1 and VPN2 .

Working

NET > FW > VPN1 > AppVM
NET > FW > VPN2 > AppVM
NET > FW > VPN1 > VPN2 > AppVM
NET > FW > VPN2 > VPN1 > AppVM
NET > FW > VPN1 > SYS-WHONIX > AppVM
NET > FW > VPN2 > SYS-WHONIX > AppVM

Not Working

NET > FW > SYS-WHONIX > VPN1 > AppVM
NET > FW > SYS-WHONIX > VPN2 > AppVM
NET > SYS-WHONIX > VPN1 > AppVM
NET > SYS-WHONIX > VPN2 > AppVM

All of the above with identical Qube configs and layouts 100% work on 4.0

Whonix doesn’t seem to be part of the issue, I have a 4.1 Whonix 15 installed and it’s not breaking the networking.

Now, the reason I believe the templates are the actual issue here, whether it be the way they are built, some default networking settings inside them or perhaps something to do with the way 4.1 installs new templates from the repository - any of these could be the cause. But why I think it’s the templates is because:

After much frustration I decided to just copy over my base templates from an older Qubes 4.0 installation of mine. Copied the exact same templates, Fedora 33 & Fedora 34, unmodified, fresh installed using Qubes 4.0 and then “backed up” and restored to my Qubes 4.1.

I then changed my specific VPN VM’s to use those restored templates instead of the built in 4.1 ones and - voila! no more network problems.

Not only did this solve issues with VPN, but guess what, another seemingly unrelated older thread regarding Trezor (crypto hardware wallet) communication between Qubes using some socat commands was also fixed by my simply swapping in these restored 4.0 templates as a workaround.

Trezor & Monero Wallet issues reported for 4.1 - fixed by workaround

Another user with same issues as me (Tor > VPN problem in 4.1)

I also tested this all with fedora 33, fedora 33 minimal & debian 10. Restoring older templates fixes the networking issues in all cases.

I’m not well versed enough in networking protocols in Linux to figure out what exactly might be causing all of this.

Maybe there’s a common theme here aside from it working in 4.0. Is vpn set to UDP instead of TCP?

No, VPN issues are not the problem, they have already been 100% ruled out. The exact same VM transferred back & forth between Qubes 4.0 & 4.1 always works in all scenarios in 4.0 and does not in 4.1 - unless you also copy the TemplateVM’s over from 4.0 as well. And I’m talking fully freshly installed TemplateVM’s in all cases with no changes.

Please see the other thread this one is linked to at the top for further issues attempting to troubleshoot the VPN aspect, before I realized this is not the problem at all and why I started a different topic focused thread.

Working Workaround: For anyone else who is experiencing similar issues as mentioned in my 2nd post, I have a working workaround that I have been using for well over a month now without any issues.

Quite simply, copy TemplateVM’s over from Qubes 4.0.

  • Hop on Qubes 4.0, download a fresh TemplateVM of Fedora 33, 34, Debian 10, 11.
  • Run all the standard updates on that template.
  • Make a backup of it to a USB or wherever.
  • Import them into Qubes 4.1
  • Can run standard updates once again if you wish.
  • Set those restored VM’s as your primary networking VM’s for all your VPN’s or other services which you are having network issues - and voila, issues resolved.

Now, with RC1 there has been some recent new issues installing Template & dom0 updates if you don’t use the built in Templates that you install directly from 4.1 for whatever reason, so make sure you keep, at the very minimum, a Fedora 34 that’s been installed directly from Qubes 4.1 and set that as your main “sys-firewall” base template or else you may not be able to install updates.

Hopefully though, my goal with this thread is that we can resolve whatever problem is in the default 4.1 templates that is causing/blocking certain network processes as mentioned above, TOR > VPN, or other inter-qube communications (like Monero wallets or Trezor bridges) from correctly functioning as they do (and as one would expect them to) in Qubes 4.0
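The workaround steps above as dom0 commands, as an added example that is not part of the original posts. The backup path, the template name `fedora-34-r40` and the qube names `sys-vpn1`/`sys-vpn2` are placeholders; the script leaves `sys-firewall` on its 4.1-installed template, per the RC1 update note.

```shell
#!/bin/bash
# dom0 on Qubes 4.1. DRY_RUN=1 (default) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
# Qubes that must stay on a template installed directly from 4.1 (RC1 update note).
KEEP_ON_41_TEMPLATE="sys-firewall"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# restore_template BACKUP_PATH TEMPLATE_NAME
# --rename-conflicting restores the 4.0 copy under a new name when a template
# with the same name already exists; check qvm-ls for the name it was given.
restore_template() {
    run qvm-backup-restore --rename-conflicting "$1" "$2"
}

# switch_template NEW_TEMPLATE QUBE...
switch_template() {
    new_template="$1"; shift
    if [ "$DRY_RUN" != "1" ] && ! qvm-check --quiet --template "$new_template"; then
        echo "error: $new_template is not an installed template" >&2
        return 1
    fi
    for qube in "$@"; do
        case " $KEEP_ON_41_TEMPLATE " in
            *" $qube "*)
                echo "skip $qube: keep it on a 4.1-installed template" >&2
                continue ;;
        esac
        # The template can only be changed while the qube is halted.
        if [ "$DRY_RUN" = "1" ] || qvm-check --quiet --running "$qube"; then
            run qvm-shutdown --wait "$qube"
        fi
        run qvm-prefs "$qube" template "$new_template"
    done
}

# Example (names are placeholders):
#   restore_template /path/to/backup fedora-34
#   switch_template fedora-34-r40 sys-vpn1 sys-vpn2
if [ "$#" -ge 2 ]; then switch_template "$@"; fi
```

Review the dry-run output first, then rerun with `DRY_RUN=0` to apply the changes.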