Proxy VM loses routes for downstream Qubes after a while

Hi all,

I’m using a debian-11 proxy VM which I set up using the guide (more or less) to connect a couple of Qubes to an F5 VPN we use at work. I say “more or less” because the F5 VPN client for Linux is weird, and I need to use a browser to manually establish the VPN session, etc. But basically I use the first method in the community guide. I’m on an up-to-date QubesOS 4.1 box by the way.

Anyway, when I first boot QubesOS, I launch the proxy VM and establish the VPN connection. Then I launch my other Qubes that depend on that connection, and the routing is all fine and happy for a while. I can browse to intranet resources, ssh to hosts in private IP space at work, etc. However, after a while (maybe a day or two), the routes for those dependent Qubes just go away. I have no idea why.

I decided to take a look at the state of the system when the routing was happy, and try to manually restore it when the routing next started to fail. The critical routing is of course on the proxy VM, so I did a ‘sudo route’ in a terminal on there to get a look at it in the happy state, and stored that output in a text file. Then when the routing stopped working, I did another ‘sudo route’ on there and compared the tables. Sure enough, the two host routes for my other Qubes that need to talk through the VPN had vanished.

The happy news is that I was able to manually put them back (more on this below), and then connectivity resumed as expected from those two Qubes. But any ideas why they are just going away after a while?

If anyone else finds themselves in the same spot, hopefully this following bit will be useful. The commands I used to restore those routes from a terminal on the proxy VM were as follows:

sudo route add -host 10.137.0.23 dev vif12.0

The two critical bits to know are the dependent Qube’s IP address, in this case it was 10.137.0.23, and the virtual interface name, which was vif12.0. I’m not sure how to discover that virtual interface info once things have gone bad (anyone have a tip for that?), but if you capture the route information as described above while things are working you should have what you’ll need.