Qubes in-place upgrade from 4.1-4.2 issues

I got the same results for sys-firewall, the proxyvm I'm having issues with, and sys-net.

Changing my dvm to sys-firewall, I'm able to connect to websites fine. However, my proxy VMs are not able to connect.

I can confirm the issue is only with VPN VMs.

How did you configure your VPN qube?

Most are configured like this: using Network Manager, I added the .ovpn config files with username and password. Then I went into the firewall settings for that qube and added the IPs.

The one oddball is Riseup VPN. They don't give out ovpn config files for it, so I defaulted to using the app, which never gave me issues on 4.1.

I also have MAC address randomization set to every start via a script.

Do you have any firewall rules add/remove (using iptables or nft) in the config file?

I haven't touched iptables/nftables at all.

Not by yourself, there could be iptables commands in .ovpn config.


Ohh. How can I check this?

Check the content of .ovpn file and see if there are any iptables there.
Or any up/down scripts.
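
One way to run the check suggested above, as an added example that is not part of the thread: a small shell function that lists the lines in an .ovpn file that run scripts, load plugins, or mention iptables/nft. The directive list covers OpenVPN's script hooks; the sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example: flag .ovpn lines that run scripts or touch firewall rules.

# OpenVPN directives that execute an external command or load a plugin.
HOOKS='up|down|route-up|route-pre-down|ipchange|tls-verify|auth-user-pass-verify|client-connect|client-disconnect|learn-address|script-security|plugin'

# scan_ovpn FILE: print "FILE:LINE:text" for every hit.
# Returns 0 if something was found, 1 if the file looks clean.
scan_ovpn() {
    # Drop comment lines (# or ;) but keep the original line numbers, then
    # keep lines that start with a hook directive or mention iptables/nft.
    hits=$(grep -nEv '^[[:space:]]*[#;]' "$1" |
        grep -E "^[0-9]+:[[:space:]]*(${HOOKS})([[:space:]]|\$)|ip6?tables|(^|[^[:alnum:]_])nft([^[:alnum:]_]|\$)") || return 1
    printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$1" "$line"
    done
}

# Constructed sample config for the demo (not from a real provider).
make_sample() {
    cat >"$1" <<'EOF'
client
dev tun
remote vpn.example.net 1194
# up /etc/openvpn/disabled.sh
script-security 2
up /etc/openvpn/update-resolv-conf
route-up "/sbin/iptables -I FORWARD -o eth0 -j DROP"
up-delay
EOF
}

# With arguments: scan each given file. Without: scan the constructed sample.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp); make_sample "$tmp"; scan_ovpn "$tmp"; rm -f "$tmp"
else
    for f in "$@"; do
        scan_ovpn "$f" || echo "$f: no script hooks or firewall commands"
    done
fi
```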

‘Doesnt exist or is private’



I don't see any. Checked 2 VPN providers' .ovpn files.

Can you ping from your VPN qube?

ping quad9.com

I'm not getting any pings on either.

I think I found the culprit, however. In another thread it mentioned MAC address randomization is causing some issues. I used this guide (Anonymizing your MAC address).

After deleting the 50-macrandomize.conf, it works.

But this presents a problem because I need MAC address randomization.

Ps. Brb

There is no use in randomizing the MAC address of virtual interfaces in VMs. Only randomizing the MAC address of your physical network controller in e.g. sys-net makes sense.
The MAC addresses are only seen within the same physical segment, e.g. between sys-vpn and sys-firewall. The VPN provider won’t be able to see the MAC address of the virtual interface in the VM just based on the network packets.

What if I have an application running in vm1, and my setup is sys-net → sys-firewall → sys-vpn → vm1?

Some applications are able to read hardware identifiers, right? Would applications in this scenario be able to read the MAC address? If so, which ones?

The app running locally in the VM will be able to read the MAC address of its virtual interface.
This MAC address is the same for all qubes 00:16:3e:5e:6c:00:


Makes sense. Thank you so much for your time!

This has been done by default under Qubes OS sys-net for a really long time, under paid grant work (wifi), but not for wired connections. I agree: there is no use randomizing MAC outside of sys-net. The reason is that MAC addresses are only used on the physical layer of TCP/IP: only switches and routers directly connected to your machine will see it, no other device (misconception of what a MAC address is and what it is used for).