Qubes-network doesn't work in Arch

qubes-network doesn’t work in Arch.
Today I started moving my network-connected AppVMs to ArchLinux.
I got the archlinux-minimal template from qubes.3isec.org.
And there is no network connection in the AppVMs ever, except when an AppVM is connected directly to sys-net.

]$ systemctl status qubes-network
○ qubes-network.service - Qubes network forwarding setup
Loaded: loaded (/usr/lib/systemd/system/qubes-network.service; enabled; preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Tue 2023-03-14 18:56:03 UTC; 12min ago
└─ ConditionPathExists=/var/run/qubes-service/qubes-network was not met

I fixed pacman.conf so that pacman works with qubes-proxy, and I set up pikaur (AUR helper) to work with qubes-proxy. It works properly.
I have no idea how to fix the network in the AppVM.
When I added unman’s Arch repository and installed the qubes-vm-networking package, I got this:

]$ sudo systemctl status qubes-network
● qubes-network.service - Qubes network forwarding setup
Loaded: loaded (/usr/lib/systemd/system/qubes-network.service; enabled; preset: enabled)
Active: active (exited) since Tue 2023-03-14 19:25:00 UTC; 13min ago
Process: 478 ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh (code=exited, status=0/SUCCESS)
Main PID: 478 (code=exited, status=0/SUCCESS)
CPU: 5ms
Mar 14 19:25:00 archlinux-surfing-dvm systemd[1]: Starting Qubes network forwarding setup…
Mar 14 19:25:00 archlinux-surfing-dvm systemd[1]: Finished Qubes network forwarding setup.

But there is no network connection. Ping doesn’t work.
I installed a virgin Arch template again and tried to run ping in an AppVM, and it doesn’t work.

Please help.

Hi Vanhar,

I’m not sure I understand your setting; is it a failure in your AppVM and in your NetVM?
Can you add a small ASCII diagram with details about each VM (template, IP setting OK or FAIL)?

Ex:

myAppVM       --> sys-firewall    --> sys-net
archlinux,OK      debian-11, OK       debian-11, OK

In my ArchLinux based AppVM (daily-archlinux-reading), qubes-network also fails, but my AppVM IP setting works. In my ArchLinux TemplateVM, pacman -Syu works.

[user@daily-archlinux-reading ~]$ systemctl status qubes-network
○ qubes-network.service - Qubes network forwarding setup
     Loaded: loaded (/usr/lib/systemd/system/qubes-network.service; enabled; preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Tue 2023-03-14 22:00:02 UTC; 10min ago
             └─ ConditionPathExists=/var/run/qubes-service/qubes-network was not met
[user@daily-archlinux-reading ~]$ systemctl cat qubes-network
# /usr/lib/systemd/system/qubes-network.service
[Unit]
Description=Qubes network forwarding setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=network-pre.target qubes-iptables.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh
ExecStop=/usr/lib/qubes/init/network-proxy-stop.sh

[Install]
WantedBy=multi-user.target

[user@daily-archlinux-reading ~]$ pacman -Qo /usr/lib/systemd/system/qubes-network.service
/usr/lib/systemd/system/qubes-network.service is owned by qubes-vm-core 4.1.37-16

[user@daily-archlinux-reading ~]$ less /usr/lib/qubes/init/network-proxy-setup.sh
[user@daily-archlinux-reading ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:aa:bb:cc:dd:00 brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.74/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2aa:bbff:fecc:dd00/64 scope link 
       valid_lft forever preferred_lft forever
[user@daily-archlinux-reading ~]$ ip route
default via 10.138.3.247 dev eth0 onlink 
10.138.3.247 dev eth0 scope host onlink 
[user@daily-archlinux-reading ~]$ ping -c1 10.138.3.247
PING 10.138.3.247 (10.138.3.247) 56(84) bytes of data.
64 bytes from 10.138.3.247: icmp_seq=1 ttl=64 time=0.406 ms

--- 10.138.3.247 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.406/0.406/0.406/0.000 ms
[user@daily-archlinux-reading ~]$ curl -I https://archlinux.org/
HTTP/2 200 
server: nginx
date: Tue, 14 Mar 2023 22:30:02 GMT
content-type: text/html; charset=utf-8
content-length: 24536
...

My AppVM, with debian-11 based sys-firewall and sys-net:

[user@dom0 ~]$ qvm-ls daily-archlinux-reading
NAME                     STATE    CLASS  LABEL   TEMPLATE          NETVM
daily-archlinux-reading  Running  AppVM  yellow  tpl-archlinux-41  sys-firewall

@Vanhar Please read the error message -
start condition failed at Tue 2023-03-14 22:00:02 UTC; 10min ago
ConditionPathExists=/var/run/qubes-service/qubes-network was not met

If you touch that file then the service will start correctly.

The file will be automatically created if you use qvm-features to
enable the service in the qube.
But is this what you want? - read the description:
qubes-network.service - Qubes network forwarding setup
Are you trying to use Arch as sys-firewall?
Your complaint seemed to be that you did not have network access from
arch qubes. That is a different case.

Thanks for the answers. I use the Arch VM as an AppVM, not a NetVM.
As NetVMs I use Debian 11.

One example

archlinux                debian-11     debian-11    debian 11
archlinux-surfing-dvm  → sys-fw-vpn  → sys-vpn    → sys-net
(sys-fw-vpn is used as sys-firewall)

In Whonix and Debian templates there are no networking issues.
I muddled up the qubes-network service with some other service. Of course, I don’t need qubes-network for usual networking.

@archlinux-surfing-dvm user]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
inet 10.137.0.90/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe5e:6c00/64 scope link
valid_lft forever preferred_lft forever

Looks like all IP settings are OK.

I will try to reinstall NetVMs later.

Check the next shown in my post, show your route and try to ping the gateway.

Do a test with a basic chain: archlinux-surfing → sys-firewall → sys-net.

Also read the firewall rules in your archlinux (sudo iptables -L), and compare with a working debian-11 AppVM.

Gateway ping doesn’t work.
But when the Arch AppVM is connected without sys-vpn, ping to some internet server works.
Iptables rules are identical.
Reinstalling the NetVMs didn’t help.
I see some issue with other freshly installed or recovered templates. And I have an old issue with dom0 updating.
So I think the reason for all the problems is some strange dom0 issue. I will try to discover what it is.
Probably I will reinstall Qubes OS on the weekend, to avoid breakage of everything.

Please don’t spend your time replying. I will write new info on the weekend. Thanks for the help.

Before you reinstall, you should consider whether your VPN or Tor
gateway supports ICMP at all.
Don’t tie yourself in knots about something that may be out of your
control.

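The two checks the replies above converge on, written out as an added example that is not part of any post or of the Qubes project's code: it reads the unit's ConditionPathExists flag, and it separates "the gateway does not answer ping" from "no connectivity" by also probing over HTTPS. The function names and verdict labels are made up for this example; the sample text is copied from the thread's `systemctl cat` and `ip route` output.

```shell
#!/bin/sh
# Added example: triage for "no network" inside a Qubes AppVM (not project code).

# Print each ConditionPathExists= path from unit-file text on stdin.
unit_conditions() {
    sed -n 's/^ConditionPathExists=//p'
}

# Print the default gateway from `ip route` output on stdin.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# classify ICMP_RC TCP_RC: exit codes of a gateway ping and an HTTPS probe.
classify() {
    case "$1:$2" in
        0:0) echo ok ;;
        0:*) echo gateway-only ;;     # gateway answers, nothing beyond it does
        *:0) echo icmp-filtered ;;    # traffic flows, ping just goes unanswered
        *)   echo no-connectivity ;;
    esac
}

# Sample text copied from the thread's output, so the parsers run offline.
sample_unit() { printf '%s\n' '[Unit]' \
    'Description=Qubes network forwarding setup' \
    'ConditionPathExists=/var/run/qubes-service/qubes-network' \
    'Before=network.target'; }
sample_route() { printf '%s\n' 'default via 10.138.3.247 dev eth0 onlink' \
    '10.138.3.247 dev eth0 scope host onlink'; }

# Live run inside the qube: sh triage.sh --live
live_triage() {
    for p in $(systemctl cat qubes-network 2>/dev/null | unit_conditions); do
        [ -e "$p" ] || echo "qubes-network not started: $p is absent"
    done
    gw=$(ip route | default_gateway)
    ping -c1 -W2 "$gw" >/dev/null 2>&1; icmp=$?
    curl -sI --max-time 10 https://archlinux.org/ >/dev/null 2>&1; tcp=$?
    echo "gateway=$gw verdict=$(classify "$icmp" "$tcp")"
}

if [ "${1:-}" = "--live" ]; then live_triage; else
    echo "condition: $(sample_unit | unit_conditions)"
    echo "gateway:   $(sample_route | default_gateway)"
fi
```

A verdict of `icmp-filtered` means the qube has working connectivity and only the ping to the gateway is unanswered, which is the case the last reply raises for VPN and Tor gateways.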