Hello, it has come to my attention that many users moving towards 4.2 had issues with their upgraded 4.1 VPN qube or newly created qube(s). After some troubleshooting I thought I'd share what worked and what didn't.
I followed @Pawelek85's guide and the one created by @solene here. Having prior knowledge on the topic, as I created all of my sys-* qubes on 4.2 based on minimals, I installed the required packages (will come to that later).
After some troubleshooting I had 3 vpn templates, one based on debian-12-xfce working great and two cloned from debian-12-minimal with different packages. One of the minimal vpn templates had a lot of remaining junk after I tried multiple packages, but that didn't affect it since I had the vpn qube working; however, no connection was made from the AppVM connected to it.
My setup usually includes a vpn firewall (AppVM → VPN qube → vpn qube firewall → sys-firewall) to manage the authorized IPs the VPN can reach, to make sure that if the VPN gets compromised somehow, it still cannot reach anything besides what the firewall allows it to access (thanks to qvm-firewall configurations made from dom0).
From what I could observe, nftables may or may not be the culprit. What I know for sure is that the qubes-firewall-user-script (located at /rw/config/) from Solene's guide, translating the previously made iptables killswitch, made the VPN inaccessible somehow. I tried with iptables afterwards with the same poor results.
Now, for those who are looking for the required packages for their wireguard VPNs on minimal templates:
- debian-12-minimal requires
`qubes-core-agent-networking qubes-core-agent-network-manager wireguard resolvconf iptables`
Notes:
Do not add the `--no-install-suggests` or `--no-install-recommends` options as this will break things. Optionally you can install `xfce4-notifyd` for VPN notifications.
The networking packages install `openresolv` which conflicts with `resolvconf` so it uninstalls it.
- fedora-38-minimal requires
`qubes-core-agent-networking qubes-core-agent-network-manager wireguard-tools xfce4-notifyd`
Notes: I didn't test the dependencies thoroughly but it should work better out of the box than debian-12-minimal.
If somebody wants to troubleshoot even further I made sure to list all installed packages (`apt list | grep installed`) from the minimal debian templates that you can find in the two attached documents (provided in .gz archive since the forums don't seem to allow txt files, use `gzip -d filename`).
failing-vpn-template-02.txt.gz (10.4 KB)
working-vpn-template-01.txt.gz (6.0 KB)
Do note that I am using `kitty` as a terminal.
`kitty`'s dependencies are as follows:
kitty-shell-integration kitty-terminfo libc6 (>= 2.34) libdbus-1-3 (>= 1.9.14) libharfbuzz0b (>= 1.6.0) liblcms2-2 (>= 2.2+git20110628) libpng16-16 (>= 1.6.2-1) libpython3.11 (>= 3.11.0) librsync2 (>= 2.3.1) libssl3 (>= 3.0.0) libwayland-client0 (>= 1.20.0) libx11-6 (>= 2:1.2.99.901) libx11-xcb1 (>= 2:1.8.4) libxkbcommon-x11-0 (>= 0.5.0) libxkbcommon0 (>= 1.0.0) python3 (<< 3.12) python3.11 zlib1g (>= 1:1.1.4)
Having the recommended packages I also have `kitty-doc libcanberra0` with the respective dependencies:
libjs-sphinxdoc (>= 5.2)
libasound2 (>= 1.0.16) libc6 (>= 2.33) libltdl7 (>= 2.4.7) libtdb1 (>= 1.2.7+git20101214) libvorbisfile3 (>= 1.1.2) sound-theme-freedesktop
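One way to compare two package dumps made with `apt list | grep installed`, such as the attachments above once decompressed, shown here as an added example that is not part of the original post. The file names `working.txt` and `failing.txt`, the function names, and the sample lines (including versions) are constructed for illustration and are not the contents of the attachments.

```shell
#!/bin/sh
# Added example: show which packages appear in only one of two dumps
# produced with `apt list | grep installed`.

# Read `apt list` output on stdin, print sorted unique package names.
# Line format: name/suite,now version arch [installed,...]
pkg_names() {
    grep -F '[installed' | cut -d/ -f1 | LC_ALL=C sort -u
}

# pkg_diff WORKING FAILING: print packages found in only one dump.
pkg_diff() {
    _w=$(mktemp) && _f=$(mktemp) || return 1
    pkg_names < "$1" > "$_w"
    pkg_names < "$2" > "$_f"
    # comm needs both inputs sorted in the same locale as sort used.
    LC_ALL=C comm -23 "$_w" "$_f" | sed 's/^/working-only: /'
    LC_ALL=C comm -13 "$_w" "$_f" | sed 's/^/failing-only: /'
    rm -f "$_w" "$_f"
}

# Constructed sample dumps (NOT the real attachment contents).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/working.txt" <<'EOF'
iptables/stable,now 1.8.9-2 amd64 [installed]
openresolv/stable,now 3.12.0-3 all [installed,automatic]
qubes-core-agent-networking/unknown,now 4.2.0-1 amd64 [installed]
wireguard-tools/stable,now 1.0.20210914-1 amd64 [installed,automatic]
EOF
cat > "$SAMPLE_DIR/failing.txt" <<'EOF'
iptables/stable,now 1.8.9-2 amd64 [installed]
nftables/stable,now 1.0.6-2 amd64 [installed]
qubes-core-agent-networking/unknown,now 4.2.0-1 amd64 [installed]
resolvconf/stable,now 1.91 all [installed]
wireguard-tools/stable,now 1.0.20210914-1 amd64 [installed,automatic]
EOF

pkg_diff "$SAMPLE_DIR/working.txt" "$SAMPLE_DIR/failing.txt"
```

For the real files, run `gzip -d` on each attachment first and pass the two resulting text files to `pkg_diff`.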