Wireguard VPN setup

Is your qube a service qube with “Provides network” option enabled?
The qubes-firewall-user-script script is only executed for the qubes with qubes-firewall service enabled (it’s enabled by default for qubes with “Provides network” option enabled).

I guess you need to configure the TCP MSS Clamping in your router as well.

  1. I was not aware that I needed to enable the qubes-firewall service. Thanks for the info! I can confirm that after adding the service, the firewall command is now listed via nft list table ip qubes. This might be an interesting detail for @solene to add. The problem here might be that this is enabled by default, but not for VMs based on minimal templates. Not sure about that.

  2. I thought that the firewall command had to be in every VM that I wanted to use my sys-vpn service VM with. So I set the firewall script in the VM where I launch my browser, NOT in the VM that has the Wireguard connection (sys-vpn). Is this wrong? I don’t understand why I should set my browser VM to provide the network.

My connection looks like this: browserVM ↔ sys-vpn ↔ sys-firewall ↔ sys-net. I have the firewall service/nft rule set in the browserVM. Does it belong in sys-vpn itself instead? Confused about this.

I set my own MTU fix for each VM I use to connect to a sys-vpn VM, such as my browserVM.

  1. The router has the MTU set accordingly. My assumption here is that my QubesOS VM clamps to an optimal value like 1500 - WireGuard overhead. It does not know that there is a second overhead due to the router. I am just speculating, I am not an expert on this. The interesting part that I can confirm is that my suggested MTU fix works fine.

Thanks for your time and help!

You need to add this firewall rule just in the sys-vpn, not in every qube connected to sys-vpn.

If Path MTU Discovery is not working correctly between your router and sys-vpn then you need to clamp the MSS in your router as well.

1 Like

Thanks again for your time. Two new discoveries:

  1. I set the firewall rule in sys-vpn, but the service was still not enabled by default (maybe because it is based on fedora 40 minimal). qvm-service sys-vpn qubes-firewall on solved the problem.

  2. Even with the firewall rule enabled (and confirmed with nft list table ip qubes it shows up in the custom-forward chain) my browserVM1 does not work. My second browserVM2 with my fix and based on the same sys-vpn VM works fine. browserVM1 also shows MTU 1500 with ip link show eth0. What am I doing wrong?

Solene’s setup is strictly superior to mine if it works, because I would not need to set the MTU fix in each browserVM (sys-vpn connected VM).

How can I continue troubleshooting? Have you tried Fedora Minimal or are you running the bloated Fedora-40-XFCE VM? Maybe I am missing a package?

It should be enabled by default if “Provides network” option is set:

qubes-firewall

Default: enabled only in ProxyVM

qvm-service – Manage (Qubes-specific) services started in VM — Qubes Admin client v4.3.5-0-g30d7547-dirty documentation

Even if it’s not listed in the Settings → Services tab it still should be enabled in the qube.

Maybe this:

You can use tcpdump in the qube connected to sys-vpn to see which MSS is used:
Run tcpdump:

sudo tcpdump

Run curl to get some website:

curl https://debian.org

Check the output of tcpdump:

IP X.X.X.X.X > 151.101.194.132.https: Flags [S], seq X, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
IP 151.101.194.132.https > X.X.X.X.X: Flags [S.], seq X, ack X, win 65535, options [mss 1412,nop,nop,sackOK,nop,wscale 9], length 0
1 Like
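As an added example (not code from the thread or from the guide it refers to), the following script parses tcpdump SYN/SYN-ACK lines like the ones above and compares each advertised MSS against the largest MSS that fits through a tunnel of a given MTU, i.e. MTU minus 40 bytes of IPv4 and TCP headers, which is why a 1420 MTU corresponds to MSS 1380 and a 1280 MTU to MSS 1240. The sample capture lines and the tunnel MTU of 1420 are constructed assumptions.

```python
import re

# Constructed sample lines, modelled on the tcpdump output quoted in the thread
# (addresses and sequence numbers are made up).
SAMPLE_CAPTURE = """\
IP 10.137.0.5.59712 > 151.101.194.132.https: Flags [S], seq 1, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
IP 151.101.194.132.https > 10.137.0.5.59712: Flags [S.], seq 2, ack 2, win 65535, options [mss 1380,nop,nop,sackOK,nop,wscale 9], length 0
"""

# Matches SYN ("[S]") and SYN-ACK ("[S.]") lines and captures the TCP options,
# with or without a leading timestamp.
SYN_RE = re.compile(r"IP (\S+) > (\S+): Flags \[(S\.?)\].*?options \[([^\]]*)\]")
MSS_RE = re.compile(r"\bmss (\d+)")


def parse_syn_mss(capture):
    """Return a list of (direction, mss) tuples for every SYN / SYN-ACK line.

    direction is "syn" for the outbound handshake (what this qube advertises)
    and "syn-ack" for the reply (what the remote side, or a clamp on the
    return path, advertises).
    """
    results = []
    for line in capture.splitlines():
        match = SYN_RE.search(line)
        if not match:
            continue
        _src, _dst, flags, options = match.groups()
        mss_match = MSS_RE.search(options)
        if not mss_match:
            continue  # SYN without an MSS option: default 536 applies, skip it
        direction = "syn" if flags == "S" else "syn-ack"
        results.append((direction, int(mss_match.group(1))))
    return results


def max_mss_for_mtu(mtu, ip_header=20, tcp_header=20):
    """Largest TCP payload per segment that fits in one IPv4 packet of size mtu."""
    return mtu - ip_header - tcp_header


def check_clamp(capture, tunnel_mtu=1420):
    """For each SYN/SYN-ACK report (direction, mss, fits_in_tunnel).

    A False entry means that segment's MSS exceeds what the tunnel MTU can
    carry, so full-size segments would need fragmentation or PMTU discovery.
    """
    limit = max_mss_for_mtu(tunnel_mtu)
    return [(direction, mss, mss <= limit) for direction, mss in parse_syn_mss(capture)]
```

Run it on a real capture by passing the saved tcpdump text to check_clamp with the MTU of your WireGuard interface; any entry flagged False is a handshake that was not clamped on that path.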

Thanks again for your help! So I did what you said with a VM set up according to this guide and then once with my 1280 MTU fix. The results are as follows:

  • Solene guide: 1460 MSS (first line), 1380 MSS (second line)
  • My 1280 MTU fix: 1240 MSS (first line), 1380 MSS (second line)

What is the difference between the first row and the second row?

What is the interpretation of the result?

Did you check it in the qube connected to sys-vpn?
Check it in the qube connected to the net qube of sys-vpn (e.g. sys-firewall) to see what MSS will be reported there.
What website is broken for you when you don’t use your ip link set dev eth0 mtu 1280 MTU fix?
Try to curl this website instead of debian.org.

1 Like

I tested in my browserVM which is connected to sys-vpn. Is this correct?

Basically every page is broken. Google works for some reason. DuckDuckGo.com, Speedtest.net and many others (all I tested) don’t work. Well, they partially load and break. So they work half.

Yes.
Check the same with browserVM connected to the net qube of sys-vpn (e.g. sys-firewall) and see what MSS will be there.

1 Like
02:47:29.441574 IP TEMPNET.59712 > 151.101.130.132.http: Flags [S], seq 552503776, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
02:47:29.624672 IP 151.101.130.132.http > TEMPNET.59712: Flags [S.], seq 3150086529, ack 552503777, win 65535, options [mss 1240,nop,nop,sackOK,nop,wscale 9], length 0

This is my browserVM (TMPNET) connecting directly to sys-firewall (hence skipping sys-vpn)

What is the interpretation of the result?

Did you remove your MTU fix ip link set dev eth0 mtu 1280 from browserVM?

1 Like

Yes!

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group 1 qlen 1000

Do you want the same result with the MTU 1280 fix?

No.

Do you have this MTU fix in your sys-firewall/sys-net or in router?
For some reason your working MSS is reported to be 1240.

1 Like

Yes, I am very confused about this.

I am using pfSense and my VPN interface settings are: MTU 1420, MSS 1280.

When I set my MTU 1280 fix in my browserVM everything works fine.

With Solene’s MSS clamp in sys-vpn nothing really works. The pages load and then break.

I don’t know why your MSS is set to 1280 in the router. Did you set it manually or is it set in the VPN config in the router?
In any case, the proper way would be to add the TCP MSS clamp in your router config as well.

1 Like

I am new to this and followed my VPN provider’s recommendation for pfSense. What is your suggestion?

This:

1 Like

So what does that mean? What settings?

I don’t have pfSense so no idea. If it has nftables then add the same nftables rule as in the guide.

1 Like

If I can’t adjust the settings, what are the recommended values?