qubes-issues add IPv6 support to Qubes-Whonix

Qubes OS release

Qubes R4.1

Brief summary

A user using a mobile ISP that provides IPv6 addresses only, reported that Whonix is unable to connect. [1] [2]

[1] https://forums.whonix.org/t/4g-mobile-internet-only-gives-ipv6-address-so-no-internet-route-for-kvm-how-to-solve/19854 [2] While the report is about Non-Qubes-Whonix, the same would happen with Qubes-Whonix.

Steps to reproduce

Use a IPv6 only ISP.
Attempt to use Whonix.

Expected behavior

Functional connectivity.

Actual behavior

Broken connectivity.

Discussion.

I am working on adding IPv6 support to Whonix. Some Qubes specific questions...

      LOCAL_NET="\
            127.0.0.0/24 \
            10.137.0.0/16 \
            10.138.0.0/16 \
         "

      WORKSTATION_DEST_SOCKSIFIED="\
        10.137.0.0/16 \
        10.138.0.0/16 \
        10.152.152.10 \
      "

Any IPv6 versions?

    ## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
    #$iptables_cmd -A output -f -j REJECT --reject-with icmp-admin-prohibited
    $nftables_cmd add rule inet filter output ip frag-off "&" 0x1fff != 0 counter reject

Useful for IPv6? What would be the equivalent?

  if qubes_primary_dns="$(qubesdb-read /qubes-primary-dns 2> /dev/null)"; then
    #$iptables_cmd -A output -p udp --dport 53 --dst "$qubes_primary_dns" -j ACCEPT
    $nftables_cmd add rule inet filter output ip daddr "$qubes_primary_dns" udp dport 53 counter accept
    counter=$((counter + 1))
  fi

  if qubes_secondary_dns="$(qubesdb-read /qubes-secondary-dns 2> /dev/null)"; then
    #$iptables_cmd -A output -p udp --dport 53 --dst "$qubes_secondary_dns" -j ACCEPT
    $nftables_cmd add rule inet filter output ip daddr "$qubes_secondary_dns" udp dport 53 counter accept
    counter=$((counter + 1))
  fi

qubesdb-read /qubes-primary-dns will remain IPv4 only?

  $nftables_cmd add rule inet filter output skuid "$UPDATESPROXYCHECK_USER" ip daddr 10.137.255.254-10.137.255.254 tcp dport "$qubes_updates_proxy_port" counter accept

What range would that be for IPv6?

May 28 '24 18:05 adrelanos

Please note that this issue tracker (qubes-issues) is not intended to be a place for fielding questions. Instead, we have other venues meant for asking questions, asking for help, and having discussions. In this case, it sounds like qubes-devel would be most appropriate. (By contrast, the issue tracker is more of a technical tool intended to support our developers in their work.) Thank you for your understanding.

May 29 '24 02:05 andrewdavidwong

This issue has been closed as "not applicable." Here are some common examples of cases in which issues are closed as not applicable:

Help and support requests (please see Help, support, mailing lists, and forum)
Questions (please see Help, support, mailing lists, and forum)
Discussion issues (please see Help, support, mailing lists, and forum)
Bug reports for behavior that is already working as intended
Enhancement requests to improve things that are already working as intended
Issues that rest on mistaken assumptions or misunderstandings
Issues that do not provide enough information
Issues that are not actionable

We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.

Regarding help and support requests, please note that this issue tracker (qubes-issues) is not intended to serve as a help desk or tech support center. Instead, we've set up other venues where you can ask for help and support, ask questions, and have discussions. By contrast, the issue tracker is more of a technical tool intended to support our developers in their work. We thank you for your understanding.

If anyone reading this believes that this issue was closed in error or that the resolution of "not applicable" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed.

May 29 '24 02:05 github-actions[bot]

That seems a bit overly bureaucratic to me. Not sure you seen my user name? As you know, I am a developer.

The non-support of IPv6 by Qubes-Whonix at time of writing is a, depending on your look at it, a missing feature and due to some users now claiming to only have IPv6 addresses assigned and no IPv4 even a bug that should be fixed and is now realistic to fix.

Also I am the one to work on it.

I am using the C: Whonix tag to see tickets related to Qubes-Whonix to see where there are bugs that I can fix, features to implement.

I could have phrased this as a bug report or feature request and then ask these questions later (because that's what happens during work of developers on tickets, comments, questions, answers, coordination) but that seems overly bureaucratic.

Please re-open.

May 30 '24 13:05 adrelanos

On Thu, May 30, 2024 at 06:23:54AM -0700, Patrick Schleizer wrote:

That seems a bit overly bureaucratic to me. Not sure you seen my user name? As you know, I am a developer.

The non-support of IPv6 by Qubes-Whonix at time of writing is a, depending on your look at it, a missing feature and due to some users now claiming to only have IPv6 addresses assigned and no IPv4 even a bug that should be fixed and is now realistic to fix.

Also I am the one to work on it.

I am using the C: Whonix tag to see tickets related to Qubes-Whonix to see where there are bugs that I can fix, features to implement.

I could have phrased this as a bug report or feature request and then ask these questions later (because that's what happens during work of developers on tickets, comments, questions, answers, coordination) but that seems overly bureaucratic.

Please re-open.

It seems a Whonix bug (or feature) - usually requests for information and discussion are sent to the qubes-devel list. This is what you have done in the past.

May 30 '24 13:05 unman

@adrelanos: I've reopened this issue at your request, but it would be very helpful for everyone if you could use one of the issue templates (whichever one you see fit) so that others can understand it. When opening a new issue, a good heuristic is to imagine that it could eventually be (re)assigned to someone new who joins the project in the future. Issues should be comprehensible to others (at the very least, other team members, but ideally also to community developers and contributors).

May 31 '24 21:05 andrewdavidwong

Thank you, much appreciated! I updated the text above and made it a proper bug report. (Not sure about bug report versus enhancement.)

Jun 01 '24 17:06 adrelanos

I updated the text above and made it a proper bug report.

Thank you!

(Not sure about bug report versus enhancement.)

This one could go either way, but to me it seems more like an enhancement request, because IPv6 support does not exist in Qubes-Whonix yet, so there is no expectation that it should work. It's a feature that needs to be added first. If IPv6 were already supported but were malfunctioning in some way, that would be a bug.

Jun 02 '24 01:06 andrewdavidwong

@adrelanos

      LOCAL_NET="\
            127.0.0.0/24 \
            10.137.0.0/16 \
            10.138.0.0/16 \
         "

      WORKSTATION_DEST_SOCKSIFIED="\
        10.137.0.0/16 \
        10.138.0.0/16 \
        10.152.152.10 \
      "

Any IPv6 versions?

For dispvms: ${qubes_ipv6_prefix}::a8a:${vm.dispid}/128
For others: ${qubes_ipv6_prefix}::a89:${vm.qid}/128

https://github.com/QubesOS/qubes-core-admin/blob/be94b3987dcc8f95cdec8456724bf69bfed77d70/qubes/vm/mix/net.py#L234

As these are /128 addresses, there is no routing inside the subnet. Instead there are individual route to peers added.

the qubes_ipv6_prefix defaults to fd09:24ef:4179:0000 and looks configurable (which I guess implies that relevant config needs to be read dynamically instead of hardcoded in qubes-whonix?).

You can also see some more user-facing functions in qubes-core-admin net.py.

  if qubes_primary_dns="$(qubesdb-read /qubes-primary-dns 2> /dev/null)"; then
    #$iptables_cmd -A output -p udp --dport 53 --dst "$qubes_primary_dns" -j ACCEPT
    $nftables_cmd add rule inet filter output ip daddr "$qubes_primary_dns" udp dport 53 counter accept
    counter=$((counter + 1))
  fi

  if qubes_secondary_dns="$(qubesdb-read /qubes-secondary-dns 2> /dev/null)"; then
    #$iptables_cmd -A output -p udp --dport 53 --dst "$qubes_secondary_dns" -j ACCEPT
    $nftables_cmd add rule inet filter output ip daddr "$qubes_secondary_dns" udp dport 53 counter accept
    counter=$((counter + 1))
  fi

qubesdb-read /qubes-primary-dns will remain IPv4 only?

This looks relevant: https://github.com/QubesOS/qubes-core-admin/pull/558

I also see there is an open PR for IPv6 support in Whonix Firewall:

https://github.com/Whonix/whonix-firewall/pull/10

Jun 23 '25 00:06 3nprob

the qubes_ipv6_prefix defaults to fd09:24ef:4179:0000 and looks configurable (which I guess implies that relevant config needs to be read dynamically instead of hardcoded in qubes-whonix?).

This is just bringing data from https://github.com/Whonix/whonix-firewall/pull/10#discussion_r2176145940 to here for avoidance of confusion, but I don't think that qubes_ipv6_prefix is configurable.

I'm not really enough of a network person to understand what's going on in the virtual DNS PR, but it looks related and possibly useful.

Jul 02 '25 21:07 ArrayBolt3

This looks relevant: https://github.com/QubesOS/qubes-core-admin/pull/558

Yes, and also needs resolving conflicts...

Jul 06 '25 20:07 marmarek