
After recent update, Windows HVM can no longer network through Whonix gateway

Open unman opened this issue 6 months ago • 3 comments


Qubes OS release

4.2.4

Brief summary

A number of users on the Forum report that Windows HVM can no longer network through Whonix. HVMs that worked previously have stopped working.

Steps to reproduce

Use Windows HVM with sys-whonix as netvm, networking enabled. Update Whonix

Expected behavior

Networking in the Windows qube will continue to work.

Actual behavior

Forum user jxadceno reports: however suddenly after updating whonix-gateway all networking to the HVM is broken, showing "Unidentified network".

User dexter05 reports: sys-whonix -> windows HVM (not working after last update, worked fine for years) sys-whonix -> sys-vpn -> windows HVM (works fine, go figure) The Windows error code is 10060. Winsock timeout error.

Additional information

Forum thread is in User Support - "Windows HVM + sys-whonix networking suddenly broken"

unman avatar Jun 05 '25 13:06 unman

This looks to be related to the arp_ignore=2 setting (/proc/sys/net/ipv4/all/arp_ignore and similar in the per-interface directory). Setting it to 0 in both places fixes the issue.

marmarek avatar Jun 10 '25 00:06 marmarek

arp_ignore=2 has been set since https://github.com/Kicksecure/security-misc/commit/c37f4efadf8f046168732871172cb66f58eb7c78, but that's a 6-month-old change, not exactly a recent update. Maybe there is some other part of the puzzle.

marmarek avatar Jun 10 '25 01:06 marmarek

It still works with arp_ignore=1, it's 2 that is problematic:

     - 2 - reply only if the target IP address is local address
      configured on the incoming interface and both with the
      sender's IP address are part from same subnet on this interface

Since the network is set to /32, the last condition isn't met.

marmarek avatar Jun 10 '25 01:06 marmarek
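A simplified model of the arp_ignore modes 0, 1 and 2 discussed in the comments above, showing why a /32 address fails the same-subnet condition of mode 2. This is an added example, not code from the thread or from the kernel, Qubes or Whonix; the interface names and IP addresses are constructed, and address scope handling is left out.

```python
import ipaddress

def effective_arp_ignore(conf_all, conf_iface):
    """The kernel uses max(conf/all, conf/<iface>) on the receiving interface."""
    return max(conf_all, conf_iface)

def would_reply(mode, target_ip, sender_ip, incoming, ifaces):
    """Decide whether an ARP request for target_ip is answered.

    ifaces maps interface name -> list of 'address/prefix' strings.
    Only modes 0, 1 and 2 are modelled.
    """
    target = ipaddress.ip_address(target_ip)
    sender = ipaddress.ip_address(sender_ip)
    on_incoming = [ipaddress.ip_interface(a) for a in ifaces[incoming]]
    everywhere = [ipaddress.ip_interface(a)
                  for addrs in ifaces.values() for a in addrs]
    if mode == 0:  # any local address, configured on any interface
        return any(i.ip == target for i in everywhere)
    if mode == 1:  # target must be configured on the incoming interface
        return any(i.ip == target for i in on_incoming)
    if mode == 2:  # ...and the sender must sit in that address's subnet
        return any(i.ip == target and sender in i.network
                   for i in on_incoming)
    raise ValueError(f"arp_ignore mode {mode} is not modelled here")

# Constructed sample data: a gateway whose downstream interface carries a
# /32 address (point-to-point style), and the same gateway with a /24.
GATEWAY_P2P = {"vif-hvm": ["10.137.0.50/32"], "eth0": ["10.138.0.9/32"]}
GATEWAY_LAN = {"vif-hvm": ["10.137.0.50/24"], "eth0": ["10.138.0.9/32"]}
HVM_IP = "10.137.0.77"  # constructed address of the emulated NIC in the HVM

def survey(ifaces):
    """Reply decision per mode for the HVM asking for the gateway address."""
    return {m: would_reply(m, "10.137.0.50", HVM_IP, "vif-hvm", ifaces)
            for m in (0, 1, 2)}

if __name__ == "__main__":
    print("/32 on vif-hvm:", survey(GATEWAY_P2P))
    print("/24 on vif-hvm:", survey(GATEWAY_LAN))
    print("all=0, iface=2 ->", effective_arp_ignore(0, 2))
```

Because the effective value is the maximum of the two settings, lowering only one of them leaves mode 2 in force.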

Changing arp_ignore=2 to arp_ignore=1 has now been documented: https://www.whonix.org/wiki/Other_Operating_Systems#Gateway_configuration

@marmarek I assume since you were able to establish that this worked, that you have a Windows qube already? If so, could you test these instructions and make sure they work? I can install Windows in a qube for testing if that's preferable, but would prefer to avoid that since it'll take a lot of time.

ArrayBolt3 avatar Jul 01 '25 01:07 ArrayBolt3

Actually no, I used Linux HVM to reproduce the issue, just used QEMU-emulated network (as non-QWT Windows does) by adding xen_emul_unplug=unnecessary option on Linux cmdline. You'll end up with two network interfaces then and the QEMU-emulated one should normally work (but due to arp_ignore doesn't).

marmarek avatar Jul 01 '25 15:07 marmarek

Ah, ok. I'll give it a shot then.

ArrayBolt3 avatar Jul 01 '25 15:07 ArrayBolt3

could you test these instructions

  1. Run: sudo /etc/sysctl.d/99_user.conf

Missing editor command, or was it supposed to be sudoedit?

marmarek avatar Jul 01 '25 15:07 marmarek

mmm, missing editor command, good catch.

ArrayBolt3 avatar Jul 01 '25 16:07 ArrayBolt3

https://forum.qubes-os.org/t/windows-hvm-sys-whonix-networking-suddenly-broken/34017/26

Closable?

adrelanos avatar Jul 21 '25 10:07 adrelanos