This is a known issue. Fixed in 4.0. Remove separate service for starting default NetVM · Issue #2533 · QubesOS/qubes-issues · GitHub. Probably wontfix for 3.2.
If sys-whonix is set as default_netVM and it has an upstream firewall / proxyVM, then both VMs will automatically start concurrently when Qubes boots. This doesn’t allow time for qubes-firewall-user-script to detect network change and allow forwarding rules for sys-whonix. sys-whonix will have no connectivity unless another VM connects or disconnects to proxyVM.
Workaround:
- (not recommended) set default_netVM to another netVM. May result in clearnet leaks due to user error.
- induce change in proxyVM network by setting sys-whonix netVM to something else and back or by connecting / disconnecting other VMs to proxyVM
- manually execute
qubes-firewall-user-scriptin proxyVM - reboot sys-whonix