KVM Kicksecure VM default installation no networking

I have configured Kicksecure & Whonix VMs in KVM, Whonix networking worked fine, but Kicksecure does not seem to have working network access, using the default network. sdwdate and apt-get or anything internet related do not work.

I followed installation documentation exactly as described and utilizing the KVM-Whonix documentation for the steps that were lacking on kicksecure docs.

I think I read in the development forum that networking is not complete in kicksecure for kvm so if it is not supposed to be working you are free to delete this thread I was just under the impression that networking would be working already.

Update: As of Kicksecure KVM 15.0.1.3.4 Release networking is working with no problems.

Update: That was working on Manjaro, however using a minimal debian install (no desktop environment or default system tools from netinst) and then installing kicksecure-cli I get no networking in kvm kicksecure or whonix.

What I've tried so far:
Installing and enabling the default ufw
Installing proprietary network card driver
sudo apt-get install ebtables iptables dnsmasq
Installing the latest versions of kvm kicksecure & whonix

Is the 'default' network running? Check that it is.

Also if that fails, make sure you install all the needed packages listed on the wiki even though they depend on a GUI. I haven't tested Kicksecure on a headless system. There is only one kicksecure version for KVM that can be used headlessly like Whonix.

virsh -c qemu:///system net-start default

Returns: network is already active

There are no needed packages listed on the wiki for kicksecure.

Unless you're talking about KVM

sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients virt-manager gir1.2-spiceclientgtk-3.0

I installed all of these.

To clarify, my host operating system is debian/kicksecure distro morphed together, during the debian installation I used the netinst and installed with no extras (no desktop environment or default system tools) however I installed the dependencies for everything I needed after, including a window manager and xorg.

When I installed kicksecure I used this command as per the wiki page:

sudo apt-get install --no-install-recommends kicksecure-cli

However, again to clarify in KVM I am running the regular GUI version of whonix & kicksecure vms. Neither of them are making a network connection in the vm, upon booting the kicksecure vm for example I get the "network disconnected" error msg popping up and on whonix I get an endless 2% whonixcheck status.

Yes

I see. I'm guessing it has to do with the virtual bridge being down.
Can you install the packages listed on the Debian page and see if it works?

https://wiki.debian.org/KVM#Libvirt_default_network

In order for things to work this way you need to have the recommended packages dnsmasq-base, bridge-utils and iptables installed.

bridge-utils was not installed so I installed it, rebooted and tried again.

I notice now that on the bottom right of the kicksecure-VM where it shows the network status, I could click it and it offers the option "wired connection 1"

I selected it and it just showed loading and didn't successfully connect, I tried running apt-get update while it was doing that and I received the error

Something wicked happened resolving '127.0.0.1:9050' (-9 - Address family for hostname not supported)

One thing at a time. Does Whonix connect now? Kicksecure network config is different and could have problems on its own.

Tested Whonix VM

Anon connection wizard:
Bootstrapping Tor…
Bootstrap phase: Unknown Bootstrap TAG. This is harmless.
Please report this.
2%

Stuck here on 2% again.

What is the output of sudo ifconfig?

Is the host connecting to the network normally?

I think distro morphing broke something in your host networking along the way. Since I am not able to test it, it might be difficult to know what is happening.

ifconfig output(inside whonix-gateway):

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        ether 52:54:00:39:f7:39  txqueuelen 1000  (Ethernet)
        RX packets 95  bytes 5668 (5.5 KiB)
        RX errors 0  dropped 9  overruns 0  frame 0
        TX packets 117  bytes 78885 (77.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.152.152.10  netmask 255.255.192.0  broadcast 10.152.191.255
        ether 52:54:00:20:2e:62  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 300  bytes 15258 (14.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 300  bytes 15258 (14.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I find that it takes a few minutes after booting for the host to connect to the internet, which is not normal on other distros, however after a few minutes I can connect and I only tested these VMs once it was working.

If there are any tests you'd like me to run or logs to show I'll do it but I'd appreciate warning if any of the logs will have sensitive contents.

On the host please. That's where everything is broken.

Also run on the host:

ls /etc/network/interfaces.d/

Sure. Make sure you strip out any mac addresses for your baremetal network interfaces before pasting ifconfig output here.

Sounds like DHCP leases are fudged on the host for some reason.

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet xxx.xxx.x.xx netmask xxx.xxx.xxx.x broadcast xxx.xxx.x.xxx
inet6 xxxx::xxxx:xxxx:xxxx:xxxx prefixlen 64 scopeid 0x20
ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 1293 bytes 1097010 (1.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1050 bytes 337403 (329.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 24 base 0x5000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 401 bytes 289146 (282.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 401 bytes 289146 (282.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

xxx0(vpn): flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet xx.xx.x.x netmask xxx.xxx.x.x destination xx.xx.x.x
inet6 xxxx::xxxx:xxx:xxx:xxxx prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 514 bytes 408961 (399.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 462 bytes 114271 (111.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet xxx.xxx.xxx.x netmask xxx.xxx.xxx.x broadcast xxx.xxx.xxx.xxx
ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.0.2.2 netmask xxx.xxx.xxx.x broadcast 10.0.2.255
ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 243 bytes 12564 (12.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 126 (126.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

This directory was empty

This issue where the network takes a few minutes to function on the host was also present the last time I distromorph installed kicksecure, and if I recall correctly I've never gotten the vms networking to work on a kicksecure host like this, but last install I couldn't even boot the vms for reasons that I've since fixed.

I'm not sure if this is a problem with the kicksecure installation method or if it's related to my hardware, vms worked fine on other distros on this hardware though.

OK all the interfaces exist and are up so that's not the problem.

Try purging the kicksecure-network-conf package because it can conflict with normal operation of Network manager. Make sure it doesn't rip out other important packages so networking doesn't break.

Install wpasupplicant and network manager if you don't have them.

When I tried to remove kicksecure-network-conf I noticed it was not even installed, so I installed it.

The following additional packages will be installed:
crda dnscrypt-proxy iw libjansson4 libjim0.77 libmbim-glib4 libmbim-proxy
libmm-glib0 libndp0 libnl-genl-3-200 libnm0 libqmi-glib5 libqmi-proxy
libteamdctl0 modemmanager network-manager ppp usb-modeswitch
usb-modeswitch-data wireless-regdb wpasupplicant
Suggested packages:
resolvconf libteam-utils comgt wvdial wpagui libengine-pkcs11-openssl
The following NEW packages will be installed:
crda dnscrypt-proxy iw kicksecure-network-conf libjansson4 libjim0.77
libmbim-glib4 libmbim-proxy libmm-glib0 libndp0 libnl-genl-3-200 libnm0
libqmi-glib5 libqmi-proxy libteamdctl0 modemmanager network-manager ppp
usb-modeswitch usb-modeswitch-data wireless-regdb wpasupplicant
0 upgraded, 22 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,365 kB/10.6 MB of archives.
After this operation, 37.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] Abort.

Rebooted, tested, still didn't work.

Purged kicksecure-network-conf and rebooted to try again.

Still didn't work.

On bootup I noticed an error:

Failed to start dchp mask

Another user is troubleshooting connectivity problems too.
Apparently Debian distinguishes between dnsmasq and dnsmasq-base. Can you make sure both are installed and report back?

So for Kicksecure and Whonix we mask systemd daemons including DHCP to reduce chance of leaks and attack surface. Maybe libvirt depends on it somehow.

I don't know which of the half dozen systemd network daemons is broken here. There's systemd-resolve, systemd-networkd @Patrick what services do we mask?

Try installing isc-dhcp-server and see if that solves it.

Both are installed

Did not solve it, several programs are failing to even start, I noticed these ones.

dnsmasq failed to start "port 53 already in use"

isc-dhcp-server failed to start

sudo systemctl list-unit-files --state=masked --no-pager

https://gitlab.com/whonix/kicksecure-network-conf

Disables systemd Predictable Network Interface Names.

Configures DNS by shipping a configuration file /etc/resolv.conf for Kicksecure.

Disables systemd-resolved during boot unless file /etc/dns-enable exists.

Disables systemd-resolved fallback DNS (which by default is set to Google).

Enables DNSCrypt.

sudo netstat -tulpen

…that would be DNSCrypt.

Try non-DNS based networking. (connects to check.torproject.org over clearnet)

scurl -H 'Host: check.torproject.org' -k https://116.202.120.181/api/ip
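
Added example (not part of any post in this thread): the netstat check suggested above, narrowed to the question the thread ends on, namely which program already holds port 53. The sample output is constructed; the PIDs, inode numbers and the dnsmasq listener on 10.0.2.2 are assumptions, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: find out which program holds port 53, from `netstat -tulpen` output.
# Function names are hypothetical; the sample below is constructed, not from the thread.

# Constructed sample. On a real host, pipe in: sudo netstat -tulpen
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      0          18211      612/dnscrypt-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          17002      580/sshd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           0          18210      612/dnscrypt-proxy
udp        0      0 10.0.2.2:53             0.0.0.0:*                           0          23110      1033/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           0          23107      1033/dnsmasq
udp6       0      0 :::5353                 :::*                                0          16544      -'

# Print "proto address program" for every socket bound to port 53 exactly.
# The port is whatever follows the last colon, so IPv6 forms such as :::53 work
# and 5353 is not mistaken for 53. UDP rows have no State column, so the
# program is taken from the last field rather than a fixed column number.
port53_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      n = split($4, part, ":")
      if (part[n] != "53") next
      addr = substr($4, 1, length($4) - 3)   # drop the trailing ":53"
      prog = $NF
      sub(/^[0-9]+\//, "", prog)             # "612/dnscrypt-proxy" -> "dnscrypt-proxy"
      print $1, addr, prog
    }'
}

# Unique program names listening on port 53 at the given local address.
port53_owner_at() {
  port53_listeners | awk -v want="$1" '$2 == want { print $3 }' | sort -u
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | port53_listeners
```

A loopback entry owned by dnscrypt-proxy matches the diagnosis given in the thread; dnsmasq entries on a bridge address are the instances libvirt starts for its virtual networks.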