[Q3.2] Concurrent VM Startup can leave Whonix-Gateway with No Connectivity


This is a known issue. Fixed in 4.0. https://github.com/QubesOS/qubes-issues/issues/2533. Probably wontfix for 3.2.

If sys-whonix is set as default_netVM and it has an upstream firewall / proxyVM, then both VMs will automatically start concurrently when Qubes boots. This doesn’t allow time for qubes-firewall-user-script to detect the network change and allow forwarding rules for sys-whonix. sys-whonix will have no connectivity unless another VM connects to or disconnects from proxyVM.


  1. (Not recommended) Set default_netVM to another netVM. May result in clearnet leaks due to user error.
  2. Induce a change in the proxyVM network by setting the sys-whonix netVM to something else and back, or by connecting / disconnecting other VMs to proxyVM.
  3. Manually execute qubes-firewall-user-script in proxyVM.
  4. Reboot sys-whonix.