Tor Before VPN Broken

I’m having issues with Tor before VPN using the separate VPN gateway configuration.

I’ve configured a VPN using TCP and have verified that it works using sys-firewall as the net VM. I then switch the net VM to sys-whonix and the initial VPN connection works, but after that I get 100% packet loss. I’ve monitored eth0 and can see a consistent stream of outgoing ARP requests asking for the MAC address associated with the remote VPN server IP. This is very strange, as the correct routes exist for the remote VPN server (VPN server IP via 10.137.0.9 dev eth0) and for sys-whonix (10.137.0.9 dev eth0 scope host onlink). I have verified that the routes are the same when connected to sys-whonix as when connected to sys-firewall, with the IPs adjusted, of course.

I’m using Qubes 4.1, whonix-gw-16. The last working configuration I had for Tor before VPN was with Qubes 4.0, whonix-gw-15. I’ve used the exact same configuration for both. The OpenVPN version is 2.5.1. This is all inside a debian-11 VM.

I was certain this was an OpenVPN bug until I confirmed it only occurs when connected to sys-whonix. I have no idea how to even begin to move forward.

Generic Bug Reproduction

It appears that many others have been experiencing this issue for quite some time. Crazy to me that Qubes would go ahead and release a “final” version of 4.1 with such ridiculous issues.

For those who stumble across this post I am currently having success by doing:
arp -s REMOTE-VPN-SERVER-IP -i eth0 fe:ff:ff:ff:ff:ff

I have looked into the difference between networking in Qubes 4.0 (where Tor before VPN worked perfectly) and Qubes 4.1 (where it is broken) and the thing that jumps out at me is that in 4.0 the command “ip neigh show” does not include the remote VPN server IP as a neighbor which is to be expected, whereas in Qubes 4.1 the remote VPN server IP is considered a neighbor. From my understanding of networking, this is definitely a bug in 4.1. Given that the tcpdump of eth0 in the vpn gateway is a series of ARP requests trying to resolve this “neighbor” that should not even be considered a neighbor, I think this is definitely something that needs to be explored.

Hopefully someone stumbles upon this and explores further or knows how to put this in front of the correct eyes. I myself have wasted three days on this bullshit and unfortunately need to move on.

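The diagnosis in the two posts above (the VPN server IP showing up in `ip neigh show`, a stream of ARP requests for it on eth0) and the `arp -s` workaround can be scripted. The following is an added example, not code from the thread or from Qubes/Whonix. It parses `ip neigh show` and `tcpdump` output, decides whether the entry needs pinning, and emits the iproute2 form of the post's `arp -s` command (`ip neigh replace ... nud permanent`). Assumptions not taken from the post: the VPN server address 203.0.113.10 is a TEST-NET-3 placeholder, eth0 is the upstream interface of the VPN gateway qube, and the sample `ip neigh` / `tcpdump` lines are constructed, not captured. The MAC fe:ff:ff:ff:ff:ff is the one the post pins.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the "VPN server is an ARP
# neighbour" symptom and apply the same pin as the post's `arp -s`, via iproute2.
# Assumed values (placeholders, not from the post): 203.0.113.10 is TEST-NET-3,
# eth0 is the VPN gateway qube's upstream interface.
VPN_SERVER_IP="${VPN_SERVER_IP:-203.0.113.10}"
IFACE="${IFACE:-eth0}"
QUBES_GW_MAC="${QUBES_GW_MAC:-fe:ff:ff:ff:ff:ff}"   # the MAC the post pins

# Constructed sample output (not captured from a real system) mirroring what the
# post describes for Qubes 4.1: the VPN server itself is listed as a neighbour,
# and eth0 keeps sending ARP requests for it.
SAMPLE_NEIGH='10.137.0.9 dev eth0 lladdr fe:ff:ff:ff:ff:ff REACHABLE
203.0.113.10 dev eth0 FAILED'
SAMPLE_DUMP='12:00:00.000001 ARP, Request who-has 203.0.113.10 tell 10.137.0.20, length 28
12:00:01.000002 ARP, Request who-has 203.0.113.10 tell 10.137.0.20, length 28'

# Read `ip neigh show` output on stdin; print the NUD state of $1, or "none" when
# the address is not listed at all (what the post reports for Qubes 4.0).
neigh_state() {
    awk -v ip="$1" '$1 == ip { st = $NF } END { print (st == "" ? "none" : st) }'
}

# Read `ip neigh show` output on stdin; print the lladdr recorded for $1, or "none".
neigh_lladdr() {
    awk -v ip="$1" '
        $1 == ip { for (i = 1; i < NF; i++) if ($i == "lladdr") mac = $(i + 1) }
        END { print (mac == "" ? "none" : mac) }'
}

# Read `tcpdump -n -i IFACE arp` output on stdin; count ARP requests for $1.
# The trailing space keeps 203.0.113.10 from matching 203.0.113.100.
arp_requests_for() {
    grep -Fc "who-has $1 " || true   # grep -c prints 0 but exits 1 on no match
}

# Decide whether to pin the entry. Args: state, lladdr, expected MAC.
# Nothing to do when the address is not a neighbour at all (healthy) or is
# already PERMANENT with the expected MAC (workaround already applied).
needs_workaround() {
    [ "$1" != "none" ] && { [ "$1" != "PERMANENT" ] || [ "$2" != "$3" ]; }
}

# iproute2 equivalent of the post's `arp -s IP -i IFACE MAC`. Args: IP IFACE MAC.
workaround_cmd() {
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$1" "$3" "$2"
}

# $1: demo (constructed sample), diagnose (live, report only), apply (live, pin).
main() {
    if [ "$1" = "demo" ]; then
        neigh="$SAMPLE_NEIGH"; dump="$SAMPLE_DUMP"
    else
        neigh="$(ip neigh show)"
        # Needs root; captures ARP on the upstream interface for five seconds.
        dump="$(timeout 5 tcpdump -n -i "$IFACE" arp 2>/dev/null || true)"
    fi
    state="$(printf '%s\n' "$neigh" | neigh_state "$VPN_SERVER_IP")"
    mac="$(printf '%s\n' "$neigh" | neigh_lladdr "$VPN_SERVER_IP")"
    reqs="$(printf '%s\n' "$dump" | arp_requests_for "$VPN_SERVER_IP")"
    echo "neighbour entry for $VPN_SERVER_IP: state=$state lladdr=$mac"
    echo "ARP requests seen for $VPN_SERVER_IP: $reqs"
    if needs_workaround "$state" "$mac" "$QUBES_GW_MAC"; then
        cmd="$(workaround_cmd "$VPN_SERVER_IP" "$IFACE" "$QUBES_GW_MAC")"
        if [ "$1" = "apply" ]; then
            $cmd && echo "applied: $cmd"   # needs root; not persistent across reboot
        else
            echo "would run: $cmd"
        fi
    else
        echo "no static entry needed"
    fi
}

# Only act when invoked as `sh script.sh demo|diagnose|apply`; sourcing is a no-op.
case "${1:-}" in demo|diagnose|apply) main "$1" ;; esac
```

`sh script.sh demo` runs the parsers over the constructed sample and prints the pin command it would issue; `diagnose` does the same against the live qube; `apply` also runs it. Like the post's `arp -s`, the PERMANENT entry does not survive a reboot of the gateway qube, so it belongs in whatever hook brings the VPN up (for example an OpenVPN `up` script), and it should only be applied when the VPN server address does show up in `ip neigh show`, which is the 4.1 symptom the post describes.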

This isn’t caused by any Whonix source code; it’s a Qubes issue.
If this shall be fixed, it must be reported to Qubes directly.
As per What to post in this Qubes-Whonix forum and what not.