[0.5 XMR Bounty] Setting up proxyVM to route all VM traffic through http/socks5 proxy

1. install Fedora minimal template

in dom0:
sudo qubes-dom0-update qubes-template-fedora-38-minimal

2. update template

in dom0, open the Qubes Update tool, enable "Enable updates for qubes without known available updates", check fedora-38-minimal and click Next

3. clone template

open Qube Manager, find fedora-38-minimal, right-click, choose Clone qube
name it fedora-38-minimal-proxy and hit OK

4. start terminal of new template

in dom0:
qvm-run -u root fedora-38-minimal-proxy xterm

5. install software in template

in template terminal:

dnf install qubes-core-agent-networking iproute clash dnscrypt-proxy
systemctl disable dnscrypt-proxy
poweroff

6. open Create Qubes VM

name: sys-proxy
type: AppVM
template: fedora-38-minimal-proxy
networking: this is for you to decide, perhaps you want to use a VPN qube, default is sys-firewall
tick Launch settings after creation and click OK
tab Advanced, tick Provides network
tab Applications, select XTerm on the left, click > button in the middle
click Apply and OK

7. in dom0 terminal:

qvm-firewall sys-proxy del --rule-no 0
qvm-firewall sys-proxy add drop
qvm-firewall sys-proxy add --before 0 drop proto=icmp
qvm-firewall sys-proxy add --before 0 drop specialtarget=dns
qvm-firewall sys-proxy add --before 0 accept PROXY_IP
qvm-firewall sys-proxy

replace PROXY_IP with your proxy’s IP
last command should show accept → drop DNS → drop ICMP → drop

8. launch sys-proxy terminal

in dom0: qvm-run -u root sys-proxy xterm

9. finish setup

in sys-proxy terminal run:
mkdir -p /rw/proxy/dns /rw/proxy/clash
edit /rw/proxy/dns/dnscrypt-proxy.toml and paste:

listen_addresses = ['127.0.0.1:5353']
max_clients = 250
proxy = 'socks5://127.0.0.1:7891'
timeout = 5000
keepalive = 30
ignore_system_dns = true
netprobe_timeout = 0
cache = true
[static]
  [static.quad9_doh]
    stamp = 'sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk'
  [static.mullvad_doh]
    stamp = 'sdns://AgcAAAAAAAAAAAAPZG9oLm11bGx2YWQubmV0Ci9kbnMtcXVlcnk'

this is a minimal dnscrypt-proxy configuration that doesn’t rely on online serverlists, but those would work as well because it’s using the socks proxy

edit /rw/proxy/clash/config.yaml and paste:

socks-port: 7891
redir-port: 7892

mode: rule

allow-lan: true
bind-address: '*'

dns:
  enable: false

proxies:
  - name: "socks_proxy"
    type: socks5
    server: PROXY_IP
    port: 1080
    # username: username
    # password: password
  # - name: "http_proxy"
  #   type: http
  #   server: PROXY_IP
  #   port: 80
  #   # username: username
  #   # password: password
  #   # tls: true # https
  #   # skip-cert-verify: true

rules:
  - MATCH,socks_proxy # or http_proxy

replace PROXY_IP with your proxy’s IP and replace the default port if needed, modify proxy settings as needed

edit /rw/config/rc.local and paste:

sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d PROXY_IP -j ACCEPT
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS -d 10.139.1.1 -p udp --dport 53 -j DNAT --to 127.0.0.1:5353
iptables -t nat -A PR-QBS -d 10.139.1.1 -p tcp --dport 53 -j DNAT --to 127.0.0.1:5353
iptables -t nat -A PR-QBS -d 10.139.1.2 -p udp --dport 53 -j DNAT --to 127.0.0.1:5353
iptables -t nat -A PR-QBS -d 10.139.1.2 -p tcp --dport 53 -j DNAT --to 127.0.0.1:5353
iptables -t nat -A PREROUTING -i vif+ -p udp -j REDIRECT --to-ports 7892
iptables -t nat -A PREROUTING -i vif+ -p tcp -j REDIRECT --to-ports 7892
iptables -I INPUT -i vif+ -p tcp --dport 7892 -j ACCEPT
iptables -I INPUT -i vif+ -p udp --dport 7892 -j ACCEPT
iptables -I INPUT -i vif+ -p tcp --dport 5353 -j ACCEPT
iptables -I INPUT -i vif+ -p udp --dport 5353 -j ACCEPT
clash -d /rw/proxy/clash >/dev/null 2>&1 &
sleep 0.5
dnscrypt-proxy -config /rw/proxy/dns/dnscrypt-proxy.toml >/dev/null 2>&1 &

replace PROXY_IP with your proxy’s IP

download Country.mmdb from here in another VM, move it to sys-proxy’s /rw/proxy/clash directory
it doesn’t actually use it, so you don’t have to keep it up-to-date, but clash refuses to start without it

10. restart sys-proxy, create a new qube with it as its networking qube and test it out!

@bountyforqubeshelp2 try it out and let me know how it works. If it’s good I can post it in Community guides and give you my address
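One way to check that a running sys-proxy actually carries the policy from the rc.local above (OUTPUT drops everything except loopback, established flows and the proxy host; PR-QBS sends the Qubes DNS addresses to dnscrypt-proxy; vif+ traffic is redirected to clash), as an added shell example that is not part of the original post. It assumes the text rendering of `iptables -S`; 203.0.113.10 is a placeholder proxy address used only in the constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sys-proxy's iptables rules
# against the rc.local policy. The checks take `iptables -S` text as input so
# they also run on a saved dump. 203.0.113.10 is a placeholder PROXY_IP.

check_output_chain() {  # $1 = output of `iptables -S OUTPUT`, $2 = PROXY_IP
    printf '%s\n' "$1" | grep -qx -- '-P OUTPUT DROP' || return 1
    # any ACCEPT rule other than the three from rc.local is a potential leak path
    leaks=$(printf '%s\n' "$1" | grep -- '-j ACCEPT' \
        | grep -v -e 'RELATED,ESTABLISHED' -e '-o lo ' -e "-d $2/32 " || true)
    [ -z "$leaks" ]
}

check_nat_chains() {  # $1 = output of `iptables -t nat -S`
    # both Qubes DNS addresses, udp and tcp, must be DNATed to dnscrypt-proxy
    for ip in 10.139.1.1 10.139.1.2; do
        for proto in udp tcp; do
            printf '%s\n' "$1" | grep -qE \
              "^-A PR-QBS -d $ip/32 -p $proto .*--dport 53 -j DNAT --to-destination 127\.0\.0\.1:5353$" || return 1
        done
    done
    # everything else from downstream qubes must hit clash's redir-port
    for proto in udp tcp; do
        printf '%s\n' "$1" | grep -qxF -- "-A PREROUTING -i vif+ -p $proto -j REDIRECT --to-ports 7892" || return 1
    done
}

# Constructed sample of what rc.local produces, in `iptables -S` rendering.
SAMPLE_OUTPUT='-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -j ACCEPT'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -j PR-QBS
-A PREROUTING -i vif+ -p udp -j REDIRECT --to-ports 7892
-A PREROUTING -i vif+ -p tcp -j REDIRECT --to-ports 7892
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353'

if check_output_chain "$SAMPLE_OUTPUT" 203.0.113.10 && check_nat_chains "$SAMPLE_NAT"; then
    echo "sample rule set: matches the expected sys-proxy policy"
fi
# Inside sys-proxy as root, audit the live rules instead:
#   check_output_chain "$(iptables -S OUTPUT)" PROXY_IP && check_nat_chains "$(iptables -t nat -S)"
```

Run it as root inside sys-proxy after a restart; a non-zero exit from either function means a rule from rc.local is missing or an extra ACCEPT path exists.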