VM → sys-firewall-vpn → vpn-Mullvad → sys-firewall → sys-net.
The “vpn-mullvad” machine has firewall rules restricting traffic to the vpn servers - so traffic coming out of the VM shouldn’t go anywhere else if I don’t connect to the VPN.
It turned out that I was wrong. Despite not connecting to the VPN, traffic from the VM freely goes out anywhere.
I don’t hide my irritation, because this kind of thing shouldn’t happen. This is a fuckup. Can you tell me what the issue is with this and why there is a leak?
I attach pictures of the configuration. @umman2005 @Sven
sys-firewall-vpn should only allow reaching vpn-mullvad on all ports.
vpn-mullvad should only be allowed to reach mullvad servers on the UDP port for your tunnel
I don’t know if mullvad can provide such a list, or if they have a dynamic list of servers, in which case that makes the setup more complicated than listing a few IPs.
With this configuration, sys-firewall-vpn can’t leak anything outside of vpn-mullvad, and vpn-mullvad traffic will be limited to only establishing the tunnel. You can’t have a leak with that.
An issue you may have is if vpn-mullvad isn’t allowed to do DNS requests and you use a hostname for the mullvad remote endpoint: the system won’t be able to resolve the IP of that hostname and connect.
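As an added example (not from this thread or the Qubes project), the check below audits a VPN qube's rule list as printed by `qvm-firewall <qube> list` in dom0 and confirms it matches the layout just described: every accept rule targets only the tunnel endpoint on its UDP port, and the list ends with a drop. The endpoint, port and both rule listings are constructed placeholders; compare the column order with your own `qvm-firewall vpn-mullvad list` output before relying on it.

```shell
#!/bin/sh
# Added example: audit a VPN qube's Qubes firewall rules for leaks.
# Assumes "qvm-firewall <qube> list" prints one header line followed by
# rows of: NO ACTION HOST PROTOCOL PORT(S) ...  (verify against your dom0).

# Tunnel endpoint and UDP port the qube is allowed to reach (placeholders).
VPN_ENDPOINT="203.0.113.10"
VPN_PORT="51820"

# Constructed sample: the intended rule set, accept the endpoint then drop.
GOOD_RULES='NO  ACTION  HOST          PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  203.0.113.10  udp       51820
1   drop'

# Constructed sample: a fresh qube's default, a single unconditional accept.
LEAKY_RULES='NO  ACTION  HOST  PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept'

# audit_rules <listing>: returns 0 only if every accept rule is restricted to
# VPN_ENDPOINT/udp/VPN_PORT and the final rule is a drop; returns 1 otherwise.
audit_rules() {
    printf '%s\n' "$1" | awk -v host="$VPN_ENDPOINT" -v port="$VPN_PORT" '
        NR == 1 { next }                       # skip the header line
        $2 == "accept" {                       # an accept must name host, udp, port
            if ($3 != host || $4 != "udp" || $5 != port) bad = 1
        }
        { last = $2 }                          # remember the action of the last rule
        END { exit (bad || last != "drop") ? 1 : 0 }'
}

# Usage in dom0 (commented out so the file runs offline):
# if audit_rules "$(qvm-firewall vpn-mullvad list)"; then echo "rules ok"; else echo "LEAK: review rules"; fi
```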
does it still “leak” even if you don’t connect the VPN? (keep the rules in the vpn qube) I’d expect that you lose network, that may mean the mullvadvpn check may be faulty?
What if in the VPN qube network manager applet you “disconnect” its virtual interface? Do you still have internet access? If yes, this would mean that it’s the firewall qube that is leaking, not the vpn qube.
I made the “mullvad-vpn” machine a few months ago on the Fedora-37 template, I was on qubes 4.1 at the time. I followed all the steps in the instructions at this link:
Two months ago I installed qubes 4.2 and then restored the machines from backup. After some time, I stopped the mullvad-vpn machine and switched the template to fedora-38.
In addition, shouldn’t the network be controlled by Xen, as it works with Microsoft’s hyper-v?
If I install clean windows and do not give network permissions, Windows will not access it in any other way. So I guess qubes controls the network settings of VM machines.
I have installed qubes 4.2-rc3. Release Candidate, and in the meantime, there was an error that compromised the basic security of qubes…
In a terminal in the VPN qube, run curl https://ifconfig.me with the VPN connected, and then when disconnected.
Do you have the same result? If so, is it your ISP IP in both cases?
On my VPN qube, I get this result for instance. My setup is super easy, I just block all traffic in the firewall tab in the qube settings, enable network-manager service and I added my VPN config.
# vpn enabled
user@sys-vpn ~> curl https://ifconfig.me
1.2.3.4⏎ # (I obfuscated the IP for the forum)
# vpn disabled
user@sys-vpn ~> curl https://ifconfig.me
curl: (7) Failed to connect to ifconfig.me port 443 after 133 ms: Couldn't connect to server
You know my answer.
When I connect to the VPN, curl returns the Mullvad IP.
When I disconnect from the VPN, curl returns the ISP IP.
I did the test on vm “vpn-mullvad” which has rules set up.
I use Qubes on a daily basis and I do not hide the urgency. I will delve into the details of the firewall documentation on the qubes website.
Say - what qubes configuration do you have? Also qubes 4.2 + Fedora-38 template?
Exactly, and I’m using a wireguard VPN but that shouldn’t have any impact here.
ok!
For some reason, it seems the firewall in the qube isn’t applied correctly.
What do you have in /rw/config/qubes-firewall-user-script? (if there is something)
Did you change something in sys-firewall? The qube firewall settings are applied in a qube’s net qube, which is sys-firewall for your VPN qube. Something in /rw/config/qubes-firewall-user-script or /rw/config/rc.local could have introduced an issue in the firewall.