4.2 vpn problems please help

Please any guide how to setup wireguard and openvpn to work under 4.2. After upgrade all vpn loses.

Actually, I need instructions how to fix this script from iptables to new firewall

case "$1" in

# To override DHCP DNS, assign static DNS addresses with 'setenv vpn_dns' in openvpn config;
# Format is 'X.X.X.X  Y.Y.Y.Y [...]' with quotes.
if [[ -z "$vpn_dns" ]] ; then
    # Parses DHCP options from openvpn to set DNS address translation:
    for optionname in ${!foreign_option_*} ; do
        unset fops; fops=($option)
        if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi

iptables -t nat -F PR-QBS
if [[ -n "$vpn_dns" ]] ; then
    # Set DNS address translation in firewall:
    for addr in $vpn_dns; do
        iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
        iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
    su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
    su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user

su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user


and second file I’m originally using at 4.1

cat qubes-firewall-user-script 

# This script is called in AppVMs after every firewall update (configuration
# change, starting some VM etc). This is a good place to write own custom
# firewall rules, in addition to autogenerated ones. Remember that in most cases
# you'll need to insert the rules at the beginning (iptables -I) for it to be
# effective.

#<----->Block forwarding of connections through upstream network device
#<----->(in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

You can see an example of how to convert rules from iptables to nftables here:

1 Like

There is a iptables-translate command that tells you the nftables command for a given iptables command.


I can connect to vpn now, but without qubes-firewall-user-script. This anti leak from proxy-firewall-restrict file don’t work at all. Not possible to connect if installed or an connect (notification show) by vpn not work

What commands do you have there?

If you can’t convert the firewall to nftables yourself, create a new qube, install and use this instead:

Tried with this:

I’m using 3rd party service in some vms, like mullwad. It receive configs from server, so I need other workaround. Simple anti leak script to place at qubes-firewall-user-script as I did at 4.1

It works with most VPN providers.

The script assumes that you run openvpn process under qvpn group with --group qvpn option:

And it assumes that the tunnel interface created by openvpn will be set to group 9:

In the openvpn up script:

1 Like

Yes, it run under qvpn the same like previous R4.1 script. Seems the problem that tunnel not set to group 9. Thank, for your example, I will try :slight_smile:

What tempalte are you using for your vpn qube? I also faced an issue where my vpn qubes stopped working after an upgrade to 4.2. In my case I’m using minimal templates. After switching to full fedora-38 templates vpn is working again. So I suspect with the new 4.2 release I’m missing some package in my minimal template.