Broken `qrexec-policy-daemon` after messed up `qubes-remote-desktop` installation

Ahh I did find a difference:

# your command
echo "qubes.ConnectTCP +5901 remote-admin @default allow target=dom0" | sudo tee -  /etc/qubes/policy.d/30-remote-admin.policy
# my command
echo "qubes.ConnectTCP +5901 remote-admin @default allow target dom0" | sudo tee -  /etc/qubes/policy.d/30-remote-admin.policy
Ah. That was it, then! But don’t forget to change +5901 to +5900 in this and the following command.

Ahh yes

grep -r 'remote-admin' /etc/qubes-rpc/
/etc/qubes-rpc/policy/-:qubes.ConnectTCP +5901 remote-admin @default allow target dom0

OK. That’s my fault. The tee command shouldn’t have the - dash. I have fixed it in the guide now.

I get

[user@dom0 policy] ll
-rw-r--r-- 1 root root 63 Sep 28 22:58 -
...
So can I safely delete this file?

Yes. You were the one who created it with my wrong tee command. And I don’t have it on my Qubes system. So you’re good to go.

It has those permissions because you created it with sudo.

That did it. So the correct command is

echo "qubes.ConnectTCP +5900 remote-admin @default allow target=dom0" | sudo tee /etc/qubes/policy.d/30-remote-admin.policy

?

Yes!

And then the command in 3. also changed.
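Added example, not from this thread or from the qrexec project: a small Python checker for the new-format rule line above. It catches the exact slip discussed here (a parameter written as `target dom0` instead of `target=dom0`) before the file is written to /etc/qubes/policy.d/. The field layout and the set of accepted parameter names are my assumptions drawn from the lines in this thread, not the real qrexec policy parser.

```python
import re

# Constructed sample rules from this thread: the broken one (missing "=") and the corrected one.
BROKEN_LINE = "qubes.ConnectTCP +5901 remote-admin @default allow target dom0"
FIXED_LINE = "qubes.ConnectTCP +5900 remote-admin @default allow target=dom0"

ACTIONS = {"allow", "deny", "ask"}
# Assumed subset of parameter keys; extend it for the parameters you actually use.
KNOWN_PARAMS = {"target", "user", "default_target", "autostart", "notify"}


def parse_policy_line(line):
    """Split one rule into its fields; return a dict, None for blank/comment/directive
    lines, or raise ValueError describing what is malformed."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("!"):
        return None  # comments and "!include"-style directives are not validated here
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"expected at least 5 fields, got {len(fields)}: {line!r}")
    service, argument, source, destination, action, *params = fields
    if not re.fullmatch(r"[A-Za-z0-9._-]+", service):
        raise ValueError(f"odd service name {service!r}")
    if not (argument == "*" or argument.startswith("+")):
        raise ValueError(f"argument must be '*' or start with '+': {argument!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    parsed = {}
    for param in params:
        key, sep, value = param.partition("=")
        if not sep or not value:
            # This is the mistake from the thread: "target dom0" instead of "target=dom0".
            raise ValueError(f"parameter {param!r} must be written as key=value")
        if key not in KNOWN_PARAMS:
            raise ValueError(f"unknown parameter {key!r}")
        parsed[key] = value
    return {"service": service, "argument": argument, "source": source,
            "destination": destination, "action": action, "params": parsed}


def check_policy_text(text):
    """Return [(line_number, error_message)] for every malformed rule in a policy file body."""
    errors = []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            parse_policy_line(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
    return errors
```

Run `check_policy_text(open("/etc/qubes/policy.d/30-remote-admin.policy").read())` on the file before relying on it; an empty list means every rule parsed.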

All right. In your guide step 1. has a double space between tee and /etc/.... Is this important?

No that shouldn’t matter. I’ve just fixed it now.

Thanks! It’s working now :)
One last question: Is this guide outdated: (Firewall | Qubes OS)?
It is stated there to create a file in /etc/qubes-rpc/policy/qubes.ConnectTCP rather than /etc/qubes/policy.d/30-remote-admin.policy.

Looks like it’s outdated. Calling in @adw, the maintainer of the docs.

Fantastic! :sunglasses:


My overall goal is to access dom0 via vnc from the outside world. (I’m aware of the security risks.)

I have configured a wireguard gateway into my local network and want to expose a port of my qubes desktop computer to the local network for vnc access (so sys-net → sys-firewall → remote-admin).

Are you aware of a good guide?
I have found this (Firewall | Qubes OS)
and this ([Contribution] qvm-expose-port · Issue #4028 · QubesOS/qubes-issues · GitHub) but this may be also outdated.

Well, because you’re punching a hole so big in this Qubes system then maybe you could run this in sys-net rather than remote-admin and have a way easier time exposing that qube.

Yes, sure. How do I do that, i.e. which guide should I follow?

Just do the same thing but instead of remote-admin, replace with sys-net. And then find out how you can expose a server on sys-net if it doesn’t already.

Mind opening an issue or PR for that?

Here you go Adapt to new policy format by deeplow · Pull Request #1270 · QubesOS/qubes-doc · GitHub, but it should be reviewed by someone in the know about policy formats as I haven’t tested that.
