Communication between qubes over multiple hops

I’d like to make 2 qubes/domains communicate with each other using iptables.
I used this link but it is still not working: Firewall | Qubes OS

Now, I don’t use sys-firewall for them; I’m using sysfirewall-vpn-tor.
I added those iptables rules in all of them:

  • sys-firewall
  • sys-vpn-ie
  • sys-vpn-tor

and allowed INPUT for the source in qube 2, but I still can’t ping it from qube 1.

Is there something else that I need to do?

I want to point out that I actually can’t ping anything, e.g. google.com,
but I do have internet [I can surf via browser].

Qube 1: Kali [from a debian template]
Qube 2: Lab

If I’m using sys-firewall I’ll be able to do so … but not if I’m using multiple hops: sys-firewall → vpn → tor


What netvm are these two Qubes attached to? Is it the same? It has to be the same, otherwise it won’t work.

Yes, the same.
They are on a custom netvm that goes as described above:

  • tor [sys-whonix] → vpn → net-firewall

I know that if I switch to only net-firewall it will work, but I want to make this work with this config.
Is there a way?

I have no idea what you are trying to do.
Before you said:
sys-firewal → vpn → tor
And now you say:
tor [sys-whonix] → vpn → net-firewall

You were asked which netvm the qubes were attached to, and you didn’t
answer that question. Answer that question.

I don’t recommend changing firewall rules at random, as you seem to have
done. Revert the changes that you have made.
Identify the qube that both qubes are using as their netvm. That is
where you will need to make changes. Nowhere else.

You mean:

qube a → sys-whonix → sys-vpn → sys-firewall → sys-net
qube b ----^

Right? In which case I think sys-whonix might be blocking your attempts. An easy way to check is to clone sys-firewall into sys-tor-firewall, set its netvm to sys-whonix, and connect your qubes a & b to sys-tor-firewall.

That should work then, but you lose the stream isolation of whonix/tor because both qubes’ traffic will go through sys-tor-firewall, which is the only qube whonix will see.

If you do want stream isolation and the connection between the qubes is a specific port only you could try and use the qubes.ConnectTCP method:


@Sven yes you’re right.
So what I did is:

  • I created a sys-vpnie-tor qube based on the whonix-gw-15 template with NetVM sys-vpn-ie
  • sys-vpn-ie is a VPN qube based on the Fedora template with NetVM sys-firewall

Qube A and Qube B are both attached to sys-vpnie-tor.

Now, using that connection you mentioned is not so helpful because:

  • Qube A is Kali
  • Qube B is a lab machine with lots of ports open for learning [metasploitable right now, as I’m a noob at Kali and pentesting],
    and that would mean first adding lots of ports there and second changing them when I move to another lab

Is there a better way with this setup?

Yes

  1. Undo all firewall changes you previously made in various qubes, as @unman recommended
  2. Create a proxy qube based on Fedora and set its netvm to sys-vpnie-tor
  3. Connect Qube A and Qube B to the new proxy qube
  4. Configure Qube B to accept connections on all ports from Qube A as described in the documentation
  5. Configure the new proxy qube to allow all connections from Qube A to Qube B

Depending on your use case also:

  1. Configure Qube A to accept connections on all ports from Qube B as described in the documentation
  2. Configure the new proxy qube to allow all connections from Qube B to Qube A

If you don’t mind me asking: since this is “just” a lab, why do you bother to connect them to the internet at all? You can set the new proxy qube’s netvm to ‘’ and your lab will still work. It’ll effectively be an internal network without a connection to the Internet. What do you hope to achieve by connecting it to Tor?
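The rules behind steps 4 and 5 above, as an added example that is not part of this thread and not code from the Qubes project: a POSIX shell script that prints the iptables commands the Qubes R4.0 firewall documentation prescribes for letting one qube reach another through a shared netvm (the proxy qube). It assumes an iptables-based netvm (Fedora template, as in this thread; Qubes 4.2 and later use nftables instead), and the two IP addresses are placeholders; read the real ones with `qvm-prefs <qube> ip` in dom0. Apply the printed commands as root inside the named qubes.

```shell
#!/bin/sh
# Added example: generate the Qubes R4.0 iptables rules that let Qube A reach Qube B
# when both are attached to the same proxy qube. Not code from the thread or from Qubes.
# The addresses are assumptions; replace them with the output of `qvm-prefs <qube> ip`.
QUBE_A_IP="${QUBE_A_IP:-10.137.0.10}"   # assumed IP of Qube A (Kali)
QUBE_B_IP="${QUBE_B_IP:-10.137.0.11}"   # assumed IP of Qube B (Lab)

# Rule for the proxy qube (the shared netvm). The Qubes FORWARD chain accepts
# RELATED,ESTABLISHED traffic in rule 1 and drops vif-to-vif traffic in rule 2,
# so the allow rule has to be inserted at position 2, ahead of that drop.
proxy_forward_rule() {
    printf 'iptables -I FORWARD 2 -s %s -d %s -j ACCEPT' "$1" "$2"
}

# Rule for the destination qube: its INPUT chain drops unsolicited traffic arriving
# from the netvm, so accept everything from the source qube (all ports, which is
# what a lab target with many open services needs).
dest_input_rule() {
    printf 'iptables -I INPUT -s %s -j ACCEPT' "$1"
}

# Full rule set for one direction: proxy FORWARD rule plus the destination's INPUT
# rule. With a third argument of 1 the reverse pair is emitted too, which is the
# "depending on your use case" bidirectional setup.
lab_rules() {
    src="$1"; dst="$2"; both="${3:-0}"
    printf '# in the proxy qube\n%s\n' "$(proxy_forward_rule "$src" "$dst")"
    printf '# in the qube at %s\n%s\n' "$dst" "$(dest_input_rule "$src")"
    if [ "$both" = 1 ]; then
        printf '# in the proxy qube\n%s\n' "$(proxy_forward_rule "$dst" "$src")"
        printf '# in the qube at %s\n%s\n' "$src" "$(dest_input_rule "$dst")"
    fi
}

# Number of iptables commands in a rule set: 2 one-way, 4 bidirectional.
rule_count() {
    lab_rules "$@" | grep -c '^iptables '
}

# Rules added with a bare iptables call vanish when the qube reboots. The documented
# persistent locations are /rw/config/qubes-firewall-user-script in the proxy qube
# and /rw/config/rc.local in the destination qube; this prints what to append to each.
persist_snippet() {
    printf 'proxy qube -> /rw/config/qubes-firewall-user-script: %s\n' "$(proxy_forward_rule "$1" "$2")"
    printf 'qube at %s -> /rw/config/rc.local: %s\n' "$2" "$(dest_input_rule "$1")"
}

# Print the one-way rule set for the assumed addresses. Both rules are needed even
# for ICMP, so `ping $QUBE_B_IP` from Qube A is the right check afterwards.
lab_rules "$QUBE_A_IP" "$QUBE_B_IP"
persist_snippet "$QUBE_A_IP" "$QUBE_B_IP"
```

Run it with `QUBE_A_IP=... QUBE_B_IP=... sh lab-rules.sh` (file name is an assumption) and paste each printed command into the qube it is labelled for; pass `1` as a third argument to `lab_rules` when the lab box also needs to initiate connections back to Kali.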

Woohoo. That worked.

Because there are lots of things that I don’t understand so I’m using Kali to search on the internet.

Thank you