Connect another computer through a Qubes system to the internet using USB Ethernet adapters (or in any other way)
Setup:
First computer:
Desktop with Qubes 4.1 installed (kernel 6.4.7-1)
The motherboard has 1 internet (LAN) connector and a lot of USB. (no wifi)
Connection to the internet is through the internet (LAN) connector.
The connection chain is as follows:
Internet ← Kinetic router ← ethernet cable ← sys-net (internet controller is enabled (in devices section)) ← sys-firewall ← vpn-qube ← vpn-qube-firewall
All other working qubes are connected to vpn-qube-firewall.
The second computer:
Dell laptop based on win 11 without internet connector (LAN).
Available accessories :
suitable internet cable
USB Ethernet adapter x2 (Win 10 and Qubes identify these adapters without any problems; in Qubes I see the adapter in the USB section).
Finding a solution:
For Windows, it is possible to create such a connection.
I tried to search for information in the documentation and on the forum but did not find a ready solution.
Is it possible to organize such a connection for a Qubes-based system?
It’s certainly possible. However, you didn’t indicate if you are using a USB qube or not. In any case, you could connect one of those USB Ethernet adapters to your Qubes machine and sort out things so that the adapter can be passed to a new sys-net qube dedicated to handling that connection. Then you can create a second sys-net, map that USB Ethernet adapter to it and point it at sys-firewall for its upstream connection. You may need to add a NAT to that sys-net to provide for routability to your secondary machine, but that’s pretty much all there is to it.
If you are presenting your adapter through your USB Qube, you would not need the new sys-net set up as an HVM, but without a USB Qube, you would need to configure that sys-net as HVM to present the hardware USB adapter to it.
There have been a few threads on exactly this subject.
You don't say if you want the Windows laptop to also be restricted to the
VPN.
The principle is simple:
You create a qube which you configure as a router - how you do this
will depend on the template you use.
Many problems that people have in Qubes are actually not Qubes specific.
This is one of those.
You can find many guides online to creating a router.
The only Qubes specific part here is that you have to change the
nftables rules in the qube, and enable routing, and you will have to do
this using the mechanisms in /rw/config. (You could use bind-dirs but I think that would be more complicated than needed)
You can use rc.local to enable routing, and scripts in qubes-firewall-user-script to set up the nft nat rules.
Although you have many USB ports, it’s worth checking to see how many
USB controllers you have.
If you have many, it would be worth attaching one directly to your
routing qube. If you do not, then you can try passing through the USB
device from sys-usb to the router qube.
I would start simply, to check that you can get a USB adapter attached
to the routing qube, and ping from the Windows laptop to the routing
qube.
Once you have that working, configure the router, and test
configuration.
Then make sure that you have working configuration saved so that it will
survive reboot of the routing qube.
Attach the router where you will.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
I bought a separate network card, now I can add a separate internet controller to my qube.
This is roughly how I see the workflow at the moment:
Internet ← Kinetic router ← ethernet cable ← sys-net (first internet controller is enabled (in devices section)) ← sys-firewall ← vpn-qube ← vpn-qube-firewall ← sys-lan (second internet controller) ← ethernet cable ← USB adapter ← win-pc
The only Qubes specific part here is that you have to change the
nftables rules in the qube, and enable routing, and you will have to do
this using the mechanisms in /rw/config. (You could use bind-dirs but I think that would be more complicated than needed)
You can use rc.local to enable routing, and scripts in qubes-firewall-user-script to set up the nft nat rules.
Maybe somewhere I can find examples of configuring such a bridge for Qubes? I couldn’t see examples in the FAQ.
Many problems that people have in Qubes are actually not Qubes specific.
This is one of those.
In general we prefer not to duplicate material that’s available
elsewhere - this obviously isn't the case for Community Guides.
You can find many guides online to turning a machine into a router.
Once you have chosen the template you will be using for the router
qube, find instructions for the relevant distribution.
The only Qubes specific part is that you have to make sure that any
changes you make to the root filesystem will persist after a reboot.
There are two basic mechanisms for this in Qubes - using bind-dirs
or using scripts under /rw/config.
For example, in Debian, you will want to enable forwarding - you can do this
by setting net.ipv4.ip_forward = 1 in /etc/sysctl.conf
This is a case where bind-dirs will help to make that change persistent.
Then you will want to set appropriate forwarding rules using
iptables/nftables.
You can best do this by creating the scripts under
/rw/config/qubes-firewall.d, or in /rw/config/qubes-firewall-user-script
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
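As an added illustration of the routing and NAT setup discussed in this thread (not code from any poster or from the Qubes project), the script below generates an nftables ruleset that masquerades the laptop's subnet out of the router qube's uplink and drops LAN traffic headed anywhere else. The interface names, the subnet and the table name `lan_router` are assumptions. An accept in this table does not override a drop in the template's existing forward chain, so a rule admitting the LAN interface may still be needed there.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, subnet and the table
# name "lan_router" are assumptions; check `ip link` in the router qube.
LAN_IF="${LAN_IF:-eth1}"               # assumed: adapter facing the laptop
UPLINK_IF="${UPLINK_IF:-eth0}"         # assumed: interface toward the upstream qube
LAN_NET="${LAN_NET:-192.168.50.0/24}"  # constructed sample subnet

# Accept only plain interface names (max 15 chars) so nothing can be
# smuggled into the generated ruleset.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Syntactic check only: dotted quad plus a /0-32 prefix.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print an nft ruleset: $1 = LAN interface, $2 = uplink, $3 = LAN subnet.
gen_rules() {
    valid_ifname "$1" && valid_ifname "$2" && valid_cidr "$3" || return 1
    cat <<EOF
table ip lan_router
delete table ip lan_router
table ip lan_router {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # LAN traffic may leave only through the uplink (no leak past the VPN chain)
        iifname "$1" oifname != "$2" drop
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$2" ip saddr $3 masquerade
    }
}
EOF
}

rules=$(gen_rules "$LAN_IF" "$UPLINK_IF" "$LAN_NET") || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    sysctl -w net.ipv4.ip_forward=1    # enable routing
    printf '%s\n' "$rules" | nft -f -  # load the ruleset atomically
else
    printf '%s\n' "$rules"             # dry run: show what would be loaded
fi
```

Run without `APPLY=1` it only prints the ruleset; to persist it, call it with `APPLY=1` from /rw/config/qubes-firewall-user-script (the sysctl line can live in /rw/config/rc.local instead).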