Creating a "Virtual LAN" to connect AppVMs to ServiceVMs

Hi there,

My problem:

  • For testing and developing I need some AppVMs to connect to some ServerVMs.
  • Normally they shall be completely separated from external connections.
  • Some times they need external access.


  • “pgClientVM” runs pgAdmin and some LibreOffice apps, which need to connect to a PostgreSQL-Server “pgServerVM”.
  • A “webServerVM” shall present some facts out of the “pgServerVM.”
  • The “webClientVM” shall browse the “wwwServerVM”.
  • From time to time the “pgClientVM” has to report to external machines
  • Sometimes the “pgServerVM” needs to replicate with an external PostgreSQL server.

As I see a great risk in fiddling with the Qubes firewall rules, I want to separate my problem of inter-Qubes-networking from the outgoing network traffic.

The idea:

  • external networking for those VMs the default way (sys-firewall / sys-net)
  • internal networking by adding a virtual interface to all 4 VMs
    • configured similar to the first one
  • creating a second Firewall-VM “intFirewallVM”
    • a dedicated virtual interface per connected App- or Server-VM
    • nftable-rules and routing as needed
  • the virtual interfaces work in a separated address range similar to the 10.137.x.y for the external interfaces


  • The general security of the Qubes system will not be touched.
  • It will be a general solution for many developer problems.
  • Once the configuration is fiddled out, it will be easy to add more and/or different clients or servers.
  • The needed rules for routing and nftables can easily being checked, because of the separated address range.

Create a collection of scripts, completed by a “handbook” how to use the scripts in a secure way.

You can do this with qrexec:

Here’s an example:

1 Like

As I see, qrexec and qvm-run are the tools to implement the needed commands later.

My idea to get to a working solution would be to fiddle out the needed configuration steps as a list of commands what have to be run one by one in dom0 or the different vms.

Some commands need to be run once, like adding the 2nd virtual interface to a client- or server-vm. Others will have to be run each time a virtual machine will get started, especially the dynamic configuration of the internal firewall.

Many of these steps are similar to those which happen when starting a vm and connect it to the default sys-firewall. Does anyone know where to find a schedule of this, so we can do a little copy and paste?

No, it could be used for communication between VMs instead of using networking.
For example, if you need to connect from pgClientVM to PostgreSQL-Server that’s running on 5432 port in pgServerVM, then you need to setup qrexec in these two VMs as described in my link but just change the port number and then in pgClientVM you’ll connect to PostgreSQL-Server using local address and the connection will be passed to PostgreSQL-Server in pgServerVM.

Ok, now I see what you want.

Yes, it’s possible and it would do its work for this special purpose.

My idea for this topic is different:

There are many people, who know how to work with standard tools, they have got their LAN, servers and some client machines which connect to them and a firewall to connect this all to the outside world.

I want to give them an easy way to rebuild this on a Qubes host. If we do it the Qubes’ way, they won’t be able to switch easily from one environment to the other and back, without special knowledge. The greater problem: They can’t discuss problems what may occur with fellows in their company.