Hello,
I am attempting to set up the following configuration:
sys-net → sys-firewall → vpn → vpn-firewall → appvm
I am working on configuring the firewall rules for the vpn-firewall using qvm-firewall. However, I am having issues. I have tried to allow the VPN IP, port, DNS, and ICMP, as well as create separate rules to accept the local IP of the vpn qube, port, DNS, and ICMP. While I can successfully ping google.com and 1.1.1.1, I am unable to open Google in Firefox.
Can someone give me a hint on how to set this up correctly? I want to allow only VPN traffic from the VPN through the VPN firewall to the appVM.
Thank you!
MSQLI
January 26, 2025, 6:52pm
See relevant section. Might help until someone more knowledgeable jumps in.
barto
January 26, 2025, 7:07pm
I recommend reading this thread.
Even if your VPN is not using wireguard, the qvm-firewall hardening method described by @solene is valid.
Hi guys,
Thank you for your help. The provided guides only work for the VPN qube. I am trying to set up the VPN firewall so that it only accepts VPN traffic and drops any other traffic. So far no luck; I have used solene’s firewall rule, but it didn’t work.
qvm-firewall vpn-firewall add accept dsthost=(endpoint)
qvm-firewall vpn-firewall del --rule-no 0
solene
January 26, 2025, 10:21pm
It didn’t work in which way, is it blocking too much or not enough?
Can you share the output of qvm-firewall qube-name?
It’s blocking too “much”. For example I just want to access the internet and it doesn’t work, the page doesn’t load. Pinging does work.
Output of vpn-firewall
NO  ACTION  HOST                            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  <endpoint_vpn_ip_wireguard>/32  -         -        -               -          -       -
Just to clarify, this is net → firewall → vpn → vpn-firewall → appvm. I am configuring on vpn-firewall.
solene
January 26, 2025, 11:07pm
You have a DNS issue in the VPN qube.
Hmm, I tried different DNS options and still have the same issue.
I’ve updated my firewall rules and still no change.
I can ping 1.1.1.1 and google.com but I can’t enter google.com via firefox…
qvm-firewall vpn-firewall
NO  ACTION  HOST                            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  <endpoint_vpn_ip_wireguard>/32  -         -        -               -          -       -
1   accept  -                               icmp      -        -               -          -       -
2   accept  -                               -         -        dns             -          -       -
solene
January 27, 2025, 8:16am
The extra rules are not useful; the VPN prevents traffic from going there.
Can you try to type this in the VPN qube, if using DNS 9.9.9.9 is fine for you for a test:
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
If it works, it means your VPN qube is not able to provide DNS to other qubes using it as a netvm. We could sort this out once we know it’s the issue.
It has always been a mess, I need to find a proper solution I guess.
Hi,
Thanks for your help,
Those firewall rules for the DNS were already added. I switched from Mullvad DNS to 9.9.9.9, and it still didn’t work.
If I reset the rules on the vpn-firewall with qvm-firewall, everything works, so it’s only when I add rules with qvm-firewall to the vpn-firewall.
solene
January 27, 2025, 1:37pm
Sorry, I misread. If you can ping google.com, it means DNS is working.
Do you try to connect to websites from the vpn qube, or from a qube using the vpn as its netvm?
I try to connect to the websites via an appvm, using the vpn-firewall as its netvm
VPN ↔ VPN-Firewall ↔ AppVM (firefox: google.com )
solene
January 27, 2025, 3:39pm
Does it work from the VPN firewall?
Yes, I am on the MirageOS firewall, though, but I assume DNS works because it passes everything through without any firewall rules.
solene
January 27, 2025, 3:45pm
Can you try to run this in the vpn firewall and then try to use the appvm?
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
My edit didn’t go through on the previous post; anyway, I forgot to mention that I run the firewall on MirageOS. I can’t add that to the Mirage firewall.
solene
January 27, 2025, 4:12pm
The firewall rules must be applied on the VPN qube, not the VPN firewall.
These rules are currently applied to the VPN qube; no change, still the same issue.
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
I can’t run the rules you sent on the MirageOS vpn firewall, so it might be a MirageOS firewall issue?
solene
January 27, 2025, 4:42pm
Sorry, I meant the qvm-firewall rules.
Running the following firewall rules on the VPN qube and the VPN-firewall qube:
qvm-firewall vpn
NO  ACTION  HOST                         PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  <endpoint_wireguard_ip>/32   -         -        -               -          -       -
Still having the same issue.
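A small Python model of why the rule set in this thread blocks the appvm's browsing while ping still works, added here as an illustration and not posted by anyone above. It assumes Qubes' behaviour that each netvm masquerades its clients' traffic and therefore enforces, on a forwarded packet, the rules of the qube it arrived from; the endpoint and web server addresses are constructed placeholders, and "dns" is simplified to port 53.

```python
import ipaddress

# Constructed placeholder values; the thread's real endpoint and web server are not given.
ENDPOINT = "203.0.113.10"                                      # <endpoint_wireguard_ip>
HTTPS = {"dst": "198.51.100.7", "proto": "tcp", "dport": 443}  # stands in for google.com
PING = {"dst": "1.1.1.1", "proto": "icmp"}
TUNNEL = {"dst": ENDPOINT, "proto": "udp", "dport": 51820}     # WireGuard packet leaving vpn

def rule(action, dsthost=None, proto=None, specialtarget=None):
    """One qvm-firewall rule; unset fields match anything."""
    return {"action": action, "dsthost": dsthost, "proto": proto,
            "specialtarget": specialtarget}

ENDPOINT_ONLY = [rule("accept", dsthost=ENDPOINT + "/32")]
THREAD_RULES = ENDPOINT_ONLY + [rule("accept", proto="icmp"),
                                rule("accept", specialtarget="dns")]

def matches(r, flow):
    if r["dsthost"] and ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(r["dsthost"]):
        return False
    if r["proto"] and r["proto"] != flow["proto"]:
        return False
    if r["specialtarget"] == "dns" and flow.get("dport") != 53:  # simplification: DNS == port 53
        return False
    return True

def evaluate(rules, flow):
    """First matching rule wins; once the default accept rule is deleted,
    anything unmatched is dropped."""
    for r in rules:
        if matches(r, flow):
            return r["action"]
    return "drop"

def verdict(policies, app_flow):
    """Walk appvm -> vpn-firewall -> vpn -> sys-firewall. Each netvm masquerades
    its clients' traffic, so it enforces the rules of the qube the packet arrived
    from; the vpn qube then wraps the inner flow into the WireGuard tunnel."""
    hops = [("appvm", "vpn-firewall", app_flow),
            ("vpn-firewall", "vpn", app_flow),
            ("vpn", "sys-firewall", TUNNEL)]
    for client, netvm, flow in hops:
        if evaluate(policies.get(client, [rule("accept")]), flow) == "drop":
            return f"drop at {netvm} (rules of {client})"
    return "accept"

if __name__ == "__main__":
    print("thread's rules on vpn-firewall:", verdict({"vpn-firewall": THREAD_RULES}, HTTPS))
    print("endpoint-only rule on vpn:", verdict({"vpn": ENDPOINT_ONLY}, HTTPS))
```

With the endpoint-only rule on the vpn qube alone, sys-firewall still drops anything the vpn qube would send outside the tunnel, which is the leak protection the rule is for.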