Firewall VM with Custom Rules behind a VPN = No Internet

This thread has been difficult to follow, and I don’t have any experience using a VPN with Qubes, so there’s not much I can add to what @unman has already said.

However, I’ll add some foundational knowledge that I’ve learned when it comes to using firewall rules:

  1. Firewall rules for “someqube” are enforced on the netvm/proxyvm that “someqube” is connected to.
  2. That netvm/proxyvm qube must have the ability to resolve hostnames, or it will not allow traffic from “someqube” to flow.

If your goal is to only allow www.google.com from AppVM, there should be a FirewallVM in between VPN VM and AppVM:

Wifi VM < VPN VM < Firewall VM < App VM

The firewall rules should then be configured in AppVM’s Qube Settings / Firewall.

Then, to make sure point two is not a factor, look at the logs on Firewall VM, specifically journalctl -u qubes-firewall.

If there exists a message such as “Failed to parse rules, blocking traffic”, this condition must be rectified. How can it happen?

  • VPN VM did not connect to the remote server quickly enough for a DNS request to resolve successfully
  • VPN VM has issues responding to DNS for some other reason.
  • VPN VM DNS server just didn’t respond

If it is a timing condition, open a terminal in FirewallVM and do sudo systemctl restart qubes-firewall while observing the journal to force the firewall to try again.

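As an added example (not part of the post above and not Qubes OS's own tooling), a small POSIX shell script that automates the check the post describes: it scans the FirewallVM's qubes-firewall journal for the "Failed to parse rules, blocking traffic" message, waits for the hostnames used in the rules to become resolvable from that qube, and only then restarts the service so it re-parses the rules. Run it inside the FirewallVM, not in dom0. The embedded journal lines are constructed for the offline demo, and the script name, the `--live` flag, the hostname arguments and the 30-second timeout are assumptions.

```shell
#!/bin/sh
# fw-check.sh (assumed name): diagnose and recover a Qubes FirewallVM whose
# qubes-firewall updater blocked all traffic because a hostname rule could not
# be parsed. Added example; run inside the FirewallVM as the normal user.

# Exact message quoted in the post; everything else in the journal is noise here.
MARKER='Failed to parse rules, blocking traffic'

# Constructed sample of a `journalctl -u qubes-firewall` excerpt (not a real
# capture). Only the MARKER text is taken from the post; the rest is made up so
# the script can be exercised without a running Qubes system.
SAMPLE_JOURNAL='Jan 01 10:00:01 sys-firewall systemd[1]: Started Qubes firewall updater.
Jan 01 10:00:02 sys-firewall qubes-firewall[412]: Failed to parse rules, blocking traffic'

# True (exit 0) when the journal text given as $1 contains the marker.
firewall_blocked() {
    printf '%s\n' "$1" | grep -q -F "$MARKER"
}

# Number of times the marker appears in $1 (0 when absent, never a failure).
count_blocked() {
    printf '%s\n' "$1" | grep -c -F "$MARKER" || true
}

# Point 2 of the post: the FirewallVM itself must be able to resolve names.
# getent goes through the libc resolver, i.e. whatever /etc/resolv.conf the
# upstream VPN VM handed this qube.
can_resolve() {
    getent hosts "$1" >/dev/null 2>&1
}

# Wait up to $2 seconds (default 30) for $1 to resolve. Covers the timing case
# where the VPN came up after the firewall updater already tried and gave up.
wait_for_dns() {
    host=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        can_resolve "$host" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Live mode: read this boot's real journal; if the marker is present, make sure
# every hostname passed on the command line resolves, then restart the updater
# and show its most recent lines so the retry can be observed.
live_check() {
    journal=$(journalctl -u qubes-firewall -b --no-pager 2>/dev/null)
    if ! firewall_blocked "$journal"; then
        echo "no rule-parse failure in this boot's qubes-firewall journal"
        return 0
    fi
    echo "qubes-firewall reported: $MARKER"
    for h in "$@"; do
        if wait_for_dns "$h" 30; then
            echo "resolves from this qube: $h"
        else
            echo "still cannot resolve $h; fix the VPN VM / its DNS before restarting"
            return 1
        fi
    done
    echo "DNS works now; restarting qubes-firewall so it re-parses the rules"
    sudo systemctl restart qubes-firewall
    sleep 2
    journalctl -u qubes-firewall -b --no-pager | tail -n 5
}

# Usage:
#   sh fw-check.sh                       # offline demo against the sample journal
#   sh fw-check.sh --live www.google.com # real check inside the FirewallVM
case "${1:-}" in
    --live)
        shift
        live_check "$@"
        ;;
    *)
        if firewall_blocked "$SAMPLE_JOURNAL"; then
            echo "sample journal: traffic is blocked by a rule-parse failure ($(count_blocked "$SAMPLE_JOURNAL") occurrence)"
        fi
        ;;
esac
```

The hostnames you pass to `--live` should be the ones that appear in the AppVM's firewall rules, since those are exactly the names the updater on the FirewallVM has to resolve; if one of them never resolves within the timeout, the script refuses to restart, because a restart would just reproduce the same parse failure.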