Firewall1 < VPN < Firewall2 < AppVM?

I’ve been using a VPN Qube (aka sys-vpn, ProxyVM, etc.) for a while, connecting several Qubes/VMs to it. And then it struck me that this could be breaking the security model of Qubes OS, because several Qubes should connect to a firewall Qube which enforces the isolation, rather than to a VPN Qube. Right? Or am I missing something here?
Should this be the right configuration?:
sys-net < sys-firewall < VPN Qube < sys-firewall2 < AppVM?

I think your way is interesting, however you will not isolate the vpn traffic streams this way.
Ultimately, traffic going through any machine will connect to your assigned VPN.
If you are looking to increase security and privacy, then put sys-whonix directly behind the vpn and before the sys-net.

For me, if you look at my Qubes Network post, I have this config for the qubes following:

personal → sys-vpn2 → sys-firewall → sys-net

This is my config for this VM

My question is exactly about this issue. Is that configuration that you use @HPOA909 breaking Qubes OS security, especially if multiple Qubes / AppVMs connect to sys-vpn2 directly, and not to a firewall VM prior?

This will entirely depend on how you have configured nftables in the
The default nftables for any qube that provides network, prohibit traffic
between attached downstream qubes. This will be the case for your
Depending on what changes you have made to that setup (and there must be
some), you may have removed that restriction. No one can answer that for
you, without knowing what your nftables set-up looks like.
Similarly, without knowing what your new nftables looks like, no one can
say whether your sys-vpn is enforcing qubes firewall. If it is, then
sys-firewall2 is redundant: if not, it is necessary.

One point to bear in mind is that the qubes firewall provides NAT - if
you use a sys-firewall2, then all traffic arriving at the VPN qube will
appear to originate from sys-firewall2, so you can't do any fine-grained
work on the VPN qube.
Similarly, the sys-firewall will only see traffic originating from VPN
Qube, which allows it to be a VPN enforcer, but not much more.

To sum up - it depends.

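To make the two points above concrete, here is an added, constructed nftables ruleset for a VPN qube. It is not code from the thread, not the Qubes OS default ruleset, and not the VPN guide the original poster followed; it only illustrates the structure unman describes. The interface names (eth0 uplink, tun0 tunnel, vif* downstream qubes) and the VPN endpoint 203.0.113.10:1194/udp are assumptions, to be replaced with your own values. The rule to keep an eye on when you rewrite a VPN qube's firewall is the `vif* -> vif*` drop in the forward chain: that is the inter-qube isolation a network-providing qube has to preserve. The masquerade rule in the NAT chain is why an upstream sys-firewall only ever sees the VPN qube as the source.

```nft
# Constructed example ruleset for a VPN gateway qube (not the Qubes default).
# Assumed interfaces: eth0 = uplink to sys-firewall/sys-net,
#                     tun0 = VPN tunnel, vif* = downstream qubes.
table ip vpn_gateway {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Isolation: downstream qubes must never reach each other through
        # this qube. Keep this rule even when you replace everything else.
        iifname "vif*" oifname "vif*" drop

        ct state established,related accept

        # Kill switch: downstream traffic may only leave via the tunnel.
        # Anything from a downstream qube heading for the raw uplink is dropped.
        iifname "vif*" oifname "tun0" accept
        iifname "vif*" oifname "eth0" drop
    }

    chain output {
        type filter hook output priority filter; policy drop;

        ct state established,related accept
        oifname "lo" accept
        oifname "tun0" accept

        # Only the VPN client itself may use the uplink, and only to reach
        # the VPN server (assumed endpoint; replace with your provider's).
        oifname "eth0" ip daddr 203.0.113.10 udp dport 1194 accept
    }
}

table ip vpn_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # NAT: packets leaving through the tunnel carry this qube's address,
        # so the other side (and anything upstream) cannot tell downstream
        # qubes apart. The same effect applies one hop up if you insert a
        # sys-firewall2 between the AppVMs and this qube.
        oifname "tun0" masquerade
    }
}
```

Load it with `nft -f` and then verify with `nft list chain ip vpn_gateway forward` that the `vif*`-to-`vif*` drop is still the first rule after any changes; if it is missing, the VPN qube no longer isolates the qubes attached to it, regardless of what the tunnel does.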

Thank you @unman.

I’ve built the VPN Qube as a VPN gateway using iptables and CLI scripts, based on the following instructions:

I guess this means that iptables were modified, and VPN Qube where iptables were modified is unable to fulfill the same function as sys-firewall. Right?

I also note this related documentation text about using a VPN Qubes and setting up firewalls:

Thanks, mate. This will be an issue about the internal RAM that has been soldered before sold to me as brand new back then the price was $899.

You can install GUFW in the firewall VM. You can have multiple firewall VM’s connected to NET VM.
Qubes will give you some complaint notification but will abide.

If you have an independent VM (non Qubes) you can install firewalld, which is dynamic. You start a program and the helper will adapt the firewall. Yes, you have to know how, and it is a lot of work!

By FAR the most important thing is a GPS so you can have the correct time. Even a USB one is good. Currently I use an Apache Server to send the time to the other VM’s.

How are you going to have certificate pinning with Qubes firewall? It’s a dude… I would not waste my time with it (I did already… spent too much time on it).

I have no idea what you are trying to say.
The Qubes firewall provides basic functionality - it doesn’t pretend to
do anything more.
If you want more features then of course, you install a firewall
that provides those features.
For most users the Qubes firewall serves the main purpose of helping to guard
against user mistakes.