Guide: split-Protonmail (offline send/receive qubes + pm bridge vm)

Hello,

The socat command is functioning correctly, but after rebooting my Fedora 41 AppVM, it fails to start and ends up freezing and crashing. It displays an error indicating that it cannot connect to qrexec agent.

You forgot to add & which makes it run in the background so:

socat TCP-LISTEN:1143,fork EXEC:"qrexec-client-vm default user.protonmail-imap" &

Thanks for pointing that out! I want to use the wiki post at the top as the authoritative source, and it looks like the original poster used qvm-connect-tcp rather than socat. Do you have any experience with that? I’m a little confused by the invocation because it passes “::1143”. The help text for this command is:

$ qvm-connect-tcp --help
Invalid port provided
Usage: /usr/bin/qvm-connect-tcp [localport]:[vmname]:[port]
Bind localport to another VM port using the qubes.ConnectTCP RPC service.

So it looks like it’s only specifying a remote port, but not a local port or a vmname to connect to… how does it know what service should be bound to this port? Maybe it uses localhost and the same-numbered port as defaults if they are omitted? The underlying script is:

#!/usr/bin/bash --
set -e
[[ "$DEBUG" == "1" ]] && set -x

# Argument format is [localport]:[vmname]:[port]; any field may be empty.
LOCALPORT="$(echo "$1" | cut -d ':' -f1)"
DOMAIN="$(echo "$1" | cut -d ':' -f2)"
PORT="$(echo "$1" | cut -d ':' -f3)"

print_usage() {
    cat >&2 <<USAGE
Usage: $0 [localport]:[vmname]:[port]
Bind localport to another VM port using the qubes.ConnectTCP RPC service.
USAGE
}

# A valid TCP port is in the range 1..65535.
check_port() {
    [[ "$1" -ge 1 ]] && [[ "$1" -le 65535 ]]
}

if [ $# -lt 1 ] ; then
    print_usage
    exit 1
fi

# The remote port is mandatory; the local port defaults to the same number.
[[ -z "$PORT" ]] && { echo "Please provide PORT"; exit 1; };
[[ -z "$LOCALPORT" ]] && LOCALPORT="$PORT"

if check_port "$PORT" && check_port "$LOCALPORT"; then
    # An empty vmname is passed through to qrexec as '' and resolved by the
    # RPC policy's default target (@default).
    if [ -n "$DOMAIN" ]; then
        msg="Binding TCP '$DOMAIN:$PORT' to 'localhost:$LOCALPORT'..."
    else
        msg="Binding TCP '@default:$PORT' to 'localhost:$LOCALPORT'..."
    fi
    echo "$msg"
    # Privileged ports need root to bind.
    su=""
    if test "$LOCALPORT" -le 1023; then
        su="sudo"
    fi
    # Each accepted local connection spawns a qrexec call to qubes.ConnectTCP+PORT.
    ${su} socat TCP-LISTEN:"$LOCALPORT",reuseaddr,fork EXEC:"qrexec-client-vm \'$DOMAIN\' qubes.ConnectTCP+$PORT" &
else
    echo "Invalid port provided"
    print_usage
    exit 1
fi

So it looks like qrexec-client-vm will get an empty string instead of a valid domain name.

I tried using qvm-connect-tcp, but I got a denied policy error. It’s a bit confusing because I’m not sure what qvm-connect-tcp is for since you can only choose a port. I think you can connect those AppVMs through the Qubes policy, but I need to look into it more. The original post should be updated (I updated it). There is a thread here which explains it in more detail: Understanding how qvm-connect-tcp works under the hood


Seems like the piece I was missing was the default target in the RPC policy… which would probably also solve the policy denied error you were getting. It would probably be cleaner to use the QubesOS-provided script (they’re setting at least one option, reuseaddr, that wasn’t included in my invocation and that might be important for some edge case) but that would require more updates to set the policy correctly.


I agree that we should use qvm-connect-tcp and that indeed requires an update for the policies, but I have no idea why it’s denying.

Hello @skyvine

qubes.ConnectTCP +1143 <Qube that receives the mail> @default allow target=<Qube Proton Bridge>

This works with qvm-connect-tcp ::1143

Set this up via Firewall | Qubes OS
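As an added illustration (not part of any post in this thread, and not the guide's own policy file), this is how that single rule fits into a complete user policy file in the Qubes 4.1+ policy format. The file path /etc/qubes/policy.d/30-user.policy is the usual place for user-added rules, and the qube names mail-offline (the qube that runs qvm-connect-tcp ::1143) and pm-bridge (the qube running Proton Bridge) are placeholders:

```text
# /etc/qubes/policy.d/30-user.policy  (placeholder path and qube names)
#
# Rules are matched top to bottom; the first matching line wins.
#
# Only the mail qube may open ConnectTCP, only for port 1143, and only when
# it asks for the default target (which is what "qvm-connect-tcp ::1143"
# does, since it passes an empty vmname). The call is redirected to pm-bridge.
qubes.ConnectTCP  +1143  mail-offline  @default  allow  target=pm-bridge

# Everything else for this service is denied: any other port, any other
# source qube, or an explicitly named target the mail qube is not allowed
# to pick itself.
qubes.ConnectTCP  *      @anyvm        @anyvm    deny
```

With this in place, mail-offline never learns or chooses the bridge qube's name; dom0 policy decides the target, and a typo or a stray request for another port is refused rather than silently connected.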

I want to update the guide with the new policies and use qvm-connect-tcp. Do you agree with this plan?

Looks good to me!
