Has anyone used Qubes to host virtual servers?

I recommend you to acquire some networking knowledge before trying anything. You may inadvertently expose your system to network threats if you do not understand what you are doing.

That’s why I asked for a brief guide.
I’ve already got that you were talking about the sys-firewall, as it’s the netvm of my qube. But if you were referring to my concerns regarding multiple IPs, then what knowledge should I look for? I don’t really understand how general networking knowledge will help me with this, because as far as I’m getting it, all the traffic should come from one source to the sys-net and then be redistributed across qubes.

This section in the firewall guide explains how to proceed: Firewall | Qubes OS

Did the 4.2 version work? 4.2 stopped using iptables and now uses nftables.

So my net VMs are sys-net > sys-firewall > sys-vpn > webserver hosting the app. Do I need to add / modify your script to ensure the port is exposed for the other machine? I’ll have to look at it closely. I’ve tracked a lot of your posts; you know your stuff, I am impressed. I’ve been struggling with what should be a simple task. I have an OpenVPN server with dynamic DNS installed on my router. Should I just have the external machine connect there, then use 443 to authenticate with the web server and work off that?

If you want to expose the service through the VPN, you just need to forward the packets up to sys-vpn; there is no need to care about it on sys-firewall or sys-net, as it’s encapsulated by the VPN.

So my VPN on sys-vpn is Mullvad and sends all traffic over the VPN. I already have a VPN router that has DynDNS dynamic DNS. I tested my PC with the router’s OVPN config file and all is good. I figured being inside my network was good enough for me to just connect to the AppVM over 443 and host a local webserver that launches the app. This seems simpler. After running your script, will I be able to do this?

There are various scripts available which modify the firewall rules down the chain of qubes to the server.
An alternative which you may find easier is to run qvm-connect-tcp on sys-net. This will directly connect a port on sys-net (or any other qube where it is run) to a specified port on the target qube without passing through the firewalling chain.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

This is so great to read! Do you have any written tips/guides anywhere on how to set up a self-hosted searx(ng) instance (dispvm, or any other kind)?

Sorry, I never wrote about this. Maybe later.
It is a named disposable VM based on an AppVM that hosts the configuration files etc., based on an Arch Linux template.

Basically, the whole configuration of the qube is just that:

```sh
[user@server-searxng-app ~]$ cat /rw/config/rc.local
#!/bin/sh
# Qubes runs this as root at every boot of the named disposable; /home/user
# and the searxng checkout come from the AppVM it is based on, so the
# "sudo" prefixes are redundant but harmless.

# Make the checkout readable and traversable for the searxng service user.
sudo chmod +x /home/user
sudo chmod +r /home/user
sudo chmod -R +x /home/user/searxng
sudo chmod -R +r /home/user/searxng

# Only the nginx qube (10.137.0.69) may open new connections to port 80;
# everything else stays blocked by the default Qubes input policy.
nft add rule ip  qubes custom-input ip saddr 10.137.0.69 tcp dport 80 ct state new counter accept

# Backing services: redis for the limiter, nginx as the local front end.
systemctl enable redis
systemctl start redis
systemctl enable nginx
systemctl start nginx

# Install the persisted configuration into the (non-persistent) /etc.
sudo mkdir -p /etc/searxng/
sudo cp /home/user/settings.yml /etc/searxng/
sudo cp /home/user/limiter.toml /etc/searxng/
sudo cp /home/user/rewrite-hosts.yml /etc/searxng/

# Update the checkout and (re)install searxng with its upstream script;
# the piped newlines accept the script's interactive prompts.
cd /home/user/searxng
git stash
git pull
sudo -H ./utils/searxng.sh install user
echo -e "\n\n\n\n\n" | sudo -H ./utils/searxng.sh instance update
echo -e "\n\n\n\n\n\n" | sudo -H ./utils/searxng.sh install uwsgi pyenv

sudo systemctl enable uwsgi@searxng
sudo systemctl start uwsgi@searxng
[user@server-searxng-app ~]$ cat /rw/config/qubes-bind-dirs.d/50-user.conf
# Persist the searxng install and the nginx config across disposable boots.
binds+=( '/usr/local/searxng' )
binds+=( '/etc/nginx/nginx.conf' )
```

It can be improved a lot. Some of the things are not needed, etc.

No one can access this VM except an “nginx” qube, and the nginx qube can be accessed from the internet using my modification of the script “qvm-portfwd-iptables”.

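The rc.local above hard-codes one allow rule in the `custom-input` chain of the Qubes 4.2 `ip qubes` table. The following is an added example, not the poster's script, that generates the same rule shape with input validation and a dry-run mode, so a typo in the source IP or port fails loudly instead of silently opening the port to the wrong qube. The IP 10.137.0.69 and port 80 in the usage comment are the values from the post; `allow_rule` and `apply_rule` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): build the per-qube allow rule for the
# Qubes 4.2 "ip qubes" table, refusing malformed input. Sample values are
# constructed; the rule text matches the one used in the rc.local above.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a TCP port in 1..65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_rule SOURCE_IP PORT: print the nft command that lets only SOURCE_IP
# open new TCP connections to PORT on this qube. Qubes reserves the
# custom-input chain for user rules; all other inbound traffic stays
# dropped by the default policy.
allow_rule() {
    valid_ipv4 "$1" || { echo "bad source IP: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    echo "nft add rule ip qubes custom-input ip saddr $1 tcp dport $2 ct state new counter accept"
}

# apply_rule SOURCE_IP PORT [dry]: print the rule and execute it unless the
# third argument is "dry". Invalid input returns non-zero without touching
# the firewall.
apply_rule() {
    rule=$(allow_rule "$1" "$2") || return 1
    echo "$rule"
    if [ "$3" != "dry" ]; then
        sh -c "$rule"
    fi
}

# Usage from rc.local, with the values from the post above:
#   apply_rule 10.137.0.69 80
# Preview only:
#   apply_rule 10.137.0.69 80 dry
```

Running the dry form first and comparing the printed line against `nft list chain ip qubes custom-input` after the real run is a quick way to confirm that only the intended qube's IP appears in the chain.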

Thanks a lot. I am terribly interested in this, so when you provide some more detailed guide, I’ll be the first to get it. I am not sure this valuable but short info you provided would be enough for a total noob like me regarding nginx…

For one year and a half I have been self-hosting my domain “neowutran.ovh” on my computer.
It is a set of around 20 VMs.
I started to document how it works (for a subpart of the server VMs) here: https://neowutran.ovh/qubes/articles/homeserver.pdf
For the moment it is mostly just technical info / scripts specific to Qubes OS.

I welcome feedback on how to improve the setup or documentation, and if there are better ways to do some of the things I am doing, any bad things I have done regarding Qubes security, …


Awesome, thanks!

I am using Qubes OS for my personal home server—not because I should, but because I can. This has been a wonderful learning experience that has improved my Linux, networking, and cybersecurity skills. My setup is as follows:

Gateway → sys-wan → sys-firewall-1 → sys-vpn-1 (Tailscale with Mullvad) → sys-firewall-2 → sys-lan → Wi-Fi router

sys-nas-1 → sys-firewall-2

sys-jellyfin → sys-proxy-2 (nginx) → sys-proxy-1 (cloudflared) → sys-firewall-3 → sys-vpn-2

All system Qubes are disposable minimal templates. I chose this setup because my family and I watch Jellyfin through Kodi, and I wanted to respect Cloudflare’s Terms of Service while not completely restricting Jellyfin to my tailnet. I run Kodi, Steam, and emulators via an HVM with GPU passthrough, so the server also functions as a smart TV with gaming capabilities.

It took much longer than I would like to admit to determine everything I needed to do to accomplish this, but once I did, it was extremely rewarding. I have a deep respect and appreciation for the Qubes OS developers and community, and I simply want to thank you all for making me a better nerd.

Did a major update to my documentation/explanation.


Thanks!

Can you share the docs here? The domain seems to be failing.


homeserver.pdf.gz (844.6 KB)