Having a hard time setting up VPN kill switch

I would appreciate someone fixing my config. Read below for the issues.

/rw/config/rc.local

#!/bin/bash
# Group whose processes are the only ones allowed to send on eth0 (OpenVPN runs in it)
groupadd -rf qvpn

# Kill switch for attached qubes: nothing may be forwarded to or from eth0
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

# Kill switch for this qube's own traffic: drop everything leaving via eth0,
# then allow only the qvpn group. -I inserts at the top of the chain, so the
# ACCEPT inserted last ends up before the DROP (see the iptables -L output below)
iptables -I OUTPUT -o eth0 -j DROP
ip6tables -I OUTPUT -o eth0 -j DROP
iptables -I OUTPUT -o eth0 -m owner --gid-owner qvpn -j ACCEPT
ip6tables -I OUTPUT -o eth0 -m owner --gid-owner qvpn -j ACCEPT

# Start OpenVPN with qvpn as its group so its packets match the ACCEPT rule above
sg qvpn -c "openvpn --cd /rw/config/vpn/ --config client.conf --daemon"
notify-send "$(hostname): Starting VPN..." --icon network-idle

/rw/config/vpn/qubes-vpn-dns-handler

#!/bin/bash
# Resolver provided by the VPN; used for this qube and for attached qubes
vpndns1="10.0.0.242"

case "$1" in
up)
# Point the Qubes DNS DNAT chain at the VPN resolver for traffic from attached qubes
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $vpndns1
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $vpndns1

# Comment out the existing nameservers and use the VPN resolver for this qube itself
sed -i 's/^/#/' /etc/resolv.conf
echo "nameserver $vpndns1" >> /etc/resolv.conf

notify-send "$(hostname): VPN up" --icon network-idle
;;
down)
notify-send "$(hostname): VPN down" --icon dialog-error
;;
esac
  1. Are my iptables rules sufficient to prevent traffic going outside the tunnel? From my understanding I’m blocking forwarding through the eth0 interface (connections originating from connected qubes) and output through the eth0 interface (connections originating from inside the qube) except for processes running under the qvpn group (OpenVPN).

  2. I have no name resolution after the tunnel is established. resolv.conf contains only the VPN DNS address (10.0.0.242). OUTPUT chain is policy ACCEPT. The ‘redirect-gateway def1’ directive sets default routes to the tunnel interface. Pinging the DNS address works. Why is DNS not working?

output of ip route

0.0.0.0/1 via 10.8.19.1 dev tun0 
default via 10.138.19.43 dev eth0 onlink 
10.8.19.0/24 dev tun0 proto kernel scope link src 10.8.19.14 
10.138.19.43 dev eth0 scope host onlink 
128.0.0.0/1 via 10.8.19.1 dev tun0 
<public ip> via 10.138.19.43 dev eth0

output of iptables -L -v

Chain OUTPUT (policy ACCEPT)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT   all  --  any    eth0    anywhere             anywhere             owner GID match qvpn
    0     0 DROP       all  --  any    eth0    anywhere             anywhere
  3. When the tunnel goes down there’s no DNS resolution because resolv.conf contains VPN DNS servers but no tunnel is established. Establishing a new tunnel will fail because I use multiple endpoints with the ‘remote-random’ directive, so I first need to reestablish working DNS by reverting to the sys-firewall DNS servers, but that will cause DNS leaks, so I need a way to disable DNS forwarding temporarily. Does flushing the PR-QBS table disable DNS forwarding? Would this work?

/rw/config/vpn/qubes-vpn-dns-handler, changing back to initial DNS servers on tunnel disconnect

#!/bin/bash
vpndns1="10.0.0.242"

case "$1" in
up)
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $vpndns1
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $vpndns1

# Comment initial nameservers
sed -i 's/^/#/' /etc/resolv.conf
echo "nameserver $vpndns1" >> /etc/resolv.conf

notify-send "$(hostname): VPN up" --icon network-idle
;;
down)
# Disable DNS forwarding, switch to initial DNS servers
iptables -t nat -F PR-QBS
sed -i '/^[^#]/d;s/^#//' /etc/resolv.conf
notify-send "$(hostname): VPN down" --icon dialog-error
;;
esac

Thank you for your help

Edit: Sorry, question 3 doesn’t make sense I think. If PR-QBS points to the VPN DNS but there’s no tunnel, any DNS request will just fail.
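An added example, written for this page and not taken from the post above or from the Qubes VPN documentation: the same qubes-vpn-dns-handler logic with the resolv.conf switch made idempotent. It keeps the page's PR-QBS DNAT rules and resolver address 10.0.0.242, copies the pre-VPN resolv.conf aside once on up and restores it on down, and keeps the page's sed version alongside for comparison. The backup path /var/run/qubes-vpn/resolv.conf.pre-vpn and the RESOLV, BACKUP and VPNDNS1 environment overrides are assumptions made for this example; the iptables and notify-send calls only run when OpenVPN invokes the script with up or down, so the file-handling functions can be tried on scratch files first.

```shell
#!/bin/bash
# Added example, not the poster's qubes-vpn-dns-handler: the same up/down
# handling with an idempotent resolv.conf switch. The original file is copied
# aside once and restored on "down" instead of being commented and uncommented
# with sed. RESOLV and BACKUP can be overridden so the functions can be
# exercised on scratch files; the BACKUP default path is an assumption.
set -eu

VPNDNS1="${VPNDNS1:-10.0.0.242}"                              # resolver from the page
RESOLV="${RESOLV:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/var/run/qubes-vpn/resolv.conf.pre-vpn}"    # hypothetical path

# The page's approach, kept here for comparison. Prefixing '#' to every line
# is not idempotent: a second "up" adds a second '#' to the original lines and
# a second VPN entry, and the matching "down" then strips only one '#', so the
# original resolvers stay commented out and the VPN entry stays active.
naive_up() {
    sed -i 's/^/#/' "$1"
    echo "nameserver $VPNDNS1" >> "$1"
}
naive_down() {
    sed -i '/^[^#]/d;s/^#//' "$1"
}

# Hardened "up": snapshot the pre-VPN file only if no snapshot exists yet,
# then replace resolv.conf with just the VPN resolver. Running it again
# changes nothing.
dns_up() {
    mkdir -p "$(dirname "$BACKUP")"
    [ -e "$BACKUP" ] || cp -p "$RESOLV" "$BACKUP"
    printf 'nameserver %s\n' "$VPNDNS1" > "$RESOLV"
}

# Hardened "down": restore the snapshot and delete it so the next "up" takes
# a fresh one. A "down" without a preceding "up" is a no-op.
dns_down() {
    if [ -e "$BACKUP" ]; then
        cp -p "$BACKUP" "$RESOLV"
        rm -f "$BACKUP"
    fi
}

# Count active (uncommented) nameserver lines in $1, optionally only those
# whose address starts with $2. Prints 0 rather than failing when none match.
nameserver_count() {
    grep -c "^nameserver ${2:-}" "$1" || true
}

# DNAT for attached qubes, as on the page: replace the PR-QBS entries with
# the VPN resolver on "up" and flush them on "down".
forward_dns_to_vpn() {
    iptables -t nat -F PR-QBS
    iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to "$VPNDNS1"
    iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to "$VPNDNS1"
}
forward_dns_off() {
    iptables -t nat -F PR-QBS
}

# OpenVPN calls this script with "up" or "down"; with no argument nothing runs.
case "${1:-}" in
up)   forward_dns_to_vpn; dns_up;   notify-send "$(hostname): VPN up"   --icon network-idle ;;
down) forward_dns_off;    dns_down; notify-send "$(hostname): VPN down" --icon dialog-error ;;
esac
```

Installed at the handler's path with the real /etc/resolv.conf it behaves like the original script, only the restore on down comes from the saved copy rather than from uncommenting lines. To try the file handling without touching the system, export RESOLV and BACKUP pointing at scratch files, call dns_up twice and dns_down once, and check that the original nameservers come back; the sed version leaves them commented after a repeated up.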