Help: Proxy Qube to LAN Service (SSH) with QRExec from VPN Qube?

Greetings. I use Qubes behind a VPN-VM 99% of the time, but recently I have needed access to another system on my local network. As I understand it, configuring firewall & openVPN rules/settings to allow me to simply & directly access my local network is a bad idea security wise.

I have seen it suggested that one create a separate AppVM for their LAN access, but that’s no good, I require regular access to files that need to remain in the VM’s that are always behind the VPN.

What I’m trying to do:
The idea I’ve come up with is to use some combination of the following tools: qrexec/qubes-rpc policies, combined with either socat or proxycommand/proxyjump and create a “lan-relay” qube where I run one of those mentioned services, and then via a qubes-rpc policy, configure some kind of tunnel or proxy from the “work” vm (behind VPN) to the “lan-relay” VM which is able to connect to the LAN.

So essentially my thought is:
qubes-rpc policy:

lan-relay work allow
work lan-relay allow

I have an SSH server running on LAN, lets say it’s at

lan-relay can connect to this no problem, already tested.
Also, I can successfully send commands from work qube to the lan-relay.

From there I’m not quite sure what tools or setup I need to do to make it so I can actually ssh from the work qube THROUGH some socat style tunnel (or proxycommand) to be able to access that LAN SSH from the work qube.

I’ve been trying to figure out for hours how to configure this setup but I am not familiar enough with the tools needed to do this.

I would like that as long as lan-relay qube is running, that I can run some command on the work qube to SSH through it, but if it’s offline then that command obviously wouldn’t/shouldn’t work.

Anyone able to add some insight to this problem or give me some specific commands to use?

Much appreciated!


After many many hours I have figured out the correct commands to make it work. The setup is fairly simple but also limited in it’s functionality as I can’t use it to connect to any other PC’s; it’s specifically for the one system that I need to SSH into.

As mentioned above, in the Qubes RPC policy folder
in dom0:
/etc/qubes-rpc/policy → create descriptive file such as: lan.SSH with following contents:

lan-relay work allow
work lan-relay allow

of course rename the VM’s to match your own

in lan-relay:
/usr/local/etc/qubes-rpc → create same file (lan.SSH) as above, but inside that one place:

socat - TCP:

where the IP matches the local lan IP you’re connecting to and the 2222 matches the SSH port

in work:
/rw/config/rc.local → add the following line

socat TCP-LISTEN:2222,fork EXEC:"qrexec-client-vm lan-relay lan.SSH" &

^ I don’t believe the port does not need to be the same in this one, but I have left it so for simplicity

That command will run once you restart work qube and open a link between the two qubes which routes though to the LAN.

Then to connect via ssh you simply connect to “localhost” and the specified port as so:

ssh -i /path/to/keyfile -p 2222 user@localhost

Done. Simple. Works.

If anyone has any additional insight to improve upon this setup - say that would allow you to connect to ANY ssh server you wanted from the lan-relay by specifying some argument - I would love to see your tips in a response below.

Or any other improves at all. But for now, this does the primary job I want/need it to do.