Preamble:
Greetings. I use Qubes behind a VPN-VM 99% of the time, but recently I have needed access to another system on my local network. As I understand it, configuring firewall & OpenVPN rules/settings to allow me to simply & directly access my local network is a bad idea security-wise.
I have seen it suggested that one create a separate AppVM for their LAN access, but that’s no good: I require regular access to files that need to remain in the VMs that are always behind the VPN.
What I’m trying to do:
The idea I’ve come up with is to use some combination of the following tools: qrexec/qubes-rpc policies, combined with either socat or ProxyCommand/ProxyJump, and create a “lan-relay” qube where I run one of those mentioned services, and then via a qubes-rpc policy, configure some kind of tunnel or proxy from the “work” VM (behind VPN) to the “lan-relay” VM which is able to connect to the LAN.
So essentially my thought is:
qubes-rpc policy:
lan-relay work allow
work lan-relay allow
I have an SSH server running on LAN, let’s say it’s at 192.168.1.10:2222
lan-relay can connect to this no problem, already tested.
Also, I can successfully send commands from work qube to the lan-relay.
From there, I’m not quite sure what tools or setup I need to make it so I can actually ssh from the work qube THROUGH some socat-style tunnel (or ProxyCommand) to be able to access that LAN SSH server from the work qube.
I’ve been trying to figure out for hours how to configure this setup, but I am not familiar enough with the tools needed to do this.
I would like it so that, as long as the lan-relay qube is running, I can run some command on the work qube to SSH through it, but if it’s offline then that command obviously wouldn’t/shouldn’t work.
Anyone able to add some insight to this problem or give me some specific commands to use?
Much appreciated!
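One way to wire up the setup described in the post, as an added example that is not part of the original post: a single qrexec RPC service in lan-relay that socat-bridges its stdin/stdout to 192.168.1.10:2222, a dom0 policy line that allows only that service from work to lan-relay, and an SSH ProxyCommand in work that calls it. The service name custom.LanSSH, the host alias lan-ssh, the policy file name and the qube names are assumptions; the LAN endpoint is the one given above.

```shell
#!/bin/sh
# Added example (not from the forum post). Each install_* function is meant to be
# run inside the qube named in its comment; the *_line/_script/_stanza functions
# only print the file contents so they can be inspected first.
LAN_HOST=192.168.1.10
LAN_PORT=2222
RELAY_QUBE=lan-relay     # assumed name
WORK_QUBE=work           # assumed name
SERVICE=custom.LanSSH    # assumed service name

# 1) qrexec service body for the lan-relay qube. qrexec connects the caller's
#    stdin/stdout to this script, so socat just bridges them to the LAN socket.
lan_ssh_service_script() {
    printf '#!/bin/sh\nexec socat STDIO TCP:%s:%s\n' "$LAN_HOST" "$LAN_PORT"
}

# 2) dom0 policy, Qubes 4.1+ format: exactly one service, one direction.
#    (On Qubes 4.0 the equivalent "work lan-relay allow" line goes in
#    /etc/qubes-rpc/policy/custom.LanSSH instead.)
policy_line() {
    printf '%s * %s %s allow\n' "$SERVICE" "$WORK_QUBE" "$RELAY_QUBE"
}

# 3) ~/.ssh/config stanza for the work qube. ProxyCommand gives ssh a pipe;
#    qrexec-client-vm forwards it to the service in lan-relay. work itself
#    never gets LAN connectivity, and a policy deny makes ssh fail outright.
ssh_config_stanza() {
    cat <<EOF
Host lan-ssh
    HostName $LAN_HOST
    Port $LAN_PORT
    ProxyCommand qrexec-client-vm $RELAY_QUBE $SERVICE
EOF
}

install_relay_side() {   # run in lan-relay; /etc is not persistent in an AppVM,
                         # so persist this via the template, bind-dirs or rc.local
    lan_ssh_service_script | sudo tee "/etc/qubes-rpc/$SERVICE" >/dev/null
    sudo chmod 755 "/etc/qubes-rpc/$SERVICE"
}
install_dom0_policy() {  # run in dom0
    policy_line | sudo tee -a /etc/qubes/policy.d/30-user.policy >/dev/null
}
install_work_side() {    # run in work; afterwards: ssh lan-ssh
    mkdir -p ~/.ssh && chmod 700 ~/.ssh
    ssh_config_stanza >> ~/.ssh/config
}
```

One caveat for the "only while lan-relay is running" requirement: a qrexec call normally starts the target qube on demand if the policy allows it, so the call fails when lan-relay is absent or the policy denies, not merely when it is shut down.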