How can I migrate my VPN scripts from f38 (iptables) to f39 (nftables)?

I use the f38 template to run an AppVM with a VPN. I'm trying to migrate to f39 now, but I don't know how to modify the scripts from iptables to nftables; I would like your help transforming the scripts below so that they work on f39.

On the AppVM (VPN) with the fedora-38 template I have 3 files:

  1. /rw/config/rc.local
  2. /rw/config/vpn/
  3. /rw/config/qubes-firewall-user-script


#!/bin/bash
# /rw/config/rc.local: start the VPN client as a member of the `matrix` group,
# which is the group the firewall script below matches on. The posted fragment
# has no VPN_CLIENT line; the options are OpenVPN's, so 'openvpn' is assumed.
VPN_CLIENT='openvpn'
VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'

#    Add the `matrix` group to system, if it doesn't already exist
if ! grep -q "^matrix:" /etc/group ; then
    groupadd -rf matrix
    su - -c 'notify-send "$(hostname) Creating matrix" --icon=network-server' user
fi
sleep 1s
su - -c 'notify-send -u critical "$(hostname) entering matrix..." --icon=network-server' user

# matrix: run the client with `matrix` as its effective group, so its sockets
# carry that GID and the firewall's --gid-owner rule can let them out
sg matrix -c "$VPN_CLIENT $VPN_OPTIONS"


#!/bin/bash
# Up/down handler under /rw/config/vpn/: OpenVPN runs it with "up" or "down"
# as $1 and exports server-pushed options as foreign_option_N variables.
set -e
export PATH="$PATH:/usr/sbin:/sbin"

case "$1" in

up)
# To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
# Format is 'X.X.X.X  Y.Y.Y.Y [...]'
if [[ -z "$vpn_dns" ]] ; then
    # Parses DHCP foreign_option_* vars to automatically set DNS address translation;
    # each one looks like 'dhcp-option DNS 10.8.0.1'
    for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        unset fops; fops=($option)
        if [ "${fops[1]}" == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
    done
fi

# Start from an empty PR-QBS chain so stale resolvers from a previous link are gone
iptables -t nat -F PR-QBS
if [[ -n "$vpn_dns" ]] ; then
    # Set DNS address translation in firewall: downstream qubes' DNS (vif+) goes to the VPN resolvers
    for addr in $vpn_dns; do
        iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
        iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
    done
    su - -c 'notify-send -u critical "WELCOME !" "$(hostname): ON." --icon=network-idle' user
else
    su - -c 'notify-send "$(hostname): ON, no DNS!" --icon=dialog-error' user
fi
;;

down)
su - -c 'notify-send -u critical "TANGO DOWN !" "$(hostname): OFF !" --icon=dialog-warning' user

# Restart the VPN automatically
sleep 3s
sudo /rw/config/rc.local
;;

esac





#!/bin/sh
# /rw/config/qubes-firewall-user-script (iptables version)

#    Block forwarding of connections through upstream network device
#    (in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

#    Accept traffic to VPN: flush OUTPUT so it falls back to its ACCEPT policy
iptables -F OUTPUT

#    Block non-VPN traffic to clearnet
iptables -I OUTPUT -o eth0 -j DROP

#    Allow traffic from the `matrix` group to the uplink interface (eth0);
#    Our VPN client will run with group `matrix`. Inserted last, so it sits
#    above the DROP and is evaluated first.
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner matrix -j ACCEPT
#    Note: no ip6tables OUTPUT rules are set, so IPv6 traffic originating from
#    this qube itself is not confined to the tunnel.

Do you have Qubes OS 4.1 or Qubes OS 4.2?
The switch from iptables to nftables happens when switching the Qubes OS versions, not when switching template versions. So if you’re using Qubes OS 4.1 then both fedora-38 and fedora-39 templates will still have iptables and if you have Qubes OS 4.2 then both templates should have nftables.

So… I'm using fedora 38 on Qubes 4.2.1 and it is working… I didn't know about that… and I migrated my AppVM using a backup from Qubes 4.1 and it is working… I was thinking that the problem was from the templates… and the f38 template has both… nft and iptables… so I don't need to change anything?

Since you're using Qubes OS 4.2, you need to switch the iptables rules to nftables.
And it's better to use a fresh template installed from the Qubes OS repository instead of upgrading your old fedora-38 template in place, since you have iptables installed there and maybe some other legacy things that could break something.
You can check this post as an example:

apparatus, I want to do it on a fresh template; I just need someone to convert those iptables rules to nftables.

Check the link in my previous post; the scripts there are the same as yours, converted from iptables to nftables.
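The thread's linked conversion is not reproduced above, so here is an added example of the same two scripts on the Qubes OS 4.2 nftables firewall. It is my own illustration, not the scripts from the linked post nor Qubes' own code. It assumes the 4.2 layout in which the `ip qubes` and `ip6 qubes` tables carry a `custom-forward` chain (consulted at the start of Qubes' forward chain) and `ip qubes` carries a `dnat-dns` chain (nat hook, prerouting) that replaces the old `PR-QBS`; the `output` chain, and the `UPLINK`, `VPN_GROUP` and `NFT` knobs, are this example's own. It goes one step beyond the original in restricting IPv6 output from the qube as well.

```shell
#!/bin/sh
# Added example (not from the thread or its linked post): the two iptables
# scripts above rewritten for the nftables firewall of Qubes OS 4.2.
# Assumed 4.2 layout: tables `ip qubes` and `ip6 qubes` each have a
# `custom-forward` chain (consulted first from forward) and `ip qubes` has a
# `dnat-dns` chain (nat hook, prerouting) standing in for the old `PR-QBS`.
# The `output` chain is created here because the stock table has none.
# UPLINK, VPN_GROUP and NFT are this example's own knobs.
set -e
export PATH="$PATH:/usr/sbin:/sbin"

UPLINK="${UPLINK:-eth0}"
VPN_GROUP="${VPN_GROUP:-matrix}"
NFT="${NFT:-nft}"   # NFT=echo prints the rules instead of applying them

# qubes-firewall-user-script: fail closed while the tunnel is down.
vpn_firewall_rules() {
    for fam in ip ip6; do
        # was: iptables/ip6tables -I FORWARD -o eth0 -j DROP / -i eth0 -j DROP
        $NFT insert rule "$fam" qubes custom-forward oifname "$UPLINK" counter drop
        $NFT insert rule "$fam" qubes custom-forward iifname "$UPLINK" counter drop

        # was: iptables -F OUTPUT; -I OUTPUT -o eth0 -j DROP;
        #      -I OUTPUT -o eth0 -m owner --gid-owner matrix -j ACCEPT
        # `add chain` is idempotent and the flush keeps reruns from stacking
        # rules. Unlike the original, IPv6 output is restricted as well.
        $NFT add chain "$fam" qubes output '{ type filter hook output priority 0 ; policy accept ; }'
        $NFT flush chain "$fam" qubes output
        $NFT add rule "$fam" qubes output oifname "$UPLINK" meta skgid "$VPN_GROUP" counter accept
        $NFT add rule "$fam" qubes output oifname "$UPLINK" counter drop
    done
}

# Resolver addresses for the "up" step: a preset $vpn_dns wins (as in the
# original handler); otherwise parse the foreign_option_N variables OpenVPN
# exports, which look like 'dhcp-option DNS 10.8.0.1'. Written for POSIX sh,
# so no ${!prefix*} indirection or arrays are used.
vpn_dns_from_foreign_options() {
    if [ -n "${vpn_dns:-}" ]; then
        printf '%s\n' "$vpn_dns"
        return 0
    fi
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option DNS \([0-9.]*\)$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# qubes-vpn-handler "up" step: send downstream qubes' DNS into the tunnel.
# Arguments are resolver addresses; with none, the redirection is only cleared
# (the original's notify-send calls are unchanged and left out here).
vpn_dns_rules() {
    # was: iptables -t nat -F PR-QBS, then DNAT rules on PR-QBS for -i vif+
    $NFT flush chain ip qubes dnat-dns
    for addr in "$@"; do
        # the inner quotes reach nft, which needs them around the wildcard
        $NFT add rule ip qubes dnat-dns iifname '"vif*"' udp dport 53 counter dnat to "$addr"
        $NFT add rule ip qubes dnat-dns iifname '"vif*"' tcp dport 53 counter dnat to "$addr"
    done
}

# Usage: `<script> firewall` from qubes-firewall-user-script, `<script> up`
# from the OpenVPN up hook. The original "down" branch (notify, then rerun
# /rw/config/rc.local) needs no conversion.
case "${1:-}" in
    firewall) vpn_firewall_rules ;;
    up)       set -- $(vpn_dns_from_foreign_options); vpn_dns_rules "$@" ;;
esac
```

`meta skgid` is the nftables counterpart of `-m owner --gid-owner`, so the `sg matrix` wrapper in rc.local keeps working unchanged, and `insert` on `custom-forward` puts the drops at the head of that chain the way `-I FORWARD` did. After starting the VPN, check with `sudo nft list table ip qubes` that the accept rule precedes the drop in `output`, and confirm from an attached qube that name resolution and traffic stop when the tunnel is down. Qubes manages the `dnat-dns` chain itself (as it did `PR-QBS`), so a re-pushed uplink DNS can rewrite it; that behaviour is the same as with the iptables version.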