How to make VM be accessible by devices on local network?

I run a HTTP server for development on 0.0.0.0:8080 in a VM but it can’t be accessed by a phone on same local network. I think it’s because of only the sys-net VM connects to the router directly but I don’t want to run the HTTP server on sys-net VM.

this might help

Port forwarding to a qube from the outside world

Too completed for me because I am not familiar with iptables.

 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.x -j DNAT --to-destination 10.137.0.6
iptables v1.8.4 (legacy): host/network `192.168.x.x' not found

And it can’t be accessible even if I run http server on sys-net.

Hi @Rhys-Hussain

You might find the qubes-network-server readme informative if you haven’t seen it yet. The example in Setting up your first server under Qubes network server looks a lot like your usecase.

I have tried it but it can only be accessed by other VMs connect to sys-net, it can’t be accessed by other physical devices in same router.

it can’t be accessed by other physical devices in same router.

Sorry, I don’t understand this part. Please elaborate.

My understanding is Qubes network server should make your VM accessible
to other machines on the same network that sys-net is connected.

My guess is a (networking?) configuration issue or my misunderstanding.

1 Like

I’m pretty sure there is a way to do it. Other Qubes users have set up similar networks for local storage and other applications. Sorry I can’t help you because my networking knowledge is weak and Qubes makes it even more difficult because the Qubes approach to security makes it more client-oriented.

192.168.1.6 isn’t in the router(192.168.1.1) list after I assign 192.168.1.6 to httpServer VM so it can’t be accessed by other device(192.168.1.2) under same router.

This might be helpful.

Thank you for your reply.
I think it’s difficult to make VM be accessible by other devices as it’s opposed to the design rule of Qubes OS. Temporarily I opened a VPS and run my service on it although it’s not needed if I use other systems but I can endure it for the security that Qubes OS provides.

You might be able to get it working by configuring iptables in your VMs. Maybe a good excuse to learn iptables? :slight_smile: Good luck.

You might like to look at this script

It allows you to tunnel through the Qubes network stack to a target port
on a specified qube.
(It assumes a Debian based target qube, just because.)
Run it in dom0 like this:
./in add TARGET tcp 80
And it should configure the networking so that external port 80
connects to port 80 on the TARGET qube.

You can also specify ports on the external interface, like this:
./in add TARGET tcp 80 80
./in add TARGET2 tcp 80 81

And there’s a handy ./in delete TARGET tcp 80 to strip out the new
firewall rules.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

I found this video, it did a good job demystifying those iptable commands.
Wanted to see if i could spin up a simple OpenSpeedTest server and see if i could route traffic to the VM.
Straight away the server got an error “Failed to get IP address using port 3000”, so not sure if qubes even lets VMs run as servers? Was using Fedora-34

Would be nice if there was just a simple GUI way to make VMs servers and set who can connect.

Talk to me on Matrix @ruddo:rudd-o.com for more.

Fundamentally, if you have set in your networked VM an IP address that does not conflict with something else on your LAN segment, it should just work. The machine will not appear in the router list, because the IP has been statically set in Qubes, not in the router.

If it doesn’t work to ping your networked VM from, say, a laptop in the same LAN, talk to me over Matrix.