How to use nft to make an AppVM discoverable inside a LAN network?

So, this is the scenario:

WIFI-ROUTER (192.168.15.1)

DEVICES CONNECTED

DEVICE 01: SMARTPHONE (192.168.15.100)
DEVICE 02: TABLET (192.168.15.101)
DEVICE 03: WINDOWS-LAPTOP (192.168.15.102)
DEVICE 04: QUBES-LAPTOP (192.168.15.103 [WIRELESS]) / (192.168.15.104 [ETHERNET])

All devices are running KDE Connect and can communicate with each other, except the AppVM on the Qubes laptop.

QUBES-LAPTOP & APPVM DETAILS

Laptop:
Qubes: 4.2.3
Kernel: 6.6.63-1

AppVM config:
Name: appvm-kde
Template: Debian-12
AppVM Virtual Address: 10.137.0.47

virtual qubes network:
Wifi-Router <-> sys-net-wifi(10.137.0.35) -> sys-firewall-wifi(10.138.22.216) -> appvm-kde(10.137.0.47)

What do I have to do to make KDE Connect on the AppVM discoverable and able to interact with the other devices on the same network?

Do I need to enable network-manager and provides-network in the AppVM and use nft?

I have a feeling that you’ll need to allow TCP & UDP port range 1714-1764 into your AppVM for this to work.

Once you do that, and understand what it actually means for you to open ports directly into your AppVM, it should work.

Source:

https://userbase.kde.org/KDEConnect

Unfortunately, the discovery uses UDP broadcast packets, they have to be generated for the LAN network, not inter qubes network. I’m not sure how to rewrite this, but it must be possible.

Seems this would work: "networking - Forward UDP Broadcast packet with nftables - Unix & Linux Stack Exchange". I guess you would have to do this for each netvm in the path between the AppVM and sys-net. Be prepared to fire up tcpdump to debug this.

I’ll try to write a script to automate this, I actually need this for network printer discovery (port udp/5353) and I forgot about kde connect too :sweat_smile:

I guess, if you can set up a static IP address (and give a static lease on the dhcp for the phone), you do not need to go through this. You could even use a VPN between your qube and your phone, (afaik I did it in the past, unrelated to Qubes OS)

The problem is, I don't have the knowledge to do that… I would appreciate it if you could make this script, thank you! But until then I will use KDE Connect only on other devices… :frowning:

I spent 2 hours on this and didn't come up with something working.

There are broadcast packets used on both sides + some avahi daemon; it's actually a lot more complicated than I expected. I haven't even been able to get the two KDE Connect instances to see each other (not even speaking about pairing them) :confused:

I used mdns-repeater but it didn’t seem to relay anything, I haven’t been able to understand why.

The following guide solves the discoverability problem for LocalSend, so I imagine it should apply here as well.

I tried setting up a WireGuard VPN with "wg tunnel" on my Android phone, and connected directly to it from the AppVM running KDE Connect, but something in the firewalling of the AppVM makes this not work :sob:

If anyone has any pointers on how to crack the AppVM open towards the WireGuard tunnel, I'd be very happy!

Hello, I had some similar issue, and I would like to share how I solved it, as it could help.

I have a gaming standalone VM with Steam installed, and I would like to play on my connected TV with Steam Link. When installed on an Android TV, Steam Link broadcasts a message on UDP port 27036 to discover PCs running Steam. As my Steam application is on the VM, it can be discovered until I made a DNAT to it.

On the internet, you can find some solutions to enable DNAT, so you can reach your VM on this UDP 27036 port from another PC on your local network. It worked fine for me when I tested from another PC, but the broadcast from the Android TV still did not work. As it is a broadcast message, it seems that whatever you do in nftables to this message (change destination address, forward, DNAT…), on the Ethernet layer it is still a broadcast, and you are never allowed to propagate a broadcast from one subnetwork to another network. The only thing I added to make it work was to copy the message.

So I created a chain in prerouting:
sudo nft add chain qubes steamlink-mangle-broadcast '{ type filter hook prerouting priority mangle +2 ; policy accept; }'

The first rule changes the destination address if it is a broadcast from the local network with UDP port 27036 as destination. The second rule duplicates the message.

sudo nft add rule qubes steamlink-mangle-broadcast iifname ens6 ip saddr 192.168.1.0/24 ip daddr 255.255.255.255 udp dport 27036  counter  ip daddr  set 10.137.0.41
sudo nft add rule qubes steamlink-mangle-broadcast iifname ens6 ip saddr 192.168.1.0/24 ip daddr 10.137.0.41 udp dport 27036  counter dup to 10.137.0.41

Then it works.
And when your VM is discovered, communication can be established with the usual DNAT:

sudo nft add chain qubes steamlink-dnat-fedoraGame '{ type nat hook prerouting priority filter +1 ; policy accept; }'

sudo nft add rule qubes steamlink-dnat-fedoraGame iifname ens6 ip saddr 192.168.1.0/24 ip daddr 192.168.1.97 udp dport 27031 ct state new,established,related counter dnat 10.137.0.41:27031

sudo nft add rule qubes steamlink-dnat-fedoraGame iifname ens6 ip saddr 192.168.1.0/24 ip daddr 192.168.1.97 tcp dport {27036, 27031} ct state new,established,related counter dnat 10.137.0.41

sudo nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.1.0/24 ip daddr 10.137.0.41 udp dport 27031 ct state established,related,new counter accept

sudo nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.1.0/24 ip daddr 10.137.0.41 tcp dport {27036, 27031} ct state established,related,new counter  accept

Hope it could help someone.
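As an added example (not code from any of the posters above), here is a shell helper that emits an nftables ruleset applying the copy-the-broadcast technique from the Steam Link post to the KDE Connect port range mentioned earlier in the thread (UDP/TCP 1714-1764). The interface name, addresses and chain names are assumptions to adapt to your own sys-net; run it in the LAN-facing netvm and feed the output to `nft -f -`.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): print an nftables ruleset that
# copies LAN UDP discovery broadcasts into an AppVM and DNATs the follow-up
# unicast traffic, the same approach as the Steam Link rules above but for
# KDE Connect. All names/addresses below are assumptions; adapt them.
#   $1  LAN interface as seen in the netvm (e.g. ens6 or wls6)
#   $2  LAN subnet                          (e.g. 192.168.15.0/24)
#   $3  the netvm's own LAN address         (e.g. 192.168.15.103)
#   $4  the AppVM's Qubes-internal address  (e.g. 10.137.0.47)
#   $5  port range, default 1714-1764 (KDE Connect per userbase.kde.org)
gen_kdeconnect_rules() {
    iface=$1; lan=$2; lan_ip=$3; appvm=$4; ports=${5:-1714-1764}
    cat <<EOF
table ip qubes {
    # mangle runs before routing, so the rewritten daddr is routed to the AppVM;
    # the dup rule is what made the Steam Link case above actually work
    chain kdeconnect-mangle-broadcast {
        type filter hook prerouting priority mangle + 2; policy accept;
        iifname "$iface" ip saddr $lan ip daddr 255.255.255.255 udp dport $ports counter ip daddr set $appvm
        iifname "$iface" ip saddr $lan ip daddr $appvm udp dport $ports counter dup to $appvm
    }
    # unicast pairing/transfer traffic sent to the netvm's LAN address goes to the AppVM
    chain kdeconnect-dnat {
        type nat hook prerouting priority filter + 1; policy accept;
        iifname "$iface" ip saddr $lan ip daddr $lan_ip udp dport $ports counter dnat to $appvm
        iifname "$iface" ip saddr $lan ip daddr $lan_ip tcp dport $ports counter dnat to $appvm
    }
    # Qubes 4.2 already defines custom-forward in table qubes; this only appends rules
    chain custom-forward {
        iifname "$iface" ip saddr $lan ip daddr $appvm udp dport $ports ct state new,established,related counter accept
        iifname "$iface" ip saddr $lan ip daddr $appvm tcp dport $ports ct state new,established,related counter accept
    }
}
EOF
}

# Usage in the LAN-facing netvm, e.g.:
#   ./gen-kdeconnect.sh ens6 192.168.15.0/24 192.168.15.103 10.137.0.47 | sudo nft -f -
if [ "$#" -ge 4 ]; then
    gen_kdeconnect_rules "$@"
fi
```

As noted earlier in the thread, each intermediate netvm (here sys-firewall-wifi) also needs matching accept rules in its own custom-forward chain, since the forwarded packets traverse it on the way to the AppVM.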