I have a super niche problem: whenever I use the cyber security platform HackTheBox, connect to their OpenVPN servers (which allow you to connect to/try to hack their VM servers) and try to do anything from the server that sends a request back to my qube using my tun0 IP, it is not received. If I use a traditional OS on my host and use QEMU/VirtualBox for my pentesting VM, I can receive requests from the server without any issue, leading me to believe this has something to do with the structuring of QubesOS's networking. I'm not sure if anyone here will know what the issue could be, but might as well ask. If anyone has any idea why this problem is occurring, your input would be super appreciated.
Are you running the OpenVPN configuration in the same qube (where you’re doing the pentest) or in a dedicated one?
I’m running it in the same qube
I found this post where a person is having the same issue as me, but they are using a dedicated VM for the OpenVPN connection.
Can you explain in more detail what's not working? How do you connect to the VPN configuration, and how do you test that your VPN works?
I am unable to do any pentest involving a reverse shell, or anything that does a network request back to my pentest VM (qube).
I think this may be due to the way QubesOS’s networking is set up, but I’m not sure.
I noticed this is QubesOS specific, because I do not have this issue when using QEMU/Virtualbox.
I connect to the vpn by doing
openvpn <file_name> inside the pentest qube, and connecting to the server works fine, meaning the VPN is working. However, anything involving a network request back to my qube from the server does not work.
I wouldn't expect this to be an issue because I am using the 'tun0' interface, which is inside the VM and shouldn't be affected by QubesOS's networking qube feature, but I'm assuming something under the hood in QubesOS won't let the network connection work, or maybe some firewall issue is messing me up.
The issue is with the default iptables configuration of your qube.
If you are using QubesOS R4.1, I recommend you use this script: Qubes-os port forwarding to allow external connections · GitHub .
For R4.2 you could use this one, but it needs review/testing: Qubes-os port forwarding to allow external connections · GitHub
Alright, I get it now. I used to do some pentesting a few years ago using Qubes and I had to flush the iptables rules for my reverse shell to work.
Maybe this can work?
sudo iptables -I INPUT -i tun0 -j ACCEPT
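An added example, not something posted in the thread or shipped by Qubes OS: a small bash script that reads an iptables-save listing of the qube's INPUT chain and reports whether packets arriving on tun0 would be let through to a listener, with constructed 'before' and 'after' rulesets showing why the default chain blocks a reverse shell and why the -I (insert at top) in the rule above matters, as opposed to -A. It assumes an iptables-based qube (R4.1 style); the iptables-save samples are constructed by me, not captured from a real qube. On R4.2 the qube firewall is nftables, so the live check would have to read 'nft list ruleset' and the equivalent rule would be added with nft; I have not verified the exact chain name here, so the script does not hard-code one.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Qubes OS.
# Reads an iptables-save style listing and reports whether inbound packets
# arriving on tun0 would reach a listener in the qube, i.e. whether a reverse
# shell / callback from the HackTheBox side can be received.
# Assumption: the qube still uses iptables (Qubes R4.1 style). On R4.2 the
# firewall is nftables and the listing would come from 'nft list ruleset'.

# Walk the INPUT chain in order and print "allowed" or "blocked".
#   allowed: an "-i tun0 ... -j ACCEPT" rule is reached before any catch-all
#            DROP/REJECT, or the chain ends and the policy is ACCEPT.
#   blocked: a catch-all DROP/REJECT comes first, or the chain ends on a
#            DROP policy.
tun0_input_status() {
    awk '
        /^:INPUT / { policy = $2 }          # ":INPUT DROP [0:0]" -> DROP
        /^-A INPUT / {
            if ($0 ~ /-i tun0 / && $0 ~ /-j ACCEPT/) { verdict = "allowed"; exit }
            # a DROP/REJECT with no interface, address, protocol or match
            # restriction terminates every packet that gets this far
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /-i / && $0 !~ /-s / &&
                $0 !~ /-d / && $0 !~ /-p / && $0 !~ /-m /) {
                verdict = "blocked"; exit
            }
        }
        END {
            if (verdict == "") verdict = (policy == "ACCEPT") ? "allowed" : "blocked"
            print verdict
        }
    '
}

# Constructed sample (not captured from a real qube): the shape of a default
# qube INPUT chain, where everything not related to an existing connection
# is rejected before tun0 traffic is ever considered.
BEFORE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The same chain after "sudo iptables -I INPUT -i tun0 -j ACCEPT":
# -I puts the rule first, so it wins before the catch-all REJECT.
AFTER_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Appending (-A) instead of inserting is the classic mistake: the rule sits
# behind the catch-all REJECT and never matches.
APPENDED_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i tun0 -j ACCEPT
COMMIT'

status_before()   { printf '%s\n' "$BEFORE_RULES"   | tun0_input_status; }
status_after()    { printf '%s\n' "$AFTER_RULES"    | tun0_input_status; }
status_appended() { printf '%s\n' "$APPENDED_RULES" | tun0_input_status; }

# Apply on a live qube (needs root): add the rule only if it is missing.
# To have it survive a qube restart, put the iptables line in
# /rw/config/rc.local, which Qubes runs when the qube starts.
ensure_tun0_accept() {
    if [ "$(iptables-save | tun0_input_status)" = blocked ]; then
        iptables -I INPUT -i tun0 -j ACCEPT
    fi
}

if [ "${1:-}" = apply ]; then
    ensure_tun0_accept
else
    echo "default chain:       $(status_before)"    # blocked
    echo "after -I tun0 rule:  $(status_after)"     # allowed
    echo "-A behind REJECT:    $(status_appended)"  # blocked
fi
```

Run it with no arguments to see the three verdicts on the constructed chains; run 'sudo ./script apply' inside the pentest qube to add the rule only when the live chain still blocks tun0. Opening all of tun0 is fine for a lab VPN that only reaches the target network, but it also exposes every listener in the qube to anything else on that VPN, so a tighter rule limited to the callback port (e.g. -p tcp --dport 4444) is the safer habit.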