LocalSend

@mmmm Two last tips I can think of given your provided information:

1.) The above script was written for Qubes OS 4.1. With the installation of v4.2 I just noticed that iptables has been dropped in favor of nftables (sorry). iptables apparently still exists in the Fedora 38 Xfce template, but not in the Debian 12 Xfce template. So I guess it depends on what template sys-net has on your system.

The script below works for me in 4.2 using nft:

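```sh
#!/bin/sh
# LAN-facing network interface in sys-net (see `ip a`)
if_lan="<your LAN network interface>"
# IPv4 address currently assigned to that interface
ip=$(ip -f inet addr show "$if_lan" | sed -En -e 's/.*inet ([0-9.]+).*/\1/p')
port=53317

case "$1" in
  start)
    # Bind the port locally and forward it over qrexec
    qvm-connect-tcp "::$port"
    # Accept new inbound connections to this port on the LAN address
    nft add rule ip qubes custom-input ip daddr "$ip" tcp dport "$port" ct state new accept
    ;;
  stop)
    # Stop the socat listener started by qvm-connect-tcp
    pkill -f "socat TCP-LISTEN:$port"
    # Removes every rule in custom-input, not only the one added above
    nft flush chain ip qubes custom-input
    ;;
  *)
    >&2 echo "usage: $0 start|stop"
    exit 1
    ;;
esac
```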

Note: You should adjust the line `nft flush chain ip qubes custom-input` if you have other port forwarding rules you want to keep when stopping this script.


2.) As you mentioned VPN usage: pay attention not to use localsend with a VPN. This should look similar to:

localsend --netvm--> sys-firewall --netvm--> sys-net --> LAN
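As an added example (not part of the original post), one way to act on the note about `nft flush chain`: look up the handle of the rule for the LocalSend port and delete only that rule, so other rules in `custom-input` survive. The function names, the second rule on port 8080 and the address 192.168.1.23 are assumptions made up for the sample listing.

```shell
#!/bin/sh
# Added example: remove only the LocalSend rule instead of flushing the chain.
port=53317

# Read an `nft -a list chain` listing on stdin and print the handle of every
# rule matching "tcp dport <port>". The space after the port keeps 53317
# from matching a longer number such as 533170.
rule_handles() {
  sed -n "s/.*tcp dport $1 .*# handle \([0-9][0-9]*\)\$/\1/p"
}

# Delete just those rules from the live chain (run as root in sys-net).
# Hypothetical helper; call it from the `stop)` branch in place of the flush.
delete_port_rules() {
  nft -a list chain ip qubes custom-input | rule_handles "$1" |
  while read -r handle; do
    nft delete rule ip qubes custom-input handle "$handle"
  done
}

# Constructed sample of what `nft -a list chain ip qubes custom-input`
# prints when a second, unrelated forwarding rule is present.
sample_listing() {
  cat <<'EOF'
table ip qubes {
	chain custom-input { # handle 5
		ip daddr 192.168.1.23 tcp dport 8080 ct state new accept # handle 11
		ip daddr 192.168.1.23 tcp dport 53317 ct state new accept # handle 12
	}
}
EOF
}

# Offline check against the sample: only the LocalSend rule is selected.
sample_listing | rule_handles "$port"
```

Running `start` twice adds the rule twice; `delete_port_rules` removes every matching handle, so the chain ends up without any rule for that port.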