Monroe coin bounty: how to make other VMs disconnect when the vpn software inside the VM disconnects?

I have two VMs. One VM is running VPN software and the second VM has the first VM set as its gateway, so the second VM can access the internet through the VPN inside the first VM. But there is a problem: if the VPN software in the first virtual machine is manually disconnected, the second virtual machine will directly access the internet using the real IP. I want it so that when the first VM's VPN disconnects, none of the other VMs can access the internet.
If anyone can help me with this, please leave an xmr billing address or contact info after solving the problem, and I will use Monroe coins as a thank you, although the amount isn’t much. Thanks to everyone who participated in this topic!

You can add a VPN kill switch to only allow traffic through the VPN.

Sorry, the VPN software I'm using doesn't have this feature. I need to implement it manually, otherwise I wouldn't have come here asking for it.

What is your VPN software?

VPN software that is not open source, paid but very fast.

I don't know how your VPN software works, but in general a VPN creates a tunnel interface, and you can add forward rules to the firewall in your VPN qube to allow connections to this tunnel interface from qubes connected to the VPN qube and reject all other connections.

Is it convenient to contact you via Element? I would like you to give me specific instructions to solve the problem.

If your VPN is connecting to a static IP:port, then you can limit the VPN qube's connections to this IP:port like this:

And you can block forward traffic outside of the VPN like this:

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

Do I just need to disable all eth0 traffic? Set it inside the vpn qube or inside another qube?

You need to disable eth0 forward traffic, and you also need to redirect all DNS traffic from qubes connected to your sys-vpn to your VPN's DNS server, or it'll go to the Qubes OS default DNS server in sys-net or some other qube before sys-vpn.

You need to set it inside the VPN qube.

Also note that this guide works for Qubes OS 4.1 and older but won’t work for Qubes OS 4.2 because iptables was replaced with nftables and you’ll need to change the firewall commands for nftables.
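The rule set described in the post above, as an added example script that is not from this thread: it prints the kill-switch rules for the VPN qube so they can be reviewed and then applied with `| sudo sh`, in both the iptables form (Qubes 4.1 and older) and an nftables form (Qubes 4.2). It assumes the uplink toward sys-net is eth0, downstream qubes attach as vif* interfaces, and the chain names PR-QBS, custom-forward and dnat-dns match the Qubes firewall layout on your release; VPN_DNS is a placeholder for your provider's resolver.

```shell
#!/bin/sh
# Added example, not from the thread. Prints kill-switch rules for a Qubes VPN
# qube (sys-vpn); review them, then apply with `| sudo sh`.
# Assumptions: uplink toward sys-net is eth0, downstream qubes attach as vif*
# interfaces, and VPN_DNS is your provider's resolver. Chain names PR-QBS
# (4.1, iptables) and custom-forward/dnat-dns (4.2, nftables) are assumed from
# the Qubes firewall layout; verify them on your release.

UPLINK=eth0

valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Qubes 4.1 and older: forwarded traffic may never use eth0 directly (so when
# the tunnel drops, nothing is forwarded at all), and DNS from downstream qubes
# is rewritten to the VPN resolver in the PR-QBS nat chain.
killswitch_iptables() {
  valid_ipv4 "$1" || { echo "bad VPN DNS address: $1" >&2; return 1; }
  for t in iptables ip6tables; do
    printf '%s -I FORWARD -o %s -j DROP\n' "$t" "$UPLINK"
    printf '%s -I FORWARD -i %s -j DROP\n' "$t" "$UPLINK"
  done
  printf 'iptables -t nat -F PR-QBS\n'
  for p in udp tcp; do
    printf 'iptables -t nat -A PR-QBS -i vif+ -p %s --dport 53 -j DNAT --to-destination %s\n' "$p" "$1"
  done
}

# Qubes 4.2: the same policy expressed for nftables in the "qubes" tables.
killswitch_nft() {
  valid_ipv4 "$1" || { echo "bad VPN DNS address: $1" >&2; return 1; }
  for f in ip ip6; do
    printf 'nft insert rule %s qubes custom-forward oifname "%s" drop\n' "$f" "$UPLINK"
    printf 'nft insert rule %s qubes custom-forward iifname "%s" drop\n' "$f" "$UPLINK"
  done
  printf 'nft flush chain ip qubes dnat-dns\n'
  for p in udp tcp; do
    printf 'nft add rule ip qubes dnat-dns iifname "vif*" %s dport 53 dnat to %s\n' "$p" "$1"
  done
}

# Usage: sh killswitch.sh iptables <VPN_DNS> | sudo sh   (or: nft <VPN_DNS>)
if [ $# -ge 2 ]; then
  case "$1" in
    iptables) killswitch_iptables "$2" ;;
    nft) killswitch_nft "$2" ;;
  esac
fi
```

Check the result afterwards with `iptables -L FORWARD -v` (or `nft list table ip qubes`) and confirm that a downstream qube loses connectivity the moment the tunnel interface disappears.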

You should simply:

  • Connect the VPN VM to some new qube (e.g. sys-vpn-only) that you can make by cloning sys-firewall or creating manually.
  • Connect this sys-vpn-only to sys-firewall or even sys-net (to lower CPU usage).

This way you will have the same situation as you have now, but then you can add firewall rules for the qube, like this (in dom0):

qvm-firewall sys-vpn-only add accept tcp 443
qvm-firewall sys-vpn-only drop

where instead of you should provide the IP of your VPN server, tcp/udp is the protocol you are using, and 443 should be replaced with the port of the VPN server. You can provide multiple lines for various IPs and ports.
To check the configuration, use qvm-firewall sys-vpn-only list

This way you will have access only to this VPN server. If your VPN software dies or exits, all qubes connected to your VPN VM will not have internet access.

After all the configuration, this is what you will get:

You can also apply qvm-firewall rules directly to the VPN qube, but as I understand it that is a bit less reliable and less flexible.

That failed: my VPN provides a dynamic IP, so I can't restrict outbound traffic by setting a public IP. Is there any other way?

You can use this guide to block forward traffic and redirect DNS:

Please, next time ask for support providing more relevant details on your problem.

I want to get the kill switch function by setting and adding firewall rules for the VPN ports. Is that possible?

Yes, it’s possible, just use address.

The problem has been solved, via a private message from a forum user. The solution was to ask the VPN provider for all of its public IPs and then allow them in the outbound firewall. Thanks to everyone involved!

So, that's what you were told: block requests with qvm-firewall using a whitelist.
And it is not a solution; you just changed the task conditions again.

Is that any different from what @apparatus suggested a few posts ago @Felicia ?


It varies. If I set in the firewall plus the port for the VPN, the VM will just not be able to access the network.