This tutorial shows how to configure Mullvad OpenVPN with Qubes using the Debian 12 template. In the “Add DNS hijacking rules” section they set up iptables that prevent any data from downstream Qubes going anywhere other than the tunnel. This does not work in Qubes 4.2, because of the switch to nftables. I tried translating the rules to nftables using iptables-translate, but that doesn’t work, because the tables coming out of the translation don’t exist.
I tried various tutorials to understand how nftables works, but I can’t grasp how it works. There also doesn’t seem to be much documentation on how nftables is set up in Qubes, yet.
Does anyone know how to write the iptables rules from the tutorial using nftables?
Thanks, I saw that already; unfortunately, there are not many details collected there yet. The closest information I found related to VPNs is this: Replace iptables with nftables by 1cho1ce · Pull Request #71 · tasket/Qubes-vpn-support · GitHub
That seems to be very close to what I need to do, but it’s not entirely clear how it works. It uses interface groups, but they are not defined in /etc/group/iproute2 as they usually are. I assume Qubes defines these somehow when a new interface is created. It seems lo is 0, downstream is 1 and upstream is 2. But I couldn’t find out yet where exactly they get defined.
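One way to express the kill-switch and DNS-hijack rules in nftables, as an added example rather than code from the thread, the Mullvad tutorial or the linked PR. It assumes the tunnel interface is tun0, the interface-group numbering guessed in the post (downstream vif* interfaces in group 1), and 10.64.0.1 as a stand-in for the VPN-provided DNS resolver; it is loaded as its own table with `nft -f` (e.g. from the VPN qube's /rw/config/rc.local), so it does not touch the Qubes-managed tables.

```nft
# Added example, not from the thread or the tutorial.
# Assumptions: tunnel interface tun0, downstream interfaces in group 1
# (as guessed in the post), 10.64.0.1 as placeholder VPN DNS resolver.
define VPN_IF = "tun0"
define VPN_DNS = 10.64.0.1
define DOWNSTREAM = 1

table inet vpn-killswitch {
    # DNS hijack: every DNS query from a downstream qube is rewritten
    # to the resolver reachable only through the tunnel.
    chain dns-hijack {
        type nat hook prerouting priority dstnat; policy accept;
        iifgroup $DOWNSTREAM udp dport 53 dnat ip to $VPN_DNS
        iifgroup $DOWNSTREAM tcp dport 53 dnat ip to $VPN_DNS
    }

    # Kill switch: forwarded traffic from downstream qubes may only
    # enter or leave via the tunnel. A drop in this chain is final even
    # if the Qubes-managed forward chain would have accepted the packet.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        iifgroup $DOWNSTREAM oifname $VPN_IF accept
        iifname $VPN_IF oifgroup $DOWNSTREAM ct state established,related accept
        # Anything else from downstream (e.g. straight out of eth0 while
        # the tunnel is down) is counted and dropped.
        iifgroup $DOWNSTREAM counter drop
    }
}
```

The VPN qube's own OpenVPN session to the server goes through the output hook, not forward, so it is unaffected; if the tunnel drops, downstream qubes simply lose connectivity instead of leaking via eth0.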