Mullvad VPN App 4.2 setup guide

[user@sys-vpn ~]$ sudo nft list chain ip qubes nat
table ip qubes {
chain nat {
type nat hook prerouting priority dstnat; policy accept;
iifname "vif*" tcp dport 53 dnat to 10.64.0.1
iifname "vif*" udp dport 53 dnat to 10.64.0.1
}
}
[user@sys-vpn ~]$

This is what I get in the VPN qube.

Did you add counter to the rules in the VPN qube?

Yes, this is what I have currently:

DNS=10.64.0.1
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS" counter
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS" counter
nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

There was an error: counter was in the wrong place.
These ones are right:

DNS=10.64.0.1
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 counter dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 counter dnat "$DNS"

OK, I fixed up the script and ran it:
[user@sys-vpn ~]$ sudo nft list chain ip qubes nat
table ip qubes {
chain nat {
type nat hook prerouting priority dstnat; policy accept;
iifname "vif*" tcp dport 53 counter packets 0 bytes 0 dnat to 10.64.0.1
iifname "vif*" udp dport 53 counter packets 0 bytes 0 dnat to 10.64.0.1
}
}
[user@sys-vpn ~]$

Try to make some DNS requests in your AppVM connected to this VPN qube.
Like open some site or ping quad9.net.
Then check the counter.
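The check suggested above (look at the counters after generating DNS traffic) can be automated. The following is an added example written for this page, not code from the thread or from Qubes or Mullvad: it parses the text that "nft list chain ip qubes nat" prints, pulls out the "counter packets N bytes M" values of each rule, and reports whether any DNS DNAT rule has matched at all. The two listings embedded in it are constructed samples (the second one with made-up packet and byte counts).

```python
"""Parse the counters printed by `nft list chain ip qubes nat` and report
whether the DNS DNAT rules in the VPN qube have matched any packets yet."""
import re
from dataclasses import dataclass

# Constructed sample: the listing as it looks before any DNS traffic has
# passed through the VPN qube (same shape as the output shown in the thread).
SAMPLE_NO_TRAFFIC = """\
table ip qubes {
chain nat {
type nat hook prerouting priority dstnat; policy accept;
iifname "vif*" tcp dport 53 counter packets 0 bytes 0 dnat to 10.64.0.1
iifname "vif*" udp dport 53 counter packets 0 bytes 0 dnat to 10.64.0.1
}
}
"""

# Constructed sample of the same listing after an AppVM has sent a few UDP
# DNS queries through the qube (the counts are made up for this example).
SAMPLE_WITH_TRAFFIC = SAMPLE_NO_TRAFFIC.replace(
    "udp dport 53 counter packets 0 bytes 0",
    "udp dport 53 counter packets 4 bytes 284",
)

# A rule line with a counter: "<match part> counter packets N bytes M <verdict>"
RULE_RE = re.compile(
    r"^(?P<match>.*?)\s*counter packets (?P<packets>\d+) bytes (?P<bytes>\d+)\s*(?P<verdict>.*)$"
)


@dataclass
class CounterRule:
    match: str      # match expressions, e.g. 'iifname "vif*" udp dport 53'
    packets: int
    bytes: int
    verdict: str    # what follows the counter, e.g. 'dnat to 10.64.0.1'


def parse_counters(listing: str) -> list[CounterRule]:
    """Return one CounterRule per rule line that carries a counter statement."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        # Skip the table/chain wrapper lines, the chain header and blanks.
        if not line or line.startswith(("table", "chain", "type", "}")):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue  # rule without a counter: nothing to report for it
        rules.append(CounterRule(m["match"], int(m["packets"]), int(m["bytes"]), m["verdict"]))
    return rules


def dns_redirect_seen(listing: str) -> bool:
    """True if any 'dport 53' rule with a dnat verdict has counted at least one packet."""
    return any(
        rule.packets > 0
        for rule in parse_counters(listing)
        if "dport 53" in rule.match and rule.verdict.startswith("dnat")
    )


if __name__ == "__main__":
    for name, listing in (("before", SAMPLE_NO_TRAFFIC), ("after", SAMPLE_WITH_TRAFFIC)):
        for rule in parse_counters(listing):
            print(f"{name}: {rule.match!r} -> {rule.packets} packets, {rule.bytes} bytes")
        print(f"{name}: DNS redirect seen = {dns_redirect_seen(listing)}")
```

On a real VPN qube you would feed it the output of "sudo nft list chain ip qubes nat" instead of the embedded samples; a result of False after pinging a hostname from the AppVM means the queries never reached the nat chain, which is exactly the situation the thread goes on to diagnose.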

Yes, I did that, running ping 9.9.9.9 and quad9.net, and also tried to load a page in the browser while running the script. Same results, 0 bytes?

What’s the output of this command in dom0?

qvm-firewall qubename

Change qubename to the name of your AppVM where you’re testing the connection.

Also change:

nft add chain qubes nat { type nat hook prerouting priority dstnat\; }

to

nft add chain qubes nat { type nat hook prerouting priority dstnat -1\; }

And try again after VPN qube restart.

[axe@dom0 ~]$ qvm-firewall work
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET
0 accept - - - - -
[axe@dom0 ~]$

Sorry, couldn't copy-paste this one, but this is pretty much the output.

Yes, just changed this, but it's still not working.

Just FYI, you can copy dom0 clipboard like this:

Run these commands in your work qube for a test:

echo 'nameserver 9.9.9.9' > /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net

And what’s the output of this command in dom0?

qvm-firewall vpnqubename

Change vpnqubename to the name of your VPN qube.

OK, here are the results in the work qube:

[user@work ~]$ echo 'nameserver 9.9.9.9' > /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net
bash: /etc/resolv.conf: Permission denied
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=58 time=31.5 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=58 time=26.6 ms

--- 9.9.9.9 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 26.576/29.052/31.529/2.476 ms
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$

And in dom0 I'm getting the same empty results after running qvm-firewall sys-vpn:

[axe@dom0 ~]$ qvm-firewall sys-vpn
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept - - - - - - -
[axe@dom0 ~]$

You need to add sudo, I forgot about it. Check these commands again:

echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net

[user@work ~]$ echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net
nameserver 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=58 time=26.6 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=58 time=26.5 ms

--- 9.9.9.9 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 26.511/26.538/26.565/0.027 ms
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$

And still no change in dom0.

Can you run these commands in VPN qube:

sudo nft flush chain ip qubes nat
sudo nft flush chain ip qubes dnat-dns

And try to run these commands in your work qube?

echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 1 quad9.net

Here are the results in the work qube:

[user@work ~]$ echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 1 quad9.net
nameserver 9.9.9.9
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$

Restart VPN qube and then run this command in VPN qube:

sudo nft add chain ip qubes forward '{ policy accept ; }'

Then run this command in your work qube:

ping -c 1 quad9.net

OK, did those steps.

And this is still the result in the work qube:

[user@work ~]$ ping -c 1 quad9.net
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$

Run this command in VPN qube:

sudo nft insert rule qubes custom-forward log

Then run this command in the VPN qube to view the firewall logs:

sudo journalctl -f

And then run this command in your work qube:

ping -c 1 quad9.net

What’s the output of the journalctl command in VPN qube after the ping?
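Once the log rule above is in place, every packet that traverses custom-forward shows up in the journal as a kernel line of "KEY=value" fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT= and so on). The following is an added example written for this page, not code from the thread or from Qubes or Mullvad: it parses such lines, keeps only DNS packets (DPT=53), and groups them by the interface they were about to leave on, so you can see at a glance whether an AppVM's DNS queries are heading into the tunnel or towards eth0, where the "oifname eth0 counter drop" rule in this thread's script discards them. The journal lines are constructed samples with made-up addresses and ids, and "wg0-mullvad" is an assumed tunnel interface name (pass your real one as tunnel_iface).

```python
"""Summarise DNS packets from the nft `log` rule as seen in `journalctl -f`
on the VPN qube: which interface each one was about to leave on."""
import re
from collections import Counter

# Constructed sample journal lines (interfaces, addresses and ids are made up;
# "wg0-mullvad" is an assumed tunnel interface name, not taken from the thread).
SAMPLE_JOURNAL = """\
Mar 10 12:00:01 sys-vpn kernel: IN=vif12.0 OUT=eth0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.14 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar 10 12:00:02 sys-vpn kernel: IN=vif12.0 OUT=eth0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.14 DST=9.9.9.9 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=23456 DF PROTO=UDP SPT=51234 DPT=53 LEN=46
Mar 10 12:00:03 sys-vpn kernel: IN=vif12.0 OUT=wg0-mullvad MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.14 DST=10.64.0.1 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=23457 DF PROTO=UDP SPT=51235 DPT=53 LEN=46
Mar 10 12:00:03 sys-vpn NetworkManager[512]: <info>  unrelated journal line
"""

# One "KEY=value" field; bare flags such as "DF" have no "=" and are ignored.
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_nflog_line(line: str):
    """Return the KEY=value fields of one nf_log kernel line, or None for other lines."""
    if "kernel:" not in line or " IN=" not in line:
        return None
    payload = line.split("kernel:", 1)[1]
    fields = {}
    for m in KV_RE.finditer(payload):
        # ICMP lines carry two ID= fields (IP id, then ICMP id); keep the first.
        fields.setdefault(m["key"], m["val"])
    return fields


def classify(fields: dict, tunnel_iface: str = "wg0-mullvad") -> str:
    """Where the packet was about to go: into the tunnel, to eth0, or elsewhere."""
    out = fields.get("OUT", "")
    if out == tunnel_iface:
        return "tunnel"
    if out == "eth0":
        # With "oifname eth0 counter drop" in custom-forward these never leave.
        return "outside-tunnel"
    return "other"


def dns_summary(journal: str, tunnel_iface: str = "wg0-mullvad") -> dict:
    """Count DNS packets (DPT=53) by (classification, destination address)."""
    counts = Counter()
    for line in journal.splitlines():
        fields = parse_nflog_line(line)
        if fields is None or fields.get("DPT") != "53":
            continue
        counts[(classify(fields, tunnel_iface), fields["DST"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (where, dst), n in sorted(dns_summary(SAMPLE_JOURNAL).items()):
        print(f"{n} DNS packet(s) to {dst}: {where}")
```

To use it on a live qube, pipe "sudo journalctl -k --no-pager" (or a saved copy of the journalctl -f output) into the script in place of SAMPLE_JOURNAL. A summary in which every DNS packet is classified as outside-tunnel explains a "Temporary failure in name resolution" in the AppVM: the queries reach the VPN qube but are discarded before they leave it, rather than being redirected to the VPN's resolver.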