[user@sys-vpn ~]$ sudo nft list chain ip qubes nat
table ip qubes {
chain nat {
type nat hook prerouting priority dstnat; policy accept;
iifname "vif*" tcp dport 53 dnat to 10.64.0.1
iifname "vif*" udp dport 53 dnat to 10.64.0.1
}
}
[user@sys-vpn ~]$
This is what I get in the VPN qube.
Did you add counter to the rules in the VPN qube?
Yes, this is what I have currently:
DNS=10.64.0.1
nft add chain qubes nat { type nat hook prerouting priority dstnat; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS" counter
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS" counter
nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
There was an error: counter was in the wrong place.
These ones are right:
DNS=10.64.0.1
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 counter dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 counter dnat "$DNS"
OK, I fixed up the script and ran it:
[user@sys-vpn ~]$ sudo nft list chain ip qubes nat
table ip qubes {
chain nat {
type nat hook prerouting priority dstnat; policy accept;
iifname "vif*" tcp dport 53 counter packets 0 bytes 0 dnat to 10.64.0.1
iifname "vif*" udp dport 53 counter packets 0 bytes 0 dnat to 10.64.0.1
}
}
[user@sys-vpn ~]$
Try to make some DNS requests in your AppVM connected to this VPN qube.
Like open some site or ping quad9.net.
Then check the counter.
Yes, I did that, running ping 9.9.9.9 and quad9.net, and also tried to load a page in the browser while running the script; same result, 0 bytes?
What’s the output of this command in dom0?
qvm-firewall qubename
Change qubename to the name of your AppVM where you’re testing the connection.
Also change:
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
to
nft add chain qubes nat { type nat hook prerouting priority dstnat -1\; }
And try again after VPN qube restart.
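An added example, not from the thread or the Qubes project, that combines the corrected rule order above (counter before dnat) with the suggested priority change: it loads the rules through nft -f so the shell never has to quote { } or escape ;, and adds a small helper that reads the counters you are asked to check after a test ping. It assumes the ip qubes table already exists, as in the listings above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): build the DNS DNAT rules as an nft
# script and load them atomically with `nft -f -`, so the shell never has to
# quote `{ }` or escape `;` (the pitfall hit above). Assumes a Qubes VPN qube
# whose `ip qubes` table already exists, as in the thread's listings.
DNS=10.64.0.1   # the VPN-provided resolver from the thread; change for yours

# Emit the nft script: counter sits before dnat (the corrected order above),
# and the chain runs one step before Qubes' own dstnat chains (the suggested
# `priority dstnat -1`). `flush chain` makes re-running the script idempotent.
build_dns_nat_ruleset() {
    cat <<EOF
add chain ip qubes nat { type nat hook prerouting priority dstnat - 1; }
flush chain ip qubes nat
add rule ip qubes nat iifname "vif*" tcp dport 53 counter dnat to $DNS
add rule ip qubes nat iifname "vif*" udp dport 53 counter dnat to $DNS
EOF
}

# Load the script (run as root). If the chain already exists with a different
# priority, delete it first or restart the VPN qube, as the thread does.
apply_dns_nat_ruleset() {
    build_dns_nat_ruleset | nft -f -
}

# Read `nft list chain ip qubes nat` output on stdin and print
# "<proto> <packets> <bytes>" for each DNS rule, so a stuck 0 is easy to see.
dns_counters() {
    awk '/dport 53 counter/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "packets") p = $(i + 1)
            if ($i == "bytes")   b = $(i + 1)
        }
        print $3, p, b
    }'
}

# Usage in the VPN qube, then ping from the AppVM and re-check the counters:
#   . ./dns-nat.sh; apply_dns_nat_ruleset; nft list chain ip qubes nat | dns_counters
```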
[axe@dom0 ~]$ qvm-firewall work
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET
0 accept - - - - -
[axe@dom0 ~]$
Sorry, couldn't copy-paste this one, but this is pretty much the output.
Yes, just changed this but it's still not working.
Just FYI, you can copy dom0 clipboard like this:
Run these commands in your work qube for a test:
echo 'nameserver 9.9.9.9' > /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net
And what’s the output of this command in dom0?
qvm-firewall vpnqubename
Change vpnqubename to the name of your VPN qube.
OK, here are the results in the work qube:
[user@work ~]$ echo 'nameserver 9.9.9.9' > /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net
bash: /etc/resolv.conf: Permission denied
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=58 time=31.5 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=58 time=26.6 ms
--- 9.9.9.9 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 26.576/29.052/31.529/2.476 ms
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$
And in dom0 I'm getting the same empty result after running qvm-firewall sys-vpn:
[axe@dom0 ~]$ qvm-firewall sys-vpn
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept - - - - - - -
[axe@dom0 ~]$
You need to add sudo, I forgot about it; check these commands again:
echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net
[user@work ~]$ echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 2 9.9.9.9
ping -c 2 quad9.net
nameserver 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=58 time=26.6 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=58 time=26.5 ms
--- 9.9.9.9 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 26.511/26.538/26.565/0.027 ms
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$
And still no change in dom0.
Can you run these commands in VPN qube:
sudo nft flush chain ip qubes nat
sudo nft flush chain ip qubes dnat-dns
And try to run these commands in your work qube?
echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 1 quad9.net
Here are the results in the work qube:
[user@work ~]$ echo 'nameserver 9.9.9.9' | sudo tee /etc/resolv.conf
ping -c 1 quad9.net
nameserver 9.9.9.9
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$
Restart VPN qube and then run this command in VPN qube:
sudo nft chain ip qubes forward '{ policy accept ; }'
Then run this command in your work qube:
ping -c 1 quad9.net
OK, did those steps.
And this is still the result in the work qube:
[user@work ~]$ ping -c 1 quad9.net
ping: quad9.net: Temporary failure in name resolution
[user@work ~]$
Run this command in VPN qube:
sudo nft insert rule qubes custom-forward log
Then run this command in VPN qube to view the firewall logs:
sudo journalctl -f
And then run this command in your work qube:
ping -c 1 quad9.net
What’s the output of the journalctl command in VPN qube after the ping?