Yes, the script will capture the DNS edited in /etc/resolv.conf and update the nftables rules.
Could you edit the guide to make the change?
Sure. Do you want me to put in the original script or do you want the more compact idea I talked about in my previous post?
I think using /usr/lib/qubes/qubes-setup-dnat-to-ns is better in case Qubes OS changes something related to DNS handling in the future.
I agree, using the Qubes OS scripts feels less hacky. The compact version would be better, IMO.
I wonder if this is required for Proton VPN as well; it should be, right?
Actually, it would be nice if this "dns watch" was a Qubes OS service we could enable in the qube! I'll file a GitHub issue to ask for it as a feature request, and try to figure out an implementation.
I agree that this would be the best script to implement, but I've done some testing and while it works fine on Debian, it doesn't on Fedora. qubes-setup-dnat-to-ns always uses systemd-resolved on Fedora, and only falls back to reading /etc/resolv.conf if it cannot reach the systemd service (which is why it works on Debian, since the service does not exist). This means that the DNS IP is not updated in the nftables dnat-dns chain when changing options in the application, which makes the script useless on Fedora. The original script works on both distributions, so even if it's not the best, maybe it's better to use it for now?
No idea, I never used their app, and if I remember correctly, they seem to rely on NetworkManager anyway. So Qubes should update the IP on the VPN up/down event, I guess.
That would be a good idea, yes. It would make a lot of services work out of the box.
Indeed, but the Mullvad VPN app also creates an entry in NetworkManager, IIRC.
Sure, please go ahead.
Probably. They list "network-manager" as supported, but I don't remember the app using it even when it was enabled.
It's now available in the guide.
OK, I just used this script and everything is working fine with Fedora 39.
I tested by changing the DNS filters in the app, then restarting the sys-vpn qube; everything works great now.
Insert this script into /rw/config/rc.local:
# rc.local already runs as root, so the sudo is not needed there
# make systemd-resolved re-read /etc/resolv.conf, then rebuild the dnat-dns chain
sudo systemctl restart systemd-resolved
sudo /usr/lib/qubes/qubes-setup-dnat-to-ns
You just added it and it works? Great. You need to restart the qube when you make changes, though; not sure if it's a big deal for you.
Yeah, that's the only problem. I can live with that, but if the DNS could change on the fly without restarting the qube, that would be great. It seems to only affect the DNS filtering in the app that you have to restart the qube for.
I have updated the guide with a script that does just that. Check out the "Fix DNS" part to get it.
Ah nice, I didn't see that. Perfect, thanks.
Did you manage to successfully install the Mullvad app into an AppVM? I tried the guide you shared, but it didn't work. I also tried this:
sudo mkdir -p /rw/config/qubes-bind-dirs.d
# persist the app's install and config directories across AppVM reboots via bind-dirs
echo -e "binds+=( '/opt/mullvad-vpn' )\nbinds+=( '/etc/opt/mullvad-vpn' )" | sudo tee /rw/config/qubes-bind-dirs.d/50_user.conf >/dev/null
Thanks for this guide.
I updated the post on PrivSec: Using Mullvad VPN on Qubes OS | PrivSec - A practical approach to Privacy and Security
It uses a systemd path unit now.
I think you might want to switch to using a systemd path setup instead of inotify and /rw/config/rc.local. It will be much cleaner.
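One way to do what the last few posts describe (re-run qubes-setup-dnat-to-ns whenever the VPN app rewrites /etc/resolv.conf, driven by a systemd path unit instead of an inotify loop in rc.local). This is an added example, not code from the thread or from the PrivSec guide; the unit names qubes-dns-fix.path / qubes-dns-fix.service, the install function and its DEST argument are assumptions made for illustration, and the `ip qubes` table / `dnat-dns` chain names used by the check function are taken from the thread's description of the chain.

```shell
#!/bin/bash
# Added example (not from the thread or the guide): keep the Qubes dnat-dns
# nftables chain in sync with /etc/resolv.conf using a systemd path unit.
# Assumed (hypothetical) unit names: qubes-dns-fix.path, qubes-dns-fix.service.
set -eu

# The fix itself, as posted in the thread. On Fedora qubes-setup-dnat-to-ns
# asks systemd-resolved for the resolvers, so restart it first so it picks up
# the new /etc/resolv.conf; on Debian the unit does not exist and the script
# reads /etc/resolv.conf directly, so the failed restart is ignored.
qubes_dns_fix() {
    systemctl try-restart systemd-resolved.service 2>/dev/null || :
    /usr/lib/qubes/qubes-setup-dnat-to-ns
}

# Write the two unit files. DEST defaults to /etc/systemd/system; note that
# in an AppVM /etc is not persistent, so either call this from
# /rw/config/rc.local on every boot or install the units in the template.
install_dns_watch_units() {
    local dest="${1:-/etc/systemd/system}"
    mkdir -p "$dest"

    cat > "$dest/qubes-dns-fix.service" <<'EOF'
[Unit]
Description=Rebuild Qubes dnat-dns rules after /etc/resolv.conf changed

[Service]
Type=oneshot
# try-restart only touches systemd-resolved if it exists and is running
ExecStart=/bin/sh -c 'systemctl try-restart systemd-resolved.service || :; exec /usr/lib/qubes/qubes-setup-dnat-to-ns'
EOF

    # PathModified fires on close-after-write of the watched file. If
    # /etc/resolv.conf is a symlink (readlink -f /etc/resolv.conf), watch the
    # target instead; inotify does not follow the link.
    cat > "$dest/qubes-dns-fix.path" <<'EOF'
[Unit]
Description=Watch /etc/resolv.conf for DNS changes made by the VPN app

[Path]
PathModified=/etc/resolv.conf
Unit=qubes-dns-fix.service

[Install]
WantedBy=multi-user.target
EOF
}

# Check: print the current DNAT rules so you can compare them with the
# nameserver lines in /etc/resolv.conf after changing a DNS filter in the app.
show_dnat_dns() {
    printf 'resolv.conf: %s\n' "$(grep '^nameserver' /etc/resolv.conf | tr '\n' ' ')"
    nft list chain ip qubes dnat-dns
}

# Usage (as root, e.g. from /rw/config/rc.local):  ./dns-fix.sh install
if [ "${1:-}" = install ]; then
    install_dns_watch_units
    systemctl daemon-reload
    systemctl enable --now qubes-dns-fix.path
    qubes_dns_fix          # bring the chain up to date right away
    show_dnat_dns
fi
```

After a DNS filter change in the app, `journalctl -u qubes-dns-fix.service` shows the oneshot run and `show_dnat_dns` should list the same resolver as `/etc/resolv.conf`; if it does not, check whether the app replaced the file rather than rewriting it in place, since a symlink swap is not seen by PathModified on the old target.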
I didn't write that part, feel free to send an update.
I created a Mullvad app qube, but I have problems with the DNS. The same problem that you have described in this guide (ivpn guide). If you have time, could you upload the section again for a Mullvad qube? @solene
# only patch firewall.sh once: skip if the marker is already present
if ! grep 'QUBES OS' /opt/ivpn/etc/firewall.sh >/dev/null
then
    # append the Qubes-specific DNS fix after the line matching -set_dns
    sudo sed -i '/-set_dns/a\
#QUBES OS - specific operation\
systemctl restart systemd-resolved || echo "Error: systemd-resolved"\
/usr/lib/qubes/qubes-setup-dnat-to-ns || echo "Error: failed to run /usr/lib/qubes/qubes-setup-dnat-to-ns"' /opt/ivpn/etc/firewall.sh
fi
Did you try the "Fix DNS" part of the guide?
Yes, it works very well now, but only until the MTU step. Just like the first attempt, after I finished the MTU step I've got the DNS problem again, as before the Fix DNS step. The app itself has an MTU setting. What is the value for this setting?
I also built a kill switch with the qvm firewall. Does it make sense, in addition to the qvm firewall, to configure the kill switch step?