How do I set up networking between two VMs, while also keeping one VM connected to the outside world?
I have two VMs, A and B. Both have sys-firewall as their net qube and both can connect to a device on my LAN (file server/print server) and www. However, I also want A to connect to B directly. Both A and B have their internal IP address 10.137.0.*, but they are unable to communicate over this network.
Can this be done, and if so, how?
I haven’t been able to find much info about this in the documentation, and I have only found one related article on the forum.
Basically, you need to figure out the IP address of both qubes, it’s shown in their respective qubes settings, and they must share the same netvm (otherwise it gets more complicated).
In your case, traffic from A to B will pass through the netvm sys-firewall, so what needs to be done:
on B: allow A to connect
on sys-firewall: allow A and B to talk to each other
The documentation says that:
on B: run sudo nft add rule qubes custom-input ip saddr <IP address of A> ct state new,established,related counter accept
on sys-firewall: run sudo nft add rule ip qubes custom-forward ip saddr <IP address of A> ip daddr <IP address of B> ct state new,established,related counter accept
Thank you solene, I just read that article and I was just about to reply to my own post. I didn’t find it earlier.
Then I do have one remaining question: does the IP address assigned to a VM change at any point? The article describes adding nft rules using IP addresses, so if either the ‘client’ or ‘server’ VM’s IP address changes, comms would obviously break.
One could likely create an entry for ‘client’ and ‘server’ in /etc/hosts, but that would also require manual updating. Can one then instead instruct Qubes to give specific VMs a static IP?
The IPs do not change until you change the qube’s netvm. Although I’m not sure what would happen if you change the netvm back and forth, maybe the old IP would be reassigned.
You could make a script in dom0 that runs both commands on the respective qubes, as dom0 knows the IPs of each.
Another solution would be to use the ConnectTCP RPC call, which allows you to expose a TCP port of a qube to other qubes using xen channels; this does not even require doing networking or having a NetVM.
It’s really practical when you need regular use of a TCP port between qubes, like hosting something on a qube to be used on another. I should write a guide about ConnectTCP because it’s not really intuitive.
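As an added example (not code from the thread or from Qubes itself), here is what the dom0 script suggested above could look like: it reads both qubes' IPs and netvm with qvm-prefs, refuses to continue unless they share a netvm, and pushes the two nft rules from the documentation into the server qube and the netvm with qvm-run. The qube names A and B are only defaults; pass your own as arguments.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes a Qubes 4.x dom0
# where qvm-prefs and qvm-run are available. Usage: ./qube-link.sh A B
# With no arguments it only defines the helper functions.
set -eu

# Rule for the "server" qube B: accept connections coming from A's IP.
server_rule() {
    printf 'nft add rule ip qubes custom-input ip saddr %s ct state new,established,related counter accept' "$1"
}

# Rule for the shared netvm (e.g. sys-firewall): forward traffic A -> B.
forward_rule() {
    printf 'nft add rule ip qubes custom-forward ip saddr %s ip daddr %s ct state new,established,related counter accept' "$1" "$2"
}

# Sanity check so a blank or odd qvm-prefs answer never ends up inside a rule.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

main() {
    client="$1"; server="$2"
    netvm_a=$(qvm-prefs "$client" netvm)
    netvm_b=$(qvm-prefs "$server" netvm)
    # Both qubes must sit behind the same netvm for the forward rule to apply.
    [ "$netvm_a" = "$netvm_b" ] || { echo "qubes use different netvms" >&2; exit 1; }
    a_ip=$(qvm-prefs "$client" ip)
    b_ip=$(qvm-prefs "$server" ip)
    is_ipv4 "$a_ip" && is_ipv4 "$b_ip" || { echo "could not read IPs" >&2; exit 1; }
    # Rules are installed as root inside each qube; they are not persistent
    # across reboots unless added to rc.local as the documentation describes.
    qvm-run -u root "$server" "$(server_rule "$a_ip")"
    qvm-run -u root "$netvm_a" "$(forward_rule "$a_ip" "$b_ip")"
}

if [ "$#" -eq 2 ]; then
    main "$1" "$2"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 <client-qube> <server-qube>" >&2
    exit 2
fi
```

Because the rules are keyed on IPs that dom0 reads at run time, re-running the script after a netvm change picks up the new addresses instead of leaving stale rules behind.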
Since a rename isn’t actually a rename in the classical sense of the word, a rename in Qubes is a clone, the clone is given the new name, and once the clone is finished the VM with the old name is deleted.