New Script to Set Up WireGuard Connection in Qubes

Hey, I just wanted to share this script, recently published on GitHub, that automates the process of setting up a WireGuard VPN connection on Qubes OS.

Unfortunately, it does not have any leak prevention measures (i.e. fails open) and lacks any visual feedback notifications (e.g. “link up”, “link down”). Nonetheless, I have found it immensely useful and maybe others here will too.


I haven't looked at the script, but failing open is unacceptable.

New update. According to the author it fails closed.

Also regarding fail safe, it actually handles this as long as it is only used for network provider qubes as documented in the readme, and not as an app qube. If you look closely at the firewall forward rules it only allows traffic from the lan interface flowing to the WireGuard interface. That means that if the WireGuard interface is down, the traffic flowing from the lan is dropped. This can be verified with tools like tcpdump by taking down the wg tunnel. If you see that this is not the case it is a bug and I will fix it.
There is nothing preventing the VPN qube itself from talking to the WAN if the WireGuard tunnel is down, but this is by design and intended from my side. The intention is to make sure the clients behind the VPN qube stay protected even if the tunnel is down.
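
The fail-closed property described in the post above can also be checked statically from a ruleset dump. This is an added example, not part of the thread or the script's own code; it assumes rules in `iptables-save` format, and the interface names `vif+` and `wg0` and both sample rulesets are constructed for illustration.

```python
import shlex

# Constructed sample rulesets in iptables-save format (not taken from the script).
FAIL_CLOSED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i vif+ -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o vif+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
FAIL_OPEN = FAIL_CLOSED.replace(
    "-A FORWARD -i vif+ -o wg0 -j ACCEPT",
    "-A FORWARD -i vif+ -j ACCEPT")

def forward_leaks(ruleset, tunnel="wg0"):
    """Return reasons the filter FORWARD chain could pass traffic around the tunnel."""
    problems, table, policy, last = [], None, None, None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]                      # e.g. "*filter" or "*nat"
        elif table != "filter":
            continue
        elif line.startswith(":FORWARD "):
            policy = line.split()[1]              # chain default policy
        elif line.startswith("-A FORWARD "):
            tok = shlex.split(line)
            last = tok
            opt = {k: v for k, v in zip(tok, tok[1:]) if k in ("-i", "-o", "-j")}
            if opt.get("-j") != "ACCEPT":
                continue
            if "!" in tok:
                problems.append("negated match, review by hand: " + line)
            elif tunnel not in (opt.get("-i"), opt.get("-o")):
                # Accepts forwarding on a path that does not touch the tunnel,
                # so client packets can leave via the uplink when wg is down.
                problems.append("ACCEPT bypasses tunnel: " + line)
    # Unmatched packets must be dropped: by policy or by a final catch-all rule.
    catch_all = last is not None and last[2:] in (["-j", "DROP"], ["-j", "REJECT"])
    if policy != "DROP" and not catch_all:
        problems.append("FORWARD has no default drop (policy %s)" % policy)
    return problems
```

An empty result means every forwarded path goes through the tunnel interface; it does not cover the VPN qube's own OUTPUT traffic, which the post says is allowed by design.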

The author has updated the GitHub repo page with a better explanation. It fails closed. I wish I could correct the first post.