I, like many other Qubes users, use Mullvad. On 4.1 I set up a few ProxyVMs that, in /rw/config/rc.local, would select a WireGuard configuration file at random from a specified directory. These worked very well.
I have read a number of the posts on the switch to nftables in 4.2 and how this stops the wg configuration files working with wg-quick up…
While experimenting with various ways to remedy this I found that if I installed iptables into a debian-12 template (that already has nftables installed) then wg-quick (and by extension my rc.local files) works again just fine and does not “seem” to be leaking.
Is there a good reason not to do this? Does it cause a leak I have not found, or pose any other security/privacy risk? I am not an expert in this area, so any information on potential issues would be welcome.
wg-quick should work on 4.2; only iptables support is dropped, so if you have iptables rules (maybe triggered by wg-quick?) you would have to rewrite them.
One reason the Mullvad-generated .conf file would stop working on 4.2 is that the PostUp and PreDown fields include non-custom iptables commands if “Enable kill switch (Linux only)” is enabled during generation (https://mullvad.net/account/wireguard-config/). The user might not know what these iptables commands are for if they’re just following instructions: that they’re optional, that they’re for the kill switch, and that they can instead be implemented through other means with nftables.
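For anyone following this thread, here is what those PostUp/PreDown lines look like and one way to express the same rule with nftables. This is an added example written for this thread, not code from Mullvad or the Qubes project: the commented-out iptables lines are the form the Mullvad generator emits when the kill switch is enabled, the nft lines are my own translation of them, and the file name, the table name mullvad_ks and the key/address/endpoint placeholders are made up.

```ini
# /etc/wireguard/mullvad-example.conf   (hypothetical file name)
# Keys, addresses and endpoint below are placeholders, not real Mullvad values.
[Interface]
PrivateKey = <private key from the Mullvad generator>
Address = 10.64.0.2/32, fc00:bbbb:bbbb:bb01::1/128
DNS = 10.64.0.1

# Kill switch as emitted by the Mullvad generator (needs iptables/ip6tables).
# Meaning: reject any locally generated packet that is not leaving via the
# tunnel interface (%i), is not marked with the tunnel's fwmark (so wg's own
# encrypted UDP to the server still passes) and is not addressed to a local
# address.
# PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

# Same rule with nftables only. One "inet" table covers IPv4 and IPv6, so a
# single rule replaces the iptables + ip6tables pair. wg-quick substitutes %i
# with the interface name and runs the hook through bash, so $(...) works.
PostUp = nft add table inet mullvad_ks; nft add chain inet mullvad_ks output '{ type filter hook output priority filter; policy accept; }'; nft add rule inet mullvad_ks output oifname != "%i" meta mark != $(wg show %i fwmark) fib daddr type != local counter reject
# Deleting the whole table removes the chain and rule in one step.
PreDown = nft delete table inet mullvad_ks

[Peer]
PublicKey = <Mullvad server public key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <server>:51820
```

After `wg-quick up`, `nft list table inet mullvad_ks` should show the chain with one rule, and its `counter` makes it easy to see whether anything is actually being rejected. One thing to keep in mind for the ProxyVM use case (my observation, not something the Mullvad instructions cover): both the iptables version and this translation hook the output path, so they only guard traffic the VPN qube itself generates; traffic forwarded from qubes behind it passes through the forward hook and is not covered by this rule.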