Thank you for the detailed guide and scripts!
A couple of ideas:
- After setting up the qube described in the guide as sys-vpn, set it to provide disposable template, create a named disposable sys-vpn-2 based off sys-vpn, and use sys-vpn-2 as the NetVM. If doing so, sys-vpn should have “Provides networking” disabled, and sys-vpn-2 should have it enabled.
- If using Qubes 4.1, use Firewall iptables rules as described here:
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP