Internet <- sys-net <- sys-firewall <- vpn qube <- vpn qube firewall <- qube for ad filtering and telemetry <- rdp qube client (LAN connection) <- Win 11 dedicated server
What I tried:
1) opensnitch - It filters requests within a qube, but it is not clear how to add the ability to filter the next connected qube (rdp qube).
2) Pi-Hole - The installation happens correctly, but it does not filter requests within a qube, nor for the following qube (rdp qube).
Is there any guide on how to set up DNS for Pi-Hole on Qubes 4.2.2? When searching the forum I found only guides for 4.1.
Maybe I should try some other solution?
I’m not sure I understand your setup, but I have faced similar issues working with opensnitch and pi-hole to filter outgoing traffic from upstream qubes. The opensnitch GUI interface, with the ability to view events in real time and create rules on the fly, works perfectly for filtration purposes, but would probably require a few tweaks to work within a proxy qube. Seems like this should be possible though…
Might be worth looking into Privoxy and Squid as well.
There’s a person here @tannerlambert who created a tool so users can create scripts to solve problems in Qubes with setups, similar to unman’s tool but with scripts anyone can create.
This would be a great way to test Kuhbs. I would like to be able to get pihole to work. I tried it before and gave up. I probably did it wrong.
I like unman’s tool but I think Kuhbs could make new community guides much easier to implement
I haven’t tried this, but with opensnitch Nodes it looks like you can run an opensnitch daemon in upstream qubes (rdp) and have the traffic filtered with the opensnitch GUI in a downstream qube (firewall). Doesn’t look like you would need to add a separate qube for filtering and could even manage nftables with the GUI.
Is there a reason why opensnitch wouldn’t work in a netvm? I understand it’s bad practice (why would you do that so close to a NetVM where any escalation of priv could lead to the firewall being altered) but I don’t understand why it wouldn’t be possible. (I’m not questioning you and just don’t know why you are right.)
In a netvm, it will only see “qube source” (but will show its LAN IP only) wants to reach “destination : port”; this is not really useful.
In a qube, you can allow rules per program, so you can allow programX to reach this or that server; the granularity level is way better.
I’ve been a bit busy and will continue to work on kuhbs in about a month. I am very happy to provide free support for anyone willing to try it. Pls PM me and we can maybe all just meet in a group chat for that.
I managed to get Opensnitch Nodes to work and wrote it up as a community guide to save others a few of the headaches that I ran into trying to adapt the instructions to Qubes. You can save some time by starting there.