Using Qubes OS smoothly in China: not elegant, but simple (Qubes OS in China, bypassing the GFW: not elegant, but simple!)

The GFW is one of the main things keeping many Chinese users out. Fedora can use metalink to automatically pick the fastest mirror, but Whonix has no such solution, and without Whonix much of the fun of Qubes OS is lost. After some time searching and summarizing, I finally put together a solution that is very simple and works, though not elegant enough.

At this stage I can safely turn off my OpenWrt soft router and plug the network cable in directly to use Whonix without pain. The proxy client ("ladder") I use is Clash-Verge-rev. You can use any proxy client you are familiar with; you only need to change the corresponding port number.

The following explanation is entirely based on Clash-Verge-rev, whose default port number is 7897.

Explanation of the approach

First of all, thanks to puddin's post on the forum; my implementation is based on his method 2, just without the sing-box configuration (because the sing-box configuration in the original post did not work for me; anyone who knows how is welcome to point it out). Compared with the original post, it is not possible to simply change a qube's netvm to route it through the proxy; a simple configuration is needed in the corresponding qube, which is explained later.

First you need to prepare two qubes: one is firewall-proxy and the other is ClashVM. The default sys-firewall is a dvm, so its configuration files are lost on reboot; that is why I created a dedicated firewall VM.

Step 1: Configure firewall port forwarding (you can refer to the official tutorial).

(Assumption: personal's IP is 10.137.0.1, ClashVM's IP is 10.137.0.2)

In firewall-proxy, enter:

sudo nft add rule ip qubes custom-forward ip saddr 10.137.0.1 ip daddr 10.137.0.2 ct state new,established,related counter accept
sudo nft add rule ip qubes custom-forward ip saddr 10.137.0.2 ip daddr 10.137.0.1 ct state new,established,related counter accept

In personal, enter:
sudo nft add rule qubes custom-input ip saddr 10.137.0.2 ct state new,established,related counter accept

In ClashVM, enter:
sudo nft add rule qubes custom-input ip saddr 10.137.0.1 ct state new,established,related counter accept

Step 2: Start Clash-verge-rev in ClashVM and turn on the "Allow LAN" option.

I use the AppImage version and have enabled both the auto-start and silent-start options.

Step 3: In personal, enter:

ALL_PROXY=socks://10.137.0.2:7897 curl ip.me

If it returns an IP address, it worked. You can switch nodes in Clash and the returned IP address should change.

(If everything goes well, the rules from step 1 need to be written into firewall-proxy's "~/rw/config/qubes-firewall-user-script" and into personal's and ClashVM's "~/rw/config/rc.local". Remember to remove the sudo.)

Final configuration:

With all the infrastructure in place, set the proxy address in sys-whonix to ClashVM's IP and port 7897; in this example ClashVM's IP is 10.137.0.2.

In personal, if you don't want to use the proxy globally, you can install a browser extension such as Proxy SwitchyOmega; the IP address and port number are likewise ClashVM's 10.137.0.2 and 7897.

If you want the terminal to go through the proxy, my solution is:

alias con="export https_proxy=http://10.137.0.2:7897 http_proxy=http://10.137.0.2:7897 all_proxy=socks5://10.137.0.2:7897"

Just run con in the terminal and all following commands will go through the proxy.

Shortcomings & cautions

1: Unlike a properly configured sing-box, you cannot route a qube through the proxy simply by changing its netvm; if a new VM needs to go through the proxy, you also have to set up the port forwarding in the firewall and in several qubes.

2: Resource usage still feels a bit high, because I use the graphical version of clash-verge-rev: configuration is simple, but it still uses quite a lot of memory; a command-line tool would be better. In my experience, if the personal qube is always running, I could just as well use that VM as the proxy qube, but I don't know whether that raises any security issues, so I haven't done it yet.

Note: sys-whonix does not need its own forwarding rules; just add its IP in firewall-proxy and ClashVM, and fill in the corresponding IP and port number 7897 in the GUI.

Closing words

The Qubes OS experience is great, but for some particular reasons Chinese users run into obstacles everywhere, and ordinary VPNs all seem to have stopped working in China. Also, foreign developers rarely run into these problems, so there are very few tutorials about the GFW anywhere online; my setup was cobbled together from bits and pieces. It works, but as the title says, it isn't elegant enough. If you have a better solution, you're welcome to discuss it; I just hope this post can help some people.

Translated with DeepL.com
Reference link: How to bypass the GFW on Qubes OS when you're in China / 如何在Qubes OS上翻墙 - Community Guides - Qubes OS Forum (qubes-os.org)
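As an added example (not from the original post or the Qubes project), here is a small POSIX shell script that generates the step 1 nft rules for each of the three qubes in `nft -f` syntax, so the same lines can be placed in qubes-firewall-user-script and rc.local without sudo, and wraps the step 3 curl check; the IPs and port are the post's example values, and the script name and environment variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: emits the step 1 nft rules as
# text for `nft -f`, so the same lines can be placed in firewall-proxy's
# qubes-firewall-user-script and the two AppVMs' rc.local (both run as root,
# so no sudo; rc.local must be executable). IPs and port are the post's
# example values; override them via the environment for your own qubes.
PERSONAL_IP="${PERSONAL_IP:-10.137.0.1}"
CLASH_IP="${CLASH_IP:-10.137.0.2}"
CLASH_PORT="${CLASH_PORT:-7897}"
STATE="ct state new,established,related counter accept"

# firewall-proxy: allow traffic in both directions between the two qubes.
forward_rules() {
  printf 'add rule ip qubes custom-forward ip saddr %s ip daddr %s %s\n' "$1" "$2" "$STATE"
  printf 'add rule ip qubes custom-forward ip saddr %s ip daddr %s %s\n' "$2" "$1" "$STATE"
}

# personal / ClashVM: accept inbound traffic from the named peer.
input_rule() {
  printf 'add rule ip qubes custom-input ip saddr %s %s\n' "$1" "$STATE"
}

# Load a rule set from stdin in one transaction; skipped when nft is missing
# so the generators above can be exercised anywhere.
apply_rules() {
  command -v nft >/dev/null 2>&1 || { echo "nft not found, nothing applied" >&2; return 1; }
  nft -f -
}

# The step 3 check from personal: fetch our public IP through the SOCKS proxy
# (socks5:// here rather than the post's socks://).
proxy_check() {
  ALL_PROXY="socks5://${CLASH_IP}:${CLASH_PORT}" curl -s --max-time 10 ip.me
}

# Usage (hypothetical file name): sh qubes-proxy-rules.sh {firewall|personal|clash|check}
case "${1:-}" in
  firewall) forward_rules "$PERSONAL_IP" "$CLASH_IP" | apply_rules ;;
  personal) input_rule "$CLASH_IP" | apply_rules ;;
  clash)    input_rule "$PERSONAL_IP" | apply_rules ;;
  check)    proxy_check ;;
esac
```

Run `sh qubes-proxy-rules.sh firewall` from the firewall-proxy script and the `personal`/`clash` variants from each AppVM's rc.local; `check` reproduces the post's curl test.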


nihao,

please allow me to contribute to your thread with another solution that worked for me.

I had the pleasure of playing around with the GFW too; the major VPN companies couldn't do the job well (servers were blocked faster than they were deployed), and Tor didn't work well either.
But WireGuard and SSH did very well.

So if you can find a VPS hosting company (I won't name mine now, but I could reach it over the clearnet), set up a standard OS (Debian, Ubuntu, AlmaLinux), install WireGuard or use an SSH tunnel (for fast access) on a custom port (don't use the standard port), and you can get stable internet access.
Please note that whatever I tried, I had to tunnel another VPN through the WireGuard tunnel to get some services working, and I have no idea whether this is due to some DPI blocking by the GFW or just a misconfiguration. So please note this could be an issue, but if you managed to build this setup, you're an advanced user and can work around this too (tunnel-through-tunnel configuration).

Hope that helps

Edit: VPS could be located in Singapore or Hong-Kong.
