[qubes-users] wireguard anti leak

I’m now successfully running WireGuard with the new Fedora kernel, but I have trouble with leaks. The previous OpenVPN solution uses a specific qvpn group to prevent leaks. What about WireGuard? How do I set everything up to prevent leaks if the tunnel goes down?

It seems to work with the rules below. Is that enough to prevent all leaks? Does OpenVPN have more rules, or do the other rules only drop traffic from the proxyvm? Should I worry about this traffic? Is there a way to block it for WireGuard like the OpenVPN solution from the docs does? Thanks

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

Sunday, January 17, 2021 at 21:48:37 UTC, evado...@gmail.com:

Simply put a firewall VM in front of your VPN VM and only allow the target VPN servers via qvm-firewall. Note that the GUI allows DNS and ICMP by default IIRC, i.e. you'll have to use qvm-firewall directly to implement your rules.

This way you'll avoid messing with the Qubes firewall internals.

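The qvm-firewall approach from the reply above, as an added example that is not part of the original thread: a dry-run helper that prints the dom0 commands restricting a VPN qube to its WireGuard endpoints, so that DNS, ICMP and everything else is dropped by the firewall VM in front of it. The qube name sys-wg and the endpoint 192.0.2.10:51820 are constructed placeholders, and the helper functions are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the thread. Prints (does not run) qvm-firewall
# commands for dom0; review the output before executing it there.
# Assumed placeholders: qube "sys-wg", endpoint 192.0.2.10:51820.

# valid_endpoint IPV4:PORT -> status 0 only for a literal IPv4 and port.
# Hostnames are rejected so the allow-list never depends on DNS.
valid_endpoint() {
    case $1 in
        *[!0-9.:]*|*:*:*|:*|*:) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    ip=${1%:*} port=${1#*:}
    case $port in *.*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $ip in *..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_vpn_fw_rules QUBE IPV4:PORT...
emit_vpn_fw_rules() {
    vm=$1
    [ -n "$vm" ] && [ $# -ge 2 ] || {
        echo "usage: emit_vpn_fw_rules QUBE IPV4:PORT..." >&2; return 2; }
    shift
    # Validate everything first so a bad entry yields no partial rule set.
    for ep in "$@"; do
        valid_endpoint "$ep" || { echo "bad endpoint: $ep" >&2; return 1; }
    done
    # Insert the catch-all drop at the top, then each accept above it.
    # Rules are evaluated in order, so older rules below the drop never match.
    echo "qvm-firewall $vm add --before 0 action=drop"
    for ep in "$@"; do
        echo "qvm-firewall $vm add --before 0 action=accept dsthost=${ep%:*} proto=udp dstports=${ep#*:}"
    done
    echo "qvm-firewall $vm list"
}

emit_vpn_fw_rules sys-wg 192.0.2.10:51820
```

The rules are set on the VPN qube itself and enforced by whichever firewall VM is its netvm; the final list command shows the resulting order for review.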