It’s just a change of the filename used in this step:
So you would create the file /etc/qubes-rpc/policy/qubes.ConnectTCP+8888 instead of editing /etc/qubes-rpc/policy/qubes.ConnectTCP. I believe that all this change does is make the configuration a bit more secure by preventing my-qube from connecting to any ports on my-proxy other than 8888. You will still need the Firefox proxy edit.
I don’t see why it wouldn’t work - but I don’t have much experience with VPNs (in general or in Qubes OS). Let me know if you get it working!
Thank you @Rooftop for your answers. I have one more question. Would you know how to set up Thunderbird in my-qube running, for example, Gmail IMAP (ports 993 and 465, I believe)?
You need to enable networking in my-qube (i.e. set Networking to sys-firewall in Qube Settings) and then select Limit outgoing internet connections and add firewall rules to allow access to the required addresses/hostnames for ports 993 and 465 (or whatever ports are required).
For a service like Gmail that uses multiple IP addresses, you may need to set the address to * (if allowing connections on ports 993 and 465 to any host is acceptable to you).
Web browsing will still be forced to go via the proxy as you haven’t allowed ports 80/443 through the firewall.
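The dom0 side of the setup described in this thread (the port-restricted qubes.ConnectTCP policy plus the outgoing firewall rules), as an added example that is not from the thread or from the Qubes project. It assumes the qube names my-qube and my-proxy, proxy port 8888, and imap.gmail.com / smtp.gmail.com as the mail hosts; the rule strings are built by functions so they can be inspected before being applied.

```shell
# Added example (not from the thread). Assumed names: my-qube, my-proxy, port 8888,
# mail hosts imap.gmail.com / smtp.gmail.com. Legacy /etc/qubes-rpc/policy path as in the thread.
QUBE="my-qube"
PROXY="my-proxy"
PROXY_PORT="8888"

# Policy line for qubes.ConnectTCP+8888: my-qube may only open port 8888 on my-proxy,
# which is what "qvm-connect-tcp 8888:my-proxy:8888" inside my-qube asks for.
connect_tcp_policy() {
    printf '%s %s allow\n' "$QUBE" "$PROXY"
}
policy_file() {
    printf '/etc/qubes-rpc/policy/qubes.ConnectTCP+%s\n' "$PROXY_PORT"
}

# Firewall rules for my-qube: IMAPS and SMTPS to the mail hosts only, everything else dropped.
# Ports 80/443 are not opened, so web browsing still has to go through the proxy on 8888.
mail_firewall_rules() {
    printf 'accept dsthost=imap.gmail.com proto=tcp dstports=993\n'
    printf 'accept dsthost=smtp.gmail.com proto=tcp dstports=465\n'
    printf 'drop\n'
}

# Apply in dom0. Does nothing when the Qubes tools are absent, so the file can be sourced for review.
apply_in_dom0() {
    command -v qvm-firewall >/dev/null 2>&1 || return 0
    connect_tcp_policy | sudo tee "$(policy_file)" >/dev/null
    qvm-firewall "$QUBE" reset
    # Assumption: reset leaves a single default "accept" rule at index 0; remove it so the
    # trailing "drop" becomes the final rule, then verify with: qvm-firewall "$QUBE" list
    qvm-firewall "$QUBE" del --rule-no 0
    mail_firewall_rules | while read -r rule; do
        # shellcheck disable=SC2086  # the rule string is meant to be word-split into arguments
        qvm-firewall "$QUBE" add $rule
    done
}
```

Run `apply_in_dom0` in dom0 after reviewing `mail_firewall_rules`; the order matters, since the `drop` line must be last.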
Thank you for the reply. I tried the following and failed to get Thunderbird with a Gmail account to work. It failed to connect to the Internet. Would you know what I did wrong?
It just occurred to me that for Gmail, Thunderbird might need you to login in to your Google account via the web - try changing the connection settings in Thunderbird (under Preferences, scroll down to Network & Disk Space) to use localhost port 8888 as the HTTP/HTTPS proxy.
Thunderbird acts as if there’s no internet. That’s it. It cannot reach gmail.
I had tried that before asking you about Thunderbird. While the calendar provider did work via port 8888 and my-proxy (calendar is not Google), the IMAP email failed to sync. It behaved as if it was not connected to the internet.
It’s a bit more complicated than my setup, but does have the advantage of allowing you to use one proxy VM for multiple App VMs (each with its own set of rules).
I haven’t tried it (my simple setup is adequate for my needs), but I thought I’d mention it in case anyone else is interested…
No. I have my account already set up and then I tested the proxy. When I tried to route Thunderbird via my-proxy, I checked the logs and they did not register a (denied) request other than the request for the calendar (via 8888).
OK. I have confirmed that Gmail access does work with the firewall settings you have.
However…
Setting up a new Gmail account while using the proxy didn’t work - Thunderbird tried to contact a number of sites, and even after white-listing many of them, it still seemed to not work, possibly because of point 2 below.
I don’t know how Gmail authenticates (OAuth?) and I don’t know if that can be made to work with the proxy setup.
Unfortunately, I have no interest in using Gmail, so I’m not very motivated to try fixing this problem.
P.S. The way I got it to work for testing was by manually configuring Thunderbird using the settings here and then “allowing insecure applications” in my Google settings - not something I would necessarily recommend…