Route ALL Qubes traffic through VPN

I have a VPN qube set up with all the proper firewall rules and such.

Now, since I am a new Qubes user, my greatest concern is that traffic will still leak through at some point in my system, for example through Dom0 updates (fixed that already)

What generally has to be done so that nothing leaks through?

1 Like

Use killswitch with qvm-firewall

qvm-firewall <qube> reset
qvm-firewall <qube> add accept <vpn_ip> dstports=<vpn_port> proto=tcp
qvm-firewall <qube> del --rule-no 0

After executing the script above, the output of the qvm-firewall <qube> command should look like:

NO  ACTION  HOST            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  10.137.0.33/32  tcp       4500     -               -          -       -

This method guarantees no leaks for your setup.

1 Like

Traffic from netvm before the VPN (= closer to sys-net in the chain) won’t be covered by the VPN, and they do some network operations for themselves like checking for updates for the linux distribution it’s running + checking updates on Qubes OS repository.

In addition, you need to configure updates to be done through the vpn qube, otherwise it’s using sys-firewall or sys-net.

2 Likes

So, simply do this:

and afterwards this

qubes-prefs updatevm <my-vpn-qube>
qubes-prefs clockvm <my-vpn-qube>

correct?

1 Like

If you want to be 100% sure that no traffic bypasses the VPN… run the VPN tunnel upstream, outside Qubes. Maybe use a Raspberry Pi and run PiHole there too, for good measure. Then you use the Pi as a router and protect your whole network.
Just saying.

4 Likes

I would like to log this as Option B:
Preferably for stationary use. Secure and simple, but you have to set up and carry a Pi (and power supply) with you.

Back to option A: five-liner in dom0

qvm-firewall <vpn-qube> reset
qvm-firewall <vpn-qube> add accept <vpn_ip> dstports=<vpn_port> proto=tcp
qvm-firewall <vpn-qube> del --rule-no 0
qubes-prefs updatevm <vpn-qube>
qubes-prefs clockvm <vpn-qube>

Anything missing?

2 Likes
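As an added check for option A (my own example, not code from the thread or from the Qubes project): a small Python script that parses a pasted `qvm-firewall <vpn-qube>` listing in the table format quoted above and flags anything other than the single permanent accept rule to the VPN endpoint, relying on the thread's premise that traffic matching no listed rule is dropped; the sample listing is the one from the thread, and the endpoint values are assumed.

```python
"""Verify that a `qvm-firewall <qube>` listing is a strict VPN killswitch:
exactly one permanent accept rule, pinned to the VPN endpoint, and nothing else."""
import ipaddress

# Constructed sample: the rule table quoted in the thread above.
SAMPLE_LISTING = """\
NO  ACTION  HOST            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  10.137.0.33/32  tcp       4500     -               -          -       -
"""

FIELDS = ("no", "action", "host", "proto", "ports", "special", "icmp", "expire")

def parse_listing(text):
    """Turn the whitespace-aligned table into one dict per rule (header skipped).
    A COMMENT may contain spaces, so it absorbs whatever remains on the line."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("NO"):
            continue
        parts = line.split(None, len(FIELDS))
        rule = dict(zip(FIELDS, parts[:len(FIELDS)]))
        rule["comment"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else "-"
        rules.append(rule)
    return rules

def _is_vpn_host(host, wanted):
    """True only when the HOST column is exactly the pinned /32 endpoint."""
    try:
        return ipaddress.ip_network(host, strict=False) == wanted
    except ValueError:  # "-" (any host) or a domain name: not the pinned endpoint
        return False

def killswitch_problems(rules, vpn_ip, vpn_port, proto="tcp"):
    """Return a list of findings; an empty list means the listing is the intended
    killswitch. Any other accept rule is a path around the tunnel; no matching
    rule at all means the tunnel itself cannot connect."""
    wanted = ipaddress.ip_network(f"{vpn_ip}/32")
    problems, matches = [], 0
    for r in rules:
        if r["action"] != "accept":
            continue  # drop rules cannot leak traffic
        if (_is_vpn_host(r["host"], wanted) and r["proto"] == proto
                and r["ports"] == str(vpn_port) and r["special"] == "-"
                and r["expire"] == "-"):
            matches += 1
        else:
            problems.append(f"rule {r['no']}: accept not limited to the VPN endpoint "
                            f"(host={r['host']} proto={r['proto']} ports={r['ports']})")
    if matches == 0:
        problems.append("no permanent accept rule for the VPN endpoint: tunnel cannot connect")
    return problems
```

Paste the live output of qvm-firewall <vpn-qube> in place of SAMPLE_LISTING and call killswitch_problems with your endpoint; any non-empty result is a rule to remove or fix.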

If you are concerned about update checks (all qubes check for updates by default), run the following on the qubes running outside the VPN chain:

qvm-service <qube> qubes-update-check off

4 Likes

OPNsense or pfSense firewall on a cheap PC between your router and PC; it is near impossible to prevent Qubes from leaking.

2 Likes

A number of routers permit the installation of VPN(s), so some to all of the attached devices can be directed through those desired.

1 Like

Can someone illuminate using Tor “pluggable transport” in this context?

1 Like

Which context?

“Pluggable transports” are protocols to get into Tor when you are blocked. It is not recommended to use pluggable transports when you do not need to.

4 Likes

Tor pluggable transports are used for circumventing censorship to access the Tor network, so they are not relevant regarding network traffic leaks in this topic.

3 Likes