Route qube traffic transparently through a proxy qube (Qubes R4.1 and R4.2)

glockmane · September 17, 2024, 6:34pm

What about this?

apparatus · September 17, 2024, 6:35pm

i guess it wasn’t updated for Qubes OS 4.2.
You can use sing-box in the qube to proxify its traffic.
You can use proxy as outbound and tun as inbound.

glockmane · September 17, 2024, 6:38pm

Like this?

apparatus · September 17, 2024, 6:41pm

Yes, something like this, but you’ll need to change iptables rules to nftables rules.

glockmane · September 17, 2024, 6:52pm

Started with cloning the repo and translating with deepL, hopefully I can get it work and create a fresh community guide for it… Maybe you can help with translating the ip table rules to nft…

github.com

glockmane/qubes-proxy_2024/blob/main/README.md

# Qubes Proxy

This is a program to install a proxy network tool ([sing-box](https://sing-box.sagernet.org/)) in Qubes OS, designed to help Qubes OS users break through the blockade in a heavily censored network environment and give Qubes OS the ability to connect to the Tor network.

The project's main repository is on [sourcehut](https://git.sr.ht/~qubes/proxy) and is mirrored on [GitHub](https://github.com/hexstore/qubes-proxy).

## How it works

It provides a web service box based on the isolation mechanism of Qubes OS. It cleverly utilizes the global DNS IPs (10.139.1.1 and 10.139.1.2) of Qubes OS as the IPs of the tun devices and lets the traffic pass through it to provide a proxy network for other applications or service boxes.

## Usage scenarios

It can work in these scenarios and perhaps you have your own!

- sys-net <- sys-firewall <- **sys-proxy** <- AppVM(s)
- sys-net <- **sys-proxy** <- sys-firewall <- AppVM(s)

## Prerequisite

- Qubes OS

This file has been truncated. show original

glockmane · September 17, 2024, 6:55pm

I see there is an install.sh which refers to a restrict-firewall script which contains the iptables rules…

glockmane · September 18, 2024, 2:42pm

Okay, translated most of the rules, but there are lines which I’m not able to translate with my current knowledge, can someone help?

I marked the lines with a “!” prefix.

github.com

glockmane/qubes-proxy_2024/blob/main/restrict-firewall

#!/bin/sh

##################################################################
##
##  proxy-restrict-firewall
##  Configure Qubes firewall for use with a proxy such as OpenVPN.
##
##  Note: For customization, add rules to a filename in firewall.d
##  other than '90_proxy-restrict'.
##
##################################################################

# Export Qubes DNS nameserver NS1 and NS2
. /var/run/qubes/qubes-ns

# Fallback to obtaining environment variables
ns=$(grep -v '^#' /etc/resolv.conf | grep nameserver | awk '{print $2}')
if [ -z "${NS1}" ]; then
  NS1=$(echo "${ns}" | cut -d " " -f 1)  # 10.139.1.1
fi

This file has been truncated. show original

rookie · April 25, 2025, 8:29pm

Is anyone knowledgeable willing to update this for fedora41 instead of fedora-38-minimal? I had the fedora-38-proxy(not minimal) setup and it used to work, but it started being very slow 6-8 months ago, and today I tried to swap the template from sys-proxy qube from fedora-38-proxy to fedora-41-proxy, and it’s not working at all. with fedora-38-proxy it works but extremely slow (2 kbps). Any thoughts/other solutions to run socks in a qube? Essentially I need Thunderbird to access the internet through a socks5 server that uses username and password. Thank you to everyone contributing!