Setting up a ProxyVM (e.g. sys-vpn) to all other AppVMs

I do not know.can you teach me how use one ProxyVM to all AppVM,I try a lot of times, but I was failed.

Create the ProxyVM.
Then change the netvm for all qubes except those upstream from the
to ProxyVM.

So if your ProxyVM is connected to sys-firewall, change the netvm for
all the other qubes except sys-firewall to ProxyVM.
You can change the netvm using the Qube Manager, or at the command
line like this:
qvm-prefs <qube> netvm ProxyVM

I was asked to evaluate application firewalls in Qubes.
If you want to try opensnitch, there are signed packages available from
the repositories at for Debian qubes, and
Install the opensnitch packages in a Template, and you can try out a host
based application firewall. It will trigger on outgoing connections,
identify the application, and prompt for action.
You can also have the alerts aggregated on an upstream netvm, and have
that as the GUI. It’s a simple configuration: the documentation is good,
but I could help out if you are having problems.

It isn’t perfect - sometimes the GUI will trigger after the first
packet - but it’s the best ready made solution I found.
Another huge caveat is that (as with all host based solutions), you have
to remove passwordless root from the qube, otherwise an attacker could
easily kill the service.

Worth trying it out.

thank for your reply again.
Here are some details.
The vpn is not work at my country.But a organization invent a software that can proxy my traffic.
this is it’s software address:GitHub - v2rayA/v2rayA: A Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel :rocket:
I use debian 10 as template to create a proxyVM. v2ray only can work at local system.I want v2rayA to proxy other appVM’s traffic, so I use v2rayA to set
and then I create a other appVM that use the proxyVM as network.
Here is a familiar example’s address:Qubes OS学习::新建一个APPVM作为网关,转发远端SOCK5流量_dieju8330的博客-CSDN博客
he was successful. I try a lot of times.But I was failed.

You could try something like this:

set -e
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" ^> /dev/null && pwd )"
qvm-run -p debian-10 'sudo apt-get install openvpn -y'
qvm-run -p debian-10 'sudo systemctl disable openvpn.service'
qvm-shutdown debian-10 --wait
if qvm-check sys-vpn 2> /dev/null; then
        echo sys-vpn exists already
        qvm-create -t debian-10 --prop=autostart=True --prop=provides_network=True --prop=include_in_backups=False -l green sys-vpn

qvm-run -p sys-vpn 'sudo mkdir /rw/config/vpn'
qvm-run -p sys-vpn 'wget -O "" && unzip'
qvm-copy-to-vm sys-vpn $DIR/files/
qvm-run -p sys-vpn 'sudo mv /home/user/QubesIncoming/dom0/ /rw/config/vpn/'
qvm-run -p sys-vpn 'sudo chmod +x /rw/config/vpn/'
qvm-copy-to-vm sys-vpn $DIR/files/common.ovpn
qvm-run -p sys-vpn 'sudo mv /home/user/QubesIncoming/dom0/common.ovpn /rw/config/vpn/'
qvm-run -p sys-vpn 'sudo cp /home/user/ivpn-openvpn-config/Switzerland.ovpn /rw/config/vpn/openvpn-client.ovpn'
qvm-run -p sys-vpn 'sudo sed -i /$auth-user-pass/d /rw/config/vpn/openvpn-client.ovpn'
qvm-run -p sys-vpn 'sudo cat /rw/config/vpn/common.ovpn | sudo tee -a /rw/config/vpn/openvpn-client.ovpn'
qvm-copy-to-vm sys-vpn $DIR/files/qubes-firewall-user-script
qvm-run -p sys-vpn 'sudo mv /home/user/QubesIncoming/dom0/qubes-firewall-user-script /rw/config/'
qvm-run -p sys-vpn 'sudo chmod +x /rw/config/qubes-firewall-user-script'
qvm-copy-to-vm sys-vpn $DIR/files/vpn.rc.local
qvm-run -p sys-vpn 'sudo mv /home/user/QubesIncoming/dom0/vpn.rc.local /rw/config/rc.local'
qvm-run -p sys-vpn 'sudo chmod +x /rw/config/rc.local'
qvm-run sys-vpn 'printf "username\npassword" | sudo tee /rw/config/vpn/pass.txt'
qvm-shutdown sys-vpn --wait
qvm-start sys-vpn
qvm-prefs fedora-32-dvm netvm sys-vpn
qvm-prefs sys-whonix netvm sys-vpn

Then you would have a file called common.ovpn that looks like this:

script-security 2
up ' up'
down ' down'
redirect-gateway def1
auth-user-pass pass.txt

And then you can copy, qubes-firewall-user-script and rc.local from here

Don’t run code you find on the internet unless you understand what it does

1 Like

thank for you reply.But any vpn is not work at my location

Not sure what you mean by this?

There are many countries where use of a VPN is illegal, or restricted.
In China and Russia, for example, use is restricted. In Iraw, they are

In these countries, users will look for an alternative.


I really wonder what is the definition of a VPN in those countries?
(mainly because encryption is NOT in the original definition of a VPN )

do they ‘fire’ about any kind of encrypted traffic?
or just a few specific well know service?

what about:

  • SSH port forward
  • SSH based SOCKS proxy
  • TLS based Proxy
  • TOR
  • TLS based RDP session

In my experience of a country where use is restricted -
the aim is to make it difficult, not impossible, and the laws are
aimed at local residents, not visitors.
SSH didn’t work at all, neither TOR. My usual VPN worked fine. I was told
this varies depending on region.

I have visited a country where such use is illegal - literally nothing
worked. No doubt it is possible to circumvent - I had no means to

1 Like

moderation comment: @fvweSDSDVCFV it seems you are posting a message repeatedly (last time was a full quote of it with a formatting issue).

I have now removed the duplicates. If you’re having issues with the discourse interface, please follow the discobot tutorial or message me.

Sounds like you need a bridge from Tor
Their protocol looks like Mozilla SSL as far as I remember, can probably request one on 443.

One of my plans if I ever end up behind a firewall like that again would be to use stunnel to wrap a vpn connection. Will be a bit slower but will just look like a really long running ssl connection. I guess it would be more ideal if there was some way of masking your vpn traffic as gaming because it would have a much more similar traffic profile.

1 Like