Setting up qvm-firewall for VPN wireguard connection

Singer · January 2, 2024, 11:01am

I have a Wireguard configuration file that contains a domain and a port:

Endpoint = xxxdomain.com:4865

This VPN connection is active in the AppVM sys-vpn. Now I would like to restrict the network to this connection. To do this, I found the IPv6 address for the domain and set up a redirect from the domain to the IP in sys-vpn in /etc/hosts and entered the IP in the GUI settings of sys-vpn as the only permitted destination. Sys-net is configured for IPv6 traffic using the command “qvm-features sys-net ipv6 1”.

Until then, everything worked fine. But then I used qvm-firewall to edit sys-firewall, to which sys-vpn is connected:

0 accept {IP}/128 tcp 1-57000
1 accept {IP}/128 udp 1-57000
2 drop - - - - - -

Unfortunately, the VPN connection does not work with this setting. Not even after I redirected the domain to the IP in sys-firewall in /etc/hosts.

Would anyone know what the problem is?

DVM · January 2, 2024, 11:07am

Can you try to accept the ICMP protocol?

solene · January 2, 2024, 12:48pm

If I understand, you want to prevent qubes using the VPN NetVM qube to do networking when the VPN is off?

You need this:

Singer · January 2, 2024, 4:11pm

Yes, thank you, now it works: 0 accept {IP}/128 icmp

Singer · January 2, 2024, 4:17pm

It is more than that. I want to prevent sys-firewall from being compromised via a compromised sys-net. Therefore, only the most necessary traffic should take place between sys-net and sys-firewall. What would be the best thing to do?

solene · January 2, 2024, 4:19pm

By default, the qubes firewalls are rejecting all incoming traffic, so I guess there is nothing to do more.

If sys-net is compromised, the attacker will only be able to communicate with sys-firewall which is configured to not accept any incoming connection. However, they could manipulate all the traffic passing by, but if you use a VPN or encrypted connections like https / ssh / anything using TLS, they can’t do much.