SSH and Mullvad VPN

I installed sys-vpn from the unman repository [1], and everything works smoothly. However, I need this setup [2]: I need to connect to an SSH server in sys-vpn. All I need is an nftables rule that allows sys-vpn to connect to the SSH IP. Previously, I used this rule [3] with this setup [4]. Can anybody help write a rule that opens a hole in the firewall rules to enable SSH access in sys-vpn [1]?

@unman

[1] https://qubes.3isec.org/tasks.html
[2] SSH and Mullvad VPN
[3]
iptables -I OUTPUT 1 -d 193.138.218.71 -j ACCEPT
iptables -I INPUT 1 -s 193.138.218.71 -j ACCEPT
[4] GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS

You can try this:

sudo nft add rule ip qubes custom-input ip daddr 193.138.218.71 accept
2 Likes

Is sys-vpn using qvm-firewall to restrict the sys-vpn network? If so, you should use qvm-firewall to allow reaching your SSH server.

1 Like

Edit /rw/config/firewall.nft and add these lines:

table ip qubes {
    chain custom-input {
        type filter hook output priority 0;
        ip daddr 193.138.218.71 accept;
        drop;
    }
}

Reboot sys-vpn, and SSH should work with this setup [1][2].

For times when SSH disconnects, use this script:


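#!/bin/bash
# Watchdog: every 7 seconds, restart the SSH SOCKS tunnel (-D 1234)
# if no ssh process is running.
while true; do
  pidof_ssh=$(pidof ssh)
  if [[ -z "$pidof_ssh" ]]; then
    # -f: go to background, -N: no remote command, -D: local SOCKS proxy port
    sshpass -p "mullvad" ssh -f -N -D 1234 mullvad@193.138.218.71
  fi
  sleep 7
done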

[1] https://qubes.3isec.org/tasks.html
[2] SSH and Mullvad VPN

1 Like
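
The rules posted in this thread match only on the destination address, so they accept every protocol and port to 193.138.218.71, not just SSH. The following check is an added example, not code from the thread or from the sys-vpn package: it reads nft ruleset text and labels each address-based accept rule as BROAD or SCOPED. The function names and the sample input are constructed, and port 22 is an assumption based on the ssh command above passing no `-p`.

```shell
#!/bin/sh
# Added example: audit address-based accept rules for a protocol/port qualifier.

# Constructed sample: the rule from the thread, plus a port-scoped variant.
# Port 22 is assumed (the ssh command in the thread uses the default port).
sample_rules() {
cat <<'EOF'
table ip qubes {
    chain custom-input {
        ip daddr 193.138.218.71 accept;
        ip daddr 193.138.218.71 tcp dport 22 accept
    }
}
EOF
}

# audit_accepts: read nft ruleset text on stdin and print one line per
# accept rule that matches on an IP address:
#   BROAD  <rule>  every protocol and port to/from that address is allowed
#   SCOPED <rule>  the rule also carries a layer-4 protocol or port match
audit_accepts() {
    awk '
    /accept/ && /ip (daddr|saddr)/ {
        rule = $0
        sub(/^[ \t]+/, "", rule)      # strip indentation
        sub(/;[ \t]*$/, "", rule)     # strip a trailing semicolon
        if (rule ~ /(tcp|udp) (dport|sport)/ || rule ~ /(meta l4proto|ip protocol)/)
            print "SCOPED " rule
        else
            print "BROAD " rule
    }'
}

# count_broad: number of BROAD rules in the ruleset text on stdin.
count_broad() {
    audit_accepts | grep -c '^BROAD ' || true
}

# Run against the constructed sample.
sample_rules | audit_accepts
```

On a live qube the same function can read the output of `sudo nft list chain ip qubes custom-input` instead of the sample.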