Awesome!
So how do I do #1?
I am getting a little uneasy here. Now that I booted up my PC and launched the VMs, forgetting to manually go to the Mullvad VPN qube and launch the VPN, the app VMs happily connected to the internet WITHOUT the Mullvad VPN. The Mullvad VPN proxy VMs all have the kill switch enabled.
How can I live without being able to trust it? Sometimes the kill switch seems to work, sometimes it doesn't work, and sometimes the whole proxy VM doesn't provide internet at all.
OK, I must have been doing it all wrong the whole time. I think I found out why.
This part:
Now we will add firewall rules to redirect DNS requests to 10.64.0.1 (the DNS on the VPN server) for all AppVMs that use the MullvadVPN ProxyVM.
Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the "vif" IP address will not be visible.
Still in the MullvadVPN Terminal:
ip a | grep eth0
So the problem is, when I type "ip a | grep eth0" in the MullvadVPN terminal, it only gives this:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 1 qlen 1000
inet 12.117.0.51/22 scope global eth0
It doesn't tell me the Mullvad address like it should, so I can't get the hijacking rules. Maybe this is why the kill switch never works? Any help please.
Are you using Qubes OS 4.1 or Qubes OS 4.2?
My qubes version is 4.2.
I just thought that maybe the kill switch problem could have been caused because I didn't have auto-start on boot enabled for the Mullvad VPN qube, but nope. It still happily connects without the VPN tunnel, even though Mullvad's WireGuard is not actually manually started yet (it shouldn't have access to the internet at this point because of the kill switch); the config file has the kill switch enabled.
Something weird is going on and I can't point out what is happening, because sometimes the Mullvad setup works normally (kill switch, providing internet to other qubes and so on) and sometimes it doesn't work like that, or some parts don't work, for example the kill switch or providing internet, even if I do the Mullvad proxy VM installation exactly the same way from start to finish.
So can someone say whether I am thinking of the impossible, or should it actually work like this when the Mullvad VPN has the kill switch enabled:
The app VM shouldn't be able to connect to the internet in any way when it has its networking set to "MullvadVPN" with the kill switch on?
This guide is using iptables instead of nftables so this may cause the problems.
You should apply proper nftables rules in a way that is supported by Qubes OS 4.2.
Is there a way to allow/pass traffic to local network IP addresses?
I got local networking part way there, hopefully someone can help me get the rest of the way.
In the wireguard .conf file I added the following to the [Interface] section
PreUp = ip route add 192.168.1.0/24 via 10.138.38.62 dev eth0
PostDown = ip route del 192.168.1.0/24 via 10.138.38.62 dev eth0
10.138.38.62 is sys-firewall's IP address.
And in /rw/config/qubes-firewall-user-script I made an exception for my local network (commented out the originals):
#iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -o ! -s 192.168.1.0/24 eth0 -j DROP
#iptables -I FORWARD -i eth0 -j DROP
iptables -I FORWARD -i ! -s 192.168.1.0/24 -j eth0 DROP
So now I can partially reach computers on my network, meaning I can ping... but I still can't ssh or browse websites hosted on my local network for some reason (such as my router's web interface)... hopefully someone smarter than me might be able to tell me why. I've gone as far as I can with Google and ChatGPT!
Are you trying to access the local services using domains instead of IP addresses?
Did you maybe configure the Qubes OS firewall in Qube Settings → Firewall to block all connections except the VPN IP address?
I am using IP addresses, not domain names. For example, I can ping 192.168.1.1 but can't ssh root@192.168.1.1.
And sys-firewall is on default settings, so it doesn't block any additional connections (that I know of). I have some qubes that use sys-firewall as the NetVM rather than my MullvadVPN qube (banking and such).
Do you have Qubes OS 4.1 or 4.2?
Are these the exact rules that you've used? There's an error here, but since ping works and everything else doesn't, it shouldn't be related.
I guess the correct rules for iptables should be like this:
iptables -I FORWARD -o eth0 ! -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -i eth0 ! -s 192.168.1.0/24 -j DROP
Thanks apparatus, I appreciate your recommendations! I'm on 4.2. I made your changes to no avail, but then the ping issue reminded me that Mullvad's guide on their website mentioned some commands that needed to be added via dom0 using the qvm-firewall command.
In dom0, I entered:
qvm-firewall MullvadVPN add --before 0 accept dsthost=192.168.1.0/24
And now it appears to be working: I can ssh to 192.168.1.1 and browse web servers on my local network, and all other traffic goes through the VPN. Thanks for helping me figure this out!
PS. I had previously tried using the Qubes Manager GUI and adding 192.168.1.0/24 to the list of permitted outbound connections on the Firewall tab, but it didn't work (as explained in the Mullvad guide on their website)... I think because adding it there just puts it at the end of the list, which puts it after the rule that drops anything left over. Using the command line so I can use "--before 0" was the fix I was missing!
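The thread's fixes are spread across iptables rules (which Qubes OS 4.2 no longer uses), a LAN route in the WireGuard config, and a dom0 qvm-firewall rule. Below is an added example (not from the thread, the Qubes OS documentation or Mullvad's guide) of how the ProxyVM-side part of that setup looks as an nftables ruleset for Qubes OS 4.2: the kill switch on the uplink, the DNS redirect to the resolver inside the tunnel from the guide quoted earlier, and the local-network exception. It deliberately creates its own table, "ip mullvad", instead of modifying the chains Qubes creates in table "ip qubes", so it does not depend on their names. The values VPN_SERVER, VPN_DNS, LAN, UPLINK and TUN, the table and chain names, and the MULLVAD_APPLY switch are assumptions for illustration; replace them with the values from your own WireGuard config and network.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mullvad/Qubes OS.
# Intended for /rw/config/qubes-firewall-user-script in the VPN ProxyVM
# on Qubes OS 4.2 (nftables). All values below are placeholders.
VPN_SERVER="${VPN_SERVER:-1.2.3.4}"      # Endpoint IP from the WireGuard config (assumed)
VPN_DNS="${VPN_DNS:-10.64.0.1}"          # resolver reachable inside the tunnel (from the guide)
LAN="${LAN:-192.168.1.0/24}"             # local network allowed to bypass the tunnel (assumed)
UPLINK="${UPLINK:-eth0}"                 # ProxyVM interface towards sys-firewall (assumed)
TUN="${TUN:-wg0}"                        # WireGuard interface name (assumed)

# Emit the ruleset. "table"/"delete table" first makes re-applying idempotent:
# the whole table is replaced atomically by `nft -f`.
build_ruleset() {
    cat <<EOF
table ip mullvad
delete table ip mullvad
table ip mullvad {
    chain forward {
        # priority -1: evaluated just before the Qubes filter chains (priority 0)
        type filter hook forward priority -1; policy accept;
        # LAN exception: AppVM traffic to/from the local network may leave via $UPLINK
        ip daddr $LAN accept
        ip saddr $LAN accept
        # kill switch: nothing forwarded for AppVMs may use the uplink directly;
        # traffic entering $TUN is unaffected because it is not oif $UPLINK
        oifname "$UPLINK" counter drop
        iifname "$UPLINK" counter drop
    }
    chain output {
        # the ProxyVM itself may only reach the VPN endpoint (and the LAN) on the uplink
        type filter hook output priority -1; policy accept;
        oifname "$UPLINK" ip daddr $VPN_SERVER accept
        oifname "$UPLINK" ip daddr $LAN accept
        oifname "$UPLINK" counter drop
    }
    chain dns_redirect {
        # priority -101: runs before the Qubes dstnat chain (priority -100),
        # so DNS from AppVMs goes to the tunnel resolver instead of the upstream one
        type nat hook prerouting priority -101; policy accept;
        iifname "vif*" udp dport 53 counter dnat to $VPN_DNS
        iifname "vif*" tcp dport 53 counter dnat to $VPN_DNS
    }
}
EOF
}

# Load the ruleset; refuses to run without root or nft so the script is safe to read/test elsewhere.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "apply_ruleset: need root and nft; nothing applied" >&2
        return 1
    fi
    build_ruleset | nft -f -
}

# MULLVAD_APPLY=1 loads the rules (as root in the ProxyVM); otherwise just print them for review.
if [ "${MULLVAD_APPLY:-0}" = "1" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Two caveats a practitioner should keep in mind. First, this covers IPv4 only (table family "ip"); if IPv6 is enabled in the qube, add the same rules for "ip6". Second, the dom0 step from the post above is still needed: the ProxyVM's own traffic is filtered by sys-firewall according to the VPN qube's qvm-firewall rules, so a LAN rule must be inserted there before the final drop (the "--before 0" command shown above), otherwise the LAN exception in the ProxyVM has nothing to let through. Verify with `nft list table ip mullvad` in the ProxyVM and check that the counters on the drop rules increase when you bring the tunnel down and try to browse from an AppVM.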
If you're using Qubes OS 4.2 then you need to change the iptables rules to nftables rules, because Qubes OS 4.2 uses nftables instead of iptables.
Iâm not sure your iptables rules are working at all.
Thanks for the reply. Can you say whether I have to put the "inet IP address" that I get with the command "ip a | grep eth0" in place of the "1.2.3.4" part?
And just replace sys-vpn with my VPN qube name?
I'm just wanting to be sure so I don't destroy anything now that I finally got my VPN qube working.
Change 1.2.3.4 to your VPN server IP address from the VPN config.
Yes.
Yes, this is awesome. Finally I got the working setup, kill switch and all.
Easiest is probably to look directly into your VPN configuration file, for example "remote" in the case of OpenVPN. Also see: Using Mullvad VPN in Qubes | Micah Lee.
And yes, replace sys-vpn with your VPN qube. (Note, in case you created a disposable VPN template, say sys-vpn-dvm: pay attention to actually reference the named disposable, say sys-vpn-disp.)