When I execute: sudo nano /rw/config/qubes-firewall-user-script
There is a notice that says:
This script is called at AppVM boot if this AppVM has the qubes-firewall service enabled. It is executed after the empty chains for the Qubes firewall
are created, but before rules for attached qubes are processed and inserted.
How are iptables rules supposed to work then, if there is no mention in the guide to add qubes-firewall service?
doesn't run automatically at boot time. You have to manually run it. Does anyone know how to run this script to automatically start Qubes services (not just for VPN)?
I added network-manager service in the qube setting. Then, from command line I added Wireguard config file using nmcli.
nmcli connection add type wireguard con-name server-wg0 ifname wg0 autoconnect yes
# nmcli connection import type wireguard file my-WG-conf-file
# nmcli connection up my-connection
Now the network manager auto starts after reboot, and the tunnel will be up. Network manager will also add a new icon for the VPN in the top bar.
how do you go about changing the server once this is done? you can change the proxy location but not the main server you're connecting to as far as i can tell. So if you get poor speeds through the first server you have to do these steps all over again? Qubes should definitely find a better way to implement privacy VPNs as if you're running Qubes that's probably pretty important to you.
Could you in theory, create multiple "mullvadVPN" Qubes like "MullvadVPN1, MullvadVPN2" etc. with different servers and assign them to different Qubes and just set each net-qube to which server you want for that particular Qube?
Hmmm… why waste 100+ Mb of hdd/ssd/nvme for a few bytes of config? This does not sound like an endorsement for QubesOS!
It would make more sense to have an "endpoint picker" in the same NetVM.
They are applied, but fail as the PR-QBS chain is missing.
You can verify that by running sudo /rw/config/qubes-firewall-user-script-iptables as unprivileged user in your VPN qube returning the following error to STDOUT:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
I came to this thread because I noticed wireguard wasn't automatically starting, so I had to add the setenforce 0 and setenforce 1 lines to rc.local.
My next issue is DNS leak. On the MullvadVPN template there is no leak according to mullvad.net/check. The current official instructions on the mullvad website don't have the part about installing the mullvad browser extension to setup the proxy.
So, it all seems to work now. Just summarizing my experience in case anyone runs into the same problem that I did. Thanks to Pawelek85 for the instructions and fiddler for the workaround.
Questions -
what are the security implications of these work arounds, if any?
Is there still a DNS leak in my Personal VM when using software other than firefox?
If the firewall rules are correct, it should work as expected. You can also add your VPN entry IP address to your VPN qube firewall to make sure that only requests going to the VPN IP can pass through (including DNS requests since they use the VPN tunnel).
You can look there for an example (follow the cli steps if you want more restrictive rules):
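The two failure modes discussed in this thread, rules that are "applied" but fail with "No chain/target/match by that name" because the PR-QBS chain does not exist yet, and DNS that keeps leaking past the tunnel, are easiest to catch if the firewall user script checks for the chain before touching it and reports loudly instead of letting iptables' stderr scroll by. The script below is an added example written for this thread, not the link the poster above refers to and not code from the Qubes project or Mullvad. It assumes a Mullvad-style in-tunnel resolver address (10.64.0.1), an upstream interface named eth0 and a WireGuard interface named wg0; all three are placeholders to replace with the values from your own qube. The rule-building functions only print rule lines, so they can be inspected on any machine; nothing is written to iptables unless the script is run as root with the --apply argument.

```shell
#!/bin/sh
# Added example (not from the thread, Qubes or Mullvad): helpers for a
# /rw/config/qubes-firewall-user-script that refuse to insert rules into a
# Qubes chain that is not there yet, instead of letting iptables fail with
# "No chain/target/match by that name" and leaving DNS un-redirected.
# The three values below are placeholders (assumptions), not thread data.
VPN_DNS="${VPN_DNS:-10.64.0.1}"   # assumed in-tunnel resolver of the VPN provider
UPLINK="${UPLINK:-eth0}"          # upstream (non-tunnel) interface of the VPN qube
TUN="${TUN:-wg0}"                 # WireGuard interface brought up by NetworkManager

# chain_present DUMP CHAIN -> exit 0 when the dump of "iptables -t nat -S"
# contains a "-N CHAIN" line, i.e. the chain has actually been created.
chain_present() {
    printf '%s\n' "$1" | grep -q -- "^-N $2\$"
}

# dns_redirect_rules RESOLVER -> prints the nat rules that send DNS from the
# attached qubes (vif+ interfaces) into the tunnel resolver, one per line.
dns_redirect_rules() {
    printf '%s\n' \
        "-t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination $1" \
        "-t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to-destination $1"
}

# killswitch_rules UPLINK -> prints filter rules that drop forwarded traffic
# trying to bypass the tunnel through the upstream interface (tunnel down).
killswitch_rules() {
    printf '%s\n' \
        "-I FORWARD -o $1 -j DROP" \
        "-I FORWARD -i $1 -j DROP"
}

# apply_rules -> real run only. Bails out (non-zero) when iptables is not
# usable or the PR-QBS chain is absent, so the problem is reported rather
# than hidden, then flushes PR-QBS and installs the rules above.
apply_rules() {
    dump=$(iptables -t nat -S 2>/dev/null) || {
        echo "iptables not usable here (not root, or no netfilter)" >&2
        return 1
    }
    if ! chain_present "$dump" PR-QBS; then
        echo "PR-QBS chain missing: is the qubes-firewall service enabled?" >&2
        return 1
    fi
    iptables -t nat -F PR-QBS
    dns_redirect_rules "$VPN_DNS" | while read -r rule; do
        # word-splitting $rule on purpose: each line is one argument vector
        iptables $rule
    done
    killswitch_rules "$UPLINK" | while read -r rule; do
        iptables $rule
    done
    echo "DNS for attached qubes now redirected to $VPN_DNS via $TUN"
}

# Only touch the live firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it with --apply from the firewall user script (or by hand as root) in the VPN qube; without the argument it only defines the functions, which is useful for checking the generated rule text before committing it. If it reports the chain missing, the qubes-firewall service is the first thing to check, exactly the situation described earlier in the thread.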
Hello. For some reason I'm having a hard time getting this command to show the vif address as it should. One time it went good and showed the ip address, but not anymore… Is it safe to use the vpn connection without doing this dns hijacking part?