I am getting little uneasy here. Now that i booted up my pc and launched the vms forgetting to manually go to the mullvad vpn and launch the vpn, now the app vms happily connected to internet WITHOUT mullvad vpn. Mullvad vpn proxy vms all has the killswitch enabled.
How can i live without being able to trust, sometimes the killswitch seems to work, sometimes it doesn’t work and sometimes the whole proxy vm doesn’t provide internet.
OK I must have been doing it all wrong all the time I think I found out why.
This part
Add DNS hijacking rules
Now we will add firewall rules to redirect DNS requests to 10.64.0.1 (the DNS on the VPN server) for all AppVMs that use the MullvadVPN ProxyVM.
Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the “vif” IP address will not be visible.
Still in the MullvadVPN Terminal:
To find out your MullvadVPN_local_IP address, run ip a | grep eth0
So the problem is, when i type “ip a | grep eth0” in the mullvad vpn terminal, it only gives this:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 1 qlen 1000
inet 12.117.0.51/22 scope global eth0
It doesn’t tell me the mullvad address like it should so I can’t get the hijacking rules, maybe this is why the killswitch never works? any help please
I just tought, that maybe the killswitch problem could’ve been caused because i didn’t have auto start on bootup on the mullvad vpn qube, but nope. It still happily connects without vpn tunnel, even tho the mullvad vpns wireguard is not actually yet manually booted up (shouldn’t have access to internet at this point because of killswitch), the config file has killswitch enabled.
Something weird is going on and I can’t point out what is happening, because sometimes the mullvad setup works normally, (killswitch, internet provide to other qubes and so on) and sometimes it doesn’t work like that, or some parts not work example killswitch or internet provide even if I do the mullvad proxy vm installation exactly the same way from start to finish.
This guide is using iptables instead of nftables so this may cause the problems.
You should apply proper nftables rules in a way that is supported by Qubes OS 4.2.
I got local networking part way there, hopefully someone can help me get the rest of the way.
In the wireguard .conf file I added the following to the [Interface] section
PreUp = ip route add 192.168.1.0/24 via 10.138.38.62 dev eth0
PostDown = ip route del 192.168.1.0/24 via 10.138.38.62 dev eth0
10.138.38.62 is sys-firewall’s IP address.
And in the /rw/config/qubes-firewall-user-script I made an exception for my local network (commented out the originals)
#iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -o ! -s 192.168.1.0/24 eth0 -j DROP #iptables -I FORWARD -i eth0 -j DROP
iptables -I FORWARD -i ! -s 192.168.1.0/24 -j eth0 DROP
So now I can partially reach computers on my network, meaning I can ping…but I still can’t ssh or browse websites hosted on my local network for some reason (such as my routers web interface)…hopefully someone smarter than me might be able to tell me why, I’ve gone as far as I can with google and chat gpt!
Are you trying to access the local services using domains instead of IP addresses?
Did you maybe configure Qubes OS firewall in Qube Settings → Firewall to block all connections except the VPN IP address?
I am using IP adress not domain names. For example I can ping 192.168.1.1 but cant ssh root@192.168.1.1
And sys-firewall is in default settings so doesn’t block connections any additional connections (that I know of) . I have some qubes that use sys-firewall as the NetVM rather than my MullvadVPN qube (banking and such).
Are these the exact rules that you’ve used? There’s an error here, but since ping works but everything else don’t then it shouldn’t be related.
I guess correct rules for iptables should be like this:
iptables -I FORWARD -o eth0 ! -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -i eth0 ! -s 192.168.1.0/24 -j DROP
Thanks apparatus I appreciate your recommendations! I’m on 4.2. I made your changes to no avail, but then the ping issue reminded me that Mullvad’s guide on their website mentioned some commands that needed to be added via dom0 using the qvm-firewall command.
And now it appears to be working: I can ssh to 192.168.1.1, browse webservers and on my local network, and all other traffic goes through the VPN. Thanks for helping me figure this out!
PS. I had tried previously using the QubesManager gui and adding 192.168.0/24 to the list of permitted outbound connects on the firewall tab, but it didn’t work (as explained in the mullvad guide on their website)…I think because adding it here just puts it at the end of the list which puts it after the rule that drops anything left over. Using the command line so I can use ‘–before 0’ was the fix I was missing!
If you’re using Qubes OS 4.2 then you need to change iptables rules to nftables rules, because Qubes OS 4.2 use nftables instead of iptables.
I’m not sure your iptables rules are working at all.
Easiest is probably to directly look into your vpn configuration file, for example remote in case of OpenVPN. Also see: Using Mullvad VPN in Qubes | Micah Lee .
And yes, replace sys-vpn with your VPN qube. (Note, in case you created a disposable vpn template - say sys-vpn-dvm: pay attention to actually reference the named disposable - say sys-vpn-disp. )