VPN instructions for 4.2

oijawyuh · September 3, 2023, 9:06am

Hi. Are the following instructions " ProxyVM as a VPN gateway using iptables and CLI scripts" still valid for Qubes 4.2? Or should iptables be changed to nftables? But what would that mean practically? What modifications should be made? Thank you.

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

moonlitOrca · September 3, 2023, 7:34pm

I also would like to know how this is handled. I have been using VPN qubes in 4.1 running mullvad based on their instructions here, but I saw in the above mentioned github post that the firewall is changing a bit in 4.2. Does anyone have information on practical application?

DVM · September 3, 2023, 7:45pm

iptables based rules for VPNs are not working anymore in 4.2, that’s one of the reason why I’m still on 4.1. There is an open pull request on github for qubes-vpn-support port to nftables but I don’t really know the status of it:

github.com/tasket/Qubes-vpn-support

Replace iptables with nftables

tasket:master ← 1cho1ce:replace-iptables-with-nftables

opened 07:01PM - 25 May 23 UTC

1cho1ce

+106 -41

Qubes dropped iptables support and replaced it with nftables: https://github.co…m/QubesOS/qubes-core-agent-linux/commit/28b95535c7cbd15543c804e822c0e4c997f5966e This pull request replaces iptables with nftables. Removed `allow established input` rules from `proxy-firewall-restrict` since they are already present in nft tables ip/ip6 qubes. TODO: Need to think of a better way to check in `--check-firewall` in `qubes-vpn-setup` script if the forward drop rules are present (or `proxy-firewall-restrict` script finished successfully).

code9n · September 5, 2023, 7:55pm

I’ve also been trying to get a vpn to work in Qubes 4.2 rc3

Trying to get an openvpn file to work using Qubes vpn support by Taskett:

But in a Fedora app qube it does not work, nor does any kill switch function. Web requests in an app qube just pass straight through the vpn qube.

In Debian it doesn’t work either but does block any internet connection.

In Fedora I got this error message when using the test command in Link Testing and Troubleshooting section of the README:

( GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS ) :

[user@sys-vpn vpn]$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt
2023-09-05 07:55:00 DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-09-05 07:55:00 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-09-05 07:55:00 WARNING: cannot stat file ‘userpassword.txt’: No such file or directory (errno=2)
Options error: --auth-user-pass fails with ‘userpassword.txt’: No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
[user@sys-vpn vpn]$

This worked very well in 4.0 and 4.1.

moonlitOrca · September 7, 2023, 12:32am

I do have at least some bright news for the guidance aspect in the future: I reached out to mullvad, a company that runs a VPN based in sweden and who also publishes guide pages (as noted in my above post) specifically for using their VPN in qubes, and they informed me that they are aware of the switch in qubes 4.2 to nftablles and they are already planning to create a guide once the official release of 4.2 is complete. Still, it would be awesome to get some guidance on how to use a VPN in the interim. I looked through the syntax for policies a bit, but I don’t really understand how to integrate that into qubes itself.

qubes · October 8, 2023, 3:24am

Hi, guys, any update on this situation? Do we have nftables based rules that can Tor before VPN? I’m looking for alternative to tasket’s Qubes-vpn-support. My daily work depends on this and it’s the only reason I can’t move on to 4.2.

code9n · October 14, 2023, 1:50pm

Yes this is the only thing stopping me upgrading to 4.2 as well. No vpn no 4.2.

Just tried remaking a tasket ‘Qubes vpn support’ qube but it still doesn’t work . . .

Does anyone know how to get a vpn working in 4.2?

Thanks.

solene · October 14, 2023, 1:52pm

Works fine for me Wireguard VPN setup

1choice · October 14, 2023, 1:54pm

You can try my PR:

code9n · October 14, 2023, 5:17pm

That’s great. Thanks @solene and @1choice, I’ll give one or both a try.

Tezeria · October 15, 2023, 4:10pm

@solene , do you know you’re amazing?!

solene · October 15, 2023, 4:20pm

Thanks

qub411 · October 16, 2023, 12:18am

Gave this a go in debian-12. Still getting the following error in the app VM when it starts:

iptables: Bad rule (does a matching rule exist in that chain?

This was after (1) doing the template install and (2) doing the app VM setup

1choice · October 16, 2023, 4:53am

I’ve just tried it with both template and AppVM install and with OpenVPN and Wireguard and it worked.
Are you sure that you’re using the Qubes-vpn-support with my patches?
You need to either download zip from this link:
GitHub - 1cho1ce/Qubes-vpn-support at replace-iptables-with-nftables
Or if you’re using git then:

git clone https://github.com/1cho1ce/Qubes-vpn-support.git
cd Qubes-vpn-support
git checkout replace-iptables-with-nftables

Or just:
git clone -b replace-iptables-with-nftables https://github.com/1cho1ce/Qubes-vpn-support.git

innout · October 16, 2023, 5:22am

Wow. This is amazing! Thank you!

Tezeria · October 16, 2023, 1:05pm

So, as I understand it, it will no longer be possible to use openvpn with qubes 4.2 unless you use this script? Do I understand?

1choice · October 16, 2023, 2:49pm

No, you can use OpenVPN in Qubes OS 4.2 even without this script. You just need to replace iptables rules with nftables rules.

Tezeria · October 16, 2023, 3:04pm

ok, nice
thanks for your answer @1choice

qub411 · October 18, 2023, 3:43am

Bit more debugging here. Yes I am definitely using your patched version, and I’m re-creating the app VM from scratch. After installing and restarting this I get the following error:

Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1384]: Error: No such file or directory
Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1384]: list chain ip qubes custom-forward
Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1384]: ^^^^^
Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1383]: Traceback (most recent call last):
Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1383]: File “”, line 46, in
Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1383]: File “”, line 9, in main
Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1383]: IndexError: list index out of range
Oct 18 12:56:23 test-vpn-new qubes-vpn-setup[1371]: Error: Firewall rule(s) not enabled!

Any ideas why?

1choice · October 18, 2023, 5:14am

It seems that you’re using minimal template but you don’t have required packages installed.
I think for debian-12-minimal it should be:
apt install qubes-core-agent-networking qubes-core-agent-network-manager wireguard openvpn xfce4-notifyd