VPN instructions for 4.2

Hi. Are the following instructions " ProxyVM as a VPN gateway using iptables and CLI scripts" still valid for Qubes 4.2? Or should iptables be changed to nftables? But what would that mean practically? What modifications should be made? Thank you.

2 Likes

I also would like to know how this is handled. I have been using VPN qubes in 4.1 running mullvad based on their instructions here, but I saw in the above mentioned github post that the firewall is changing a bit in 4.2. Does anyone have information on practical application?

iptables based rules for VPNs are not working anymore in 4.2, that’s one of the reason why I’m still on 4.1. There is an open pull request on github for qubes-vpn-support port to nftables but I don’t really know the status of it:

I’ve also been trying to get a vpn to work in Qubes 4.2 rc3

Trying to get an openvpn file to work using Qubes vpn support by Taskett:

But in a Fedora app qube it does not work, nor does any kill switch function. Web requests in an app qube just pass straight through the vpn qube.

In Debian it doesn’t work either but does block any internet connection.

In Fedora I got this error message when using the test command in Link Testing and Troubleshooting section of the README:

( GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS ) :

[user@sys-vpn vpn]$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt
2023-09-05 07:55:00 DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-09-05 07:55:00 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-09-05 07:55:00 WARNING: cannot stat file ‘userpassword.txt’: No such file or directory (errno=2)
Options error: --auth-user-pass fails with ‘userpassword.txt’: No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
[user@sys-vpn vpn]$

This worked very well in 4.0 and 4.1.

I do have at least some bright news for the guidance aspect in the future: I reached out to mullvad, a company that runs a VPN based in sweden and who also publishes guide pages (as noted in my above post) specifically for using their VPN in qubes, and they informed me that they are aware of the switch in qubes 4.2 to nftablles and they are already planning to create a guide once the official release of 4.2 is complete. Still, it would be awesome to get some guidance on how to use a VPN in the interim. I looked through the syntax for policies a bit, but I don’t really understand how to integrate that into qubes itself.

1 Like