VPN instructions for 4.2

… I do have a setup with open ports

Qube(dom0 connectTCP +XXXXX …) → vpn (open-port) → vpn → sys-firewall → sys-net.

What's affected here and how? I still don't think I have ever seen a leaked IP here (I am not testing this particular config that often tho…)

I don’t understand your setup based on this:

Describe it in more detail.
But at least for this:

Qube(dom0 connectTCP +XXXXX …)

This shouldn’t be affected because connectTCP will open port only for localhost connection and it’s not opened for external connections.

You may be affected if you’ve allowed incoming connections from any interface in the firewall rules.

The patched issue is not about IP leak. It's about a possibility of the VPN server connecting to the service running in the qube connected to sys-vpn.

In the vpn qube I have in /rw/config/rc.local the following:

nft add rule qubes custom-input tcp dport XXXXX accept
qvm-connect-tcp XXXXX:@default:XXXXX

And then in dom0 a policy under /etc/qubes/policy.d/30-user-networking.policy
with:

qubes.ConnectTCP +XXXXX openport-vpn @default allow target=qube

I have the vpn-qube with the open ports behind a vpn-qube with no open ports

Have I configured port forwarding the wrong way?
I am using qubes-vpn-support for both vpn qubes.

You don’t need this rule, qvm-connect-tcp will work without it because it’s a localhost connection and all localhost connections are allowed by default.
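As an added example (not from this thread, and not code from Qubes OS or qubes-vpn-support), here is a small POSIX shell audit for the rc.local pattern discussed above: it reads the output of `nft list chain ip qubes custom-input` and reports every rule that accepts traffic on a TCP/UDP dport without restricting the match to the loopback interface or a loopback source address. Such a rule is what would let the upstream side reach a service in the qube, and, as the reply says, qvm-connect-tcp does not need it. The chain listing embedded below is constructed, and the port numbers in it are hypothetical.

```shell
#!/bin/sh
# Added example for this thread, not code from Qubes OS or qubes-vpn-support.
# Reads an `nft list chain ip qubes custom-input` listing and reports every
# accept rule on a dport that is not limited to loopback (iif "lo" or a
# 127.x / ::1 source). Rules with other interface matches such as iifgroup
# are not interpreted and are reported too, so the check is conservative.

# Constructed sample listing with hypothetical ports. The first and fourth
# rules are exposed beyond loopback; the second and third are loopback-only.
SAMPLE_CHAIN='table ip qubes {
	chain custom-input {
		tcp dport 22222 accept
		iif "lo" tcp dport 33333 accept
		ip saddr 127.0.0.1 udp dport 44444 accept
		udp dport 55555 accept
	}
}'

# exposed_dports: chain listing on stdin -> one exposed port number per line.
# Exit status is 1 when at least one exposed rule was found, 0 otherwise.
exposed_dports() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *dport*accept*) ;;          # only accept rules on a dport matter
            *) continue ;;
        esac
        case "$line" in
            *'iif "lo"'*|*'ip saddr 127.'*|*'ip6 saddr ::1'*) continue ;;  # loopback-only
        esac
        port=$(printf '%s\n' "$line" | sed -n 's/.*dport \([0-9][0-9]*\).*/\1/p')
        if [ -n "$port" ]; then
            printf '%s\n' "$port"
            found=1
        fi
    done
    return "$found"
}

# audit_custom_input: run the check on a listing from stdin and print a verdict.
audit_custom_input() {
    if ports=$(exposed_dports); then
        echo "ok: no custom-input rule exposes a port beyond loopback"
    else
        echo "WARNING: custom-input accepts these dports from any interface:"
        printf '%s\n' "$ports" | sed 's/^/  dport /'
    fi
}

# Stand-alone run against the constructed sample. Inside a real sys-vpn you
# would pipe `nft list chain ip qubes custom-input` into audit_custom_input.
printf '%s\n' "$SAMPLE_CHAIN" | audit_custom_input
```

A rule in the form `tcp dport XXXXX accept` (the one from the rc.local above) is reported; rewriting it as `iif "lo" tcp dport XXXXX accept`, or simply dropping it, makes the audit pass.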

I assume I am leaking IPv6 DNS with this setup?
What’s the best way to test this setup / how did you test?

Right now there is no IPv6 Virtual DNS support in Qubes OS so the firewall rules related to it are just for the future when it’ll be implemented.
If you've enabled the IPv6 support for your qubes then you'll have to redirect the IPv6 DNS from the qubes connected to sys-vpn using something like this in sys-vpn:

nft add rule ip6 qubes dnat-dns iifgroup 2 tcp dport 53 dnat to YOUR_VPN_IPV6_DNS
nft add rule ip6 qubes dnat-dns iifgroup 2 udp dport 53 dnat to YOUR_VPN_IPV6_DNS

Ah got it. Currently I don’t have to do anything. Hopefully qubes-vpn-support is better maintained when virtual IPv6 DNS comes for Qubes OS

Thanks for your help as always!