VPN port forwarding

I have trouble getting port forwarding to work.

My setup is:
appvm → ivpn-gui → sys-firewall → sys-net

I am not sure what exactly I have to do, even after reading Firewall | Qubes OS

I even tried it in a normal Fedora Workstation (ISO install: Fedora+VPN → sys-firewall…) but it still doesn’t work.

Obviously I just want to forward the port from the VPN to a program in the appvm.

Maybe this can help you?

edit: sorry, please remove if possible, I posted in the wrong thread

I still have issues with the script you linked. My setup goes like this:
sys-net → sys-firewall → vpn-A → vpn-B → app-vm

As far as I understand I shouldn’t have to touch vpn-A?
Port forwarding from vpn-B to app-vm should work right?

You can try this instead if you have issues with what I linked before:

Nope, I don’t even get a connection between vpn-B and appvm with this. I really have no idea what I should do. This is probably an issue with the double VPN configuration. vpn-A does not support port forwarding and ICMP is dropped in its (Qubes) firewall.

Port forwarding can’t work if the VPN setup is not working from the beginning. What’s happening in the client AppVM? Can you ping a domain or an IP from the terminal?

The VPN works fine (just no port forwarding). Also, I get a connection via netcat between vpn-B and appvm when I open the ports in the appvm (first script you linked), just not with the qrexec method you mentioned. I would guess it is just port forwarding from the outside world that is not working correctly (first script).

If port forwarding comes from vpn-B, then it should work with qrexec. Make sure that the port is allowed through the VPN interface (iptables/nft), that qvm-connect-tcp is running on the same exact port and that your dom0 qrexec rule is correct, example:

qubes.ConnectTCP +62547 sys-vpn @default allow target=myappvm

I have this setup actually and it works (I only have one VPN qube, but it should work too if the port comes from the last VPN in the chain).

ivpn.net is putting an end to port-forwarding. I assume this is what you’re using as you mentioned ivpn-gui. Mullvad had already ended port-forwarding. Both have cited misuse and inability to crackdown on misuse due to no-logging.

  1. Create vpn-B, a standard new wireguard tasket qube in a normal app-vm

  2. create policy in Qubes OS:

    sudo vim /etc/qubes/policy.d/30-user-networking.policy

    [add:]

    qubes.ConnectTCP +XXXXX vpn-B @default allow target=appvm

  3. in vpn-B

    sudo vim /rw/config/rc.local

    [add-at-the-bottom:]

    iptables -I INPUT -p tcp --dport XXXXX -j ACCEPT
    qvm-connect-tcp XXXXX:@default:XXXXX

  4. create appvm (standard app-vm, just networking set to vpn-B)

  5. reboot Qubes OS

  6. in appvm

    nc -l XXXXX
    curl ip.me

  7. in another qube connected to another VPN

    nc [ip-address] XXXXX

  8. Doesn’t work

Make sure that nc is listening on the right port (sudo netstat -nltp); on some versions it binds to a random one even if you run that command.
I just tried with an AirVPN setup using the following VPN script and it works: GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS

sys-vpn:

sudo iptables -I INPUT -p tcp --dport 11111 -j ACCEPT
qvm-connect-tcp 11111:@default:11111

AppVM:

nc -l 11111

sudo netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:11111           0.0.0.0:*               LISTEN      2723/nc

Other AppVM with other VPN:

nc x.x.x.x 11111
Send "test"

On first AppVM side:

nc -l 11111
test

Since all VMs are independent, you can restart them without rebooting your computer.

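The checklist given earlier in the thread (same port in the dom0 policy, in the iptables rule, in qvm-connect-tcp, and on the listener) and the walkthrough above are easy to get subtly wrong, so here is a small offline consistency check. This is an added example, not code from the thread, from Qubes OS or from the tasket scripts: the policy line, the rc.local contents and the netstat line it parses are constructed samples modelled on the posts above, and `check_forwarding` and its helpers are hypothetical names. Run it with the real contents of the three files/outputs pasted into the variables and it reports the first place where the port numbers disagree.

```shell
#!/bin/sh
# Added example (not from the thread): verify that one port number is used
# consistently across the four places a Qubes qrexec port forward touches.
# All inputs below are constructed samples modelled on the thread.

# dom0: /etc/qubes/policy.d/30-user-networking.policy (constructed sample)
POLICY='qubes.ConnectTCP +11111 sys-vpn @default allow target=myappvm'

# sys-vpn: tail of /rw/config/rc.local (constructed sample)
RCLOCAL='iptables -I INPUT -p tcp --dport 11111 -j ACCEPT
qvm-connect-tcp 11111:@default:11111'

# AppVM: output of "sudo netstat -nltp" while "nc -l 11111" runs (constructed)
NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:11111           0.0.0.0:*               LISTEN      2723/nc'

# Port from the qrexec policy argument ("+11111" -> "11111").
policy_port() {
  printf '%s\n' "$1" |
    awk '$1=="qubes.ConnectTCP" && substr($2,1,1)=="+" { print substr($2,2); exit }'
}

# Port opened by the iptables INPUT rule (--dport value).
iptables_port() {
  printf '%s\n' "$1" |
    awk '$1=="iptables" { for (i=1; i<=NF; i++) if ($i=="--dport") { print $(i+1); exit } }'
}

# Local and remote ports of "qvm-connect-tcp LOCAL:@default:REMOTE", space separated.
connect_tcp_ports() {
  printf '%s\n' "$1" |
    awk '$1=="qvm-connect-tcp" { split($2, a, ":"); print a[1], a[3]; exit }'
}

# Port of the first LISTEN socket in netstat output ("0.0.0.0:P" or ":::P").
listen_port() {
  printf '%s\n' "$1" |
    awk '$6=="LISTEN" { n=split($4, a, ":"); print a[n]; exit }'
}

# Returns 0 when policy, iptables, qvm-connect-tcp and the listener all agree,
# otherwise prints the first mismatch and returns 1.
check_forwarding() {
  policy=$1; rclocal=$2; netstat=$3
  pp=$(policy_port "$policy")
  ip=$(iptables_port "$rclocal")
  lp=$(connect_tcp_ports "$rclocal" | awk '{ print $1 }')
  rp=$(connect_tcp_ports "$rclocal" | awk '{ print $2 }')
  np=$(listen_port "$netstat")
  [ -n "$pp" ] || { echo "no qubes.ConnectTCP line in the policy"; return 1; }
  [ "$ip" = "$pp" ] || { echo "iptables --dport '$ip' != policy port $pp"; return 1; }
  [ "$lp" = "$pp" ] || { echo "qvm-connect-tcp local port '$lp' != policy port $pp"; return 1; }
  [ "$rp" = "$pp" ] || { echo "qvm-connect-tcp remote port '$rp' != policy port $pp"; return 1; }
  [ "$np" = "$pp" ] || { echo "listener is on '$np', not $pp (nc bound to a random port?)"; return 1; }
  echo "ports consistent: $pp"
}

check_forwarding "$POLICY" "$RCLOCAL" "$NETSTAT"
```

The last check is the one the thread keeps coming back to: if nc picked a random port, the policy and the tunnel can be perfect and the connection still times out.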

I checked, it is listening on the correct port.

I am also using AirVPN with tasket (vpn-B), could you tell me what exact configuration you generated?
Maybe you could also try a double vpn configuration like me? (for good measure also with a different vpn provider)

AppVM:

nc -lv 11111

vpn-B :

echo test | nc x.x.x.x 11111

nc x.x.x.x 11111
Send "test"

gives me a timeout error

I don’t have to reboot when I add/edit policies in dom0

/etc/qubes/policy.d/30-user-networking.policy

?

I used the generator available here: Config Generator - AirVPN
I selected “Linux”, “Wireguard” and 1 server.

I was using that setup too, Mullvad first and then AirVPN last in the chain (sys-net → sys-firewall → sys-mullvad → sys-airvpn → AppVM)

If you use tasket scripts, you can’t access internet from inside the VM. Use 2 AppVM:

  • One connected to the AirVPN ProxyVM (the one you have set in dom0 for target), it will listen for incoming packets (nc -l 11111)
  • One connected to another network/VPN, it will connect to the remote IP and port (nc x.x.x.x 11111)

Qrexec rules are “loaded” instantly, you don’t need to reboot for them to be used.


I created a new config like yours (just changed the MTU to 1280)
Did you modify the port settings in airvpn?

I can still install software and curl in the tasket-vm?

and sorry I meant to say that I used the appvm for listening

I only have to open the firewall via iptables on vpn-B right? (Not the appvm)

I still get the timeout error in the connect-to-port-vm (I am using the mullvad-wireguard guide for this vm)

And just to verify, you are using Qubes 4.1?

How can I verify that the qrexec policy loaded/working? (they need to end in “.policy” right?)

The configuration was never edited after downloading it from the generator.

Well, that’s strange. It shouldn’t work unless you allowed it somehow.

Yes.

Yes I’m running 4.1

If the policy is there, it will work. Add your networking related policy in /etc/qubes/policy.d/30-user-networking.policy


I meant under airvpn.org/ports, selecting TCP only or something (where you get the port).

The only “unusual” thing I have done is create a symlink from vpn-client.conf to the home directory.
I have installed tasket on multiple different machines and I was always able to curl. Am I somehow too stupid to set up tasket, or is tasket not working properly for me?

My ports are assigned to my AirVPN “device”. All the other settings are default.

It seems that when Wireguard is used, it allows external traffic, so it’s “normal behavior”. The qubes traffic is still routed through the VPN, so it’s fine.


mmmh, so what should I do now to continue troubleshooting?

Can you explain in detail how you did your setup from start to finish (template type, commands used and what was edited/installed in the VM and in dom0)?

I’ve done this setup 3 times so far with newly generated WG configuration and port and it worked each time. Something is missing somewhere in your setup so we need to know where’s the issue.
