Vpn port forwarding

I have trouble getting port forwarding to work.

My setup is:
appvm → ivpn-gui → sys-firewall → sys-net

I am not sure what exactly I have to do, even after reading Firewall | Qubes OS

I even tried it in a normal FedoraWorkstation(ISO install(Fedora+VPN → sys-firewall…) but still doesn’t work.

Obviously I just want to forward the port from the VPN to a program in the appvm.

Maybe this can help you?

edit: sorry please remove if possible, I posted in the wrong thread

I still have issues with the script you linked. My setup goes like this:
sys-net → sys-firewall → vpn-A → vpn-B → app-vm

As far as I understand I shouldn’t have to touch vpn-A?
Port forwarding from vpn-B to app-vm should work right?

You can try this instead if you have issues with what I linked before:

Nope, don’t even get a connection between vpn-B and appvm with this. I really have no idea what I should do. This is probably an issue with the double vpn configuration. vpn-A does not support port-forwarding and icmp is dropped in it’s (qubes) firewall.

Port forwarding can’t work if the VPN setup is not working from the beginning. What’s happening in the client AppVM? Can you ping a domain or an IP from the terminal?

vpn works fine (just no portforwarding) . Also I get a connection via netcat between vpn-B and appvm when i open the ports in the appvm(first script you linked), just not with the qrexec method you mentioned. Just portforwarding from the outside world is not working correctly I would guess (first script)

If port forwarding comes from vpn-b, then it should work with qrexec. Make sure that the port in allowed through the VPN interface (iptables/nft), that qvm-connect-tcp is running on the same exact port and that your dom0 qrexec rule is correct, example:

qubes.ConnectTCP +62547 sys-vpn @default allow target=myappvm

I have this setup actually and it works (I only have 1 VPN qube but it should work too if the port comes from the last VPN in the chain).

ivpn.net is putting an end to port-forwarding. I assume this is what you’re using as you mentioned ivpn-gui. Mullvad had already ended port-forwarding. Both have cited misuse and inability to crackdown on misuse due to no-logging.

  1. Create vpn-B, standard new wireguard tasket qube in a normal app-vm

  2. create policy in qubes os:

    sudo vim /etc/qubes/policy.d/30-user-networking.policy


qubes.ConnectTCP +XXXXX vpn-B @default allow target=appvm

  1. in vpn-B

    sudo vim /rw/config/rc.local


  iptables -I INPUT -p tcp --dport XXXXX -j ACCEPT
  qvm-connect-tcp XXXXX:@default:XXXXX
  1. create appvm (standard app-vm just networking set to vpn-B)

  2. reboot Qubes-OS

  3. in appvm

nc -l XXXXX
curl ip.me
  1. in another qube connected to another vpn

nc [ip-address] XXXXX

  1. Doesn’t work

Make sure that nc is listening on the right port (sudo netstat -nltp), on some version it binds to a random one even if you do that command.
I just tried with an AirVPN setup using the following VPN script and it works: GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS


sudo iptables -I INPUT -p tcp --dport 11111 -j ACCEPT
qvm-connect-tcp 11111:@default:11111


nc -l 11111

sudo netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 *               LISTEN      2723/nc

Other AppVM with other VPN:

nc x.x.x.x 11111
Send "test"

On first AppVM side:

nc -l 11111

Since all VMs are independent, you can restart them without rebooting your computer.

1 Like

checked it is listening on the correct port.

I am also using AirVPN with tasket (vpn-B), could you tell me what exact configuration you generated?
Maybe you could also try a double vpn configuration like me? (for good measure also with a different vpn provider)


nc -lv 11111

vpn-B :

echo test | nc x.x.x.x 11111

nc x.x.x.x 11111
Send "test"

gives me timeout error

I don’t have to reboot when I add/edit policys in dom0



I used the generator available here: Config Generator - AirVPN
I selected “Linux”, “Wireguard” and 1 server.

I was using that setup too, Mullvad first and then AirVPN last in the chain (sys-net → sys-firewall → sys-mullvad → sys-airvpn → AppVM)

If you use tasket scripts, you can’t access internet from inside the VM. Use 2 AppVM:

  • One connected to the AirVPN ProxyVM (the one you have set in dom0 for target), it will listen for incoming packets (nc -l 11111)
  • One connected to another network/VPN, it will connect to the remote IP and port (nc x.x.x.x 11111)

Qrexec rules are “loaded” instantly, you don’t need to reboot for them to be used.

1 Like

I created a new config like yours (just changed the MTU to 1280)
Did you modify the port settings in airvpn?

I can still install software and curl in the tasket-vm?

and sorry I meant to say that I used the appvm for listening

I only have to open the firewall via iptables on vpn-B right? (Not the appvm)

I still get the timeout error in the connect-to-port-vm (I am using the mullvad-wireguard guide for this vm)

And just to verify you are using Qubes 4.1 ?

How can I verify that the qrexec policy loaded/working? (they need to end in “.policy” right?)

The configuration was never edited after downloading it from the generator.

Well, that’s strange. It shouldn’t work unless you allowed it somehow.


Yes I’m running 4.1

If the policy is there, it will work. Add your networking related policy in /etc/qubes/policy.d/30-user-networking.policy

1 Like

I meant under airvpn org/ports. Selecting tcp only or something (where you get the port)

The only “unsual” thing I have done is create a sym link from vpn-client.conf to the home directory.
I have installed tasket on multiple different machines and I was always able to curl. Am I somehow to stupid to set up tasket / is tasket not properly working for me?

My ports are assigned to my AirVPN “device”. All the other settings are default.

It seems that when Wireguard is used, it allow external traffic so it’s a “normal behavior”. The qubes traffic is still routed through the VPN so it’s fine.

1 Like

mmmh so what should I do now to continue toubleshooting?

Can you explain in detail how you did your setup from start to finish (Template type, command used and what was edited/installed in VM and dom0)?

I’ve done this setup 3 times so far with newly generated WG configuration and port and it worked each time. Something is missing somewhere in your setup so we need to know where’s the issue.

1 Like