Vpn port forwarding

chop · July 7, 2023, 11:27am

Okay will do. Thanks for sticking with me. I will reply in ~10 hours have something to do right now.

DVM · July 7, 2023, 12:16pm

I have some time so I’ll write all the steps I’ve taken to make this work, if you follow it you should be able to make it work.

Create a new device on AirVPN
Create a new port and assign it to the previously created device (My port will be 11111)
Clone the Debian-11 template and name it something like “debian-11-vpn”

Start the template and install both wireguard and openresolv

sudo apt update && sudo apt install wireguard-tools openresolv

Turn off the template
Create a new AppVM based on debian-11-vpn named sys-airvpn
In “Advanced”, check “Provides network” and add a new custom service “vpn-handler-wg”
Start the AppVM and git clone the following repo: git clone https://github.com/tasket/Qubes-vpn-support
Run sudo mkdir -p /rw/config/vpn, go in the repo directory and run sudo bash ./install (leave everything empty when asked)
Run this command: sudo mv /rw/config/qubes-vpn-handler.service.d/10_wg.conf.example /rw/config/qubes-vpn-handler.service.d/10_wg.conf
Go on the AirVPN configuration generator page and create a new wireguard configuration (Linux → Protocol Wireguard → Select a single server (will be “Dalim” for me) → Download)
Move the config file to sys-airvpn
On sys-airvpn, install the configuration: sudo cp /path/to/file.conf /rw/config/vpn/vpn-client.conf
Restart sys-airvpn, once restarted open a terminal and check if you have a handshake using sudo wg
Create a new AppVM called “CLIENT”, based on Fedora and set “sys-airvpn” as netvm
Open a dom0 terminal and edit the following file: vi /etc/qubes/policy.d/30-user-networking.policy
```
qubes.ConnectTCP +11111 sys-airvpn @default allow target=CLIENT
```

On sys-airvpn, edit the file sudo vi /rw/config/rc.local and add the following lines before exit 0

# Port forwarding
iptables -I INPUT -p tcp --dport 11111 -j ACCEPT
qvm-connect-tcp 11111:@default:11111

Restart sys-airvpn
Start the CLIENT AppVM, get the current external IP address curl ipinfo.io and then run the following command: nc -l 11111
Start a new DispVM, it needs to be on a different network (other VPN or direct internet access)
In this DispVM, run this command: nc <External IP from CLIENT> 11111
Write “Test” then send with “enter”
“Test” should appear on AppVM CLIENT

With all of that you should be able to get this working. Replace 11111 with your assigned port and then change “CLIENT” to another VM when you get this working first.

chop · July 7, 2023, 10:21pm

Thanks will try this now. Regarding notable changes in dom0:

I tried to get graphics-passtrough working (https://github.com/Qubes-Community/Contents/blob/master/docs/customization/gaming-hvm.md) (didn’t get it working)
so I patched xen:

github.com

Qubes-Community/Contents/blob/master/docs/customization/gaming-hvm.md#patching-stubdom-linux-rootfsgz

# Create a Gaming HVM

## Hardware

To have an 'HVM' for gaming, you must have

-   A dedicated GPU. By dedicated, it means: it is a secondary GPU, not
    the GPU used to display dom0. In 2023, 'Nvidia' and 'Amd' GPU work.
    Not tested with Intel GPUs.

-   A screen available for the gaming 'HVM'. (It can be a physical
    monitor or just to have multiple cables connected to the screen and
    switching between input source)

-   Dedicated gaming mouse and keyboard.

-   A lot of patience. GPU passthrough is not trivial, and you will need
    to spend time debugging.

## IOMMU Group

This file has been truncated. show original

Regarding installed software I HAD installed i3 and a localization package.

chop · July 8, 2023, 12:11am

Sorry that this is a bit badly written (very tired) I followed your Instuction pretty much exactly

What I have done:

install wireguard-tools and openresolv in clean Debian-Template
create new device on airvpn
create a new port and asign it to the device
create a new appvm based on the template: sys-airvpn
provides network, and added vpn-handler-wg to the appvm (network to a mullvad-guide proxy-vm)
Cloned tasket, created the folder, cd into it, installed it.
Created a new config (Linux > Wireguard > choose the device (you forgot that point)> single server)
renamed 10_wg.conf.example to 10_wg.conf
moved the vpn-config to sys-airvpn and mv it to /rw/config/vpn
changed MTU of the config to 1280
restart the sys-airvpn and checked for handshake
created a new appvm called “CLIENT” based on Fedora and set networking to sys-airvpn
In dom0 edit the file /etc/qubes/policy.d/30-user-networking.policy
add: qubes.ConnectTCP +11111 sys-airvpn @default allow target=CLIENT
In sys-airvpn, edit /rw/config/rc.local and add at the end of the file but before exit 0:


    systemctl --no-block start qubes-vpn-handler.service

    # Port forwarding
    iptables -I INPUT -p tcp --dport 11111 -j ACCEPT
    qvm-connect-tcp 11111:@default:11111

    exit 0

restart sys-airvpn
start CLIENT, get the current ip and start nc -l 11111
start other app-vm (behind another mullvad-guide proxy-vm)
nc x.x.x.x 1111
type “test”
It’s f working!!!

Holy shit I have halfheartedly tried to get this working for years no idea what I was always doing wrong (I still don’t know what I did wrongly) but I finally got this working.

Thank you so much!!!

DVM · July 8, 2023, 12:41am

Glad it’s working for you now!