They are all enabled by default, which creates interesting results, but you certainly want to uncheck “automatically connect at boot” for each of them.
Not sure I understand: do you mean in this case all of them are used at the same time? If yes, I think the websites can get angry? For this reason you advise me to uncheck “automatically connect at boot”.
About “automatically connect at boot”, how can I do it? I read your guide but didn’t understand, because from the GUI in sys-vpn I have “automatically connect at boot” only for the AppVM, right? I can’t select a single connection… mmm
thank you
@solene, with “automatically connect at boot” do you mean the flag from the GUI first tab in the sys-vpn AppVM?
In this case I need to connect 1 VPN of my choice manually, right?
Thank you
I mean the setting in network manager when you open the VPN settings.
Ah, found it: editing “the network icon on the panel”, select the WireGuard connections that I don’t want to use, and from settings deselect “connect automatically with priority”, is it right? If yes, maybe you can put this note into the guide so for noobies it will be more clear?
Then I have a question for you:
What if we leave “automatically connect with priority” but change the priority?
e.g.: vpn1 priority 0, vpn2 priority 2, etc.
Do you know what happens in this case? Is priority like a fallback?
I thought to do it in this way, because if vpn1 is offline (server maintenance) the PC maybe can automatically route to vpn2? Or doesn’t it work in this way?
Sorry if I ask a lot of questions, just to understand and maybe improve / have more options for the guide depending on the user’s goal.
thanks so much
And I have a question about the last part of the guide, “Hardening (optional) / Killswitch and Prevent DNS leak”: why do we need to do this step if we already ran the following commands with qvm-firewall in dom0? Thank you
qvm-firewall sys-vpn reset                      # (1) back to the default rule set: a single accept-all rule (rule 0)
qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (2) allow traffic to the VPN server only
qvm-firewall sys-vpn del --rule-no 0            # (3) drop the default accept-all rule, so everything else is denied
This is an extra layer of safety. It could be useful if qvm-firewall are reset for whatever reason, or if you make a mistake like using a netvm that does not support firewall rules (like a custom qube or sys-whonix).
# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
# nat chain hooked at prerouting: sees packets arriving from the client qubes' vif interfaces before routing
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
# rewrite the destination of every DNS query (TCP and UDP) coming from a downstream qube
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat to "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat to "$DNS"
Where does this section go? Into /rw/config/qubes-firewall-user-script?
Also shouldn’t it be enough to set
qvm-firewall "$HOSTNAME_TARGET" add --before "$counter" drop specialtarget=dns
qvm-firewall "$HOSTNAME_TARGET" add --before "$counter" drop proto=icmp
to prevent dns leaks?
Also to switch currently running configs you should just be able to run this again after boot
RANDOM_VPN=$(nmcli connection show | awk '/wireguard/ { print $1 }' | sort -R | head -n 1)
nmcli connection up "$RANDOM_VPN"
without complications?
Should work there too, but I’m not sure under which circumstances this script is started? Isn’t it required to enable the qubes-firewall service in the settings?
The command above will redirect incoming DNS requests to the server you want; this is different from blocking the DNS requests done from the VPN qube. It’s a “catch DNS queries” rule that will take all DNS queries from the qubes using this VPN qube as their netvm and redirect them to the place you want.
I think this part could be greatly improved. I still don’t really understand how DNS works in Qubes OS, so I came up with this, which works fine but is not really elegant…
No, some piece of code would be needed to stop the VPN before enabling a new one.
# disconnect: the DEVICE column (last field) is only set for connections that are up
CURRENT_VPN=$(nmcli connection show | grep wg- | awk '$NF ~ /wg/ { print $1 }')
if [ -n "$CURRENT_VPN" ]; then
    nmcli connection down "$CURRENT_VPN"
    sleep 1
fi
# connect: pick one of the WireGuard connections at random
RANDOM_VPN=$(nmcli connection show | awk '/wireguard/ { print $1 }' | sort -R | head -n 1)
nmcli connection up "$RANDOM_VPN"
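As an added example (not from the guide or this thread), here is a POSIX shell version of that switch logic that parses nmcli's terse output by column, so TYPE and DEVICE are checked explicitly rather than grepping for "wg" anywhere in the line; it never brings a second tunnel up while one is active, and it leaves the current tunnel alone when there is nothing to switch to. The NMCLI variable is an assumed override hook so the logic can be exercised without Network Manager present.

```shell
#!/bin/sh
# Added example: switch Network Manager WireGuard tunnels without ever having
# two tunnels up at once (two tunnels forwarding through each other is the
# broken state described in the thread).

NMCLI=${NMCLI:-nmcli}   # assumed override hook so the logic can run offline

# NAME:TYPE:DEVICE per line; DEVICE is empty for connections that are down.
# (nmcli -t escapes ':' inside values as '\:'; names with colons would need
# unescaping, which is not handled here.)
list_connections() {
    "$NMCLI" -t -f NAME,TYPE,DEVICE connection show
}

# Names of WireGuard connections that are currently bound to a device.
active_wg() {
    printf '%s\n' "$1" | awk -F: '$2 == "wireguard" && $3 != "" { print $1 }'
}

# Names of WireGuard connections that are configured but not up.
inactive_wg() {
    printf '%s\n' "$1" | awk -F: '$2 == "wireguard" && $3 == "" { print $1 }'
}

# Bring every active tunnel down, then bring one random inactive tunnel up.
# If there is nothing to switch to, leave the current tunnel untouched
# rather than ending with no VPN at all.
switch_vpn() {
    listing=$(list_connections) || return 1
    target=$(inactive_wg "$listing" | shuf -n 1)
    if [ -z "$target" ]; then
        echo "switch_vpn: no inactive WireGuard connection to switch to" >&2
        return 1
    fi
    active_wg "$listing" | while IFS= read -r name; do
        "$NMCLI" connection down "$name"
    done
    sleep 1
    "$NMCLI" connection up "$target"
}
```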
Currently there are way too many fragmented solutions for VPN setups. Wish there would be a more official solution. Used qubes-vpn-support until recently, but somehow something went wrong with a new qube and I am too lazy to fix it, especially regarding how it’s abandoned at this point anyway.
Will this guide work with ipv6 vpn servers?
Maybe, you would have to enable IPv6 support in all qubes from the VPN qube to sys-net. The firewall rules should be duplicated for IPv6 too.
I like how much less complex this guide is, but in qubes-vpn-support this is the “killswitch” (I know it’s still iptables): Qubes-vpn-support/files-main/proxy-firewall-restrict at master · tasket/Qubes-vpn-support · GitHub
Do these 2 lines really provide the same level of security?
Also, you mean to activate qubes-firewall in the Services tab, correct?
I’m not sure it’s useful. Now that I’m writing about it, I think this makes the qubes firewall script restart when you change the netvm or something like that.
this does the same thing to me
What does happen if you up 2 connections at the same time? Does it just error out?
nmcli connection up "$RANDOM_VPN"
I have no idea how Network Manager / Linux handles this. I tried to understand and gave up.
From last experiment, networks break, first guess is that both VPN are trying to forward data through each other, which does not work.
Alright thanks for your time. Will set this up now.
I think removing Network Manager from this guide would be a good choice. It seems too complicated and bloated just to set up a VPN, especially from a minimal template.
Using wg-quick instead should be fairly easy, no? If I have the time I will try that. As far as I can tell there is no reason to use Network Manager?
Okay, this works easily with wg-quick. Please tell me if I missed something critical:
- Debian minimal template:
apt install qubes-core-agent-networking wireguard wireguard-tools alacritty libnotify-bin notification-daemon unzip resolvconf
- If Network Manager is installed, apply WireGuard - ArchWiki
- In rc.local:
wg_conf_location="/home/user/wireguard"
mkdir -p /etc/wireguard
# pick one of the stored WireGuard configs at random and start it with wg-quick
if [ -d "$wg_conf_location" ]; then
    # the configs hold private keys: owner-only permissions, owned by root
    chmod -R 0600 "$wg_conf_location" && chmod 0700 "$wg_conf_location"/ && chown -R root:root "$wg_conf_location"
    cp "$(find "$wg_conf_location" -type f -print0 | shuf -z -n 1 | tr -d '\0')" "/etc/wireguard/current.conf" && \
        systemctl start wg-quick@current.service
fi
- Add WireGuard configs into dir “$wg_conf_location”
- Adding rules into the WireGuard config like this would probably supply even more security? (taken from the IVPN guide, it’s not nftables)
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
How can I apply these rules to the current interface?
No wait, these drop all outgoing packets to eth0?
So it should be fine?
The interface in a qube that goes toward sys-net in the chain is always eth0.
Yes, you can use wg-quick
Sorry I meant current in the sense the interface created from current.conf.
Wg-quick works nice.