Software version sadly doesn’t matter. It just does not work…
I now created an install script and helper scripts for a network manager qube (3-5 steps). Instead of rc.local it uses a separate systemd service. I could share it if you are interested.
If anybody has any idea why ProtonVPN does not work properly with wg-quick, pls do tell. Mullvad works without issues. ICMP works and once a single curl request also got through.
I would really like to avoid network manager. The template is like twice the size.
Did you try this @Mirai ?
Sorry, when I mentioned above that software version doesn’t matter I meant that I tried Fedora and Debian.
Please can you make one guide for OpenVPN? And to work with Qubes R4.3
and must be leak proof and everything
@solene hello! how to create firewall if endpoint=domain name:port, for example, engage.cloudflareclient.com:2408 ?
Just type engage.cloudflareclient.com in the address field of the firewall. It will be resolved by the qube’s netvm at startup. If the IP changes over time, it won’t work until you reload the firewall rules. I don’t remember the command, maybe qvm-firewall --reload from dom0.
That’s correct, qvm-firewall --reload VM_NAME will refresh the DNS names. Can be put in a crontab entry and run every N minutes (5? 10? 15? 60? - depending on the use case).
@solene I would extremely appreciate it if, when you test WireGuard with ProtonVPN again someday, you would also quickly try if wg-quick works for you. Just if you feel like it, can also wait a couple of months.
Tested with
Qube created:
nmcli conn import type wireguard file test.conf
It’s working fine for me.
I didn’t try implementing the DNS redirect or killswitch.
Were you replying to me?
I meant getting the connection up via something like this:
chmod -R 0600 "$wg_conf_location" && chmod 0700 "$wg_conf_location"/ && chown -R root:root "$wg_conf_location" && \
cp "$(find "$wg_conf_location" -type f -print0 | shuf -z -n 1 | tr -d '\0')" "/etc/wireguard/current.conf" && \
systemctl start wg-quick@current.service
and not nmcli.
Yes, I was replying to you, and I indeed used nmcli
duuuh
I’ll try in a few hours
It works perfectly fine for me using wg-quick up $config_file, however DNS was not working, I tried two solutions and both worked:
I also added the killswitch snippet, it works really fine.
I also double checked
wg-quick down testconfig
Thanks a lot, seems like there is indeed an error in how I set up my templates / setup scripts. But I do wonder why Mullvad works and Proton does not…
I also once tried to set up DNS like this:
cat <<'EOF' > /rw/config/qubes-firewall-user-script
#!/bin/sh
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
# ---
# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
# ---
EOF
Is that what you have done to get DNS working?
Yes I copied and pasted exactly the content from the guide.
If you still have the qube set up, could you try if this maybe is an issue with starting it up via systemd?
You have no issues with the MTU?
Did you use the wg-quick systemd template to start it?
Yes. You can copy any WireGuard config to /etc/wireguard and then immediately start it up with
systemctl start wg-quick@$config_name.service
Do you have resolvconf or openresolv installed?
As always, I can get a connection inside the qube (VPN up) but every qube connected to it fails.
Okay, seems like this is a DNS issue. Setting /etc/resolv manually in the qubes after it works. But it does not make a difference whatever I try to set in the VPN qube itself…