Wireguard VPN setup

I didn’t know about GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS, but I don’t really understand what it brings compared to a simpler setup using NetworkManager :slight_smile:

There are many ways to achieve a VPN qube; I provided a pretty vanilla one.

Works fine with a debian-12-minimal-based disposable. The only packages you need to install are qubes-core-agent-networking and qubes-core-agent-network-manager (with --no-install-recommends).

In the disposable template, set the killswitch firewall rules and import the configs. The only difference from Fedora is that you need to import the WireGuard configs as root and set up autoconnect from the command line. Use the command nmcli c to list connections and nmcli connection modify <connection-name> autoconnect no to disable autoconnect. Leave only one VPN connection with autoconnect enabled, or it won’t work at startup.

Also, you need to autostart NetworkManager in the disposable template by choosing “custom” in the Services tab and manually typing network-manager in.

3 Likes
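The nmcli steps above (list the connections, leave exactly one WireGuard connection with autoconnect enabled) as an added example, not code from the original post. It works on the terse output of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`, so it can be checked offline against a constructed sample; the function names and the connection names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. It turns the nmcli steps above
# into a checkable plan. The input is the terse output of
#   nmcli -t -f NAME,TYPE,AUTOCONNECT connection show
# which prints one NAME:TYPE:AUTOCONNECT line per connection.

# Constructed sample of that output (connection names are made up).
SAMPLE_NMCLI='eth0:ethernet:yes
wg-ch1:wireguard:yes
wg-de2:wireguard:yes
wg-nl3:wireguard:no'

# How many WireGuard connections currently autoconnect; anything other
# than 1 means the template will not bring the VPN up reliably at boot.
wg_autoconnect_count() {
    awk -F: '$2 == "wireguard" && $3 == "yes" { n++ } END { print n + 0 }'
}

# Print the nmcli commands needed so that only the connection named in $1
# autoconnects. Non-WireGuard connections (e.g. ethernet) are left alone.
autoconnect_plan() {
    keep="$1"
    awk -F: -v keep="$keep" '
        $2 != "wireguard" { next }
        $1 == keep && $3 != "yes" {
            printf "nmcli connection modify \"%s\" autoconnect yes\n", $1; next
        }
        $1 != keep && $3 == "yes" {
            printf "nmcli connection modify \"%s\" autoconnect no\n", $1
        }'
}

# Offline demo on the sample. In a real disposable template, as root:
#   nmcli -t -f NAME,TYPE,AUTOCONNECT connection show | autoconnect_plan wg-ch1 | sh
echo "WireGuard connections set to autoconnect: $(printf '%s\n' "$SAMPLE_NMCLI" | wg_autoconnect_count)"
printf '%s\n' "$SAMPLE_NMCLI" | autoconnect_plan wg-ch1
```

Running `wg_autoconnect_count` again after applying the plan is the quick check that the template satisfies the "only one VPN connection with autoconnect" rule.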

This was the last thing I was missing in the guide - gonna try it out later. Thanks @Isolator!

I do not recommend this one. It is much more cumbersome to set up. Then, if you forget to install it again when doing template upgrades, the killswitch won’t be enforced, without any warning…

Overall, the setup in this guide is the best of all guides I have tried.

1 Like

The correct way to install qubes-vpn-support is inside an AppVM. If the configuration is set up correctly with the appropriate qube service, it will not be possible to reach the outside, even if qubes-vpn-handler ends up in a failed state, because the nftables/iptables rules are set up and only the group 9 interface can forward packets upstream (which doesn’t exist unless the VPN is working).

I agree that this guide is simpler, but I prefer the hardening with interface groups provided by qubes-vpn-support and the fact that I don’t have multiple network managers in my widget bar for all my different vpn qubes.

2 Likes

To configure killswitch + (DNS) leak protection + ICMP/ping blocking + protection in case of sys-vpn compromise, you can alternatively execute a three-liner in dom0, no nft/iptables needed:

qvm-firewall sys-vpn reset # (1)
qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (2)
qvm-firewall sys-vpn del --rule-no 0 # (3)

(1) resets firewall to one single rule accepting everything
(2) whitelists specific VPN gateway IP
(3) removes rule (1), so there is just one whitelisted IP from (2) left

Everything else is blocked safely outside sys-vpn.

4 Likes

this is already explained in the guide by using the firewall GUI :slight_smile:

Not quite, I think :wink:. Using the firewall GUI as described in your guide, Qubes still allows any ICMP or DNS requests outside the VPN. If you don’t do further hardening via iptables/nft, this might end up with DNS or ping leaks. The only way to block DNS/ICMP with Qubes’ firewall is to use the qvm-firewall CLI and remove the wildcard rule for everything (accept) and the dns special target + icmp, if they exist. The above is a reproducible way to catch all cases consistently by first resetting the firewall and then applying whitelist rules.

You can recheck with qvm-firewall sys-vpn list. The end result should look similar to:

NO  ACTION  HOST              PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32        -         -        -               -          -       -
3 Likes
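The dom0 three-liner and the qvm-firewall list check from the two posts above, as an added example that is not part of the original thread: it reads the gateway IP from the Endpoint line of a WireGuard config, emits the reset / add / del commands for the qube, and checks a `qvm-firewall <qube> list` output for leftover accept-all, dns or icmp rules. The config, the list outputs and the function names are constructed for the demo; sys-vpn and 1.2.3.4 are the values used in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. It derives the dom0 three-liner
# from a WireGuard config's Endpoint line(s) and checks that the
# `qvm-firewall <qube> list` output leaves nothing but the gateway whitelist
# (no accept-all rule, no dns special target, no icmp rule).

# Constructed sample config (keys are placeholders, not real keys).
SAMPLE_WG_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.2.3.4:51820
PersistentKeepalive = 25'

# Print the IPv4 address of every "Endpoint = host:port" line. Hostname or
# IPv6 endpoints are skipped: qvm-firewall dsthost= needs an address, so
# those must be resolved by hand first.
wg_endpoint_ips() {
    awk -F'=' '
        $1 ~ /^[ \t]*Endpoint[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            sub(/:[0-9]+$/, "", $2)
            if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $2
        }'
}

# Emit the dom0 commands: reset to the single accept-all rule (rule 0),
# append one accept rule per gateway, then delete rule 0. Deleting last keeps
# the numbering of the appended rules from shifting under the adds.
qvm_firewall_cmds() {
    qube="$1"; shift
    echo "qvm-firewall $qube reset"
    for ip in "$@"; do
        echo "qvm-firewall $qube add accept dsthost=$ip"
    done
    echo "qvm-firewall $qube del --rule-no 0"
}

# Read `qvm-firewall <qube> list` on stdin and succeed only if every rule is
# "accept" for one of the given IPs (as /32) with no special target and no
# ICMP type, and every given IP has such a rule. Offending lines are printed.
# Columns: NO ACTION HOST PROTOCOL PORT(S) SPECIAL-TARGET ICMP-TYPE EXPIRE COMMENT
firewall_list_ok() {
    awk -v want="$*" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i] "/32"] = 1 }
        NR == 1 || NF == 0 { next }
        $2 != "accept" || !($3 in ok) || $6 != "-" || $7 != "-" {
            bad = 1; print "unexpected rule: " $0
        }
        $3 in ok { seen[$3] = 1 }
        END {
            for (h in ok) if (!(h in seen)) { bad = 1; print "missing rule for " h }
            exit (bad ? 1 : 0)
        }'
}

# Constructed list output after the three-liner: whitelist only.
SAMPLE_LIST_OK='NO  ACTION  HOST              PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32        -         -        -               -          -       -'

# Constructed list output of a GUI-only setup that still has dns and icmp
# accept rules next to the gateway rule (the leak case the thread describes).
SAMPLE_LIST_LEAKY='NO  ACTION  HOST              PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32        -         -        -               -          -       -
1   accept  -                 -         -        dns             -          -       -
2   accept  -                 icmp      -        -               -          -       -'

# Offline demo. In dom0 the real flow is:
#   qvm_firewall_cmds sys-vpn $(wg_endpoint_ips < wg.conf) | sh
#   qvm-firewall sys-vpn list | firewall_list_ok 1.2.3.4
gateways=$(printf '%s\n' "$SAMPLE_WG_CONF" | wg_endpoint_ips)
qvm_firewall_cmds sys-vpn $gateways
if printf '%s\n' "$SAMPLE_LIST_OK" | firewall_list_ok $gateways; then echo "sys-vpn: whitelist only"; fi
if printf '%s\n' "$SAMPLE_LIST_LEAKY" | firewall_list_ok $gateways; then :; else echo "sys-vpn: leaky rules found"; fi
```

The check is deliberately strict about the SPECIAL TARGET and ICMP TYPE columns: an accept rule with dns as special target or any icmp rule is exactly what lets name lookups and pings bypass the tunnel, so a list with any such line fails.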

indeed! I’ll add this to the guide :+1:

3 Likes

Now, the guide looks a bit unclear to me. Maybe it is better to explicitly mark it as a ‘VPN hardening’ chapter with two subchapters:

A1: ‘3-liner quick hardening’ and
A2: ‘Hardening with nft’

If not, it is not clear (for newbies) that one hardening is enough.

That’s indeed confusing…

But they do different things :confused: I’ll think about how to rework this part.

I added a snippet of code to pick a random VPN at the qube start :slight_smile:

Direct link :arrow_right: Wireguard VPN setup

1 Like

This seems kind of ridiculous. I would change to another VPN provider, where it’s quick and easy, don’t need tasket’s setup, starts with an M.

@Clodius, your above comment is a bit enigmatic. What is ridiculous? With an M? What’s quick and easy in other providers? I don’t get it…

In the past I used the tasket way; it was fine, but it seems things have changed. For a basic setup, it just works.

Hi! I have successfully used a wg qube customized according to the guide in Qubes 4.1. Now I have upgraded to OS 4.2 and faced a problem.
My setup:
internet<sys-net<sys-firewall<vpn1-vless<vpn1-firewall<vpn2-wg<vpn2-firewall
In the sys-firewall/vpn1-vless qubes, ping service/dns works fine.

vpn2-wg is powered by Fedora 38. From settings I only imported the wg configuration; dns/firewall unchanged.
In vpn2-wg, inside the qube, ping/dns work. I can open the site.
Next I try to add a firewall qube, but inside this qube ping and dns are not working.
What could be the problem?

[Screenshot: qubes network]

This is most probably due to the change of iptables to nftables (in Qubes OS 4.2). Follow the link(s) here for more info:

In the guide above you see the VPN nftables configuration, or my preferred solution without nftables: just use the Qubes firewall settings in the terminal: Wireguard VPN setup

Did you upgrade all your templates?

I did a clean install of the OS. After that I updated all templates to the current version.
All qubes are created from scratch.

Just curious, in Qubes case, what are the advantages of using Wireguard instead of OpenVPN?