Wireguard VPN setup

This was the last thing I was missing in the guide - gonna try it out later. Thanks @Isolator!

I do not recommend this one. It is much more cumbersome to set up. Then if you forget to install it again when doing template upgrades, the killswitch won’t be enforced without any warning…

Overall, the setup in this guide is the best of all guides I have tried.

1 Like

The correct way to install qubes-vpn-support is inside an AppVM. If the configuration is set up correctly with the appropriate qube service, it will not be possible to reach the outside, even if qubes-vpn-handler ends up in a failed state, because the nftables/iptables rules are set up and only the group 9 interface can forward packets upstream (which doesn’t exist unless the VPN is working).

I agree that this guide is simpler, but I prefer the hardening with interface groups provided by qubes-vpn-support and the fact that I don’t have multiple network managers in my widget bar for all my different vpn qubes.

2 Likes

To configure killswitch + (DNS) leak protection + ICMP/ping blocking + protection in case of sys-vpn compromise, you can alternatively execute a three-liner in dom0, no nft/iptables needed:

qvm-firewall sys-vpn reset # (1)
qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (2)
qvm-firewall sys-vpn del --rule-no 0 # (3)

(1) resets firewall to one single rule accepting everything
(2) whitelists specific VPN gateway IP
(3) removes rule (1), so there is just one whitelisted IP from (2) left

Everything else is blocked safely outside sys-vpn.

4 Likes
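Added example, not from the thread or from Qubes OS itself: a small POSIX shell script that wraps the same three qvm-firewall commands in a function and adds a check that parses the output of "qvm-firewall <qube> list" (the format shown further down in the thread) to confirm that exactly one accept rule for the gateway remains, with no wildcard host, no "dns" special target and no ICMP rule. Assumptions: it runs in dom0 where qvm-firewall exists; sys-vpn and 1.2.3.4 are the placeholder qube name and gateway from the thread; the QVM_FIREWALL override for dry runs and the sample list output are my own constructions.

```shell
#!/bin/sh
# Added example: reset/whitelist/delete sequence for a VPN qube from dom0,
# plus a check on the resulting rule list. Not part of the original thread.

# Apply the three-liner: reset to the single default accept rule, whitelist the
# VPN gateway, then delete rule 0 (the default) so only the gateway rule remains.
# QVM_FIREWALL may be set to "echo" to dry-run outside dom0 (assumption/helper).
harden_vpn_qube() {
    qube="$1"
    gateway="$2"
    "${QVM_FIREWALL:-qvm-firewall}" "$qube" reset
    "${QVM_FIREWALL:-qvm-firewall}" "$qube" add accept dsthost="$gateway"
    "${QVM_FIREWALL:-qvm-firewall}" "$qube" del --rule-no 0
}

# Read "qvm-firewall <qube> list" output on stdin and return 0 only if exactly
# one rule is left and it is "accept" for the expected gateway host. Any
# wildcard host ("-"), "dns" special target or ICMP type makes the check fail.
# Columns: NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
check_rules() {
    expected="$1"
    awk -v want="$expected" '
        NR == 1 { next }                                  # header line
        NF == 0 { next }                                  # blank line
        $2 != "accept"                         { bad = 1 }
        $3 != want && $3 != (want "/32")       { bad = 1 } # wildcard or other host
        $6 != "-"                              { bad = 1 } # special target (e.g. dns)
        $7 != "-"                              { bad = 1 } # icmp type
        { n++ }
        END { if (bad || n != 1) exit 1 }
    '
}

# Constructed sample of a correctly hardened rule list (same layout as the
# thread's example output); used here so the check can be exercised offline.
SAMPLE_OK='NO  ACTION  HOST              PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32        -         -        -               -          -       -'

# Demo: dry-run the commands, then verify the constructed sample.
QVM_FIREWALL=echo harden_vpn_qube sys-vpn 1.2.3.4
printf '%s\n' "$SAMPLE_OK" | check_rules 1.2.3.4 && echo "sys-vpn rules OK"
```

In dom0 the real check would be "qvm-firewall sys-vpn list | check_rules 1.2.3.4"; a leftover "dns" special-target rule or an ICMP rule shows up as a non-"-" value in the SPECIAL TARGET or ICMP TYPE column and makes the check return 1.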

this is already explained in the guide by using the firewall GUI :slight_smile:

Not quite, I think :wink: . Using the firewall GUI as described in your guide, Qubes still allows any ICMP or DNS requests outside the VPN. If you don’t do further hardening via iptables/nft, this might end up with DNS or ping leaks. The only way to block DNS/ICMP with Qubes’ firewall is to use the qvm-firewall CLI and remove the wildcard rule for everything (accept) and the dns special target + icmp, if they exist. The above is a reproducible way to catch all cases consistently by first resetting the firewall and then applying whitelist rules.

You can recheck with qvm-firewall sys-vpn list. End result should look similar to

NO  ACTION  HOST              PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32        -         -        -               -          -       -

3 Likes

indeed! I’ll add this to the guide :+1:

3 Likes

Now, the guide looks a bit unclear to me. Maybe it is better to explicitly mark it as a ‘VPN hardening’ chapter with two subchapters

A1: ‘3-liner quick hardening’ and
A2: ‘Hardening with nft’

If not, it is not clear (for newbies) that one hardening is enough.

That’s indeed confusing…

But they do different things :confused: I’ll think about how to rework this part.

I added a snippet of code to pick a random VPN at the qube start :slight_smile:

Direct link :arrow_right: Wireguard VPN setup

1 Like

this seems kind of ridiculous, I would change to another vpn provider, where it’s quick and easy, don’t need tasket’s setup, starts with an M

@Clodius your above comment is a bit enigmatic. What is ridiculous? With an M? What’s quick and easy in other providers? I don’t get it…

in the past I used the tasket way, it was fine, but seems things have changed for a basic setup, just works

Hi! I have successfully used a wg qube customized according to the guide in Qubes 4.1. Now I have upgraded to OS 4.2 and faced a problem.
My setup:
internet<sys-net<sys-firewall<vpn1-vless<vpn1-firewall<vpn2-wg<vpn2-firewall
In the sys-firewall/vpn1-vless qubes, ping service/dns works fine.

vpn2-wg is powered by Fedora 38. From settings I only imported the wg configuration, dns/firewall unchanged.
In vpn2-wg, inside the qube, ping/dns work. I can open the site.
Next I try to add a firewall qube, but inside this qube ping and dns are not working.
What could be the problem?

Screen qubes network


This is most probably due to the change of iptables to nftables (in Qubes OS 4.2). Follow the link(s) here for more info:

In the guide above you see the VPN nftables configuration, or my preferred solution without nftables: just use the Qubes firewall settings in the terminal: Wireguard VPN setup

did you upgrade all your templates?

I did a clean install of the OS. After that I updated all templates to the current version.
All qubes are created from scratch.

Just curious, in Qubes case, what are the advantages of using Wireguard instead of OpenVPN?

You can automate this with this one-liner:

for con in $(nmcli -g name,type con | grep :wireguard$ | cut -d: -f1); do nmcli con modify "$con" connection.autoconnect no; done

1 Like

WireGuard is faster (more efficient and can sustain higher speed) than OpenVPN and is stateless.

The stateless feature is important for some users. It implies there is no “connected” tunnel state: data passes through the VPN, but if you switch from wifi to 4G for instance, there is no need to stop / restart the service, because the remote endpoint doesn’t keep track of the previous session with the previous IP. In case of suspend / resume, there is no such thing as reconnecting either.

1 Like