Wireguard VPN setup

Thank you for this awesome guide @solene. I used it successfully on Qubes 4.2 with Fedora 39. I have some suggestions based on my experience with Qubes 4.2:

Regarding Prevent DNS leak:

As mentioned in post Wireguard VPN setup - #63 by apparatus, the ip qubes table already has a chain called dnat-dns.

As you mentioned in post Wireguard VPN setup - #89 by solene there is a Qubes OS helper script. It is located at /usr/lib/qubes/qubes-setup-dnat-to-ns and is called by /etc/NetworkManager/dispatcher.d/qubes-nmhook. It looks for DNS configurations and updates the dnat-dns chain automatically.

I found that by adding the primary and secondary Quad9 DNS servers to the wireguard config file DNS line (comma-separated), they were added to the dnat-dns chain correctly after restarting the connection. They can also be added in the GUI manually after the config file has been imported.

The resulting chain looked like this:

$ sudo nft list chain ip qubes dnat-dns
table ip qubes {
	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 9.9.9.9
		ip daddr 10.139.1.1 tcp dport 53 dnat to 9.9.9.9
		ip daddr 10.139.1.2 udp dport 53 dnat to 149.112.112.112
		ip daddr 10.139.1.2 tcp dport 53 dnat to 149.112.112.112
	}
}

I recommend configuring both the primary and secondary DNS servers so that both the 10.139.1.1 and 10.139.1.2 IPs are NATed.

I am concerned that creating a new nat chain of type “nat hook prerouting priority dstnat” might conflict with the existing dnat-dns chain, in the sense that the ordering will be undefined, as explained in this topic: https://unix.stackexchange.com/questions/607358/packet-processing-order-in-nftables

Therefore my suggestion is to specify the DNS servers in the wireguard configuration file or GUI instead of creating a new chain. Alternatively, the existing dnat-dns chain could probably be updated manually, but the Qubes OS helper script might clobber manual changes if DNS servers are configured in the GUI later.

I also noticed that there is no dnat-dns chain for IPv6, which is explained here: https://www.qubes-os.org/doc/networking/#limitations

Currently only IPv4 DNS servers are configured, regardless of ipv6 feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not. Configuring qubes to always use IPv6 DNS and only fall back to IPv4 may result in relatively long timeouts and poor usability. But note that DNS using IPv4 does not prevent returning IPv6 addresses. In practice this is only a problem for IPv6-only networks.

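A small audit script, added here as an example and not part of the original post or of the Qubes helper script, that applies the two checks discussed above to the output of `nft list table ip qubes`: every Qubes DNS VIP must have udp and tcp dport 53 dnat rules, and only one chain should hook prerouting at priority dstnat. The two sample rulesets and the chain name custom-dns are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or from Qubes): read `nft list table ip qubes`
# output on stdin, report DNS VIPs without udp+tcp dport 53 dnat rules and any
# second chain hooking prerouting at priority dstnat (order between such chains
# is undefined). Returns 0 when clean, 1 when a finding was printed.
QUBES_DNS_VIPS="10.139.1.1 10.139.1.2"   # DNS VIPs Qubes hands to connected qubes
check_dnat_dns() {
    ruleset=$(cat); status=0            # whole table listing from stdin
    for vip in $QUBES_DNS_VIPS; do
        for proto in udp tcp; do
            if ! printf '%s\n' "$ruleset" | grep -Eq "ip daddr $vip $proto dport 53 dnat to [0-9.]+"; then
                echo "MISSING: no dnat rule for $vip $proto/53"
                status=1
            fi
        done
    done
    n=$(printf '%s\n' "$ruleset" | grep -c 'type nat hook prerouting priority dstnat')
    if [ "$n" -gt 1 ]; then
        echo "CONFLICT: $n chains hook prerouting at priority dstnat (order undefined)"
        status=1
    fi
    return $status
}
# Constructed sample: both VIPs covered, single dstnat chain (as shown in the post).
SAMPLE_OK='table ip qubes {
  chain dnat-dns {
    type nat hook prerouting priority dstnat; policy accept;
    ip daddr 10.139.1.1 udp dport 53 dnat to 9.9.9.9
    ip daddr 10.139.1.1 tcp dport 53 dnat to 9.9.9.9
    ip daddr 10.139.1.2 udp dport 53 dnat to 149.112.112.112
    ip daddr 10.139.1.2 tcp dport 53 dnat to 149.112.112.112
  }
}'
# Constructed sample: secondary VIP not NATed, plus a hand-made extra dstnat chain.
SAMPLE_BAD='table ip qubes {
  chain dnat-dns {
    type nat hook prerouting priority dstnat; policy accept;
    ip daddr 10.139.1.1 udp dport 53 dnat to 9.9.9.9
    ip daddr 10.139.1.1 tcp dport 53 dnat to 9.9.9.9
  }
  chain custom-dns {
    type nat hook prerouting priority dstnat; policy accept;
    ip daddr 10.139.1.1 udp dport 53 dnat to 9.9.9.9
  }
}'
# Real use in sys-net / the VPN qube:  sudo nft list table ip qubes | check_dnat_dns
for s in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if printf '%s\n' "$s" | check_dnat_dns; then echo "-> clean"; else echo "-> issues found"; fi
done
```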