Wireguard VPN setup

I added a snippet to solve MTU problems with wg tunnels. I just got an issue loading www.duckduckgo.com (and only this server) when using the VPN. A solution was to reduce the MTU of eth0 in the qubes using the VPN, but a better alternative is to add a firewall rule to force the MTU to be smaller. (I found the fix as part of my job at ivpn)


I’m having some issues connecting to protonvpn’s wireguard servers. Their configuration file provides a private key value of ***** and my fedora template is giving me the error “Key is not of the correct length or format” when I try to connect to it. They do provide a public key.

I don’t know enough about this to know for sure if this is a protonvpn issue or something else.

I don’t understand why you’re talking about the template. The template is just here to install wireguard (if it is not installed). It’s all happening in the sys-vpn.
You have the public key directly in the config file and DON’T touch it.
Like @solene says, in sys-vpn, just open a terminal where you have your vpn.conf file, then run the command:

nmcli connection import type wireguard file vpn.conf

It’s just what you have to do :slight_smile:

It is not just a protonvpn issue, I do the same thing with riseup vpn. All is all right…

Is it at all possible to accomplish this with Fedora 38 minimal 32 bit? I have very limited resources (only 16 GB ram) so every MB counts.

I don’t think 32-bit templates are provided. I have a laptop with 8 GB of memory and I can definitely have a working VPN setup though :wink:

If wireguard is used, it will not be possible to connect to tor, is there any way to use wireguard in conjunction with tor?

You can proxy udp over tcp.
For example this:


Can someone explain to me what this does? 9.9.9.9 is quad9 DNS server, does that mean that the DNS requests will be handled outside of VPN if I add this line?

Qubes OS uses “virtual” DNS servers 10.139.1.1/10.139.1.2 for the qubes, and the requests to these addresses are redirected from a netvm to its next netvm using DNAT firewall rules like this:

$ sudo nft list chain ip qubes dnat-dns
table ip qubes {
        chain dnat-dns {
                type nat hook prerouting priority dstnat; policy accept;
                ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
                ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
        }
}

And when these DNS packets arrive at a netvm that has its netvm set to (none), then by default it’ll take this qube’s real DNS servers (e.g. set by the user in /etc/resolv.conf or using NetworkManager) and redirect all packets coming to the virtual DNS server to the real ones like this:

table ip qubes {
        chain dnat-dns {
                type nat hook prerouting priority dstnat; policy accept;
                ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.1.1
                ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.1.1
        }
}

And if you don’t redirect all the virtual DNS traffic to the real DNS server (be it 9.9.9.9 or the DNS provided by the VPN server) in sys-vpn, then this virtual DNS traffic will go through the VPN to these “virtual” addresses and most probably DNS just won’t work, since these addresses will be unreachable through the VPN. This “virtual” DNS address leak could show the VPN provider that you’re using Qubes OS.

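The two firewall tweaks discussed in this thread, the MSS clamp from the first post (forcing TCP through the tunnel to use a smaller segment size instead of lowering eth0’s MTU in every downstream qube) and the DNAT of the Qubes “virtual” DNS addresses to a real resolver, can both be generated by one small script in sys-vpn. This is an added example, not the snippet the first poster or the Qubes project ships. It assumes a WireGuard interface named wg0 with the default MTU of 1420, the Qubes 4.2 `qubes` nftables table with its `dnat-dns` and `custom-forward` chains, and that the script is run from `/rw/config/rc.local` (or after the tunnel comes up); `gen_dns_dnat_rules` and `gen_mss_clamp_rules` are hypothetical helper names.

```shell
#!/bin/sh
# Added example for a Qubes sys-vpn qube (not the thread's own snippet).
# Assumptions: WireGuard interface wg0, tunnel MTU 1420, Qubes 4.2 "qubes"
# nftables table with chains "dnat-dns" and "custom-forward", run as root
# from /rw/config/rc.local. Override DNS, WG_IF or WG_MTU via environment.

DNS="${DNS:-9.9.9.9}"
WG_IF="${WG_IF:-wg0}"
WG_MTU="${WG_MTU:-1420}"

# Rewrite the Qubes "virtual" resolver addresses 10.139.1.1/10.139.1.2 to the
# real resolver, so DNS queries from downstream qubes are answered through the
# tunnel instead of leaking the 10.139.x.x destination to the VPN server.
# The chain is flushed first so the stock Qubes rules do not stay in front.
gen_dns_dnat_rules() {
    dns="$1"
    printf 'flush chain ip qubes dnat-dns\n'
    printf 'table ip qubes {\n'
    printf '\tchain dnat-dns {\n'
    for vdns in 10.139.1.1 10.139.1.2; do
        for proto in udp tcp; do
            printf '\t\tip daddr %s %s dport 53 dnat to %s\n' "$vdns" "$proto" "$dns"
        done
    done
    printf '\t}\n}\n'
}

# Clamp the MSS of every TCP handshake crossing the tunnel interface.
# MSS = tunnel MTU minus the IPv4 (20) and TCP (20) headers, so a full
# segment never exceeds the WireGuard MTU and sites that drop
# fragmentation-needed messages (the duckduckgo case above) still load.
gen_mss_clamp_rules() {
    ifname="$1"
    mtu="$2"
    mss=$((mtu - 40))
    printf 'table ip qubes {\n'
    printf '\tchain custom-forward {\n'
    printf '\t\toifname "%s" tcp flags syn tcp option maxseg size set %s\n' "$ifname" "$mss"
    printf '\t\tiifname "%s" tcp flags syn tcp option maxseg size set %s\n' "$ifname" "$mss"
    printf '\t}\n}\n'
}

# Feed both rule sets to nft atomically.
apply_rules() {
    {
        gen_dns_dnat_rules "$DNS"
        gen_mss_clamp_rules "$WG_IF" "$WG_MTU"
    } | nft -f -
}

# Only touch the live ruleset when invoked as "./vpn-rules.sh apply";
# without an argument the functions are merely defined (useful for
# "./vpn-rules.sh; gen_dns_dnat_rules 9.9.9.9" to inspect the output).
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After running `apply`, `sudo nft list chain ip qubes dnat-dns` should show the four `dnat to 9.9.9.9` lines in place of the identity rules quoted above, and `nft list chain ip qubes custom-forward` the two clamp rules. Qubes regenerates `dnat-dns` whenever the qube’s own resolver settings change, so if the VPN client rewrites DNS on reconnect, run the script again from that hook rather than only at boot.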

Sorry, I have very limited networking knowledge.
Why put 9.9.9.9 as the DNS provider? Wouldn’t that leak your real ip?

Because Quad9 is a DNS resolver that is known and recognized for its reliability and has an excellent reputation. In addition, it is based in Switzerland. But you can use whatever DNS you want.

For sure no, you’re using a vpn

The requests to Qubes OS “virtual” DNS from qubes connected to sys-vpn will be redirected to 9.9.9.9 over the VPN connection and not to your clearnet. You can replace 9.9.9.9 with the DNS server provided by your VPN.

Can you clarify what would happen if I’m not doing this step? What’s the danger exactly?

You may not have a working DNS, or it may not go through the VPN

@solene, perhaps it’ll be a good thing to have the hardening rules with nftables since 4.2 handles more than the nftables?


Do I leave this as is, or do I need to put IP of the DNS provider?

I meant the last bit of the line above

You leave it as it is, you just change:
DNS=9.9.9.9 with DNS=*IP of the DNS provider*

Thank you for the help. This is very confusing for me, as I’m just used to connecting to a VPN server via GUI and letting the VPN do its thing in the background.


Can I use this config for openvpn as well?

yes
