WireGuard VPN setup

With the Fedora 38 template, sudo wg looks like:

...
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 51 seconds ago
  transfer: 36.76 MiB received, 2.50 MiB sent

With Fedora 40 the last two lines are not even present; it's just:

...
  allowed ips: 0.0.0.0/0, ::/0

Did you try to create a new sys-vpn qube instead of reusing the old sys-vpn qube and just changing its template?


Actually, I was sure that I had but now when I did again it just worked :man_facepalming:

I will report back if I find the actual issue but otherwise, guess I must have missed this :man_shrugging:

Thanks for the help :slight_smile:


Testing a bit more, it seems like directly after adding the WireGuard connection with nmcli in my brand new sys-vpn I can do curl without problem. But after I restart sys-vpn it goes back to not being able to connect, and then the problem stays.
If I create a sys-vpn2 and do the same thing again, then I get a connection right after setting it up, but again after a restart it cannot connect.

Maybe now something is stored in /etc or /var which are not persistent in an AppVM. :confused:

I realized that if I do nmcli connection delete [conf] and then add it again with nmcli connection import type wireguard file [conf], then the connection is restored. Maybe the issue is just that it does not autoconnect on startup?

What if you enable/start the connection with nmcli?

Right, that also works :slight_smile:

nmcli connection up [conf]

However, if I add the following from the guide:

# DuckDuckGo MTU size connection fix
nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu

# Prevent the qube to forward traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

to /rw/config/qubes-firewall-user-script, then I lose the connection again. Removing the above configuration restores the connection.

Can you try without the first rule about DDG? If it's still broken, it may be that the VPN is not used and the killswitch blocks the traffic.

Are you trying FROM the VPN qube, or from a qube using the VPN as its netvm? The second rule should not affect the first case.

Ok, now it works (with all nft rules, including MTU). I don't know if the VPN was unstable or something… (I'm adding the rules in sys-vpn and also testing curl there.)

Thanks for the quick replies, hopefully this should work now after creating a startup script for the connection :slight_smile:
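As an added example (not from the thread or the guide) of the startup script and kill switch discussed above: a POSIX sh helper for sys-vpn that re-imports and activates the NetworkManager WireGuard connection at qube start (for /rw/config/rc.local) and emits the three nft rules for /rw/config/qubes-firewall-user-script. WG_CONF, WG_CONN and UPLINK are assumed placeholder values; nothing below runs nmcli or nft unless called with --up or --killswitch.

```shell
#!/bin/sh
# Added example: bring the WireGuard connection up after a sys-vpn restart and
# install the kill switch. WG_CONF, WG_CONN and UPLINK are assumed placeholders.
WG_CONF="${WG_CONF:-/rw/config/wg0.conf}"   # assumed: persisted WireGuard config
WG_CONN="${WG_CONN:-wg0}"                    # assumed: nmcli connection name (file basename)
UPLINK="${UPLINK:-eth0}"                     # sys-vpn uplink to sys-net, as in the thread

# conn_exists NAME LISTING: true if LISTING (the output of
# `nmcli -t -f NAME,TYPE connection show`) contains a wireguard connection NAME.
conn_exists() {
    printf '%s\n' "$2" |
        awk -F: -v c="$1" '$1 == c && $2 == "wireguard" { f = 1 } END { exit !f }'
}

# killswitch_rules UPLINK: print the rules from the thread, one `nft add rule`
# command per line, with the uplink interface substituted. The two drop rules
# are what turns "VPN down" into "no traffic" instead of "traffic via sys-net".
killswitch_rules() {
    printf '%s\n' \
        "nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu" \
        "nft add rule ip qubes custom-forward oifname $1 counter drop" \
        "nft add rule ip6 qubes custom-forward oifname $1 counter drop"
}

# ensure_vpn_up: if NetworkManager lost the connection across the restart
# (it lives under /etc, which is not persistent in an app qube), import the
# config again, then activate it. Call this from /rw/config/rc.local.
ensure_vpn_up() {
    listing=$(nmcli -t -f NAME,TYPE connection show)
    if ! conn_exists "$WG_CONN" "$listing"; then
        nmcli connection import type wireguard file "$WG_CONF"
    fi
    nmcli connection up "$WG_CONN"
}

# apply_killswitch: run each rule; call this from qubes-firewall-user-script.
apply_killswitch() {
    killswitch_rules "$UPLINK" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

case "${1:-}" in
    --up)         ensure_vpn_up ;;
    --killswitch) apply_killswitch ;;
esac
```

With the drop rules installed, a failed activation shows up as a total outage in the qubes behind sys-vpn rather than as leaked cleartext, which is the behaviour the killswitch is meant to produce.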

Thanks for this guide

As a newcomer to Qubes I would ask:

1 - Some use a standalone VPN, others use it as an app qube.
What is the difference during setup?

2 - In case of chaining two VPN qubes, should all
firewall killswitch scripts be written in both VPNs or
only in one qube?

3 - Isn't it safer to make either the VPN qube or sys-net
disposable?

4 - Are these rules on tradiddles' topic not included in your guide?
If not, which rules exactly are meant?

5 - I plan to combine your guide with a Debian template.
How about minimal templates for the VPN, to minimize attack surface?

I added some text to the killswitch section if anyone wants to proofread.

I followed the guide and imported a functional config (using it successfully with the Android and Windows apps)… The network symbol shows the lock, but I cannot access the internet and also not the home LAN… I have set all the optional things (killswitch, MTU…)… Where could I start diagnosing? Thank you!

The setup would be the same for an app qube and a standalone qube based on a template.

For both.

Yes, in that case if the disposable qube is compromised, it won't persist.

You can use a minimal template, but you need to install the required packages:

Try to remove the Qubes Firewall rules and check without them.
Try to ping the IP address of the VPN server inside the virtual network in sys-vpn.

If you follow the settings, everything works without errors, but when connected to the VPN the Internet does not work. What is the reason for this?

It could be anything. Most probably a network issue; check that your sys-vpn is not connected to sys-whonix and you're not trying to connect to the WireGuard server through Tor.

No, there are no problems with the network and it does not connect via Tor. The interface is displayed correctly in the terminal; it's just that when it connects, the Internet no longer works.