Wireguard VPN setup

Try to ping some IP address (e.g. ping 9.9.9.9) to make sure that it’s not a problem with DNS.

PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.

Such a single line is displayed after entering it.

Where should I write the ‘Prevent DNS leak’ rule?
Is it the same qubes-firewall-user-script?

Yes.

Same problem with fedora-40. How do you solve it other than executing nmcli connection up [conf] every time? Adding this line to rc.local does not work.

Use the Qube GUI to set the firewall to the VPN endpoint (this avoids leaks).
Block all traffic outside the VPN using the command-line Qubes OS firewall.

What is the difference between the two things they are doing?

And if I set networking to sys-whonix instead of sys-firewall, will the kill switch be disabled?

Yeah actually I didn’t get it working either with the startup script and am executing that command every time :sweat_smile:
Will troubleshoot it eventually when I have time

WireGuard won’t work over sys-whonix.

Sorry for the OT, but I’m using a handful of apps like wallets or messengers in different qubes (Waydroid, Fedora, whonix-workstation), all of them attached to sys-whonix, and they seem to work… They have an internet connection… Is it because they use TCP and WireGuard uses UDP?

Yes.

Thank you, so if my application has an internet connection, everything is okay and I don’t have to worry about IP leaks?

If they are behind sys-whonix, this is supposed not to leak your real public IP.

The Surfshark WireGuard conf file has a URL as the endpoint.

Endpoint: nl-ams.prod.surfshark.com:51820

The sys-vpn should be able to make one DNS request to get the IP address of the endpoint. Any suggestion on how to set a kill switch but still allow one DNS request to get the endpoint IP address?

I doubt this kind of DNS changes often; you could resolve it, allow this IP and be done for a long time, I guess.

Otherwise, if you handle it using qvm-firewall, it can be resolved every time the firewall is started.

It does change often. There are a lot of servers in locations like NYC, Amsterdam and Stockholm.

ping nl-ams.prod.surfshark.com
PING nl-ams.prod.surfshark.com (81.19.208.91) 56(84) bytes of data.

ping nl-ams.prod.surfshark.com
PING nl-ams.prod.surfshark.com (143.244.42.86) 56(84) bytes of data.

ping nl-ams.prod.surfshark.com
PING nl-ams.prod.surfshark.com (146.70.175.85) 56(84) bytes of data.

Are you suggesting resolving the IP address from sys-firewall and then transferring the resolved IP (maybe using qrexec?) to sys-vpn for it to initiate the WireGuard connection using that IP address?

No, I meant using the kill switch at the qvm-firewall level, not from the VPN qube itself. I’m not sure how it will work, though, if there are multiple A records on this hostname; all of them should be used in theory…

I am looking for something more dynamic, like making a DNS call, getting the IP address and using that IP address to initiate the VPN connection.
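An added example of the dynamic approach asked for above (my own code, not from anyone in this thread): a Python helper for the sys-vpn qube that resolves every A record of the endpoint name, then renders a two-stage nftables kill switch, a bootstrap stage that permits only the DNS lookup and a locked stage that permits only UDP to the resolved endpoints on the WireGuard port while forcing all forwarded traffic through the tunnel. The table name wgks, the interface name wg0 and the resolver address 10.139.1.1 are assumptions; applying each stage with nft -f is left to the startup script.

```python
import socket
from ipaddress import ip_address

WG_PORT = 51820            # port from the Endpoint line quoted above
WG_IF = "wg0"              # assumed: WireGuard interface name inside sys-vpn
DNS_SERVER = "10.139.1.1"  # assumed: resolver Qubes gives the qube; check /etc/resolv.conf


def endpoint_ips(hostname, resolve=socket.getaddrinfo):
    """All IPv4 A records of hostname, deduplicated and sorted. A round-robin name
    answers differently on each lookup, so every record must be allowed."""
    ips = {str(ip_address(sa[0]))  # ip_address() rejects anything that is not an address
           for _f, _t, _p, _c, sa in resolve(hostname, None, socket.AF_INET)}
    if not ips:
        raise RuntimeError(f"no A records for {hostname}")
    return sorted(ips, key=ip_address)


def _script(set_lines, output_rules, forward_rules):
    """nft script that replaces any earlier copy of the table. Both chains default to
    drop (final even where the qubes table accepts); oifname is used, not oif,
    because wg0 does not exist until the tunnel is up."""
    lines = ["add table inet wgks", "delete table inet wgks", "table inet wgks {"] + set_lines
    lines += ["  chain output {", "    type filter hook output priority filter; policy drop;",
              '    oifname "lo" accept'] + [f"    {r}" for r in output_rules] + ["  }"]
    lines += ["  chain forward {", "    type filter hook forward priority filter; policy drop;"]
    lines += [f"    {r}" for r in forward_rules] + ["  }", "}"]
    return "\n".join(lines) + "\n"


def bootstrap_ruleset():
    """Stage 1: sys-vpn itself may only query DNS; downstream qubes get nothing."""
    return _script([], [f"ip daddr {DNS_SERVER} udp dport 53 accept",
                        f"ip daddr {DNS_SERVER} tcp dport 53 accept"], [])


def locked_ruleset(ips):
    """Stage 2: only UDP to the resolved endpoints leaves in the clear; all else via wg0."""
    sets = ["  set endpoints {", "    type ipv4_addr",
            f"    elements = {{ {', '.join(ips)} }}", "  }"]
    out = [f'oifname "{WG_IF}" accept', f"ip daddr @endpoints udp dport {WG_PORT} accept"]
    fwd = [f'oifname "{WG_IF}" accept', f'iifname "{WG_IF}" ct state established,related accept']
    return _script(sets, out, fwd)


if __name__ == "__main__":
    # Startup-script order: apply bootstrap, resolve, apply locked (each via nft -f -),
    # then start WireGuard with Endpoint pinned to one of the returned addresses.
    print(locked_ruleset(endpoint_ips("nl-ams.prod.surfshark.com")))
```

Because the locked stage blocks the qube's own DNS, the Endpoint in the WireGuard conf must be written as one of the returned IPs rather than the hostname.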