I don’t know what you did, but qvm-firewall should display the settings made in Qubes GUI in the Firewall tab.
Make sure the network-manager service is set in the qube settings. If you use a minimal template, you may have to install it.
I had been following the guidelines, and the template is not minimal. Can you explain the details of “setting” network-manager in qube settings? I suspect I misunderstood.
For the firewall rules: I don’t know what the GUI does actually. Maybe there’s some bug…
OK, I don’t know what state of mind I was when trying it, but I definitely had made a mistake when starting the network-manager! Still it does not work after having completed the steps, but that’s a different topic now…
When using wireguard to connect to my home router from “outside”, the router has a dynamic IP address, and the config file has a hostname in the Endpoint = line. So my guess is that the dsthost= in the qvm-firewall command does not expect a hostname, and even if it accepts one, it would resolve the address only once. Is there a solution to this?
The Wireguard app on Android has no problem with this configuration, and I use it to access my home network from outside.
There was another discussion recently on this subject. Reloading the firewall with qvm-firewall --reload QUBE_NAME will refresh the DNS resolutions.
This is the thread and this is the link to my suggested solution.
Does anyone have an ipv6 only wireguard server?
I am not sure if my router isn’t fully supporting ipv6 or qubes does weird magic. When I connect via ipv6 to my router I can icmp ping the router and other devices in my home network, I can curl the router’s setup page but it’s super slow; everything else like ssh to devices does not work.
when i connect via ipv4 everything works just fine.
any idea where to start to investigate?
I only have a public ipv6 and a shared nat ipv4 for my selfhosted services, therefore ipv4 for me always feels like a risk to connect to a different person’s device. (maybe my understanding of networking isn’t complete here)
it was MTU (1288 was the sweet spot for my wireguard inside wireguard usecase…)
First of all, thanks OP and those involved for the guide. This is really impressive. I have followed every step listed, apart from the optional setup of connect to a random VPN at qube start and the some websites aren’t working steps as these are N/A for me.
Can I feel comfortable relying on this setup? An IP leak is a life or death situation for me. I have performed DNS and IP leak tests in Qubes connected to sys-vpn and I don’t see any leaks, even when my internet connection drops.
I was wondering what the difference is between this community guide here and the guide from Mullvad, as of August 2024. The guide from Mullvad I had previously successfully set up in a Fedora 38 AppVM: wireguard is set to autostart and load my config of choice, whilst the Qubes firewall is set to limit outgoing connections to the Wireguard IP. I followed every single step in that guide from Mullvad and it worked fine.
What is the advantage of using Fedora’s network manager with a wireguard config over setting the wireguard package to autostart your config of choice, as specified in the guide from Mullvad? What further hardening and IP leak preventions does this guide do better than the guide from Mullvad? I’m not a networking guru, I just want to know how and what this Community guide does better than the one from Mullvad.
The last step in this Community guide refers to preventing DNS leaks. Am I good to use the defined DNS server, 194.242.2.2 from Mullvad’s suggested DNS servers, and then copy those 4 lines into my sys-vpn Qubes firewall script?
I’m not in this situation, but I think I would only trust a setup involving at least 2 systems:
So this guide for the software level and a Pfsense firewall router for the hardware level.
Now I just need to sort Pfsense
Just logged into my system today and sys-vpn “curl https://am.i.mullvad.net/connected” won’t resolve host. I have my sys-whonix routed through sys-vpn and somehow whonix workstations are working fine, even my signal-desktops in fedora41 appvms are working fine routed through sys-vpn but I can’t ping any webpages or get internet over mullvad in anything else. Any ideas?
I tried setting up a new sys-vpn fedora 41 appvm and enabling network manager. Then added wireguard vpn.conf via nmcli command but still can’t ping webpages, curl https://am.i.mullvad.net fails too.
edit - just tried following this guide in a fedora 38 appvm but every time I launch the wireguard conf via network manager I can’t ping anything/network goes down.
in whonix, DNS resolution is done using Tor
there may be a DNS issue, I need to understand how to make something that always works
The nftables command to redirect DNS requests to a given DNS server IP can be used as a workaround until then.
I thought ntfabes was deprecated as of qubes 4.2
I tried following your guide a couple times, I setup a fresh fedora 41 appvm and enabled the network manager service before loading the wireguard .conf
That was all I did, no messing with the firewall or DNS but the moment I load the .conf, internet goes down. I’m used to things breaking when I mess with them but this was working fine for a couple weeks, really odd.
I’m going to try the guide from mullvad, load the conf into the wireguard-tools package instead of using the network manager tool and see if that helps
it’s nftables, and it’s the new thing to replace the old and deprecated iptables
I’m using the guide regularly without issue; could you write down the exact steps you do?
Ohhh nftables is new, ok.
Right so here are my steps:
I’m going to try a fresh qube again but yeah, odd stuff
Does it work if you run ping 9.9.9.9? I guess there is a DNS problem here. I wonder what they put in the killswitch configuration compared to a regular configuration file
WireGuard should by default route 0.0.0.0/0 (all addresses), so I don’t know what they use in the limited options in the configuration to say it’s a killswitch
Yeah that works.
Really odd mate, was working fine until I booted my system this morning and I’ve changed nothing.
This is because reaching 9.9.9.9 does not need a DNS query, while doing something using a hostname instead of an IP requires a DNS query. There is a DNS problem here.
ahh ok
How would you advise to proceed? Use nftables to redirect DNS requests from mullvad to Quad9?
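The nftables DNS redirection mentioned as a workaround above, and asked about in the last post, as an added example (not code from the thread, the community guide, or Qubes itself): a script for the VPN qube that rewrites every DNS query coming from downstream qubes to one chosen resolver. Assumptions: Qubes 4.2 with nftables, the `ip qubes` table and its `dnat-dns` chain being the ones Qubes creates for its own DNS redirection, 10.139.1.1 and 10.139.1.2 being the placeholder resolvers Qubes hands to client qubes, and 194.242.2.2 (quoted in the thread) as the default resolver.

```shell
#!/bin/sh
# Added example for a Qubes 4.2 VPN qube (e.g. called from
# /rw/config/qubes-firewall-user-script as: sh dns-redirect.sh --apply [RESOLVER]).
# Assumption: table "ip qubes" / chain "dnat-dns" are Qubes' own DNS DNAT chain.
set -eu

QUBES_NS="10.139.1.1, 10.139.1.2"   # placeholder resolvers seen by client qubes

# Emit the nft script as text so it can be reviewed (or compared with
# `nft list chain ip qubes dnat-dns`) before anything is loaded.
dns_redirect_rules() {
    dns="$1"
    # Refuse anything that is not a plain IPv4 address: a typo here would
    # otherwise become a rule that silently blackholes all client DNS.
    case "$dns" in
        *[!0-9.]*|"") echo "bad resolver address: $dns" >&2; return 1 ;;
    esac
    printf 'flush chain ip qubes dnat-dns\n'
    # Queries to the Qubes placeholder resolvers go to the chosen server.
    printf 'add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { %s } th dport 53 dnat to %s\n' "$QUBES_NS" "$dns"
    # Queries a client sends straight to some other resolver are rewritten
    # too, so a hard-coded 8.8.8.8 in a client qube cannot leak around the VPN.
    printf 'add rule ip qubes dnat-dns meta l4proto { tcp, udp } th dport 53 dnat to %s\n' "$dns"
}

# Only load into the kernel when explicitly asked; otherwise just print.
if [ "${1:-}" = "--apply" ]; then
    dns_redirect_rules "${2:-194.242.2.2}" | nft -f -
else
    dns_redirect_rules "${2:-194.242.2.2}"
fi
```

Qubes regenerates the dnat-dns chain when the upstream DNS changes, so run this again (or from the firewall user script) after a network or VPN reconnect; check with `nft list chain ip qubes dnat-dns` that the two rules are still in place.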