You can proxy udp over tcp.
For example this:
Can someone explain to me what this does? 9.9.9.9 is the Quad9 DNS server; does that mean that the DNS requests will be handled outside of the VPN if I add this line?
Qubes OS uses “virtual” DNS servers 10.139.1.1/10.139.1.2 for the qubes, and the requests to these addresses are redirected from a netvm to its next netvm using DNAT firewall rules like this:
$ sudo nft list chain ip qubes dnat-dns
table ip qubes {
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
        ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
        ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
        ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
    }
}
And when these DNS packets arrive at a netvm that has its netvm set to (none), then by default it’ll take that qube’s real DNS servers (e.g. set by the user in /etc/resolv.conf or using NetworkManager) and redirect all packets coming to the virtual DNS server to the real ones like this:
table ip qubes {
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.1.1
        ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.1.1
    }
}
And if you don’t redirect all the virtual DNS traffic to the real DNS server (be it 9.9.9.9 or the DNS provided by the VPN server) in sys-vpn, then this virtual DNS traffic will go through the VPN to these “virtual” addresses, and most probably DNS just won’t work, since these addresses will be unreachable through the VPN. This leak of the “virtual” DNS addresses could show the VPN provider that you’re using Qubes OS.
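The two chain listings above show the two states a `dnat-dns` chain can be in: passing the virtual addresses through unchanged (a middle netvm) or rewriting them to a real resolver (the last netvm). The following is an added example, not code from the post or from Qubes OS: it generates the `nft` commands that would rewrite both virtual addresses, over UDP and TCP, to a chosen resolver in sys-vpn, and it audits an `nft list chain ip qubes dnat-dns` dump for entries that still point at 10.139.1.x (which would leak into the tunnel) or that are missing altogether. The table and chain names are the ones shown in the post; flushing the chain before adding rules, and the sample listings, are assumptions constructed for the example.

```python
# Added example (not from the original post or Qubes OS): build the nft(8)
# DNAT rules that send Qubes' "virtual" DNS addresses to a real resolver
# inside sys-vpn, and audit an existing chain listing for leaks.
import re

VIRTUAL_DNS = ("10.139.1.1", "10.139.1.2")   # Qubes' virtual resolver addresses
DNS_PORT = 53
CHAIN = "ip qubes dnat-dns"                    # table/chain names from the post


def dns_dnat_rules(real_dns, chain=CHAIN):
    """Return the nft commands that rewrite both virtual DNS addresses, over
    UDP and TCP, to real_dns.  Flushing the chain first is an assumption about
    how the chain is managed; the rule bodies mirror those quoted in the post."""
    cmds = [f"nft flush chain {chain}"]
    for vaddr in VIRTUAL_DNS:
        for proto in ("udp", "tcp"):
            cmds.append(
                f"nft add rule {chain} ip daddr {vaddr} {proto} dport {DNS_PORT} "
                f"dnat to {real_dns}"
            )
    return cmds


# Matches the rule lines as printed by `nft list chain`.
RULE_RE = re.compile(r"ip daddr (\S+) (udp|tcp) dport (\d+) dnat to (\S+)")


def audit_dnat_chain(nft_output, expected_dns):
    """Parse a `nft list chain ip qubes dnat-dns` dump and report, for every
    (virtual address, protocol) pair, where port-53 traffic actually goes.
    'leaks' lists pairs rewritten to anything other than expected_dns (including
    the virtual address itself, i.e. a pass-through rule); 'missing' lists pairs
    with no rule at all.  'ok' is True only when every pair hits expected_dns."""
    targets = {}
    for line in nft_output.splitlines():
        m = RULE_RE.search(line)
        if m and int(m.group(3)) == DNS_PORT:
            targets[(m.group(1), m.group(2))] = m.group(4)

    leaks, missing = {}, []
    for vaddr in VIRTUAL_DNS:
        for proto in ("udp", "tcp"):
            key = (vaddr, proto)
            if key not in targets:
                missing.append(key)
            elif targets[key] != expected_dns:
                leaks[key] = targets[key]
    return {"ok": not leaks and not missing, "leaks": leaks, "missing": missing}


# Constructed sample: the pass-through chain quoted in the post (a middle netvm).
# In sys-vpn this is the leaking state: 10.139.1.x would be sent into the tunnel.
PASSTHROUGH_CHAIN = """\
table ip qubes {
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
        ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
        ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
        ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
    }
}
"""

# Constructed sample: the last-netvm chain quoted in the post, which only
# rewrites 10.139.1.1 (10.139.1.2 is left without a rule).
LAST_NETVM_CHAIN = """\
table ip qubes {
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.1.1
        ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.1.1
    }
}
"""

if __name__ == "__main__":
    for cmd in dns_dnat_rules("9.9.9.9"):
        print(cmd)
    print(audit_dnat_chain(PASSTHROUGH_CHAIN, "9.9.9.9"))
    print(audit_dnat_chain(LAST_NETVM_CHAIN, "192.168.1.1"))
```

Run the audit against the real output of `sudo nft list chain ip qubes dnat-dns` in sys-vpn after applying the rules; anything reported under `leaks` or `missing` is DNS traffic that will not reach the resolver you intended.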
Sorry, I have very limited networking knowledge.
Why put 9.9.9.9 as the DNS provider? Wouldn’t that leak your real ip?
Because Quad9 is a DNS resolver that is known and recognized for its reliability and has an excellent reputation. In addition, it is based in Switzerland. But you can use whatever DNS you want.
For sure no, you’re using a vpn
The requests to the Qubes OS “virtual” DNS from qubes connected to sys-vpn will be redirected to 9.9.9.9 over the VPN connection and not to your clearnet. You can replace 9.9.9.9 with the DNS server provided by your VPN.
Can you clarify what would happen if I’m not doing this step? What’s the danger exactly?
You may not have a working DNS, or it may not go through the VPN
@solene, perhaps it’d be a good thing to have the hardening rules in nftables, since 4.2 handles more than nftables?
Do I leave this as is, or do I need to put IP of the DNS provider?
I meant the last bit of the line above
You leave it as it is, you just change:
DNS=9.9.9.9
to DNS=*IP of the DNS provider*
Thank you for the help. This is very confusing for me, as I’m just used to connecting to a VPN server via the GUI and letting the VPN do its thing in the background.
Can I use this config for OpenVPN as well?
yes
Mullvad offers to encapsulate WireGuard’s UDP in TCP, but I still can’t connect to Tor.
Oh, I’ve misunderstood. I thought you wanted to connect to WireGuard over Tor.
Maybe your WireGuard VPN provider is blocking connections to Tor? You can try to use a Tor bridge then.
I’m using Mullvad, and if it’s in OpenVPN mode, I can connect to Tor.
Can you connect to clearnet sites if you use WireGuard?
If I use WireGuard, I can access the normal internet and cannot access Tor.
I don’t know what the problem could be then.
Try to contact Mullvad support.