Go back to topic: Wireguard VPN setup
add "provides network access to other qubes"v7 anchor; v7 full version
| Add the rules below in `/rw/config/qubes-firewall-user-script` in `sys-vpn`: | Add the rules below in `/rw/config/qubes-firewall-user-script` in `sys-vpn`, make sure the qube service "qubes-firewall" is enabled in the qube settings: |
| These firewall rules will prevent (at the qube level) routing traffic of the NetVM child qubes through the sys-vpn NetVM. In other words, it blocks network traffic for qubes using sys-vpn as a NetVM if the VPN is not up/working. If sys-vpn qube is compromised, it is possible to remove that rule from the qube (hence the "qube level" rule) and leak the traffic, although if this happens, it is also possible to directly listen to the network traffic going through sys-vpn. A better killswitch solution is to use the qube firewall to block all traffic except the host:port destination required to establish the VPN. The firewall rules are applied on sys-vpn NetVM and can't be modified from sys-vpn itself. Although this is better, it still won't protect a compromised sys-vpn to listen to the traffic passing there (it's is actually impossible to protect). |
| In the settings | In the settings window that popped up, go to the <kbd>Services</kbd>, select `network-manager` from the drop-down list and click <kbd>:heavy_plus_sign: add</kbd>. Then save the settings by clicking <kbd>OK</kbd>. |
| Go your VPN provider and | Go your VPN provider and download a configuration file **for wireguard** (e.g.: `vpn.conf`) |
| > :information_source: This is essentially a **killswitch**. It is a fail-safe that ensures that if your VPN connection fails, it does let anything through.
> :information_source: This | > :information_source: This is essentially a **killswitch**. It is a fail-safe that ensures that if your VPN connection fails, it does *NOT* let anything through. > :information_source: This lets pass DNS requests to internal Qubes OS DNS servers and also ICMP, see the next section if you need to block everything Open the configuration file in a text editor and take note of the IP address right next to `Endpoint`. If the line looks like the following, then you take note of the IP address as `1.2.3.4`. |
| > :information_source: Make sure `fedora- | > :information_source: Make sure `fedora-40` template is installed ([instructions](https://www.qubes-os.org/doc/templates/fedora/#installing)) (so far, this works with fedora 38/39/40 and certainly later versions) |
| > : | > :information_source: If you have multiple VPNs configured in the qube, you may want one to be picked randomly at boot to connect to. |
| ``` | ``` ## Connect to a random VPN at qube start (optional) > :informations_ource: If you have multiple VPNs configured in the qube, you may want one to be picked randomly at boot to connect to. Make sure no VPN are configured for automatic connection at startup, there is a check box in the first tab of the VPN settings for that, it defaults to automatic connection. Add this code to `/rw/config/rc.local` ``` RANDOM_VPN=$(nmcli connection show | awk '/wireguard/ { print $1 }' | sort -R | head -n 1) nmcli connection up "$RANDOM_VPN" ``` |
| > :information_source: This let pass DNS requests to internal Qubes OS DNS servers and also ICMP, see the next section if you need to block everything | |
| Hit <kbd>OK</KBD> to apply and click <kbd>OK</KBD> again to apply the settings. # Block all traffic outside VPN using command line Qubes OS Firewall To configure killswitch + (DNS) leak protection + ICMP/ping blocking + protection in case of `sys-vpn` compromise, you can alternatively execute a three-liner in `dom0`, no `nft`/`iptables` needed: ``` qvm-firewall sys-vpn reset # (1) qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (2) qvm-firewall sys-vpn del --rule-no 0 # (3) ``` (1) resets firewall to one single rule `accept`ing everything (2) whitelists specific VPN gateway IP (3) removes rule (1), so there is just one whitelisted IP from (2) left Everything else is blocked safely outside `sys-vpn`. |
| ## What you'll need
This guide assumes you are using a VPN service that has wireguard support. | ## What you'll need This guide assumes you are using a VPN service that has wireguard support, most of them do, but you can also add your own if you have a server. > :information_source: ProtonVPN has a free plan, it has limits but gives you a fully working VPN and they support WireGuard. This provider is recommended on [privacyguides.com for being privacy friendly](https://www.privacyguides.org/en/vpn/#proton-vpn) (no logs) |
| nft add rule ip qubes forward tcp flags syn tcp option maxseg size set rt mtu | nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu |
| ### Killswitch > :information_source: You may want to force all qubes traffic to go through the VPN and block non-VPN traffic. | |
| > :information_source: You may want to force all qubes traffic to go through the VPN and block non-VPN traffic. | |
| ### Prevent DNS leak |
| > :information_source: TODO explain why this is needed | |
| > :information_source: You may want to force all qubes traffic to go through the VPN and block non-VPN traffic. | |
| nft add rule qubes custom-forward oifname eth0 counter drop nft add rule ip6 qubes custom-forward oifname eth0 counter drop ``` > :information_source: You may also want to force using a defined DNS server (9.9.9.9 in the current example) and blocking all other DNS servers (this avoids dns leaks) ``` | |
| nft add chain qubes nat { type nat hook prerouting priority dstnat\; } nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS" nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS" |
| After that you're done :partying_face: | After that you're done :partying_face: ## Some websites aren't working This is certainly related to an MTU issue (the packet payload size), I got this issue only with `www.duckduckgo.com` for instance, so it could be very specific. A solution is to force the qubes using the VPN provider qube to use a lower MTU, this can be easily achieved using a firewall rule. Add this to `/rw/config/qubes-firewall-user-script`: ``` nft add rule ip qubes forward tcp flags syn tcp option maxseg size set rt mtu ``` |
| - **networking:** sys-firewall (⚠️ make sure it is NOT “(default) sys-firewall” but instead “sys-firewall) | |
| And then <kbd>OK</kbd>. Then the qube settings window should show up ( | And then <kbd>OK</kbd>. Then the qube settings window should show up (proceed to the next step). |
| Maybe instead of show up will be available to be started from upper left Q / Services. |
| And then <kbd>OK</kbd>. Then the qube settings window should show up (procced to the next step). | And then <kbd>OK</kbd>. Then the qube settings window should show up (procced to the next step). Maybe instead of show up will be available to be started from upper left Q / Services. |
| ``` | ``` <div data-theme-toc="true"> </div> |
| - ☑️ Launch settings after | - ☑️ Launch settings after creation - <kbd>advanced</kbd> (tab) » Provides network access to other qubes And then <kbd>OK</kbd>. Then the qube settings window should show up (procced to the next step). |
| VPN | # Prevent the qube to forward traffic outside of the VPN |
| iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to "$ | # Redirect all the DNS traffic to the preferred DNS server DNS=9.9.9.9 iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to "$DNS" iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to "$DNS" |
| Good news, with fedora-38 the network manager supports Wireguard out of the box! The only thing required are extra firewall rules in the VPN qube, as explained in [the community documentation about VPN](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md). ## What you'll need This guide assumes you are using a VPN service that has wireguard support. For example, ProtonVPN and Mullvad VPN do support it. But you can also follow this guide to add any other (even your own). ## Create a new qube providing network > :information_source: Make sure `fedora-38` template is installed ([instructions](https://www.qubes-os.org/doc/templates/fedora/#installing)) Menu » Qubes Tools » Create Qubes VM: - **name**: sys-vpn (you pick yours) - **template:** `fedora-38` - **type:** `app qube` (or AppVM) - ☑️ Launch settings after creation (and proceed to the next step) ### Enable service “network-manager” in sys-vpn  In the settings windown that popped up, go to the <kbd>Services</kbd>, select `network-manager` from the drop-down list and click <kbd>:heavy_plus_sign: add</kbd>. Then save the settings by clicking <kbd>OK</kbd>. ## Get your wireguard VPN configuration file Go your VPN provider and either get a download a configuration file **for wireguard** (e.g.: `vpn.conf`) On your VPN provider download the **wireguard** configuration for the server you want to connect to. Here are the download pages for some popular VPN services: [Mullvad](https://mullvad.net/en/account/wireguard-config), [ProtonVPN](account.proton.me/u/0/vpn/WireGuard) ## Use the Qube GUI to set the firewall to the VPN endpoint (this avoids leaks) > :information_source: This is essentially a **killswitch**. It is a fail-safe that ensures that if your VPN connection fails, it does let anything through. Open the configuration file in a text editor and take note of the IP address in right next to `Endpoint`. If the line looks like the following, then you take note of the IP address as `1.2.3.4`. > ``` > Endpoint = 1.2.3.4:5555 > ``` Open the qube settings for `sys-vpn` and navigate to the <kbd>Firewall rules</kbd> tab and set <kbd>:radio_button: Limit outgoing connections to</kbd>.  Then click on <kbd> :heavy_plus_sign:</kbd> to add a new firewall and add your saved IP address(es)  Hit <kbd>OK</KBD> to apply and click <kbd>OK</KBD> again to apply the settings ## Configure your VPN in the Network Manager On the qube on which you downloaded your wireguard configuration (e.g.: `vpn.conf`), open the file explorer where the file was saved. Then right-click a file and <kbd>Copy to another AppVM</kbd> and choose to `sys-vpn` as the target. Open your file manager in `sys-vpn` and find the `<NAME>.conf` file you just copied. It should in the directory `QubesIncoming`. Move it to your home directory. Open the `Terminal` application on your `sys-vpn` qube and run the following command (replacing `<NAME>.conf` with the correct name of the file): ```text nmcli connection import type wireguard file vpn.conf ``` If successful, you should see a notification about successful connection. If that doesn't happen, something may be wrong with your config file:  > :information_source: You should also see an icon with a padlock  in the top-right corner of your screen (system tray). This indicates that your VPN connection is active. Without a padlock, means that it failed to connect. ## Assign a VM to the new Qube network to use the VPN Now that the VPN is configured, for each qube that you want to connect to the VPN, open its settings and set `networking` to `sys-vpn`. If you want this to be the default net qube, then you can set it in the Qubes Global Settings. After that you're done :partying_face: ## Hardening (optional) > :information_source: TODO explain why this is needed Add the rules below in `/rw/config/qubes-firewall-user-script` in `sys-vpn`: | |
| ``` | ``` |
| * Use the Qube GUI to set the firewall to the VPN endpoint (this avoids leak) | |
| ``` | ``` I’d be glad to contribute to a solid documentation about VPN qubes, but I’m not sure to understand where to put the efforts. |
| The only thing required are extra firewall rules in the VPN qube, as explained in [the community documentation about VPN](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md). | The only thing required are extra firewall rules in the VPN qube, as explained in [the community documentation about VPN](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md). Basically * Create a new Qube providing network * Enable service "network-manager" in it * Configure your VPN in the network manager * Add the rules below * Assign a VM to the new Qube network to use the VPN |