Hi, Today I needed to use a WireGuard VPN.

Good news, with fedora-38 the network manager supports Wireguard out of the box!

The only thing required are extra firewall rules in the VPN qube, as explained in the community documentation about VPN. Basically

• Create a new Qube providing network
• Enable service "network-manager" in it
• Configure your VPN in the network manager
• Use the Qube GUI to set the firewall to the VPN endpoint (this avoids leak)
• Add the rules below
• Assign a VM to the new Qube network to use the VPN

To add in /rw/config/qubes-firewall-user-script

VPN=9.9.9.9

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to "$VPN"
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to "$VPN"

I’d be glad to contribute to a solid documentation about VPN qubes, but I’m not sure to understand where to put the efforts.