I've searched and seen various threads, but nobody has actually followed up with what they ended up doing.

First: This does allow a piece of software to read your keyboard and mouse movements.

With that out of the way...

  1. Installing Synergy

Use sudo qubes-dom0-update openssl to install openssl, which is a requirement of Synergy.

Get the Synergy package for Fedora Core (v37 for 4.2) on the dom0. I used qvm-run -p <qube, like personal> 'tar c <folder with synergy in it>' | tar xv

sudo dnf install <synergy>.rpm

Once that's done, start up Synergy. Enter your serial number when prompted. If it is running, stop the server. Go to Edit -> Preferences. Set Network IP to 127.0.0.1.

Enable Encryption, set Key length to 4096, as it will error if the key is too short. Save. Start the server.

  2. Allow single port connection from forwarding qube to dom0

We need to allow our one port to connect to the dom0 on 127.0.0.1.

Create file /etc/qubes/policy.d/30-synergy.policy with the content:

qubes.ConnectTCP +24800 sys-synergy dom0 allow

Where 24800 is the default port, and sys-synergy is the qube we will create shortly.

  3. Create qube and set up forwarding to dom0

Create a new Qube in Qubes manager - Click New qube, name it sys-synergy, whatever color you feel comfortable with, and whatever template you like. Use sys-firewall (your default hopefully). Check the box for settings. Check box to start qube on boot.

We are going to use the method covered in the firewall docs and create a systemd service.

Here's the layout:

user@sys-synergy:~$ cd /rw/config/
user@sys-synergy:/rw/config$ ls -l
total 24
drwxr-xr-x 2 root root 4096 May  2 23:30 network-hooks.d
-rwxr-xr-x 1 root root  484 May  2 23:21 qubes-firewall-user-script
-rwxr-xr-x 1 root root  649 May  3 07:49 rc.local
-rw-r--r-- 1 root root  200 May  2 23:21 suspend-module-blacklist
-rw-r--r-- 1 root root  139 May  3 07:52 synergy@.service
-rw-r--r-- 1 root root  127 May  3 07:51 synergy.socket
user@sys-synergy:/rw/config$ cat rc.local 
#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.
#
# Executable scripts located in /rw/config/rc.local.d with the extension
# '.rc' are executed immediately before this rc.local.
# Example:
#  /rw/config/rc.local.d/custom.rc
#
# Example for overriding the whole CUPS configuration:
#  rm -rf /etc/cups
#  ln -s /rw/config/cups /etc/cups
#  systemctl --no-block restart cups
cp -r /rw/config/synergy.socket /rw/config/synergy@.service /lib/systemd/system/
systemctl daemon-reload
systemctl start synergy.socket
user@sys-synergy:/rw/config$ cat synergy.socket 
[Unit]
Description=Forward Synergy to Dom0

[Socket]
ListenStream=0.0.0.0:24800
Accept=true

[Install]
WantedBy=sockets.target

user@sys-synergy:/rw/config$ 

  4. Set up firewall rules

I'm currently using the "qvm-port-forward" script, which adds rules on sys-synergy, sys-firewall, and sys-net.

On dom0:

qvm-port-forward -a add -q sys-synergy -p 24800 -n tcp

If you have another qube you need to control (like a Windows HVM) - on sys-firewall:

sudo nft add rule ip qubes custom-forward ip saddr <IP of sys-synergy> ip daddr <IP of Windows HVM> ct state new,established,related counter accept

I haven't looked at the rules created directly, and it does have a --persistent flag that can be used to save them.

I got this all working yesterday, and wanted to get this out there for those it may help. This was a blocker for me even thinking about using Qubes on a daily basis, as I share my keyboard / mouse between my personal desktop and my work laptop. But I do like the idea of being able to compartmentalize things, so I looked to find a reasonable solution, and I think this works reasonably well. But I also acknowledge that this is still unacceptable for some.

-Matt
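
Added example (not part of the post above and not Qubes' own tooling): the policy file /etc/qubes/policy.d/30-synergy.policy is what lets a qube open a TCP connection into dom0, so this checks that no qubes.ConnectTCP allow rule reaching dom0 is wider than the one source qube and port intended. The five-field rule layout, the handling of `target=`, the function name and the sample policy text are assumptions constructed for illustration.

```python
# Added example: audit qubes.ConnectTCP rules that let a qube reach dom0.
# Assumed rule layout: service +argument source target action [params]
DOM0_TARGETS = {"dom0", "@adminvm", "*"}
BROAD_SOURCES = {"*", "@anyvm"}  # treated as "any qube" for this check


def audit_connecttcp(policy_text, source="sys-synergy", port="24800"):
    """Return (line_no, reason) pairs for allow rules into dom0 that are
    wider than the single source qube and port the post intends."""
    findings = []
    for line_no, raw in enumerate(policy_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5:
            continue  # blank line, comment, or not a full rule
        service, arg, src, dst, action = fields[:5]
        if service not in ("qubes.ConnectTCP", "*") or action != "allow":
            continue
        # "allow target=dom0" redirects the call, so honour it if present.
        for param in fields[5:]:
            if param.startswith("target="):
                dst = param.split("=", 1)[1]
        if dst not in DOM0_TARGETS:
            continue
        if service == "*":
            findings.append((line_no, "wildcard service reaches dom0"))
        if arg != "+" + port:
            findings.append((line_no, f"argument {arg} is not +{port}"))
        if src in BROAD_SOURCES:
            findings.append((line_no, f"source {src} matches any qube"))
        elif src != source:
            findings.append((line_no, f"unexpected source {src}"))
    return findings


# Constructed sample: line 1 is the rule from the post, the rest are mistakes.
SAMPLE = """\
qubes.ConnectTCP +24800 sys-synergy dom0 allow
qubes.ConnectTCP * sys-synergy dom0 allow
qubes.ConnectTCP +24800 @anyvm @default allow target=dom0
qubes.ConnectTCP +22 work sys-net allow
"""

if __name__ == "__main__":
    for line_no, reason in audit_connecttcp(SAMPLE):
        print(f"line {line_no}: {reason}")
```

To check a real file, pass its contents to audit_connecttcp() in dom0; an empty list means every ConnectTCP allow rule into dom0 matches the expected source and port.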