tasket / Qubes-vpn-support

VPN configuration in Qubes OS
GNU General Public License v3.0
126 stars 28 forks

Cannot use sys-vpn-wg as UpdateVM #32

Closed Ranguvar closed 5 years ago

Ranguvar commented 5 years ago

After following the recently updated WireGuard guide, everything looks great. However, if I use qubes-prefs to change UpdateVM to sys-vpn-wg, qubes-dom0-update fails with:

"Error: Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again Usage: "yumdownloader [options] package1 [package2] [package...]""

Switching back to sys-firewall UpdateVM fixes it.

tasket commented 5 years ago

@Ranguvar Can regular appVMs communicate through the VPN?

tasket commented 5 years ago

Oh, I just noticed you set the Update VM to sys-vpn-wg. That generally won't work because the update VM should be downstream from the VPN VM for the link to be fully secured.

It should work if you make a 'provides network' VM set as the Update VM, with its netvm set to sys-vpn-wg. This is how I update over the VPN.

You can try to set up sys-vpn-wg to work as an Update VM, but this means anti-leak doesn't work for updates. Setting nameservers with resolvconf should get it working.
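The 'provides network' Update VM that tasket describes above, as an added dom0 script that is not part of this issue or of the Qubes-vpn-support project: it creates a proxy VM downstream of sys-vpn-wg, makes it the UpdateVM, and checks that dom0 updates are routed through the VPN VM rather than from it. The names sys-update and fedora-XX are placeholders (assumptions), as are the VPN_VM/UPDATE_VM/TEMPLATE overrides.

```shell
#!/bin/sh
# Run in dom0. Builds the chain  sys-update -> sys-vpn-wg -> (upstream)
# and makes sys-update the UpdateVM, so dom0 update traffic leaves through
# the VPN VM and stays covered by its anti-leak rules.
# sys-update and fedora-XX are placeholders; only sys-vpn-wg is from the thread.
set -eu

VPN_VM=${VPN_VM:-sys-vpn-wg}
UPDATE_VM=${UPDATE_VM:-sys-update}
TEMPLATE=${TEMPLATE:-fedora-XX}   # placeholder: pick a template you have

# Create a minimal proxy VM downstream of the VPN VM and make it the UpdateVM.
create_update_vm() {
    qvm-create --class AppVM --template "$TEMPLATE" --label orange "$UPDATE_VM"
    qvm-prefs "$UPDATE_VM" provides_network True   # proxy VM, not a plain AppVM
    qvm-prefs "$UPDATE_VM" netvm "$VPN_VM"          # downstream of the VPN VM
    qubes-prefs updatevm "$UPDATE_VM"
}

# Check the chain: the UpdateVM must not be the VPN VM itself (that is the
# configuration from the report, which bypasses anti-leak), it must provide
# network, and its netvm must be the VPN VM. Returns 0 only when all hold.
verify_update_chain() {
    vm=$(qubes-prefs updatevm)
    if [ "$vm" = "$VPN_VM" ]; then
        echo "UpdateVM is the VPN VM itself: updates are not behind anti-leak" >&2
        return 1
    fi
    if [ "$(qvm-prefs "$vm" netvm)" != "$VPN_VM" ]; then
        echo "UpdateVM $vm is not routed through $VPN_VM" >&2
        return 1
    fi
    if [ "$(qvm-prefs "$vm" provides_network)" != "True" ]; then
        echo "UpdateVM $vm does not provide network" >&2
        return 1
    fi
    echo "ok: updates go $vm -> $VPN_VM"
}

# Only change anything when explicitly asked; otherwise the file can be
# sourced to run verify_update_chain on an existing setup.
if [ "${1:-}" = "apply" ]; then
    create_update_vm
    verify_update_chain
fi
```

Run `sh update-vm.sh apply` in dom0 once, then `verify_update_chain` alone any time you want to confirm the UpdateVM is still behind the VPN.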

Ranguvar commented 5 years ago

Thanks, making a sys-update VM works great!

It's off-topic for this, but I'm not sure where exactly the firewalling is done inside of Qubes-vpn-support?

Still, thanks for your work, WireGuard is working great for me!

tasket commented 5 years ago

You can read about the firewall settings here:

https://github.com/tasket/Qubes-vpn-support#about-proxy-firewall-restrict

The basic idea is to forbid any/all forwarding to and from the upstream interface (the virtual eth0). The setup script also checks that these rules are active before starting the VPN.

Note: these rules are controlled by qubes-firewall, but they are internal, not the external rules you can set in the Qubes GUI.