
qubes-wireguard's People

Contributors

hkbakke


qubes-wireguard's Issues

Incoming connections inside the tunnel

Thank you for the great configuration script.

I was able to set up a chain like this that works well for outgoing connections:

AppVM => WireguardVM => FirewallVM => NetVM

However, when I send incoming traffic, it does not reach the destination. Ideally the destination would be inside the AppVM, but even when it's inside WireguardVM, which has IP address 10.9.0.8, I cannot reach it. More specifically, I can ping other hosts within the VPN network from AppVM, such as 10.9.0.6, but not WireguardVM itself. TCP traffic does not come through either.

Do you have an idea how to enable inbound traffic into the WireguardVM? The official firewall docs have lots of useful information, but they didn't help me achieve the goal.

Does Not Work

[user@sys-vpn-wireguard ~]$ git clone https://github.com/hkbakke/qubes-wireguard
Cloning into 'qubes-wireguard'...
remote: Enumerating objects: 43, done.
remote: Counting objects: 100% (43/43), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 43 (delta 20), reused 27 (delta 10), pack-reused 0
Receiving objects: 100% (43/43), 6.51 KiB | 6.51 MiB/s, done.
Resolving deltas: 100% (20/20), done.
[user@sys-vpn-wireguard ~]$ ls
Desktop    Downloads  Pictures  Templates  qubes-wireguard
Documents  Music      Public    Videos
[user@sys-vpn-wireguard ~]$ cd qubes-wireguard
[user@sys-vpn-wireguard qubes-wireguard]$ ls
README.md  bin  config.example
[user@sys-vpn-wireguard qubes-wireguard]$ cp config.example config
[user@sys-vpn-wireguard qubes-wireguard]$ chmod 600 config
[user@sys-vpn-wireguard qubes-wireguard]$ ls
README.md  bin  config  config.example
[user@sys-vpn-wireguard qubes-wireguard]$ sudo ./bin/qubes-wg-conf
[user@sys-vpn-wireguard qubes-wireguard]$

Here is a copy of my config file (using Mullvad):

WG_ADDRESS="10.64.185.11/32,fc00:bbbb:bbbb:bb01::1:b90a/128"
WG_DNS="193.138.218.74"
WG_PRIVATE_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
WG_PEER_PUBLIC_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
WG_ENDPOINT="193.138.218.74"

When attaching a disposableVM's networking to the wireguard App, the internet is accessible via the original WAN connection (i.e. IP leak).

Having difficulty getting it working

[user@sys-vpn ~]$ git clone https://github.com/hkbakke/qubes-wireguard
Cloning into 'qubes-wireguard'...
remote: Enumerating objects: 101, done.
remote: Counting objects: 100% (101/101), done.
remote: Compressing objects: 100% (77/77), done.
remote: Total 101 (delta 51), reused 43 (delta 17), pack-reused 0
Receiving objects: 100% (101/101), 17.87 KiB | 397.00 KiB/s, done.
Resolving deltas: 100% (51/51), done.
[user@sys-vpn ~]$ cd qubes-wireguard
[user@sys-vpn qubes-wireguard]$ cp config.example config
[user@sys-vpn qubes-wireguard]$ chmod 600 config
{After this, I edited the config file with the details given to me by ProtonVPN Wireguard Configuration, then saved it before running the following command}
[user@sys-vpn qubes-wireguard]$ sudo ./bin/wg-appvm-conf
[user@sys-vpn qubes-wireguard]$

The above is the terminal output of the sys-vpn I created, based off the fedora-38-wireguard template I cloned from fedora-38 (I also cloned the repo to the template in order to run the "sudo ./bin/wg-templatevm-conf" command, then shut it down before making the sys-vpn and running the above commands).

After the final terminal output, I shut down sys-vpn, set my work Qube to use sys-vpn for network, then started sys-vpn again. I don't know that I am supposed to do anything else after this, because there are no further instructions from here. I tried loading my IP on my Work Qube's Firefox and I am not showing any change, still leaking my IP. I am not sure what else I need to do, if I have to run some app or command on sys-vpn or something... it was not made clear in the instructions if that is the case.

Any offered assistance is much appreciated!

One thing I do want to note: when I ran "sudo ./bin/wg-templatevm-conf" it seemed to do a lot of things, but the appvm-conf just immediately skips to the next line, so I have no idea if that is expected behavior or not.
