VPN documentation needs update on iptables rules

[erikw]

Qubes OS version:

Qubes release 4.0 (R4.0)

Affected component(s):

Documentation @ https://www.qubes-os.org/doc/vpn/
regarding /rw/config/qubes-firewall-user-script

---

Steps to reproduce the behavior:

Follow the instructions at the given page

Expected behavior:

That outgoing network traffic for programs running with the GID qvpn will be allowed through the iptables rules.

Actual behavior:

Traffic is blocked

vpn-vm$ sudo sg qvpn -c 'ping 8.8.8.8
ping: sendmsg: Operation not permitted '

General notes:

I don't think this documentation notes has been updated since the release of Qubes R4. I used the very exact same instructions and setup for Qubes R3 and everything worked fine. But I assume something has changed.

I debugged this quite a while and it seems like that if you append the following line to /rw/config/qubes-firewall-user-script it works like intended:

iptables -I OUTPUT -p all -o tun0 -m owner --gid-owner qvpn -j ACCEPT

I tried many configuration variants but it seems like if we add an ACCEPT for GID qvpn for both eht0 and tun0, it works like I think it should work, i.e.

should not work:

vpn-vm$ ping 8.8.8.8

should work:

vpn-vm$ sudo sg qvpn -c 'ping 8.8.8.8

should work when openvpn is running in vpn-vm

appvm-using-vpn-vm$ ping 8.8.8.8

should not work when openvpn is NOT running in vp-nvm:

appvm-using-vpn-vm$ ping 8.8.8.8

Looking at the logs from openvpn when it starts, it changes the ip routing rules a bit. Maybe this has changed from the version that was included in Qubes R3, thus the need to allow outgoing traffic for tun0?

Maybe the author(s) of this documentation page can confirm / deny / comment this suggested added line?

Thanks,

Edit.
I found this issue now, might fix this: #3520

[tasket]

The OUTPUT rule you're adding makes pinging in the proxyVM possible, but at the (slight) expense of network isolation. One of the goals of the VPN solution is to prevent VPN VM tools from inadvertently accessing the net via the tunnel.

I would ask @adrelanos if such a rule is compatible with his criteria for isolation.

OTOH, it may be better to advise switching OUTPUT chain to ACCEPT for ping and traceroute tests. And testing from an appVM should probably be emphasized after the point where firewall rules are added (which is already the case in the proposed update).

Note that in the qubes-tunnel code (which the doc update is based on) firewall script will react to how the service name is specified. EDIT: It will be possible for the user to turn off OUTPUT restrictions for testing by not specifying a 'qubes-tunnel*' service. This will allow testing connectivity more freely from within the proxyVM, although the service will have to be started manually.

[tasket]

The OUTPUT rule you're adding makes pinging in the proxyVM possible, but at the (slight) expense of network isolation. One of the goals of the VPN solution is to prevent VPN VM tools from inadvertently accessing the net via the tunnel.

I would ask @adrelanos if such a rule is compatible with his criteria for isolation.

OTOH, it may be better to advise switching OUTPUT chain to ACCEPT for ping and traceroute tests. And testing from an appVM should probably be emphasized after the point where firewall rules are added (which is already the case in the proposed update).

Note that in the qubes-tunnel code (which the doc update is based on) firewall script will react to how the service name is specified. EDIT: It will be possible for the user to turn off OUTPUT restrictions for testing by not specifying a 'qubes-tunnel*' service. This will allow testing connectivity more freely from within the proxyVM, although the service will have to be started manually.

[erikw]

Clarification

The whole idea of the solution currently online at https://www.qubes-os.org/doc/vpn/ is that only programs running under gid "qvpn" is allowed by iptables OUTPUT, and that the only program in the VPN VM that is supposed to be run under this gid is openvpn.

So in my example, ping from within the vpn using gid qvpn was just an example. openvpn does not work either without my suggested added rule.

It did work in qubes v3, but not in qubes v4. In v4 it seems like my suggested rule is needed for openvpn to be able to connect out to net-vm.

[erikw]

Clarification

The whole idea of the solution currently online at https://www.qubes-os.org/doc/vpn/ is that only programs running under gid "qvpn" is allowed by iptables OUTPUT, and that the only program in the VPN VM that is supposed to be run under this gid is openvpn.

So in my example, ping from within the vpn using gid qvpn was just an example. openvpn does not work either without my suggested added rule.

It did work in qubes v3, but not in qubes v4. In v4 it seems like my suggested rule is needed for openvpn to be able to connect out to net-vm.