I've followed this tutorial in order to force all traffic to go through the VPN - https://www.qubes-os.org/doc/vpn/ .
While this was successful, I'm no longer able to do any updates on the TemplateVMs (except the Whonix ones, which are working fine); it seems that the traffic is somehow now blocked.
Does anyone know what rule should be added to iptables in order to have this working through the VPN?
I've dropped all forward traffic (either upstream or downstream) from the sys-fw as suggested:
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
Do I need to allow the forwarding of traffic to and from the subnet 10.137.1.0/24 in order to have the updates working again?
Thanks
Thanks for the suggestion.
Just to clarify, the VPN tunnel was created within sys-firewall, and currently that's the only ProxyVM I'm using (apart from sys-whonix), hence all traffic from sys-net isn't encapsulated by the tunnel.
My understanding is that sys-firewall merely forwards the traffic through sys-net by adding a forward rule in sys-firewall every time a new VM is started. For that reason I was wondering whether I could solve this more effectively by simply adding a forwarding rule in sys-firewall to whitelist all traffic originating from 0.0.0.0/0 to the destination address 10.137.255.254/32 and port 8082. Wouldn't this be possible?
Privacy during updates is not an issue for me; on the contrary, this would allow more network throughput.
I confess I'm not very keen on changing templates or creating a dedicated ProxyVM for this purpose.
Thanks
"The 'sys-firewall' AppVM is not connected to a FirewallVM!
You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
I would expect this warning to be normal, right? Is there any risk in terms of IP leakage to allow all the output traffic from the sys-firewall to the sys-net?
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082
And also the corresponding rule on the INPUT chain:
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082
So you don't need to do this by hand.
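The two things discussed so far are the FORWARD drops on eth0 from the VPN doc (first post) and the REDIRECT to the updates proxy at 10.137.255.254:8082 in chain PR-QBS-SERVICES (the listing just above). The script below is an added example, not code from the thread or from the Qubes project: it audits a saved `iptables -vnL` / `iptables -t nat -vnL` dump for both, so you can see at a glance whether the anti-leak drops are in place and whether the updates-proxy redirect still exists. The dumps embedded here are constructed samples shaped like the output in the thread; on a real system you would feed it the output of those two commands from the VPN ProxyVM.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): audit an iptables
# dump for (1) the FORWARD drops on eth0 and (2) the REDIRECT to the updates
# proxy 10.137.255.254:8082 in the nat chain PR-QBS-SERVICES.

# Constructed sample of `iptables -vnL` (filter table) from a VPN ProxyVM.
SAMPLE_FILTER='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
'

# Constructed sample of `iptables -t nat -vnL`, shaped like the thread's listing.
SAMPLE_NAT='Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082
'

# has_forward_drop DUMP IFACE in|out
# Succeeds if the FORWARD chain holds a DROP rule whose in (or out) interface
# matches IFACE. Columns in -vnL output: pkts bytes target prot opt in out src dst.
has_forward_drop() {
    printf '%s\n' "$1" | awk -v iface="$2" -v dir="$3" '
        /^Chain /             { inchain = ($2 == "FORWARD"); next }
        inchain && $3 == "DROP" {
            if ((dir == "in"  && $6 == iface) ||
                (dir == "out" && $7 == iface)) found = 1
        }
        END { exit !found }'
}

# has_updates_redirect NAT_DUMP
# Succeeds if PR-QBS-SERVICES redirects tcp from vif+ to 10.137.255.254:8082,
# i.e. the rule Qubes installs for the updates proxy.
has_updates_redirect() {
    printf '%s\n' "$1" | awk '
        /^Chain /   { inchain = ($2 == "PR-QBS-SERVICES"); next }
        inchain && $3 == "REDIRECT" && $4 == "tcp" && $6 == "vif+" &&
            $9 == "10.137.255.254" && $0 ~ /dpt:8082/ { found = 1 }
        END { exit !found }'
}

# audit_vpn_proxy FILTER_DUMP NAT_DUMP
# Prints one line per check; returns 0 only if all three are present.
audit_vpn_proxy() {
    rc=0
    if has_forward_drop "$1" eth0 in; then
        echo "ok:      FORWARD drops traffic arriving on eth0"
    else
        echo "MISSING: iptables -I FORWARD -i eth0 -j DROP"; rc=1
    fi
    if has_forward_drop "$1" eth0 out; then
        echo "ok:      FORWARD drops traffic leaving via eth0"
    else
        echo "MISSING: iptables -I FORWARD -o eth0 -j DROP"; rc=1
    fi
    if has_updates_redirect "$2"; then
        echo "ok:      PR-QBS-SERVICES redirects vif+ -> 10.137.255.254:8082"
    else
        echo "MISSING: updates-proxy REDIRECT in nat chain PR-QBS-SERVICES"; rc=1
    fi
    return "$rc"
}

# Stand-alone run over the constructed samples.
audit_vpn_proxy "$SAMPLE_FILTER" "$SAMPLE_NAT"
```

On a live ProxyVM, replace the two samples with `iptables -vnL` and `iptables -t nat -vnL` output; a MISSING line for the redirect explains why TemplateVM updates fail even though the DROP rules are doing their job.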
@Manuel I agree with you, the instructions in the Qubes VPN doc don't outline this step. And this is necessary to have the updates working while forcing all the traffic through the VPN.
Can someone add some references to the VPN article (https://www.qubes-os.org/doc/vpn/) in the same manner as is reflected in this page - https://www.qubes-os.org/doc/software-update-vm/#updates-proxy ? Since anyone following the VPN article, as it is, would not have the yum/apt updates working.