Forwarding a port to a VM behind a VPN ProxyVM

Verifiable List

Oct 25, 2019, 9:04:59 PM
to qubes...@googlegroups.com
Hello All,

I use Mullvad as my VPN provider. They allow you to forward a port
through the VPN. However, I'm having a hard time wrapping my head around
how to get this to work with Qubes OS. This is what the network chain in
question looks like:

AppVM > ProxyVM (VPN Client Here) > sys-firewall > sys-net > Internet

Because the port is being forwarded through the VPN tunnel, I expected
it to be accessible from the ProxyVM without altering the configurations
on sys-net or sys-firewall. However, after enabling the port forward on
Mullvad and testing as described in their documentation:

- In a terminal window, run netcat -l -p <port>
- In another terminal window, run curl https://ipv4.am.i.mullvad.net/port/<port>
- If everything is working properly, the result will show "reachable:true".

the result is always "reachable:false". (Note: I'm running this test on
the ProxyVM itself.)

Any assistance would be appreciated.

Thank you.

unman

Oct 27, 2019, 11:10:11 AM
to qubes...@googlegroups.com
If you look at the firewall rules I suspect that you will find that the
inbound rule only accepts connected traffic, whereas this would be NEW.
Certainly on the appVM you will need a rule to allow inbound traffic to
the target port.
I don't know the detail of how Mullvad deals with port forwarding, but
you should be able to identify the port that is accessed (this may not
be the same as the target on the appVM). I assume that in the
documentation you will find a reference to what firewall ports you need
to open on the ProxyVM for inbound traffic.
It's *possible* that you'll have to open inbound ports on sys-firewall
AND sys-net in the forward chains, depending on the implementation. Check
the Mullvad docs.

unman
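
The point in the reply above, that a rule set accepting only already-connected traffic turns away the NEW connection made by the port test, can be checked against a dump of the ProxyVM's rules. This is an added example, not part of the thread: the rule set, the `tun0` interface name and port 50000 are constructed, and the evaluator models only `-i`, `-p`, `--dport` and connection-state matches with first-match semantics.

```python
import shlex

# Constructed iptables-save excerpt for a VPN ProxyVM (not taken from the thread).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vif+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Same rules with an explicit allow for NEW TCP on the forwarded port
# (tun0 and 50000 are assumed values), inserted before the final REJECT.
ALLOW = "-A INPUT -i tun0 -p tcp -m tcp --dport 50000 -m conntrack --ctstate NEW -j ACCEPT\n"
FIXED_RULES = SAMPLE_RULES.replace("-A INPUT -j REJECT", ALLOW + "-A INPUT -j REJECT")

def iface_match(pattern, iface):
    # iptables treats a trailing "+" as a wildcard (vif+ matches vif3.0).
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def verdict(rules_text, chain, iface, proto, dport, state="NEW"):
    """Return (verdict, deciding rule) for one packet in one built-in chain.
    Simplified model: no negation, port ranges, -s/-d, or user-chain jumps."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]          # chain default policy
        if not line.startswith(f"-A {chain} "):
            continue
        tok = shlex.split(line)
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if "-i" in opts and not iface_match(opts["-i"], iface):
            continue
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "--dport" in opts and opts["--dport"] != str(dport):
            continue
        states = opts.get("--ctstate") or opts.get("--state")
        if states and state not in states.split(","):
            continue                          # e.g. NEW vs RELATED,ESTABLISHED
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"], line           # first terminating match wins
    return policy, f"policy {policy}"

if __name__ == "__main__":
    for name, rules in (("original", SAMPLE_RULES), ("with allow rule", FIXED_RULES)):
        print(name, "->", verdict(rules, "INPUT", "tun0", "tcp", 50000))
```
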
