Connection via a proxyVM with a VPN client, VM's have no acces to LAN devices

[Fredrik]

How do I I set up access to my LAN devices? In this case my NAS that is located on my 192.168.1.1/24 network. The VM's are of course NAT in this case 10.137.4/24.

My proxy-vm is connected to the default sys-firewall if i switch to sys-net I can access my nas for a minute or so then it stops working. I could see it stop working at the same time since I pinged the NAS from 3 VM's.

What am I doing wrong?

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

As long as you have your firewall rules set correctly (to allow
traffic to the correct IP address, range, or CIDR block) from
whichever VMs you want to access those devices from, it should work,
even if connected to the FirewallVM.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXgGYnAAoJENtN07w5UDAwWLIP/3yZwdZvi2LRUJyuY5tmK2JE
cEbJ2+egNEblz/dV9y//MxozJo/j97CDJyJq6G9u66STEmQXjIc+V8VEN/2JAM1k
GHsZgaYhtHntIqsw5057Ap77XGZtwmE1Uftqr1EpnD9GtZVOajWiX2Avow3tTQNK
taYQLYbn19I3rzNFAQPP6a9u8ATS9nSEN8PD+7D/+Ex7AD+0m0T20D/zqPP5Ao44
LOmmGqZdqkL0YzKBTbggmhK/+uheJdeIwTT5jBnVnN8HWdA2D0vEnQtyJb41+fKI
LFsP35ZBBmI5h34IdqjQR8yV3rLuEtYU3rE0aYXSaIEYdO8GZWv4dhrw/2aZrp3k
YJMg+WRYhrlb61LM7asqYrgVyoKl4eCLn2AYXB3jQcKxbYmp+A04p4C+rJhPXBoA
XVjx2vyUQMrT/JQbTMMZh0GtQDcHsf3zuijiVmQWswNMXosr31tS+wXJQke5XytJ
wa9aUQu+xqdStczy51ytDh+DN4jRu/a6bk+S9dGSpmj9ya3a2BeR1FYnR7y6II+x
FT6swrpZukJ3LK93YiTAd/uXoCRyvMoeQXLrT8cub9SUArjeg4FN24kitMPPie0J
VttfWUFtXjloAED7I7qAVCYail9+fJWFyoHJxy4lCsCmhbI9NkDsaa+nBnxkFW/z
eBmnWfcd3hiSEZI/bfzG
=6pZd
-----END PGP SIGNATURE-----

[Fredrik]

My firewall rules allows for everything but when I do a traceroute from a vm to my NAS on my lan all traffic goes trough my VPN to the public internet.

MyVM -> VPN (proxyVM) - > sys-firewall -> sys-net
tried this setup as well
MyVM -> sys-firewall -> VPN (proxyVM) -> sys-net

Then I figured outh it must be my open VPN client (proXPN) that is not behaving. Even when I run the vpn client inside an AppVM I cant acces my LAN and trace-route shows it is trying to find my NAS on the public internet.

So this is not a qubesOS issue. But if anyone know how to configure openVPN to ignore LAN traffic I would appreciate it.

[Chris Laprise]

Openvpn will usually set a default gateway (reroute all traffic) unless
you tell it otherwise. Check out the '--route' directives and the
openvpn website for help with configuration.

Note if you don't need simultaneous access to LAN and VPN in the same
application, it may be more secure to move the LAN-based activities to
an appvm setup for that purpose. The topology would look like:

LANVM -> sys-firewall -> sys-net
MyVM -> VPN -> sys-firewall -> sys-net

Chris