Help with qubes-vpn-support

[lu...@firemail.cc]

I'm setting up wireguard, but encountered an issue with
qubes-vpn-support (https://github.com/tasket/Qubes-vpn-support).

Traffic from my vpn proxyvm ('sys-mullvad') is getting through. Apt
updates and installations, wget, ping, etc all work from within
sys-mullvad. I don't think this is expected behavior.

FWIW, I'm on Qubes 4.0.3, with the debian 10 minimal template used for
this. Tried the debian 10 template too, to the same effect. Did I miss
anything?

[Chris Laprise]

The Wireguard mode uses an egress configuration where traffic initiated
from inside the VPN VM is permitted (note this is how the Qubes vpn doc
now does it as well, with Marek's approval).

This doesn't affect the fail-safes for traffic initiated from either
side of the VPN VM (e.g. nothing can go 'around' the VPN link).

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

[Abel Luck]

lu...@firemail.cc:

> I'm setting up wireguard, but encountered an issue with
> qubes-vpn-support (https://github.com/tasket/Qubes-vpn-support).
>
> Traffic from my vpn proxyvm ('sys-mullvad') is getting through. Apt
> updates and installations, wget, ping, etc all work from within
> sys-mullvad. I don't think this is expected behavior.

What do you mean "getting through"? Is it going through the vpn or going
over your local network?

If it is the former, then there is no issue. Traffic originating from
the vpn proxy vm should go out over the vpn.

~abel