Skip to content
/ qubes-wireguard- Public
forked from hkbakke/qubes-wireguard

Wireguard VPN setup for Qubes OS

0 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hexstore/qubes-wireguard-

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits

bin

bin

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

config.example

config.example

 
 

Repository files navigation

Description

Wireguard configuration script for Fedora 36 template in Qubes OS

After setup you will have the following:

  • A reusable wireguard template
  • A wireguard VPN managed by wg-quick that starts automatically at boot
  • Properly configured firewall that only forwards app VM traffic connected to the VPN qube network to the VPN. If the VPN is down, the app VM traffic to WAN is dropped.
    • Only the app VMs connected to the VPN qube network are protected
    • The VPN qube's own output traffic is not protected if the VPN is down. So don't use the VPN qube for applications. This is by design as it has to speak directly to the WAN to establish the tunnel. By using a dedicated VPN qube and the Qubes OS network design properly we can work around this for our client apps without having complicated and hard to verify rulesets in place to contain locally generated traffic, and the more challenging DNS requests, as one would need to have if the VPN client runs on the same host as the application that needs protection. Also I don't personally like the concept of the VPN client host to be responsible (and hence trusted) for its own protection to avoid leaks, so I would avoid it and use the dedicated VPN gateway approach in all cases if possible. In qubes we have the luxury option to put another network gateway in front of the VPN gateway that may enforce the leak-protection policy externally without implicitly trusting the VPN client host if you for some reason want to use the VPN qube for sensitive applications.
  • TCP MSS clamping to avoid MTU issues when used as a network provider
  • Wireguard DNS handled via Qubes' DNS DNAT rules

Reusable wireguard template

First clone the fedora 36 template to e.g. fedora-36-wireguard. Then run the template configuration script.

sudo ./bin/wg-template-conf

Stop the template VM before continuing.

VPN Qube

  • Create a new qube based on the wireguard template
  • Ensure Provides network is enabled
  • You probably also want to enable Start qube automatically on boot

Configuration

  • Clone this repo

  • Copy config.example to config and change permissions to protect it

      cp config.example config
  chmod 600 config

  • Edit the configuration file

  • Run the configuration script

      sudo ./bin/wg-appvm-conf

  • Reboot the VPN qube to activate the changes

About

Wireguard VPN setup for Qubes OS

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%