@Joeviocoe
Last active January 3, 2024 22:44
Qubes-OS socket connection to allow external connections
#!/bin/bash
# Usage: qvm-portfwd-socat NETVM TARGETVM SERVICE TCP_PORT
# Opens TCP_PORT in NETVM and forwards each incoming connection through qrexec
# to the qubes-rpc service SERVICE in TARGETVM; everything is undone on exit.
NetVM=$1
TargetVM=$2
Service=$3
TCP_Port=$4
# Remember whether TargetVM was already running, so only a VM we started gets shut down.
wasrunning=$(qvm-check --running "$TargetVM" >/dev/null 2>&1 && echo yes)
echo -ne "TCP socket connection for $Service from $NetVM to $TargetVM on port $TCP_Port...\nPress Any Key to End\n\n"
cleanup() {
    # Old iptables version, kept for pre-nftables Qubes releases:
    # qvm-run -p -u root "$NetVM" "iptables-save | grep -v 'SOCAT_PortFwd-$Service' | iptables-restore"
    # Delete only this service's rule: look up its handle by the comment set below.
    qvm-run -p -u root "$NetVM" "nft delete rule ip qubes custom-input handle \$(nft -a list chain ip qubes custom-input | grep 'SOCAT_PortFwd-$Service' | head -1 | awk '{print \$NF}')"
    qvm-run -p -u root "$NetVM" "pkill -HUP -f 'socat -d -d TCP-LISTEN:$TCP_Port'"
    qvm-run -p -u root "$TargetVM" "pkill -HUP -f 'tail -f /home/user/.config/$Service/$Service.log'"
    if [ -z "$wasrunning" ] ; then qvm-shutdown "$TargetVM" ; fi
}
# Arm the trap after the handler is defined; exit from it so cleanup does not run twice.
trap 'cleanup; exit 0' 1 2 3 6 15
qvm-start --skip-if-running "$TargetVM"
# Old iptables version:
# qvm-run -p -u root "$NetVM" "iptables -A INPUT -p tcp --dport $TCP_Port -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'SOCAT_PortFwd-$Service'"
# Accept new connections to the port in NetVM; the comment tags the rule for cleanup.
qvm-run -p -u root "$NetVM" "nft add rule ip qubes custom-input tcp dport $TCP_Port ct state new counter accept comment \"SOCAT_PortFwd-$Service\""
# Listener in NetVM: each accepted client is handed to the qrexec service in TargetVM.
qvm-run -p -u root "$NetVM" "socat -d -d TCP-LISTEN:$TCP_Port,reuseaddr,fork EXEC:'qrexec-client-vm $TargetVM $Service'" &
# Stream the service's log from TargetVM (if it keeps one) while the forward is up.
qvm-run -p -u root "$TargetVM" "tail -f /home/user/.config/$Service/$Service.log 2>/dev/null" &
read -rsn1   # any single key ends the session
cleanup
sleep 5
exit 0

Joeviocoe commented Feb 14, 2018

Inspired by qubes-issues 2148

Run this script to enable a socat TCP "port forward" connection between VMs.

Example: xterm -geometry 300x24 -e "./qvm-portfwd-socat sys-net appvm my-tcp-service 4444"

TargetVM:

Install your service on TargetVM
Ensure it is listening on the desired port on the 127.0.0.1 loopback address
In /usr/local/etc/qubes-rpc/my-tcp-service (this is stored in /rw):
sudo mkdir -p /usr/local/etc/qubes-rpc/ (if needed)
socat STDIO TCP:localhost:4444

dom0:

In /etc/qubes-rpc/policy/my-tcp-service
source-vm target-vm allow

Optional
If you wish to NOT use this script, but instead have SourceVM persistently listening and forwarding connections:

SourceVM:

Launch this command on SourceVM from a persistent location (i.e. /rw/config/rc.local)
socat TCP-LISTEN:4444,fork EXEC:"qrexec-client-vm target-vm my-tcp-service"
If SourceVM is a NetVM exposing a port externally...
iptables -I INPUT 5 -p tcp --dport 4444 -m conntrack --ctstate NEW -j ACCEPT
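A dry-run companion to the script and the setup steps above, added here as an example and not part of the gist: it checks the four arguments before they are interpolated into commands that qvm-run executes as root in the NetVM, and prints the policy line and NetVM commands it would use. All function names are assumptions, as are the VM-name and service-name character sets.

```shell
#!/bin/sh
# Added example (not from the gist): validate the forwarder's arguments and
# build the remote commands as strings, so they can be reviewed and tested
# without a Qubes system.  Nothing here runs qvm-run, nft or socat.

# VM name: letters, digits, '-' and '_' only (assumed character set); rejects
# empty names and anything a remote shell could parse as more than one word.
is_vm_name() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# qrexec service name: same set plus '.', must not start with '.' (assumed).
is_service_name() {
    case "$1" in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# TCP port: decimal 1..65535, no leading zero, no sign, no octal surprises.
is_tcp_port() {
    case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# validate_args NETVM TARGETVM SERVICE PORT: 0 only when every argument is
# safe to interpolate into a command that will run as root in the NetVM.
validate_args() {
    is_vm_name "$1" && is_vm_name "$2" && is_service_name "$3" && is_tcp_port "$4"
}

# Commands the script hands to qvm-run in the NetVM.  The nft comment carries
# the service name so cleanup can delete exactly this rule by its handle.
nft_open_cmd() {   # PORT SERVICE
    printf 'nft add rule ip qubes custom-input tcp dport %s ct state new counter accept comment "SOCAT_PortFwd-%s"' "$1" "$2"
}
socat_listen_cmd() {   # PORT TARGETVM SERVICE
    printf "socat -d -d TCP-LISTEN:%s,reuseaddr,fork EXEC:'qrexec-client-vm %s %s'" "$1" "$2" "$3"
}

# dom0 policy line for /etc/qubes-rpc/policy/SERVICE (the format used above).
policy_line() {   # NETVM TARGETVM
    printf '%s %s allow' "$1" "$2"
}

# Dry run: print the plan, or refuse (exit 1) without printing any command.
plan() {
    validate_args "$@" || { echo "refusing: bad argument(s)" >&2; return 1; }
    echo "dom0 policy : $(policy_line "$1" "$2")"
    echo "$1 (root)  : $(nft_open_cmd "$4" "$3")"
    echo "$1 (root)  : $(socat_listen_cmd "$4" "$2" "$3")"
}
```

Run it as `plan sys-net appvm my-tcp-service 4444` to see the exact strings before wiring them into qvm-run.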

@daktak

daktak commented Aug 18, 2019

This is an excellent way to expose a VM that may be behind a vpn VM.
Copied this to do UDP so I can run kdeconnect (port 1716). TCP seems to work after VPN'ning but not UDP.

@100111001

Dear @Joeviocoe also for this script: Are the changes persistent upon next reboot or even beyond that?
