Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Qubes-OS socket connection to allow external connections
#!/bin/bash
NetVM=$1
TargetVM=$2
Service=$3
TCP_Port=$4
wasrunning=$(qvm-ls | grep $TargetVM | grep -i RUNNING)
echo -ne "TCP socket connection for $Service from $NetVM to $TargetVM on port $TCP_Port...\nPress Any Key to End\n\n"
trap cleanup 1 2 3 6 15
cleanup() {
qvm-run -p -u root $NetVM "iptables-save | grep -v 'SOCAT_PortFwd-$Service' | iptables-restore"
qvm-run -p -u root $NetVM "pkill -HUP -f 'socat -d -d TCP-LISTEN:$TCP_Port'"
if [ -z "$wasrunning" ] ; then qvm-shutdown $TargetVM ; fi
}
qvm-start --skip-if-running $TargetVM
qvm-run -p -u root $NetVM "iptables -I INPUT 5 -p tcp --dport $TCP_Port -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'SOCAT_PortFwd-$Service'"
qvm-run -p -u root $NetVM "socat -d -d TCP-LISTEN:$TCP_Port,reuseaddr,fork EXEC:'qrexec-client-vm $TargetVM $Service'" &
read -p ""
cleanup
sleep 5
exit 0
@Joeviocoe
Copy link
Author

Joeviocoe commented Feb 14, 2018

Inspired by qubes-issues 2148

Run this script to enable a socat TCP "port forward" connection between VMs.

Example: xterm -geometry 300x24 -e "./qvm-portfwd-socat sys-net appvm my-tcp-service 4444"

TargetVM:

Install your service on TargetVM
Ensure it is listening on desired port using 127.0.0.1 loopback
In /usr/local/etc/qubes-rpc/my-tcp-service (this is stored in /rw):
sudo mkdir -p /usr/local/etc/qubes-rpc/ (if needed)
socat STDIO TCP:localhost:4444

dom0:

In /etc/qubes-rpc/policy/my-tcp-service
source-vm target-vm allow

Optional
If you wish to NOT use this script, but instead have SourceVM persistently listening and forwarding connections:

SourceVM:

Launch this command on SourceVM in persistent location (i.e. /rw/config/rc.local)
socat TCP-LISTEN:4444,fork EXEC:"qrexec-client-vm target-vm my-tcp-service"
If SourceVM is a NetVM exposing a port externally...
iptables -I INPUT 5 -p tcp --dport 4444 -m conntrack --ctstate NEW -j ACCEPT

@daktak
Copy link

daktak commented Aug 18, 2019

This is an excellent way to expose a VM that may be behind a vpn VM.
Copied this to do UDP so I can run kdeconnect. (port 1716). TCP seems to work after VPN'ning but not UDP.

@100111001
Copy link

100111001 commented Oct 4, 2019

Dear @Joeviocoe also for this script: Are the changes persistent upon next reboot or even beyond that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment