@e9x
Last active February 5, 2024 00:10

Qubes Mullvad VPN Firewall Command Generator

Based on https://mullvad.net/en/help/wireguard-on-qubes-os

Reads the Mullvad WireGuard configs stored in your sys-vpn qube under /home/user/configs/ and generates the matching qvm-firewall commands.

The commands are not executed automatically; they are printed to the console so you can review them first.

Setup

  • Copy the script below to DOM0 and make it executable

    In a networked VM:

    curl -o /home/user/firewall-cmds.sh https://gist.github.com/e9x/38df9de3ee2bfe8be05a2e8721b54a20/raw/db4d0c3a314e50059ddb839ea3a6f40bd891b04f/firewall-cmds.sh

    In DOM0:

    qvm-run --pass-io your-vm "cat /home/user/firewall-cmds.sh" > /home/user/firewall-cmds.sh
    chmod +x /home/user/firewall-cmds.sh

    Review the script and make sure it is safe before running it:

    cat /home/user/firewall-cmds.sh

Example

~/firewall-cmds.sh

Would output something like:

qvm-firewall sys-vpn reset
# for every config in /home/user/configs/
qvm-firewall sys-vpn add accept dsthost=IP.OF.SERVER.1
qvm-firewall sys-vpn add accept dsthost=IP.OF.SERVER.2
qvm-firewall sys-vpn add accept dsthost=IP.OF.SERVER.3
# and so on...
qvm-firewall sys-vpn add accept specialtarget=dns
qvm-firewall sys-vpn add drop proto=icmp
qvm-firewall sys-vpn add drop
qvm-firewall sys-vpn del --rule-no 0

Usage

In DOM0:

# get commands
~/firewall-cmds.sh > ./tmp-commands
# make sure they're right:
#cat ./tmp-commands
# run it:
source ./tmp-commands

firewall-cmds.sh

#!/bin/bash
# Rule order: accept the VPN server IPs, accept dns, drop icmp, drop everything else.
qube="sys-vpn"

# Reset firewall
echo "qvm-firewall $qube reset"

# Accept the VPN servers: pull every "Endpoint = IP:port" out of the configs in the qube
qvm-run --pass-io "$qube" 'cat /home/user/configs/*.conf' \
| grep -Po "(?<=Endpoint = )(\d+\.\d+\.\d+\.\d+)" \
| xargs -I {} echo "qvm-firewall $qube add accept dsthost={}"

# Accept DNS
echo "qvm-firewall $qube add accept specialtarget=dns"

# Drop ICMP
echo "qvm-firewall $qube add drop proto=icmp"

# Drop everything else
echo "qvm-firewall $qube add drop"

# Delete the default "accept any" rule that reset leaves at position 0
echo "qvm-firewall $qube del --rule-no 0"

# Resulting rule sets, following https://mullvad.net/en/help/wireguard-on-qubes-os/
# (9.9.9.9 stands in for a VPN server IP)
#
# Default DNS:
# NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
# 0   accept  9.9.9.9/32  -         -        -               -          -       -
# 1   accept  -           -         -        dns             -          -       -
# 2   accept  -           icmp      -        -               -          -       -
# 3   drop    -           -         -        -               -          -       -
#
# Default DNS (blocking pings), which is what this script generates:
# NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
# 0   accept  9.9.9.9/32  -         -        -               -          -       -
# 1   accept  -           -         -        dns             -          -       -
# 2   drop    -           icmp      -        -               -          -       -
# 3   drop    -           -         -        -               -          -       -
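A stricter variant of the same generator, added here as an example and not the gist's own script: it keeps the rule order of firewall-cmds.sh but validates every Endpoint as an IPv4 address, so a hostname, an IPv6 endpoint or a malformed address is skipped (reported on stderr) instead of becoming a dsthost rule, and duplicate endpoints collapse into one rule. The sample config text, the TEST-NET addresses and the sys-vpn qube name are constructed; in dom0 the input would come from the same `qvm-run --pass-io` pipe the script uses.

```shell
#!/bin/sh
# Added example, not the gist's script: emits the same rule set as
# firewall-cmds.sh but validates each Endpoint, skips hostnames/IPv6/
# malformed addresses (reported on stderr) and collapses duplicates.

# True when $1 is a dotted quad with four numeric octets in 0..255.
valid_ipv4() {
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read WireGuard config text on stdin, print qvm-firewall commands for qube $1.
gen_rules() {
    qube="$1"
    echo "qvm-firewall $qube reset"
    # Keep the host part of "Endpoint = host:port", tolerating odd spacing.
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        sed 's/:[0-9]*$//' | sort -u |
        while IFS= read -r host; do
            if valid_ipv4 "$host"; then
                echo "qvm-firewall $qube add accept dsthost=$host"
            else
                echo "# skipped non-IPv4 endpoint: $host" >&2
            fi
        done
    echo "qvm-firewall $qube add accept specialtarget=dns"
    echo "qvm-firewall $qube add drop proto=icmp"
    echo "qvm-firewall $qube add drop"
    # reset leaves one "accept any" rule at position 0; drop it last.
    echo "qvm-firewall $qube del --rule-no 0"
}

# Constructed sample (TEST-NET addresses, not real Mullvad servers): one valid
# endpoint written twice, an out-of-range octet and a hostname.
SAMPLE_CONFIGS='[Peer]
Endpoint = 192.0.2.10:51820
AllowedIPs = 0.0.0.0/0
[Peer]
Endpoint=192.0.2.10:51820
[Peer]
Endpoint = 999.0.2.11:51820
[Peer]
Endpoint = vpn.example.invalid:51820
'
printf '%s' "$SAMPLE_CONFIGS" | gen_rules sys-vpn
```

Run against the sample, it prints six commands (reset, one accept for 192.0.2.10, dns, drop icmp, drop, del) and reports the two rejected endpoints on stderr.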