Based on https://mullvad.net/en/help/wireguard-on-qubes-os
Goes through the Mullvad VPN/WireGuard configs stored in your sys-vpn
qube at /home/user/configs/
and generates qvm-firewall commands.
The commands aren't executed automatically; they are printed to the console instead.
-
Copy the script below to DOM0 and make it executable
In a networked VM:
curl -o /home/user/firewall-cmds.sh https://gist.github.com/e9x/38df9de3ee2bfe8be05a2e8721b54a20/raw/db4d0c3a314e50059ddb839ea3a6f40bd891b04f/firewall-cmds.sh
In DOM0:
qvm-run --pass-io your-vm "cat /home/user/firewall-cmds.sh" > /home/user/firewall-cmds.sh
chmod +x /home/user/firewall-cmds.sh
Review the script and make sure it's safe before running it:
cat /home/user/firewall-cmds.sh
~/firewall-cmds.sh
This would output something like:
qvm-firewall sys-vpn reset
# for every config in /home/user/configs/
qvm-firewall sys-vpn add accept dsthost=IP.OF.SERVER.1
qvm-firewall sys-vpn add accept dsthost=IP.OF.SERVER.2
qvm-firewall sys-vpn add accept dsthost=IP.OF.SERVER.3
# and so on...
qvm-firewall sys-vpn add accept specialtarget=dns
qvm-firewall sys-vpn add drop proto=icmp
qvm-firewall sys-vpn add drop
qvm-firewall sys-vpn del --rule-at 0
In DOM0:
# get commands
~/firewall-cmds.sh > ./tmp-commands
# make sure they're right:
#cat ./tmp-commands
# run it:
source ./tmp-commands
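
Since `source ./tmp-commands` runs in DOM0 whatever was generated from files kept in sys-vpn, the manual `cat` review can be backed by an allowlist check. The following is an added example, not part of the gist's script: `check_firewall_cmds` and `sample_cmds` are hypothetical names, and it assumes IPv4 endpoints and the exact command shapes shown in the sample output above.

```shell
#!/bin/sh
# Added example (not the gist's script): allowlist check for the generated
# command file before it is sourced in dom0.
# Usage: check_firewall_cmds FILE [QUBE]   (QUBE defaults to sys-vpn)
# Exit status: 0 = only expected commands, 1 = unexpected line, 2 = bad input.
# In dom0: check_firewall_cmds ./tmp-commands && source ./tmp-commands
check_firewall_cmds() (
    # Body runs in a subshell, so variables stay local and exit sets the status.
    file=$1
    qube=${2:-sys-vpn}
    [ -f "$file" ] && [ -r "$file" ] || exit 2
    # Keep the qube name free of regex metacharacters.
    case $qube in ''|*[!A-Za-z0-9_-]*) exit 2 ;; esac

    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    ipv4="$octet(\\.$octet){3}"
    rules="reset|add accept dsthost=$ipv4|add accept specialtarget=dns"
    rules="$rules|add drop proto=icmp|add drop|del --rule-at 0"
    allowed="^qvm-firewall $qube ($rules)\$"

    # Collect (with line numbers) every line that is not blank, not a
    # whole-line comment, and not one of the allowed commands.
    bad=$(grep -nEv -e "$allowed" -e '^(#.*)?$' "$file" || true)
    if [ -n "$bad" ]; then
        printf 'unexpected lines in %s:\n%s\n' "$file" "$bad" >&2
        exit 1
    fi
    exit 0
)

# Constructed sample in the shape shown above (192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not Mullvad servers).
sample_cmds() {
    cat <<'EOF'
qvm-firewall sys-vpn reset
# for every config in /home/user/configs/
qvm-firewall sys-vpn add accept dsthost=192.0.2.10
qvm-firewall sys-vpn add accept dsthost=198.51.100.7
qvm-firewall sys-vpn add accept specialtarget=dns
qvm-firewall sys-vpn add drop proto=icmp
qvm-firewall sys-vpn add drop
qvm-firewall sys-vpn del --rule-at 0
EOF
}
```

Anything the check rejects is printed with its line number on stderr, so the offending line can be inspected before deciding whether to rerun the generator.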