Last active
January 3, 2024 22:44
Qubes-OS socket connection to allow external connections
#!/bin/bash
# Usage: qvm-portfwd-socat NetVM TargetVM Service TCP_Port
[ $# -eq 4 ] || { echo "usage: $0 NetVM TargetVM Service TCP_Port" >&2 ; exit 1 ; }
NetVM=$1
TargetVM=$2
Service=$3
TCP_Port=$4
# Remember whether TargetVM was already up, so cleanup only shuts down what this script started
wasrunning=$(qvm-ls | grep -w "$TargetVM" | grep -i RUNNING)
echo -ne "TCP socket connection for $Service from $NetVM to $TargetVM on port $TCP_Port...\nPress Any Key to End\n\n"
cleanup() {
    # Run the teardown once, whether reached via a trapped signal or the normal exit path
    [ -n "$cleaned" ] && return
    cleaned=1
    # Legacy iptables variant:
    # qvm-run -p -u root $NetVM "iptables-save | grep -v 'SOCAT_PortFwd-$Service' | iptables-restore"
    # Delete only this service's rule: look up its handle by the per-service comment set below
    qvm-run -p -u root "$NetVM" "nft delete rule ip qubes custom-input handle \$(nft -a list ruleset | grep 'SOCAT_PortFwd-$Service' | head -1 | awk '{print \$NF}')"
    qvm-run -p -u root "$NetVM" "pkill -HUP -f 'socat -d -d TCP-LISTEN:$TCP_Port'"
    qvm-run -p -u root "$TargetVM" "pkill -HUP -f 'tail -f /home/user/.config/$Service/$Service.log'"
    if [ -z "$wasrunning" ] ; then qvm-shutdown "$TargetVM" ; fi
}
trap cleanup 1 2 3 6 15
qvm-start --skip-if-running "$TargetVM"
# Legacy iptables variant:
#qvm-run -p -u root $NetVM "iptables -A INPUT -p tcp --dport $TCP_Port -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'SOCAT_PortFwd-$Service'"
# Open the port in NetVM's custom-input chain, tagged per service so cleanup can find this exact rule
qvm-run -p -u root "$NetVM" "nft add rule ip qubes custom-input tcp dport $TCP_Port ct state new counter accept comment \"SOCAT_PortFwd-$Service\""
# Listener in NetVM: each accepted connection is piped over qrexec to the Service RPC endpoint in TargetVM
qvm-run -p -u root "$NetVM" "socat -d -d TCP-LISTEN:$TCP_Port,reuseaddr,fork EXEC:'qrexec-client-vm $TargetVM $Service'" &
# Stream the service's log from TargetVM while the forward is up
qvm-run -p -u root "$TargetVM" "tail -f /home/user/.config/$Service/$Service.log 2>/dev/null" &
read -rsn1
cleanup
sleep 5
exit 0
This is an excellent way to expose a VM that may be behind a VPN VM.
Copied this to do UDP so I can run kdeconnect. (port 1716). TCP seems to work after VPN'ning but not UDP.
Dear @Joeviocoe also for this script: Are the changes persistent upon next reboot or even beyond that?
Inspired by qubes-issues 2148
Run this script to enable a socat TCP "port forward" connection between VMs.
Example:
  xterm -geometry 300x24 -e "./qvm-portfwd-socat sys-net appvm my-tcp-service 4444"

TargetVM:
  Install your service on TargetVM.
  Ensure it is listening on the desired port on the 127.0.0.1 loopback address only; the socat listener in NetVM plus the qrexec policy are then the only path to it from outside.
  Create /usr/local/etc/qubes-rpc/my-tcp-service (this is stored in /rw, which persists across reboots):
    sudo mkdir -p /usr/local/etc/qubes-rpc/   (if needed)
  with the content:
    socat STDIO TCP:localhost:4444

dom0:
  In /etc/qubes-rpc/policy/my-tcp-service:
    source-vm target-vm allow
  (source-vm is the NetVM and target-vm the TargetVM passed to the script)
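Two checks worth running against this setup, as an added example that is not part of the gist: selecting the nft handle of exactly this service's rule (the gist's cleanup takes the first SOCAT_PortFwd match, which is the wrong rule when two forwards are active) and confirming the service in TargetVM is bound to loopback only. The functions read text that on a real system would be captured with `qvm-run -p -u root $NetVM "nft -a list chain ip qubes custom-input"` and `qvm-run -p $TargetVM "ss -ltnH"` (assumed invocations); here they are fed constructed sample output so the block runs offline.

```shell
#!/bin/bash
# Added example, not part of the gist. Checks for the socat port-forward setup,
# run on constructed sample output standing in for the two qvm-run captures.

# Print the handle(s) of the custom-input rule(s) tagged with the given comment.
# Matching the full quoted comment selects only this service's rule, instead of
# the first SOCAT_PortFwd rule found, as the gist's cleanup does.
fwd_rule_handles() {
    awk -v tag="$1" 'index($0, "comment \"" tag "\"") { print $NF }'
}

# Exit 0 if every listener on PORT is bound to loopback (127.x or [::1]),
# 1 if any listener on PORT is bound elsewhere, 2 if nothing listens on PORT.
# Input: `ss -ltnH` lines; column 4 is the local address:port.
listens_loopback_only() {
    awk -v port="$1" '
        {
            n = split($4, a, ":"); p = a[n]
            host = substr($4, 1, length($4) - length(p) - 1)
            if (p == port) { seen++; if (host !~ /^127\./ && host != "[::1]") bad++ }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_NFT='table ip qubes {
  chain custom-input {
    tcp dport 4444 ct state new counter packets 0 bytes 0 accept comment "SOCAT_PortFwd-my-tcp-service" # handle 12
    tcp dport 1716 ct state new counter packets 3 bytes 180 accept comment "SOCAT_PortFwd-kdeconnect" # handle 13
  }
}'
SAMPLE_SS='LISTEN 0 128 127.0.0.1:4444 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::1]:4444 [::]:*'

# Stand-alone run: which handle cleanup should delete, and is the service loopback-only?
printf '%s\n' "$SAMPLE_NFT" | fwd_rule_handles SOCAT_PortFwd-my-tcp-service   # 12
if printf '%s\n' "$SAMPLE_SS" | listens_loopback_only 4444; then
    echo "port 4444: loopback only"
else
    echo "port 4444: exposed beyond loopback, or no listener"
fi
```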