Mullvad - update to new browser.

Rename AppVM to sys-mullvad.
Allow sys-mullvad to be used as transparent vpn proxy

mullvad.spec

@@ -1,6 +1,6 @@
 Name:           3isec-qubes-mullvad-vpn
 Version:       	2023.6
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Set up a Mullvad qube and disposable template
 
 License:        GPLv3+
@@ -8,7 +8,7 @@ SOURCE0:	      mullvad
 
 %description
 This package creates a template, loaded with the MullvadVPN GUI and Mullvad Browser. 
-An AppVM named mullvad, and a disposable template, mullvad-dvm, are
+An AppVM named sys-mullvad, and a disposable template, mullvad-dvm, are
 created from that template.
 
 The template, template-mullvad, is based on the debian-12-minimal template.
@@ -18,6 +18,9 @@ and installed - this may take some time depending on your net connection.
 Both the AppVM and the disposable template have the Mullvad GUI to
 set up a VPN, and the Mullvad browser. You can run the Mullvad Browser
 independently of the VPN.
+The sys-mullvad AppVM can be used as a standard AppVM or as a vpn gateway
+- set the netvm of client qubes to mullvad, and they will use the VPN. No
+traffic will pass except through the VPN.
 
 If you remove this package, the salt files will be removed, but the qubes will not.
 You can manually remove them if you wish.
@@ -43,6 +46,7 @@ if [ $1 -eq 1 ]; then
   qubesctl state.apply mullvad.clone
   qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.repo
   qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.browser
+  qubesctl --skip-dom0 --targets=mullvad state.apply mullvad.configure
   qubesctl state.apply mullvad.create_disposable
 fi
 

mullvad/browser.sls

@@ -1,15 +1,15 @@
-/etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz:
+/etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.10.tar.xz:
   file.managed:
     - source: 
-      - salt://mullvad/mullvad-browser-linux-x86_64-13.0.9.tar.xz
+      - salt://mullvad/mullvad-browser-linux-x86_64-13.0.10.tar.xz
     - user: root
     - group: root
     - makedirs: True
 
-mullvad-browser-linux-x86_64-13.0.9.tar.xz:
+mullvad-browser-linux-x86_64-13.0.10.tar.xz:
   archive.extracted:
     - name: /etc/skel
-    - source: /etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz
+    - source: /etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.10.tar.xz
     - user: user
 
 /etc/skel/.local/share/applications/start-mullvad-browser.desktop:

mullvad/configure.sls

@@ -0,0 +1,26 @@
+/rw/config/qubes-firewall.d/set_forward.sh:
+  file.managed:
+    - source: 
+      - salt://mullvad/set_forward.sh
+    - user: root
+    - group: root
+    - mode: '755'
+    - makedirs: True
+
+/rw/config/network-hooks.d/set_forward.sh:
+  file.managed:
+    - source: 
+      - salt://mullvad/set_forward.sh
+    - user: root
+    - group: root
+    - mode: '755'
+    - makedirs: True
+
+/rw/config/qubes-firewall.d/update_dns.nft:
+  file.managed:
+    - source: 
+      - salt://mullvad/update_dns.nft
+    - user: root
+    - group: root
+    - mode: '755'
+    - makedirs: True

mullvad/configure.top

@@ -0,0 +1,3 @@
+base:
+ sys-mullvad:
+    - mullvad.configure

mullvad/create.sls

@@ -3,21 +3,22 @@ include:
 
 qvm-present-id:
   qvm.present:
-    - name: mullvad
+    - name: sys-mullvad
     - class: AppVM
     - template: template-mullvad
     - label: green
 
 qvm-prefs-id:
   qvm.prefs:
-    - name: mullvad
+    - name: sys-mullvad
     - memory: 400
     - maxmem: 800
     - vcpus: 2
+    - provides_network: True
 
 qvm-features-id:
   qvm.features:
-    - name: mullvad
+    - name: sys-mullvad
     - disable:
       - service.cups
       - service.cups-browsed

mullvad/set_forward.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+nft -f /rw/config/qubes-firewall.d/update_dns.nft

mullvad/update_dns.nft

@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+flush chain qubes dnat-dns
+insert rule qubes dnat-dns udp dport 53 dnat to 10.64.0.1
+insert rule qubes dnat-dns tcp dport 53 dnat to 10.64.0.1
+flush chain qubes custom-forward
+insert rule ip qubes custom-forward oifname eth0 drop
+flush chain ip6 qubes custom-forward
+insert rule ip6 qubes custom-forward oifname eth0 drop