Enabling VPN connections through the Qubes OS firewall

The nftables ruleset that Qubes installs in every qube drops new inbound connections by default (the input chain of the qubes table only lets through traffic the qube itself initiated). Anything that has to accept incoming connections, such as Tailscale peers or a listener waiting for a reverse-shell callback, will therefore not work until you relax the firewall with an accept rule for that interface, for example:

nft add rule ip qubes input iif "tailscale0" accept

where tailscale0 is the name of the VPN interface (as shown by ip addr or ip link) that you want to accept inbound traffic on. Verify the result with nft list chain ip qubes input; nft add rule appends the rule at the end of the chain, and running the command twice adds it twice.

You could add this rule to autostart, but make sure it runs AFTER the network interface exists. With iif, nft resolves the interface name to an interface index at the moment the rule is added, so the command errors out if tailscale0 is not there yet, and in an autostart script nobody sees that error, so the rule is simply missing. A rule that matches by name instead (iifname "tailscale0" accept) does not have this dependency: it can be added before the interface exists and keeps matching after tailscaled restarts and recreates the TUN device with a new index, which an iif rule does not.

For example, in /rw/config/rc.local (which Qubes runs at every boot of the qube; the file must be executable):

# Wait (up to 60 s) for the tailscale0 interface to exist. The wait is bounded
# because an endless loop would hang rc.local, and with it the qube's boot,
# if tailscaled never comes up.
tries=0
while ! ip link show tailscale0 > /dev/null 2>&1; do
    tries=$((tries + 1))
    if [ "$tries" -ge 60 ]; then
        echo "tailscale0 did not appear, firewall rule not added" >&2
        exit 1
    fi
    sleep 1
done

# Now add the rule (the interface exists, so iif can resolve it)
nft add rule ip qubes input iif "tailscale0" accept

Using systemd would be more elegant. Put the unit in /etc/systemd/system/tailscale-firewall.service and enable it with systemctl enable tailscale-firewall.service. Two caveats: in a template-based AppVM /etc is reset at every boot, so the unit has to live in the template or be persisted with bind-dirs (/rw/config/qubes-bind-dirs.d); and After=tailscaled.service only orders startup, it does not guarantee that tailscale0 already exists when the script runs, so the script still needs the wait loop (or an iifname rule).

[Unit]
Description=Add Tailscale nftables rule
After=network-online.target tailscaled.service
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/rw/config/tailscale-firewall.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

where tailscale-firewall.sh is executable and contains the same wait-then-add logic as the rc.local version above, ending in nft add rule ip qubes input iif "tailscale0" accept. With RemainAfterExit=yes the unit stays "active" after the script exits, so the rule is only re-added when the unit is restarted.
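The following script is an added example and not code from the original page. It packages the procedure above into one idempotent helper that can be called from rc.local or from the systemd oneshot: it checks whether the accept rule is already present before adding it (so a second run per boot does not duplicate it) and matches the interface by name with iifname, so it works whether or not the interface exists yet. It assumes the Qubes 4.2 nftables layout the page uses (table ip qubes, chain input); the script name vpn-firewall.sh and the NFT override variable are my own conventions, not anything Qubes or Tailscale provide.

```shell
#!/bin/sh
# vpn-firewall.sh: open the Qubes firewall for a VPN/tailnet interface.
# Added example, not part of the original page or of Qubes/Tailscale.
# Assumes the Qubes 4.2 nftables layout: table "ip qubes", chain "input".
# Matches the interface by name (iifname) rather than index (iif), so the
# rule can be added before the interface exists and keeps working when
# tailscaled recreates the TUN device.

NFT="${NFT:-nft}"   # command used to talk to nftables (overridable for tests)

# The rule expression, written the way nft prints it back in "nft list chain"
# (interface names are quoted), so it can be searched for verbatim.
rule_expr() {
    printf 'iifname "%s" accept' "$1"
}

# Read a chain listing on stdin; succeed if the rule for interface $1 is
# already there. This is what keeps repeated runs from stacking duplicates.
rule_present() {
    grep -Fq -- "$(rule_expr "$1")"
}

# Add the accept rule for interface $1 unless the chain already has it.
ensure_rule() {
    iface="$1"
    if "$NFT" list chain ip qubes input | rule_present "$iface"; then
        echo "rule for $iface already present"
        return 0
    fi
    "$NFT" add rule ip qubes input iifname "$iface" accept &&
        echo "added accept rule for $iface"
}

# Entry points:
#   sh vpn-firewall.sh apply [interface]   add the rule (default tailscale0)
#   sh vpn-firewall.sh show                print the input chain for checking
case "${1:-}" in
    apply) ensure_rule "${2:-tailscale0}" ;;
    show)  "$NFT" list chain ip qubes input ;;
esac
```

From rc.local this becomes a single line, /rw/config/vpn-firewall.sh apply tailscale0, and the same line works as ExecStart= in the oneshot unit, with no wait loop needed because the rule matches by name. The same script serves other tunnel interfaces (wg0, tun0) by passing their name as the second argument.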