“A deep dive into QubesOS network isolation and how to verify your VPN, TOR, and inter-VM firewalling actually works.”
📝 Introduction
I began my IT career as a client/server programmer before transitioning into Linux system administration. More recently, I’ve been focusing on deepening my knowledge of networking — an area filled with concepts like subnetting, CIDR, ingress, egress, MTU, and VLANs. At first, these felt like abstract jargon. But as the landscape of cybersecurity evolves, the importance of understanding these fundamentals has become crystal clear.
AI has radically accelerated the pace of threat evolution. Modern attacks aren’t just faster — they’re adaptive, capable of learning and pivoting in real time. Defensive systems can barely log a packet before the threat has already morphed. In this new environment, more detection isn’t the answer. Architecture is.
🔖 Table of Contents
- Introduction
- QubesOS Networking Basics
- My Setup Overview
- Network Flow and Egress IP Mapping
- Security Verification Tests
- Firewall Log Example
- Diagram: Visualizing the Network
- Lessons Learned & Tips
- Conclusion
QubesOS embraces that philosophy. It doesn’t rely on the hope that software won’t break — it assumes compromise is inevitable and minimizes the impact. Each virtual machine operates as an isolated zone, with tightly controlled networking where every packet must earn its way out.
Over the past few weeks, I’ve been putting that model to the test: tracing VPN, TOR, and firewall flows, verifying isolation boundaries, and looking for weaknesses. This isn’t just another lab experiment — it’s a real-world exploration of how we can build AI-resilient containment systems. Architectures that adapt as fast as the threats they’re designed to survive.
🌐 QubesOS Networking Basics
QubesOS works by splitting your computer into separate compartments, each with its own virtual network connection. Only one part of the system is allowed to talk directly to the physical network, and it passes network access to the others, acting like a secure gatekeeper.
| Component | Description |
|---|---|
| sys-net | - Connects directly to the physical network interface.<br>- Provides NAT and internal IPs to other VMs.<br>- Subnets the internal network for isolation.<br>- From the outside, all traffic appears to come from sys-net. |
| sys-firewall | - Filters traffic between AppVMs and sys-net.<br>- You can view its firewall rules with `qvm-firewall sys-firewall`.<br>- Uses QubesOS qvm tools for rule management (more in future articles). |
| sys-vpn | - Clone of sys-net with OpenVPN configured.<br>- VPN starts automatically on boot.<br>- Any VM usi |