On 07/14/2016 04:51 PM, [email protected] wrote:
On 07/14/2016 10:39 AM, [email protected] wrote:
Good day
I'm using a VPN in sys-net and would like to set up firewall rules to stop
the internet connection if the VPN crashes. In sys-net it isn't possible to
insert IP addresses, then I did it in sys-firewall. With some tests I saw
that if the VPN disconnects suddenly, sys-net finds my wifi network and
doesn't break the connection, as I would like. How can I solve this? (In the
proxyVMs all works well.)
Thank you
Take a look at https://www.qubes-os.org/doc/vpn/
For leak protection and security it is best to set up a vpn client in a
proxy vm, between sys-net and the appvms. You can follow the
instructions from the doc "Using iptables and openvpn", or use the
firewall script as an example. The two critical commands that prevent
leaks (in the proxy vm configuration) are:
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
This means that no forwarding can take place involving the
upstream/clearnet interface eth0, so the only way out is through the vpn
tunnel.
Chris
Hi Chris
Thank you for the explanation. I want to know if I can use the firewall tab
in sys-net (or sys-firewall) like I have done in the proxyVM, because I also
have a VPN in sys-net. If it isn't possible, do I change iptables in sys-net
while in all the other proxyVMs I use the firewall tab?
Regards
The firewall tab (in any vm) is not a good place to add this restriction
even if it did accept that kind of rule (which it does not). The best
way is to run the vpn client in a separate proxy vm, and set the
firewall rules with the qubes-firewall-user-script in that vm as shown
in the doc.
You can try to use qubes-firewall-user-script in the netvm, but I think
this approach is untested. Of course, by Qubes standards it is insecure.
Chris
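The two FORWARD rules Chris quotes, written out as a complete, re-runnable qubes-firewall-user-script for the VPN proxy VM. This is an added example, not code from the thread or from the Qubes documentation. It assumes eth0 is the upstream (clearnet) interface as in the thread, that the openvpn tunnel interface is tun0, and that the script is installed as /rw/config/qubes-firewall-user-script in the proxy VM; the interface names can be overridden through the variables at the top.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes docs): leak-proof FORWARD
# rules for a VPN proxy VM, meant to live at
# /rw/config/qubes-firewall-user-script (assumed path) in that VM.
#
# Only the FORWARD chain is restricted: traffic from the appvms behind this
# proxy may never enter or leave via the clearnet interface, so their only
# route out is the tunnel. The proxy VM's own OUTPUT chain is untouched, so
# openvpn running here can still reach its server over eth0. Because the
# rules are static, they stay in force if the VPN process dies, which is the
# "VPN crash" case the original question asked about.

UPSTREAM_IF="${UPSTREAM_IF:-eth0}"   # assumption: clearnet interface toward sys-net
TUN_IF="${TUN_IF:-tun0}"             # assumption: tunnel interface created by openvpn
IPT="${IPT:-iptables}"               # iptables binary (override for testing)

# Print the rules, one per line, in "-I CHAIN ..." form. Takes the upstream
# interface as an optional argument so the list can be inspected without root.
vpn_leakproof_rules() {
    up="${1:-$UPSTREAM_IF}"
    cat <<EOF
-I FORWARD -o $up -j DROP
-I FORWARD -i $up -j DROP
EOF
}

# Return 0 if every rule is already present in the live ruleset, 1 otherwise.
# Uses "iptables -C", which checks for a rule without changing anything.
rules_present() {
    vpn_leakproof_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPT -C ${rule#-I } 2>/dev/null || exit 1
    done
}

# Insert each rule unless it is already there, so the script is idempotent
# and can be re-run by qubes-firewall on every firewall reload.
apply_rules() {
    vpn_leakproof_rules | while read -r rule; do
        # shellcheck disable=SC2086
        if ! $IPT -C ${rule#-I } 2>/dev/null; then
            $IPT $rule
        fi
    done
}

# Report which interface is currently carrying forwarded traffic (for logs).
describe_policy() {
    printf 'forwarding via %s only; %s blocked in both directions\n' \
        "$TUN_IF" "$UPSTREAM_IF"
}

# Only touch the live firewall when run as root with iptables available.
if command -v "$IPT" >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    apply_rules
    rules_present && describe_policy
fi
```

To check that the rules took effect from inside the proxy VM, `iptables -S FORWARD` should show the two DROP lines ahead of any ACCEPT rules; the `-I` flag inserts them at the top of the chain, which is what makes them override the default forwarding rules Qubes installs.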
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/86dd7246-b123-92ea-7430-076d4d2599ef%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.