[First, a rant. I hate mailing lists. How am I supposed to attribute quotes from earlier posts in the thread not contained in the previous post?]
nishi: >Any advices on how to set up Qubes to have a VPN + sys-whonix working together >(or VPN + a TorVM proxy) in a good anonymous way would be really appreciated :) As you know, you can either connect to a VPN from a non-Whonix proxyVM or set up the VPN directly in the Whonix-Gateway. Both methods have the goal of preventing "unintentional" leaks and have the property of failing-closed. IMO, since you are using Qubes already, the proxyVM method is easier to configure and provides more flexibility. If you're short on RAM and/or need to operate multiple Whonix-Gateways with each having a separate VPN, you may be better off connecting to the VPN from within the Gateway. From a security/anonymity perspective, neither is obviously better than the other. A Gateway compromise would most likely be game-over in either scenario. Speaking generally, you've got a whole bunch of moving parts. You need to troubleshoot by isolating each piece. **This step reveals that you use Tor. Only proceed if safe to do so. 1. sys-net <- appVM: Do I have general connectivity? 2. sys-net <- vpn-VM <- appVM: Does my VPN work? 3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work? 4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work? 5. sys-net <- vpn-vm <- whonix-gateway My suggestion is to start with a fresh proxyVM and follow Chris' Qubes VPN documentation step by step. (Or take a look at his [git repo](https://github.com/ttasket/Qubes-vpn-support) ). If the vpn-VM allows successful connections from the appVM, then it's simply a matter of assigning it to the Whonix-Gateway as its netVM. No Whonix-specific configuration is necessary since it's all transparent to Whonix. * Make sure that the Qubes firewall (Qubes VM Manager) is open on the Whonix-Gateway. I don't remember what the default setting is. * Both TCP and UDP are fine for upstream VPNs. Tor can not carry UDP but it can be carried on UDP, if that makes sense. * Don't add any additional firewalls until you can get this working. nishi: >Which gives in Qubes something a pattern like this one below (I don't know if >all firewall VMs are really needed though) : > >AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or >TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net Firewalls have limited usefulness as described here: https://www.qubes-os.org/doc/data-leaks/ rustybird's Corridor can ensure that all traffic goes to a Tor Entry Guard (but obviously, can't guarantee that the Entry Guard is trustworthy). nishi: >When I purchased a VPN subscription, I saw it as a way to improve anonymity, >now I feel it is more a tool to provide security. VPNs don't necessarily improve anonymity OR security. They simply shift the trust that you place in your ISP to someone else. That may be good or bad. Chris: >Although its straightforward to get the opposite working (Tor -> VPN -> Internet -- just follow the Qubes vpn doc and connect sys-whonix to the vpn vm) Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix needs to be connected as the *netVM* for the vpn-vm. If vpn-vm is the netVM for sys-whonix, the resulting traffic is user -> VPN -> Tor -> Internet. I may be forgetting something, but I believe both configurations work out of the box. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8ab52f16-0a3a-4acf-bcc7-ed6153ded7c8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.