[First, a rant. I hate mailing lists. How am I supposed to attribute quotes 
from earlier posts in the thread not contained in the previous post?]

nishi:
>Any advice on how to set up Qubes to have a VPN + sys-whonix working together 
>(or VPN + a TorVM proxy) in a good anonymous way would be really appreciated :)

As you know, you can either connect to a VPN from a non-Whonix proxyVM or set 
up the VPN directly in the Whonix-Gateway. Both methods have the goal of 
preventing "unintentional" leaks and have the property of failing-closed. IMO, 
since you are using Qubes already, the proxyVM method is easier to configure 
and provides more flexibility. If you're short on RAM and/or need to operate 
multiple Whonix-Gateways with each having a separate VPN, you may be better off 
connecting to the VPN from within the Gateway. From a security/anonymity 
perspective, neither is obviously better than the other. A Gateway compromise 
would most likely be game-over in either scenario.

Speaking generally, you've got a whole bunch of moving parts. You need to 
troubleshoot by isolating each piece. 

** This step reveals that you use Tor. Only proceed if safe to do so.

1. sys-net <- appVM: Do I have general connectivity?
2. sys-net <- vpn-VM <- appVM: Does my VPN work?
3. ** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work?
4. ** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work?
5. sys-net <- vpn-vm <- whonix-gateway

My suggestion is to start with a fresh proxyVM and follow Chris' Qubes VPN 
documentation step by step. (Or take a look at his [git 
repo](https://github.com/ttasket/Qubes-vpn-support).) If the vpn-VM allows 
successful connections from the appVM, then it's simply a matter of assigning 
it to the Whonix-Gateway as its netVM. No Whonix-specific configuration is 
necessary since it's all transparent to Whonix.

* Make sure that the Qubes firewall (Qubes VM Manager) is open on the 
Whonix-Gateway. I don't remember what the default setting is.

* Both TCP and UDP are fine for upstream VPNs. Tor cannot carry UDP, but it can 
be carried on UDP, if that makes sense.

* Don't add any additional firewalls until you can get this working.


nishi:
>Which gives in Qubes a pattern something like this one below (I don't know if 
>all firewall VMs are really needed though):
>
>AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or 
>TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net

Firewalls have limited usefulness as described here: 
https://www.qubes-os.org/doc/data-leaks/

rustybird's Corridor can ensure that all traffic goes to a Tor Entry Guard (but 
obviously, can't guarantee that the Entry Guard is trustworthy).


nishi:
>When I purchased a VPN subscription, I saw it as a way to improve anonymity, 
>now I feel it is more a tool to provide security.

VPNs don't necessarily improve anonymity OR security. They simply shift the 
trust that you place in your ISP to someone else. That may be good or bad.


Chris:
>Although it's straightforward to get the opposite working (Tor -> VPN ->
>Internet -- just follow the Qubes vpn doc and connect sys-whonix to the
>vpn vm)

Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix needs to 
be connected as the *netVM* for the vpn-vm. If vpn-vm is the netVM for 
sys-whonix, the resulting traffic is user -> VPN -> Tor -> Internet. I may be 
forgetting something, but I believe both configurations work out of the box.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8ab52f16-0a3a-4acf-bcc7-ed6153ded7c8%40googlegroups.com.