On Tuesday, September 13, 2016 at 11:56:53 PM UTC, nishi...@gmail.com wrote:
> On Saturday, September 10, 2016 at 20:36:38 UTC+2, 3n7r...@gmail.com wrote:
> > [First, a rant. I hate mailing lists. How am I supposed to attribute quotes 
> > from earlier posts in the thread not contained in the previous post?]
> > 
> > nishi:
> > >Any advices on how to set up Qubes to have a VPN + sys-whonix working 
> > >together (or VPN + a TorVM proxy) in a good anonymous way would be really 
> > >appreciated :)
> > 
> > As you know, you can either connect to a VPN from a non-Whonix proxyVM or 
> > set up the VPN directly in the Whonix-Gateway. Both methods have the goal 
> > of preventing "unintentional" leaks and have the property of 
> > failing-closed. IMO, since you are using Qubes already, the proxyVM method 
> > is easier to configure and provides more flexibility. If you're short on 
> > RAM and/or need to operate multiple Whonix-Gateways with each having a 
> > separate VPN, you may be better off connecting to the VPN from within the 
> > Gateway. From a security/anonymity perspective, neither is obviously better 
> > than the other. A Gateway compromise would most likely be game-over in 
> > either scenario.
> > 
> > Speaking generally, you've got a whole bunch of moving parts. You need to 
> > troubleshoot by isolating each piece. 
> > 
> > **This step reveals that you use Tor. Only proceed if safe to do so.
> > 
> > 1. sys-net <- appVM: Do I have general connectivity?
> > 2. sys-net <- vpn-VM <- appVM: Does my VPN work?
> > 3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work?
> > 4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work?
> > 5. sys-net <- vpn-vm <- whonix-gateway
> > 
> > My suggestion is to start with a fresh proxyVM and follow Chris' Qubes VPN 
> > documentation step by step. (Or take a look at his [git 
> > repo](https://github.com/ttasket/Qubes-vpn-support) ). If the vpn-VM allows 
> > successful connections from the appVM, then it's simply a matter of 
> > assigning it to the Whonix-Gateway as its netVM. No Whonix-specific 
> > configuration is necessary since it's all transparent to Whonix.
> > 
> > * Make sure that the Qubes firewall (Qubes VM Manager) is open on the 
> > Whonix-Gateway. I don't remember what the default setting is.
> > 
> > * Both TCP and UDP are fine for upstream VPNs. Tor cannot carry UDP but it 
> > can be carried on UDP, if that makes sense.
> > 
> > * Don't add any additional firewalls until you can get this working.
> > 
> > 
> > nishi:
> > >Which gives in Qubes something a pattern like this one below (I don't know 
> > >if all firewall VMs are really needed though) :
> > >
> > >AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or 
> > >TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net
> > 
> > Firewalls have limited usefulness as described here: 
> > https://www.qubes-os.org/doc/data-leaks/
> > 
> > rustybird's Corridor can ensure that all traffic goes to a Tor Entry Guard 
> > (but obviously, can't guarantee that the Entry Guard is trustworthy).
> > 
> > 
> > nishi:
> > >When I purchased a VPN subscription, I saw it as a way to improve 
> > >anonymity, now I feel it is more a tool to provide security.
> > 
> > VPNs don't necessarily improve anonymity OR security. They simply shift the 
> > trust that you place in your ISP to someone else. That may be good or bad.
> > 
> > 
> > Chris:
> > >Although it's straightforward to get the opposite working (Tor -> VPN ->
> > Internet -- just follow the Qubes vpn doc and connect sys-whonix to the
> > vpn vm)
> > 
> > Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix 
> > needs to be connected as the *netVM* for the vpn-vm. If vpn-vm is the netVM 
> > for sys-whonix, the resulting traffic is user -> VPN -> Tor -> Internet. I 
> > may be forgetting something, but I believe both configurations work out of 
> > the box.
> 
> Hello,
> 
> Thank you for your answer. Yes I agree with you, the proxyVM is easier to 
> configure and provides more flexibility. I don't know if you can make your VPN 
> autostart if you install it inside the whonix gateway, so I rather prefer to 
> have it directly installed in an AppVM, because I find it is a great Qubes 
> feature : )
> 
> Also as I said directly in the Whonix-forum site, I don't believe building a 
> fortress in a gateway that will become the main target for hackers is what 
> will necessarily make us all more secure out there. Whonix or Qubes are 
> targets right now... You have too many hacking intrusion exploits nowadays to 
> build a fail-safe system for everyone. If you just type list in metasploit on 
> kali Linux you know what I mean... I feel like people working on Whonix would 
> be really more useful to random noobs like me and most of the internet 
> community by trying to act like hackers, idea being to create a code able to 
> send back nukes to people entering your own private space. I see global 
> improvement of internet security this way. Btw Qubes is born on this idea 
> (the "blue pill" attack), and even if it is probably one of the most secured OS 
> out there atm, I wish you would have OS able to react to attacks by sending 
> back the attack or to create a new one, to tell hackers "heeeeey leave me 
> alone dude, ur gonna get nuked in return, don't waste your time :d" lol. But 
> that's just a personal opinion and I am probably too naive on complexity 
> required to make this happen one day...
> 
> Thanks again for all your explanations. To answer your questions :
> 1. sys-net <- appVM: Do I have general connectivity? Yes
> 2. sys-net <- vpn-VM <- appVM: Does my VPN work? Yes
> 3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work? Yes
> 4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work? Yes
> 5. sys-net <- vpn-vm <- whonix-gateway Yes
> 
> In fact my only problem is that I need to run my VPN in TCP to have a 
> connection with sys-whonix. It doesn't work in UDP in a user -> VPN -> Tor 
> scheme and also in the other way always in UDP.
> UDP is a bit faster than TCP but less secure, I don't really know if I 
> should use either UDP or TCP just to browse the web.
> 

Both Whonix and Tor work fine over UDP. This is most likely a VPN-specific 
configuration issue. Your provider may have different ports and/or ciphers for 
TCP vs UDP.

Conventional wisdom would argue against TCP over TCP over TCP. However, given 
Tor's already massive latency and slow connections, it's hard to say whether 
you'd even notice a difference between VPN over TCP vs UDP.


> Thanks a lot for sharing rustybird's Corridor, it looks like a very 
> interesting program for people concerned about security on Tor 
> https://github.com/rustybird/corridor
> It looks a bit complicated to set it up on Qubes but I am gonna try it !
> 
> If you could explain to me how I could add firewalls between proxyVMs, that 
> would help me. What I could go for is a scheme like this (on a user -> VPN -> 
> Tor -> internet connection) :
> sys-net <- sys-firewall <- sys-whonix <- sys-firewall2 <- sys-vpn <- 
> sys-firewall3 <- AppVM.
> 

First of all, that VM configuration will result in user -> tor -> vpn so make 
sure you've got that right.

You can add explicit firewall VMs wherever you want or you can configure 
firewall rules using Qubes VM Manager.

Whether or not that makes any sense is a different discussion. As stated 
previously, firewalls contain "inadvertent leaks", not "intentional leaks". ( 
https://www.qubes-os.org/doc/data-leaks/ ) The main purpose of a firewall is to 
block upstream traffic. So the consensus location for a firewall would be just 
inside sys-net. If sys-whonix is connected directly to sys-net, it already has 
a restrictive firewall and doesn't really need another.


> I would probably allow all traffic on all the firewalls because Andrew David 
> Wong who works as a community manager on Qubes told me here that it doesn't 
> matter, you have to set up rules only after the proxys directly on the AppVM 
> (or the next proxyVM). I am probably stupid or paranoid to add all those 
> proxyVMs, I have no good idea about what I'm doing, just playing with Qubes 
> legos ^.^
> 
> https://www.whonix.org/wiki/Stream_Isolation I tried to open ports 9150, 9110 
> and 9051 on the TCP protocol on sys-whonix to reduce the attack surface a bit, 
> but it didn't work. So I am gonna leave it all open, but on the sys-vpn it 
> seems to connect if I put a rule like accepting all the IP addresses only on 
> the gateway port inside my openvpn client file : )
> 

[Whonix specific questions are probably better asked on Whonix.org, since 1. 
that's where Patrick lives, and 2. that's where people will go to find answers 
to Whonix questions.]

I don't understand your question. You opened ports where? Stream Isolation is 
in effect by default. It means that a pre-configured application running in 
Whonix-Workstation, like Tor Browser, sends its traffic to a specific port on 
Whonix-Gateway's inward-facing network adapter. Whonix-Gateway then routes the 
traffic over a new Tor circuit. No ports need to be opened **or closed** 
because following the same reasoning with firewalls/leaks, a compromised 
Workstation could just switch traffic to an open port.

I'm assuming here that you mean to route your traffic: user -> vpn -> tor. If 
in fact, you have your VMs set up like sys-net -> sys-whonix -> sys-vpn -> 
appVM, then no, stream isolation is not possible. And this is precisely why I 
stated that user -> tor -> vpn reduces anonymity. Your vpn connection, and 
everything going through it will travel over 1 tor circuit for its active 
lifetime unless a relay goes offline.


> For the AppVM, I deny all traffic, I just add an exception to open http / 
> https port for all addresses. And even if it worked during my tests without 
> all the firewallVMs, I have an IP address provided by my VPN if I google "ip 
> address", which looks logical as I am connected first to the sys-vpn, which 
> then connects to the TorVM. My IP should probably be different outside 
> of the sys-whonix. But if I'm wrong and I have to run whonix-workstation or 
> TBB installed into the AppVM, please tell me, I am a bit confused about this 
> situation :v

Again, denying all traffic except http/https just means that malware will 
communicate over 80/443, which any decent malware should do anyway.

The reason why google is showing you your vpn ip address is because your 
traffic is flowing: user -> isp -> tor -> vpn -> destination (google)

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5228b5ed-0767-408d-aa25-61e3623fe643%40googlegroups.com.
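The thread trips several times over which way round the VPN and Tor hops end up when VMs are chained by their netVM setting (sys-whonix as netVM of the VPN VM gives user -> Tor -> VPN; the VPN VM as netVM of sys-whonix gives user -> VPN -> Tor), and over why stream isolation only survives in the second layout. The following is an added example, not code from the thread or from Qubes; it models each VM's netVM as a dict entry and derives the external hop order from the chain. The VM names and the two topologies are constructed for illustration.

```python
"""Derive the traffic path implied by a chain of Qubes netVM assignments.

Added example, not taken from the thread or from Qubes itself. Each VM is
mapped to its netVM (None for the VM that talks to the physical NIC). The
key observation: walking outward from the AppVM visits the VM that
encapsulates traffic first, so the hop order seen on the internet is the
REVERSE of the VM chain order.
"""

# Roles of the VMs that add a hop (assumed names, not from a real system).
# Firewall VMs are transparent to the path and carry no role.
ROLES = {"sys-vpn": "vpn", "sys-whonix": "tor"}

# Constructed topology 1: the VPN VM is the netVM of sys-whonix.
VPN_THEN_TOR = {
    "anon-app": "sys-whonix",
    "sys-whonix": "sys-vpn",
    "sys-vpn": "sys-firewall",
    "sys-firewall": "sys-net",
    "sys-net": None,
}

# Constructed topology 2: the layout proposed in the thread,
# sys-net <- sys-firewall <- sys-whonix <- sys-firewall2 <- sys-vpn <- sys-firewall3 <- AppVM.
TOR_THEN_VPN = {
    "anon-app": "sys-firewall3",
    "sys-firewall3": "sys-vpn",
    "sys-vpn": "sys-firewall2",
    "sys-firewall2": "sys-whonix",
    "sys-whonix": "sys-firewall",
    "sys-firewall": "sys-net",
    "sys-net": None,
}


def netvm_chain(netvms, start):
    """Return the VMs traffic crosses from `start` to the VM with no netVM.

    Raises ValueError on a netVM loop and KeyError on a dangling reference,
    both of which would otherwise silently leave the AppVM without connectivity.
    """
    chain = [start]
    seen = {start}
    cur = start
    while netvms[cur] is not None:
        nxt = netvms[cur]
        if nxt in seen:
            raise ValueError(f"netVM loop at {nxt}")
        if nxt not in netvms:
            raise KeyError(f"{cur} points at unknown VM {nxt}")
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def hop_roles(netvms, start, roles=ROLES):
    """Roles of the hop-adding VMs in chain order (innermost encapsulation first)."""
    return [roles[vm] for vm in netvm_chain(netvms, start) if vm in roles]


def external_path(netvms, start, roles=ROLES):
    """Describe the path in the thread's 'user -> ... -> internet' notation.

    The last VM crossed before sys-net wraps the packet outermost, so it is
    the first hop on the internet: reverse the chain order.
    """
    hops = list(reversed(hop_roles(netvms, start, roles)))
    return "user -> " + " -> ".join(hops) + " -> internet"


def stream_isolation_possible(netvms, start, roles=ROLES):
    """Stream isolation needs the workstation to sit directly behind Tor.

    If any hop (such as a VPN tunnel) is encapsulated before traffic reaches
    sys-whonix, every stream rides one tunnel and therefore one Tor circuit.
    """
    hops = hop_roles(netvms, start, roles)
    return bool(hops) and hops[0] == "tor"


if __name__ == "__main__":
    for name, topo in (("VPN_THEN_TOR", VPN_THEN_TOR), ("TOR_THEN_VPN", TOR_THEN_VPN)):
        print(name, external_path(topo, "anon-app"),
              "stream isolation:", stream_isolation_possible(topo, "anon-app"))
```

To check a real system, the same dict can be filled from each VM's netVM preference; the point of the helper is that the order VMs appear in the chain is the opposite of the order the hops appear on the wire, which is exactly why the proposed sys-net <- sys-whonix <- sys-vpn <- AppVM layout yields user -> tor -> vpn and loses per-application stream isolation.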