Chris wrote:
> Especially if you did the sharing via a separate vpn or ssh tunnel. But
> in general, I don't think Qubes security should be considered much if
> any benefit to adjacent non-Qubes systems.

This is one of my favorite implicit features of Qubes:

Setting up multiple layers of network protection is sooooo much easier
than on a non VM'd system.

When I used to use Tails, I set things up to use VPN-over-Tor, so any
dodgy Tor exit node only sees encrypted VPN traffic, and my nosy ISP
doesn't know if I'm using a VPN, or which provider.  I've also done
Tor-Over-VPN, and VPN->Tor->VPN setups.  :)

It was a nightmare to set up.  And that can lead to mistakes.

On Qubes, it's a simple matter of layering another ProxyVM above
sys-firewall.  Add the NetworkManager service in the VM Manager settings,
and you can configure OpenVPN, and you're good to go.  Any additional
layers are just as easy.

(Qubes-whonix is a good example of such a configuration.)

Memory can be a problem for limited systems (such as mine) and multiple
ProxyVM layers, but (at a slightly greater risk of the effects of a
compromise) you could do your VPN configuration right in sys-firewall/sys-net
if you wished, to avoid additional VMs.

For example, with sys-net -> sys-firewall -> sys-whonix -> sys-vpn ->
AppVM (and hey, throw a Tor Browser on top of that if you want to go nuts)
any attacker has quite a few challenges ahead of them.  :)

I generally go with sys-net->sys-firewall->sys-vpn, and Torbrowser when I
need to get to a .onion site.

It's rewarding to fire up iptraf-ng in sys-net, and see nothing but
encrypted packets to your VPN provider, while your AppVMs think they're
just on the regular net.  :)

(Standard disclaimer, of course, that your VPN provider will see any
unencrypted traffic you send through it.  As Chris mentioned,
https-anywhere can help with that risk.)

