Chris wrote: > Especially if you did the sharing via a separate vpn or ssh tunnel. But > in general, I don't think Qubes security should be considered much if > any benefit to adjacent non-Qubes systems.
This is one of my favorite implicit features of Qubes: Setting up multiple layers of network protection is sooooo much easier than on a non VM'd system. When I used to use Tails, I set things up to use VPN-over-Tor, so any dodgy Tor exit node only sees encrypted VPN traffic, and my nosy ISP doesn't know if I'm use a VPN, or which provider. I've also done Tor-Over-VPN, and VPN->Tor->VPN setups. :) It was a nightmare to set up. And that can lead to mistakes. On Qubes, it's a simple matter of layering another ProxyVM above sys-firewall. Add the NetworkManager service in the VM Manager settings, and you can configure OpenVPN, and you're good to go. Any additional layers are just as easy. (Qubes-whonix is a good example of such a configuration.) Memory can be a problem for limited systems (such as mine) and multiple ProxyVM layers, but (at a slightly greater risk of the effects of a compromise) could do your VPN configuration right in sys-firewall/sys-net if you wished, to avoid additional VM's. For example, with sys-net -> sys-firewall -> sys-whonix -> sys-vpn -> AppVM (and hey, throw a Tor Browser on top of that if you want to go nuts) any attacker has quite a few challenges ahead of them. :) I generally go with sys-net->sys-firewall->sys-vpn, and Torbrowser when I need to get to a .onion site. It's rewarding to fire up iptraf-ng in sys-net, and see nothing but encrypted packets to your VPN provider, while your AppVM's think they're just on the regular net. :) (Standard disclaimer, of course, that your VPN provider will see any unencrypted traffic you send through it. As Chris mentioned, https-anywhere can with that risk.) JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57abd72601b36ae3f1206f134fa5b74c.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.