On 10/15/2016 12:56 PM, 4lgaqp+cqeepdnbinsts via qubes-users wrote:
Hi Chris,

Thanks for the suggestion.
Just to clarify, the VPN tunnel was created within the sys-firewall, and 
currently that's the only proxyVM that I'm using (apart from the sys-whonix), 
hence all traffic from the sys-net isn't encapsulated by the tunnel.
My understanding is that the sys-firewall merely forwards the traffic through 
the sys-net by adding a forward rule in the sys-firewall every time a new VM is 
started. For that reason I was wondering if I cannot solve this more 
effectively by simply adding a forwarding rule in the sys-firewall to whitelist 
all traffic originated from to the destination address and port 8082, wouldn't this be possible?
Privacy during updates is not an issue for me, on the contrary, since this 
would allow more network throughput.
I confess I'm not very keen on changing templates or creating a dedicated 
proxyVm for this purpose.


I think you mentioned you were using the 'eth0 -j DROP' rules in FORWARD.... that would imply that you /are/ putting all traffic through the tunnel. Also, your thread title says you are doing this?

Unfortunately, making exceptions to a VM that is configured to stop all plaintext forwarding can be a bit dicey. IOW, this kind of VPN VM is supposed to be dedicated to the purpose.

Qubes' modular style of networking allows you to make exceptions with low risk if you use (for example) a plain sys-firewall in parallel to a VPN VM.

