13. Nov 2016 08:48 by amad...@riseup.net:

> We see much correspondence in these forums about installing a VPN within 
> Qubes. Surely, the most secure place for VPN is to install on a Router?
> I say these things after reading the following paper [ > 
> https://cryptome.org/2013/12/Full-Disclosure.pdf>  ] in which a group of 
> hackers demonstrate that the majority of routers (in-particular those 
> provided by ISP's] have backdoors to government agencies. These adversary's 
> are able attack our LAN and its devices; including the ability to intercept 
> VPN and Tor traffic.
> The solution they say is to isolate these rogue routers in the Militarized 
> Zone by creating a DMZ [demilitarized zone]. Achieved by installing a 2nd 
> router [flashed with open source firmware such as OPenWRT]. It is here, on 
> the router, that we should enable and run OpenVPN.
> Thoughts on this paper and it's conclusions are welcomed

An always-on VPN connection on the router works well but can be a bit slow 
since the processing power of router CPUs is generally quite limited. If 
choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn 
is only single-threaded you can usually configure cpu-affinity to place it on 
one core and the other routing tasks on the other core.

For those who want to go beyond around 20-25 Mb/s, which is where an ARM router 
will start to reach its limits, a fine alternative is a small fanless PC, such 
as the Intel NUC or Gigabyte Brix, and run an open source firewall on it, 
instead of a router. I'm using IPFire. If the processor supports AES-NI, the 
limiting factor will be your network speed, not the firewall's CPU.

Finally, I've always felt that running a vpn on Qubes and having an always-on 
vpn running on a router/PC complement each other. 

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to