On Mon, Jan 30, 2017 at 11:36:37AM -0800, Jane Jok wrote: > On Monday, January 30, 2017 at 10:25:48 PM UTC+3, Garrett Robinson wrote: > > On 01/30/2017 11:21 AM, Jane Jok wrote: > > > > > I know that Qubes security model doesn't rely on users system for > > > security, but combined with iptables, this could prevent traffic leaks > > > when running certain "wonky" VPN configs (for instance, ipsec based VPNs > > > where a tun device is absent) by straight up disallowing a certain user > > > from communicating over anything other than the VPN link. > > Hm, this sound like you're running a VPN in your AppVM. Are you? If so, > > a better solution (that can easily achieve your goal of preventing > > leaks, albeit for an entire VM instead of a specific user of a VM) is to > > use a ProxyVM, as documented here: https://www.qubes-os.org/doc/vpn/. > > - > I already have a bunch of proxyvms running different VPNs for... different > reasons. > > Unless I get a box with more ram or someone much smarter than me does one of > those super-fancy <100MB RAM unikernel VM things, but for ipsec tunnels, this > is the best option. > > Besides, it's not a "high risk" VM or anything like that. >
Yes, you can do this, exactly as you envisage, and it's relatively straightforward. Standard caveats apply, and you'll need to get permissions right and grant access to the X server, but otherwise there's nothing Qubes specific here. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170131235558.GD9109%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
