On Mon, Jan 30, 2017 at 11:36:37AM -0800, Jane Jok wrote:
> On Monday, January 30, 2017 at 10:25:48 PM UTC+3, Garrett Robinson wrote:
> > On 01/30/2017 11:21 AM, Jane Jok wrote:
> > 
> > > I know that Qubes security model doesn't rely on users system for 
> > > security, but combined with iptables, this could prevent traffic leaks 
> > > when running certain "wonky" VPN configs (for instance, ipsec based VPNs 
> > > where a tun device is absent) by straight up disallowing a certain user 
> > > from communicating over anything other than the VPN link.
> > Hm, this sounds like you're running a VPN in your AppVM. Are you? If so,
> > a better solution (that can easily achieve your goal of preventing
> > leaks, albeit for an entire VM instead of a specific user of a VM) is to
> > use a ProxyVM, as documented here: https://www.qubes-os.org/doc/vpn/.
> 
> I already have a bunch of proxyvms running different VPNs for... different 
> reasons.
> 
> Unless I get a box with more ram or someone much smarter than me does one of 
> those super-fancy <100MB RAM unikernel VM things, but for ipsec tunnels, this 
> is the best option.
> 
> Besides, it's not a "high risk" VM or anything like that.
> 

Yes, you can do this, exactly as you envisage, and it's relatively
straightforward. Standard caveats apply, and you'll need to get
permissions right and grant access to the X server, but otherwise there's
nothing Qubes-specific here.
