On Sat, Oct 21, 2017 at 11:09:40AM +0200, Noor Christensen wrote:
> On Fri, Oct 20, 2017 at 12:58:27PM -0700, [email protected] wrote:
> > Hello
> >
> > In this doc https://www.qubes-os.org/doc/vpn/, a configuration is
> > described where app vms connect to the firewall VPN, which connects to
> > the VPN proxy, and finally the net vm.
> >
> > Was this correctly documented as a configuration? Should the VPN proxy
> > sit behind the firewall?
>
> AFAIK, if you connect your AppVMs directly to the VPN proxy, you lose
> the ability to firewall the traffic since it will be encrypted when it
> leaves the VPN proxy.
>
> So, for this reason, if you want to apply any filtering for that traffic
> you would need a firewall VM between the AppVMs and the VPN VM. In this
> situation, any firewall rules configured for the AppVMs will then be
> applied by the firewall VM before it reaches the VPN VM.
>
> There is a good explanation here (read "Security note" under Usage):
>
> https://github.com/Rudd-O/qubes-vpn#usage
Additionally, this graph might help to understand the flow:

https://raw.githubusercontent.com/Rudd-O/qubes-vpn/master/doc/Qubes%20VPN%20filtering%20rules.png

-- noor

|_|O|_|
|_|_|O|  Noor Christensen
|O|O|O|  0x401DA1E0