On 12/15/2017 05:58 PM, [email protected] wrote:
> Scenario #1
> VM---sys-vpn--------\
>                      \
>                       \
> VM---------------------\----sys-firewall---sys-net
>                        /
>                       /
> VM-------------------/
> Scenario #2
> VM------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
> Scenario #3
> VM----------sys-vpn---------sys-net(Wireless and ethernet)
> VM----------sys-firewall----sys-net(Ethernet only)
> VM----------sys-firewall----sys-net(Wireless only)
> I am looking at configuring a VPN for 3.2 and I am trying to find the best
> configuration and firewall settings balancing usability, flexibility and
> security. My questions are:
> 1) If sys-net is not trustworthy do these scenarios matter from a security
> perspective regarding sys-net? Scenario #1 I assume consumes the least
> resources...
Number 3 doesn't look like a Qubes configuration as far as sys-net goes;
that is assuming those lines denote parallel/simultaneous access.
The first two are essentially the same, though I'm not sure why #1 is
just 'sys-net' while #2 shows sys-net with wifi & ethernet.
> 2) Regarding sys-vpn firewall... do these settings in effect create a kill switch
> in my firewall? (I only have a URL, not the IPs):
> Address= *
> Service= I enter the port number from my VPN provider
> Protocol= I enter UDP or TCP depending on my VPN provider's instructions?
There are two ingredients here you may not be aware of:
1. The Qubes VPN howto doc has a leak-prevention feature. This
configuration can route packets only over the VPN tunnel.
2. Most subscription VPNs distribute validation certificates with their
config files. Using a certificate, VPN software will reject connections
with any impostor site.
So, as to the need for preventing the VPN VM from connecting with
anything other than the VPN provider, a firewall setting shouldn't be
necessary with a properly set up VPN client. Also, the Qubes firewall is
limited when domain names are used; you could end up with the firewall
trying to filter different addresses than what the VPN client is trying
to use (that is, if your VPN provider has multiple addresses kept in
rotation).
Finally, on Qubes 3.x it can make sense to use sys-firewall (or similar
proxyVM) the other way: Put it between the appVMs and VPN VM if you wish
to use "Deny except" mode in your appVM settings. The reason is this
mode will trigger a Qubes bug if the appVM is connected directly to the
VPN VM, resulting in DNS blockage. However, the Qubes-vpn-support
project[1] has a workaround for the bug, making the following
arrangement perfectly fine even when using "Deny except" on the appVM:
appVM------->sys-vpn------->sys-net
If you're not using "Deny except" on appVMs this arrangement also works,
no workaround required.
[1] https://github.com/tasket/Qubes-vpn-support
--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
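To make the two "ingredients" above concrete, here is an added example (not code from the Qubes VPN howto or from Qubes-vpn-support) that parses a constructed OpenVPN client config, reports whether it pins the provider's certificate (ca / remote-cert-tls), and builds iptables OUTPUT rules that let only literal-IP VPN endpoints leave the VPN VM's uplink, while flagging hostname remotes that a name-based firewall rule could not reliably track. The interface names tun0 and eth0 are assumptions, and the rules cover only the VM's own OUTPUT chain, not traffic forwarded for appVMs.

```python
import ipaddress

# Constructed sample OpenVPN client config; the name and address are
# documentation placeholders, not a real provider's endpoints.
SAMPLE_OVPN = """\
proto udp
remote vpn.example-provider.invalid 1194
remote 198.51.100.7 443 tcp
ca ca.crt
remote-cert-tls server
"""

def parse_ovpn(text):
    """Return (remotes, has_ca, has_remote_cert_tls); remotes = [(host, port, proto)]."""
    default_proto, remotes, has_ca, has_rct = "udp", [], False, False
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        key, args = parts[0], parts[1:]
        if key == "proto":
            default_proto = args[0].rstrip("46")  # udp4/udp6 -> udp
        elif key == "remote":
            port = int(args[1]) if len(args) > 1 else 1194
            proto = args[2].rstrip("46") if len(args) > 2 else None
            remotes.append((args[0], port, proto))
        elif key == "ca":
            has_ca = True
        elif key == "remote-cert-tls":
            has_rct = True
    return [(h, p, pr or default_proto) for h, p, pr in remotes], has_ca, has_rct

def is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def leak_prevention_rules(remotes, tun="tun0", uplink="eth0"):
    """OUTPUT rules for the VPN VM: default drop, anything via the tunnel, only
    literal-IP endpoints out of the uplink (assumed eth0). Hostname remotes are
    returned separately: a name rule may not match what the client resolves."""
    rules = ["iptables -P OUTPUT DROP", "iptables -A OUTPUT -o lo -j ACCEPT",
             f"iptables -A OUTPUT -o {tun} -j ACCEPT"]
    unresolved = [h for h, _, _ in remotes if not is_ip(h)]
    for host, port, proto in remotes:
        if is_ip(host):
            rules.append(f"iptables -A OUTPUT -o {uplink} -p {proto} "
                         f"-d {host} --dport {port} -j ACCEPT")
    return rules, unresolved
```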