I have scenario #1 working... I checked DNS leak and was able to get different results depending on the VM I was on. Is this just likely to break due to the bug you reference?

Scenario 2 was supposed to depict 3 separate sys-net, not running at the same time. Clarified as follows:

Clarified Scenario #2
a) VMa------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
b) VMb-------------------sys-firewall---sys-net(Wireless and ethernet)
c) VMc-------------------sys-firewall---sys-net(Wireless and ethernet)

If I want to get on VMa(VPN)... I would need to close all VMs in b) and c); if I wanted to get on VMb, I would need to close all VMs in a) and c), etc... pain in the butt! But is this more secure due to multiple separated sys-net?

Scenario #3 clarified
a) VMa----------sys-vpn---------sys-net(Wireless and ethernet)
b) VMb----------sys-firewall----sys-net(Ethernet only)
c) VMc----------sys-firewall----sys-net(Wireless only)

Scenario #3 is inspired by this post (multiple sys-net's):
Multiple sys-net: http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html

...is the only benefit of this configuration that I can use VMb and VMc at the same time? Or is there better isolation with this config having multiple sys-net's? This assumes all VMs in a) and b) would need to be closed to get on VMa(VPN).

Regarding the firewall rules in sys-vpn: Unfortunately (or fortunately?) my VPN provides a domain name instead of IPs, e.g. VPNprovider.Canada.com. The VPN provider requires port 1194 (UDP only), with user name/password and a local cert (all set up in the OpenVPN client in sys-vpn). In the sys-vpn VM firewall, I would "allow DNS queries" and "deny network access except":
1) put a rule that allows "*" (which I believe allows "Any" domain/IP to pass, although it is limited to VPNprovider.Canada.com, i.e. the Gateway in the OpenVPN client) for "address",
2) port 1195 for "service", and
3) a protocol of "UDP".

Wouldn't this block port 80, 443 and all other ports and only allow VPNprovider.Canada.com on port 1195 via UDP only? Therefore if the VPN goes down, all other ports (80, 443) would not be allowed? i.e. a kill switch?... similar to what's in the Qubes instructions except GUI configured? Similar to this post: https://github.com/Rudd-O/qubes-vpn

Specifically:

Firewall your VPN VM
Open the Firewall rules tab of your new VPN VM's preferences page. Deny network access except for Allow DNS queries. If the VPN server is just an IP address (check the configuration given you by the VPN provider) then you do not have to Allow DNS queries at all. Add a single rule:
- Address: either * (all hosts) as address (use this when you do not know the IP address of the VPN server in advance, and all you have is a DNS host name), or the fixed VPN IP address (if your VPN configuration has a fixed IP address).
- Protocol: choose the protocol that your VPN server configuration indicates (TCP or UDP).
- Port number: type in the port number of your VPN server (with OpenVPN, it's typically 1194, 5000 or 443, but refer to your VPN configuration).

Thanks for the thoughts... I know there are multiple questions here that are difficult for me to articulate.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fbb5a97f-5693-479e-914a-8a75cf5f64ff%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
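Added illustration, not part of the message above nor code from Qubes or the Rudd-O project: a small Python model of a first-match-wins firewall rule list (a simplification of how a Qubes VM firewall's "deny network access except" list is evaluated) that runs the "allow DNS, allow UDP/1194 to *" rule set against a few constructed packets leaving the VPN qube while the tunnel is down. The resolver address, VPN gateway address and other hosts are constructed values.

```python
# Added example (not Qubes's own code): first-match-wins model of a VM firewall rule list.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
DNS_RESOLVER = "10.139.1.1"  # constructed: resolver address sys-net hands to the VPN qube

@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    dsthost: str = "*"          # "*" (any host) or an address/CIDR
    proto: str | None = None    # "tcp", "udp" or None for any protocol
    dstport: int | None = None  # destination port or None for any
    dns_only: bool = False      # models the "Allow DNS queries" checkbox

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dns_only:  # only lookups addressed to the configured resolver
        return pkt.dst == DNS_RESOLVER and pkt.dport == 53
    if rule.dsthost != "*" and ip_address(pkt.dst) not in ip_network(rule.dsthost):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.dstport is None or rule.dstport == pkt.dport

def verdict(rules: list[Rule], pkt: Packet) -> str:
    for rule in rules:  # first matching rule decides
        if matches(rule, pkt):
            return rule.action
    return "drop"       # "Deny network access except ..." default

# The rule set discussed above: allow DNS, allow UDP/1194 to any host, drop everything else.
KILL_SWITCH_RULES = [
    Rule("accept", dns_only=True),
    Rule("accept", dsthost="*", proto="udp", dstport=1194),
    Rule("drop"),
]

def check_kill_switch(rules: list[Rule] = KILL_SWITCH_RULES) -> dict[str, str]:
    samples = {
        "vpn_handshake": Packet("203.0.113.10", "udp", 1194),   # VPN gateway (constructed)
        "dns_lookup": Packet(DNS_RESOLVER, "udp", 53),          # still leaves in the clear
        "https_direct": Packet("198.51.100.7", "tcp", 443),     # blocked: the kill switch
        "http_direct": Packet("198.51.100.7", "tcp", 80),       # blocked: the kill switch
        "udp1194_anywhere": Packet("192.0.2.99", "udp", 1194),  # "*" permits this too
    }
    return {name: verdict(rules, pkt) for name, pkt in samples.items()}
```

With the tunnel down, the model shows the two things this rule set still lets out: DNS lookups through the allowed resolver (what a DNS leak test exercises) and UDP/1194 to any host rather than only the VPN gateway, which is why the quoted Rudd-O instructions prefer a fixed VPN address with no DNS rule when the provider gives one.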
