On 12/18/2017 10:02 AM, Michael Carbone wrote:
On 12/18/2017 09:15 AM, donoban wrote:
On 12/18/2017 03:10 PM, donoban wrote:
First:
- Block all traffic and whitelist your DNS provider IP with sys-firewall
(you should connect your VPN-VM to sys-firewall). For Riseup and Bitmask
you should permit some IPs.

Also consider disabling ICMP and DNS queries

Then:
The solution is to edit /etc/resolv.conf to the default gw of the tunnel.
Try 'sudo route -n' and see the gateway which uses the tun0 interface.


After editing /etc/resolv.conf you have to run:

'sudo /usr/lib/qubes/qubes-setup-dnat-to-ns'

to make it effective.

FYI this is the issue I created to try to collect clear instructions for
Bitmask users:

https://github.com/QubesOS/qubes-issues/issues/2021

The ticket is still open, and once clear documentation is created we can
push it to the website.

Unfortunately the connection process is all controlled by the leap client app, and there is no obvious place to add Qubes-specific lines of code.

But since that issue was logged there has been a lot of Bitmask documentation added to their site. I'll ask them about adding Qubes support directly to their client.

In the meantime, leaks are still an issue if you have to manually run a script like qubes-setup-dnat-to-ns after a connection goes up. The best stopgap may be to block direct forwarding in the proxyVM with:

iptables -I FORWARD -i eth0 -j DROP
iptables -I FORWARD -o eth0 -j DROP

Put these lines in /rw/config/qubes-firewall-user-script and make it executable. On Qubes R4.0-rc you may have to do this for it to work:
ln -s /rw/config/qubes-firewall-user-script /rw/config/qubes-ip-change-hook


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
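The stopgap described in this message, as an added example (not code from the thread, from Qubes, or from Bitmask): a fail-closed helper meant to be installed as /rw/config/qubes-firewall-user-script in the VPN proxy VM. It applies the two FORWARD DROP rules from the message idempotently, so re-running it from the ip-change hook does not stack duplicates, then derives the tun0 gateway from 'route -n' the way donoban describes, writes it to /etc/resolv.conf and re-runs qubes-setup-dnat-to-ns. The variable names IPTABLES, ROUTE_CMD, RESOLV_CONF and DNAT_SCRIPT, the basename gate at the bottom, and the ROUTE_SAMPLE routing table are all assumptions made for this example so the logic can be exercised offline without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes/Bitmask: a fail-closed
# helper for a Qubes VPN proxy VM, intended to live at
# /rw/config/qubes-firewall-user-script (and be symlinked as
# /rw/config/qubes-ip-change-hook on R4.0-rc, as the message describes).
# IPTABLES, ROUTE_CMD, RESOLV_CONF and DNAT_SCRIPT are assumed, overridable
# names so the functions can be exercised without root.

IPTABLES="${IPTABLES:-iptables}"
ROUTE_CMD="${ROUTE_CMD:-route -n}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
DNAT_SCRIPT="${DNAT_SCRIPT:-/usr/lib/qubes/qubes-setup-dnat-to-ns}"

# Constructed `route -n` output for trying tun_gateway offline (not captured
# from a real VM): the tunnel's default route is via 10.8.0.1 on tun0, the
# NetVM-side default route is via 10.137.0.6 on eth0.
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.137.0.6      0.0.0.0         UG    100    0        0 eth0
0.0.0.0         10.8.0.1        0.0.0.0         UG    0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0'

# Print the gateway of the first route on IFACE (default tun0) that has a real
# next hop (G flag, non-zero gateway). Reads `route -n` output on stdin and
# prints nothing when no such route exists.
tun_gateway() {
    iface="${1:-tun0}"
    awk -v iface="$iface" '
        NR > 2 && $8 == iface && $4 ~ /G/ && $2 != "0.0.0.0" { print $2; exit }
    '
}

# Insert one FORWARD DROP rule for eth0 only if it is not already present, so
# re-running the script from the ip-change hook does not stack duplicates.
# $1 is -i or -o.
ensure_forward_drop() {
    "$IPTABLES" -C FORWARD "$1" eth0 -j DROP 2>/dev/null ||
        "$IPTABLES" -I FORWARD "$1" eth0 -j DROP
}

# The stopgap from the message: nothing is forwarded to or from eth0 (the NetVM
# side). Client VMs reach the network only through tun0 and lose all
# connectivity, DNS included, while the tunnel is down: nothing leaks meanwhile.
block_direct_forwarding() {
    ensure_forward_drop -i && ensure_forward_drop -o
}

# Rewrite resolv.conf to the tunnel gateway and refresh the Qubes DNS DNAT
# rules. Reads `route -n` output on stdin; fails if tun0 has no gateway yet.
point_resolver_at_tunnel() {
    gw="$(tun_gateway tun0)"
    if [ -z "$gw" ]; then
        echo "point_resolver_at_tunnel: no tun0 gateway, tunnel not up?" >&2
        return 1
    fi
    printf 'nameserver %s\n' "$gw" > "$RESOLV_CONF"
    "$DNAT_SCRIPT"
}

main() {
    block_direct_forwarding
    # The tunnel may not be up when the firewall script first runs; that is
    # fine, forwarding is already blocked, and the hook re-runs us later.
    $ROUTE_CMD | point_resolver_at_tunnel || true
}

# Act only when installed under one of the Qubes hook names (an assumption of
# this example); under any other name, or when sourced, just define functions.
case "${0##*/}" in
    qubes-firewall-user-script|qubes-ip-change-hook) main ;;
esac
```

Install it as the message says: copy to /rw/config/qubes-firewall-user-script, chmod +x, and on R4.0-rc add the qubes-ip-change-hook symlink. Offline, sourcing the file and running `printf '%s\n' "$ROUTE_SAMPLE" | tun_gateway tun0` prints 10.8.0.1. Note that, like the two original rules, this only covers traffic forwarded for client VMs; the proxy VM's own outbound traffic is not restricted here.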
