On 2/26/19 4:18 PM, [email protected] wrote:
Hello, Chris Laprise,

I've been using qubes-tunnel for a few months now, and first tried with qubes-vpn-support. Thank you for developing them and answering so many questions in a very clear manner; that helped a lot. I accumulated some questions along the way and would now like to understand both of them better. Could you answer some of them when you are free? Thank you.


1. Qubes-tunnel and Qubes-vpn-support: which one is better to choose at which stage?

They're functionally identical. The only difference is the name and that Qubes-vpn-support can be installed inside an appVM without touching a template. The reason for this is that qubes-tunnel was created for possible inclusion in Qubes OS.


From these two apps' GitHub descriptions: 'qubes-tunnel is tested on Debian and Fedora, more for basic users', 'qubes-vpn-support has ipv6 anti leak and whonix tested'

----Does it mean qubes-vpn-support is more advanced, and when a user is more familiar with Qubes, he's advised to move from tunnel to vpn-support?

---Since qubes-tunnel is officially integrated in Qubes OS now, is vpn-support still being maintained? BTW, does this mean the official Qubes document on vpn is slightly outdated as well?

The two perform exactly the same, with same features (incl. ipv6 protection). Although qubes-tunnel has been forked by Marek, it hasn't yet gone into the Qubes project repo.



2. How to use these security tools together?

When I'm online, firefox won't show ip, ipv6, dns, but tor, with its exit node, shows them all. Please note this is not my info, but the tor exit node's.

There will always be some kind of ip address associated with your connections. The appVM's ip may even be known under some circumstances, but this is only virtual. The point of the vpn (and tor) is that other sites are seeing a virtual address, not from your physical ISP link.


However, the tor team publishes all ipv6 exits on their website publicly, ipv6 is too traceable, and most ipcheck websites can tell a browser is coming from a tor exit, and you once suggested as well that ipv6 is a 'naïve' concept.

----Does this mean using tor for sign-in services like checking email is not secure and not recommended, so it's better just for browsing?

If the mail service has an .onion or .i2p address, then you can connect with high confidence in the link security. With a regular https address, it is theoretically secure but this may not be true for every type of adversary.

The same caveat about https holds when using a vpn, except that a vpn you trust probably won't try to attack you when a tor exit node might. That's why an .onion address is safer because exit nodes aren't involved.



---In that case is firefox or opera more secure for email-checking? Especially when the tor team claimed tor + vpn would make a user's traffic 'more obvious'.

Wish I knew more about recent Opera releases; they have a vpn but this doesn't make it better than a good vpn configured in Qubes. I'd say the latter is superior bc if the browser is compromised (as is likely at some point) then the attacker could get access to your opera vpn credentials.

I feel it's also better to subscribe to vpns from companies that are identified as only that... virtual private network providers. They can't pretend that privacy is a secondary concern, so their reputation is made or broken on their privacy promise.


----How would you check webmail if it were you?

Using an .onion address from Whonix/Torbrowser is probably best for email. It could also be pop3 or imap, not necessarily in a web browser. Protonmail.com has an .onion address.

But keep in mind that email is also an old format that didn't anticipate a very hostile network environment. I would look to alternatives like i2p-bote, signal, wire, matrix, and the one that used to be called "Ring". These specialize in decentralized messaging that is end-to-end encrypted.



3. Just to confirm some configuration details

  --On firewall rules, adding the lines below

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

in /rw/config/qubes-firewall-user-script

This is in vpn-vm, not app-vm, sys-net or dom0, right?

Correct. They are effective in a proxyvm or "network-providing" VM. It is based on the VM's forwarding function.



---When you suggested testing an uplink-vm with a package sent to a non-vpn address,
do you mean with something like Wireshark? In sys-net, right?

That depends on which doc you're referring to, but non-vpn address probably means something out on the Internet.


---Disabling ipv6 should be done by

    qvm-features VM ipv6 ''

    That should be in sys-net as well, correct?

    Is it permanent, or should we do it on each boot?

According to Marek this should do the trick. But it's best to also have an anti-leak firewall that covers ipv6 (like the rules you mentioned previously).

--

Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
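
A check for the anti-leak rules discussed in the thread above, as an added example that is not part of the original messages or of the qubes-tunnel / qubes-vpn-support code. It reads rules in `iptables -S FORWARD` format and confirms that both eth0 DROP rules exist and sit ahead of any ACCEPT rule, which is the position `-I` gives them; the function name `check_leak_rules` and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify the eth0 anti-leak rules.
# Input: text in the format printed by `iptables -S FORWARD` (or ip6tables).
# Prints OK, MISSING (a DROP rule is absent) or SHADOWED (an ACCEPT rule
# precedes a DROP rule). Conservative: ANY earlier ACCEPT counts as shadowing.
check_leak_rules() {
    printf '%s\n' "$1" | awk -v ifc="${2:-eth0}" '
        $1 != "-A" || $2 != "FORWARD" { next }   # skip policy lines, other chains
        { n++ }                                  # position within FORWARD
        $0 == ("-A FORWARD -o " ifc " -j DROP") { if (!out) out = n }
        $0 == ("-A FORWARD -i " ifc " -j DROP") { if (!inn) inn = n }
        / -j ACCEPT/ { if (!acc) acc = n }       # first ACCEPT seen
        END {
            if (!out || !inn) { print "MISSING"; exit 1 }
            if (acc && (acc < out || acc < inn)) { print "SHADOWED"; exit 1 }
            print "OK"
        }'
}

# Constructed sample: rules inserted with -I, so they lead the chain.
GOOD='-P FORWARD DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT'

# Constructed sample: same rules appended with -A, landing after ACCEPT rules.
APPENDED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP'

# Constructed sample: the inbound rule was never added.
NO_INBOUND='-P FORWARD DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i vif+ -j ACCEPT'

check_leak_rules "$GOOD" || true
check_leak_rules "$APPENDED" || true
check_leak_rules "$NO_INBOUND" || true
```

Inside the VPN VM the same function can be given live output, for example `check_leak_rules "$(sudo iptables -S FORWARD)"`, and again with `ip6tables` for the IPv6 rules.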
