On Monday, May 13, 2019 at 12:03:18 PM UTC-4, Chris Laprise wrote:
> On 5/13/19 9:36 AM, [email protected] wrote:
> > Hello, I am trying to achieve this: User -> VPN -> Tor -> Internet
> >
> > This is my setup in qubes:
> >
> > fedora-29-vpn (templatevm- has openvpn installed)
> >
> > VPN-appvm (has openvpn running in it. It is using fedora-29-vpn
> > template)------> vpn-sys-whonix(ProxyVM based on whonix-gw-14 template and
> > its NETVM is VPN-appVM------>Internet AppVM(based on template whonix-ws-14.
> > Its NETVM is set as vpn-sys-whonix).
>
> You might double-check this diagram. It doesn't look right. I would
> expect something more like: Anon1(whonix-ws)-->VPN(fedora or
> debian)-->sys-whonix(whonix-gw)-->sys-net.
wouldnt this way be User -> TOR -> VPN -> Internet? Sorry if it was a bit
confusing my explanation of the setup. maybe this is better explained.
whonix-ws -->Whonix-gw---->sys-vm------>sys-firewall
Internet VPN
Internet(NETVM=vpn-sys-whonix)---->vpn-sys-whonix(NETVM=sys-vm)----->sys-vm
(NETVM=sys-firewall)
(whonix-ws template)
(whonix-gw template) (fedora-29-vpn template)
>
> It also matters precisely where you are checking for DNS packets.
>
> >
> > I have been following this guide
> > https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
> > when I was setting up VPN-appvm which I followed to a tee and completed
> > without too much trouble.
> >
> > The Issue is, I have DNS leaks by doing some online DNS checks with
> > VPN-appvm. Any Idea why/how to possibly fix this.
>
> A vpn vm may still send out DNS packets in the clear to look up its own
> servers. Beyond that, you shouldn't see any.
>
> You can try a more thorough vpn setup here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> This will check that the anti-leak firewall rules are in place before
> starting the vpn client, and generally keep the link running more smoothly.
I can try this method see the difference.
>
> However, I should note there is at least one issue open there for Fedora
> 29 weirdness. In general, I recommend using Debian (which is what Whonix
> is based on) as it has been better behaved than Fedora overall. Its also
> the case that Fedora is intended to be a testbed, NON-production OS and
> Qubes has plans to migrate away from it.
Yes I can switch over to debian and see if that fixes the problem aswell.
>
> You should also read the vpn-related sections of the Whonix docs; There
> are tradeoffs to using a vpn with Whonix.
>
> --
>
> Chris Laprise, [email protected]
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/1aead4a0-b3c5-4471-bbb3-b667a086f92b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
