On 8/6/19 10:42 AM, [email protected] wrote:
Hello,
I have a commercial VPN that does not have any options to pass a DNS
handling script. The following is how I set up my qubes: sys-net <> sys-firewall
<> VPN <> AppVm. As you see here I've set up a service VM named VPN where
the VPN software is installed. I've also tried the other variation which
is to have an additional firewall between VPN and AppVm. Neither setup
works for browsing although the VPN is connecting as expected and AppVm
can do IP pings (DNS ping for same address fails), but no web browsing
is available which I suspect is due to no DNS handling setups. I have
spent so much time trying to figure this out that I'm now left
frustrated. Is there a way to do this DNS handling at system level
rather than relying on VPN software to do that? If so, then how do I go
about it?
PS: Is there a difference between the two setups at all? What is the
advantage of having an additional firewall between VPN and AppVm?
OS: Qubes 4
VPN Software: Proprietary based on openvpn
Hi,
There is a VPN guide in the doc section:
https://www.qubes-os.org/doc/vpn/
The CLI section is a very manual way to do it, but it shows how DNS
support is implemented in Qubes and provides some Qubes-specific
firewall protection. The Network Manager section can be useful if your
VPN provider has instructions for setting up the connection in NM.
A more automated and reliable way to set up VPNs is to use Qubes-vpn-support:
https://github.com/tasket/Qubes-vpn-support
Most VPN services that are based on openvpn will offer downloadable
configuration files for openvpn. You can drop such config files into
Qubes-vpn-support and they should work.
OTOH, the 'proprietary' VPN apps are not a good fit for Qubes
networking. You can probably use them in each AppVM where you run your
browsers or other apps, but they won't handle DNS or firewall security
properly in a ProxyVM (the kind of 'provides network' VM you set up like
a firewall).
A separate firewall VM is not required as your ProxyVM will behave just
like a firewall in Qubes 4. This is assuming you trust the VPN software
not to be attacked/exploited in some way (and IMO this is a rather low
risk).
--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
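
An added example, not part of the reply above and not the Qubes documentation's or Qubes-vpn-support's own script: a dry-run sketch of DNS handling done at the system level in the VPN ProxyVM, by redirecting every downstream DNS query to the resolvers the VPN pushes. Assumptions: the Qubes 4.0 iptables layout (nat-table chain `PR-QBS`, downstream qubes on `vif+` interfaces), OpenVPN-style `dhcp-option DNS` values, hypothetical function names, and constructed sample addresses.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Qubes 4.0 iptables layout,
# where downstream qubes are vif+ interfaces and DNS redirection lives in the
# nat-table chain PR-QBS. Rules are printed for review, not applied.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# OpenVPN hands pushed options to up-scripts as foreign_option_N values such
# as "dhcp-option DNS 10.8.0.1"; print the valid resolver addresses in them.
dns_from_options() {
    for opt in "$@"; do
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#"dhcp-option DNS "}
                if is_ipv4 "$addr"; then echo "$addr"
                else echo "skipping invalid DNS option: $opt" >&2; fi ;;
        esac
    done
}

# Print the commands that replace PR-QBS with DNAT rules sending every
# downstream DNS query (UDP and TCP port 53) to the VPN's resolvers.
vpn_dns_rules() {
    addrs=$(dns_from_options "$@")
    if [ -z "$addrs" ]; then
        # Never flush the chain when there is nothing valid to put in it.
        echo "no usable resolver pushed; leaving PR-QBS untouched" >&2
        return 1
    fi
    echo "iptables -t nat -F PR-QBS"
    for addr in $addrs; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PR-QBS -i vif+ -p $proto --dport 53 -j DNAT --to-destination $addr"
        done
    done
}

# Constructed sample of what a provider might push (not real servers).
vpn_dns_rules "dhcp-option DNS 10.8.0.1" "dhcp-option DOMAIN example.net" \
              "dhcp-option DNS 10.8.0.300"
```

The printed commands are meant to be reviewed and then run as root inside the VPN qube once the tunnel is up; an AppVM behind it can then be checked with a name lookup rather than an IP ping.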