On 3/29/20 5:16 AM, scurge1tl wrote:


Chris Laprise:
On 3/27/20 5:02 AM, scurge1tl wrote:


Hello all,

I would like to ask about proper setting of AppVM flow if using
Mullvad VPN. I would like to connect to the clearnet in the following way:
Me -> Tor -> VPN -> clearnet.

When setting up mullvad in their web page, I set the parameters for
download here https://mullvad.net/en/download/openvpn-config/ in the
following way:
- All countries (so that I can change my exit country as needed)
- Port -> TCP 443 (Tor doesn't use UDP, right?)
- tick Use IP addresses

Using TCP 443 for the connection helps only if you are running the VPN
on top of Tor. With Tor on top of VPN, you're probably better off with UDP.

Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
with UDP mullvad settings? Just to clear the "on top of".

To make it less ambiguous:

AppVM -> sys-whonix -> sys-vpn -> sys-net

The above connection is Tor on top of (or inside of) VPN, so UDP can be used for the VPN. If sys-whonix and sys-vpn places were reversed, then VPN should switch to TCP mode.

An easy way to remember this is that the sys-* VM attached to the AppVM is the one the service sees on the other end.




To set the Mullvad VPN AppVM, I followed this guide from micahflee
https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
mullvad is vpn-mullvad. All works fine and connects to the network.

How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
vpn-mullvad -> sys-firewall, or should I use a different setup?

Whonix has a guide that examines the issues of combining Tor and a VPN.
However, I think it's better as a 'what-if/why' guide than a Howto...

https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor

Thank you I will check it.



Are there any other steps to follow to prevent leaks?

Yes.

The Qubes-vpn-support project is much easier to set up and should work
more smoothly, in addition to providing better protection against leaks:

https://github.com/tasket/Qubes-vpn-support

There is also a VPN setup guide on the Qubes doc page (this is the one
the Whonix page links to). FWIW, I wrote the scripts for both but the
idea for Qubes-vpn-support was to automate the setup and improve the
connection handling of OpenVPN so re-connection doesn't take 5 minutes.
It also checks the firewall to make sure leak prevention is in place
before initiating connections.

I will try to set the additional AppVM for this and try this guide. What
would be the linking of the AppVMs, if I would like to go Me -> Tor ->
VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
-> sys-firewall ?

Also I would like to use different exit countries of choice, so I
downloaded all countries from mullvad. Is there any simple way to switch
countries with these VPN settings?

There is no GUI way to do it when using the Qubes scripts. However, if you use the Network Manager method on the Qubes vpn howto, then you can import multiple configs (and cross your fingers that they can make connections :) ).

For a non-GUI solution, you could create a small script that lets you choose which ovpn config to use, and 'cp' or 'ln' that choice to the config filename that the scripts use (then restart the vpn). Some people have used simple random selection without a prompt, like 'ln -s $( ls *ovpn | shuf | head -n1 ) vpn-client.conf'.

Sorry for noob questions, I am new to the VPN stuff, just used Tor only
till now, but I need to use tor-unfriendly services from time to time
and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
work in qubes-whonix and I therefore can't select exit country easily if
I need to. So I need to have the VPN country as a strict exit.

To use Tor-unfriendly services, the service has to see the VPN IP not Tor exit node IP. Therefore...

AppVM -> sys-vpn -> sys-whonix -> sys-net

If you add sys-firewall (or similar proxyVM, as you probably don't want to change sys-firewall netvm setting) in the mix, it just depends on which VM you wish to add 'Qubes firewall' rules to... it always goes 'to the right of' whichever VM you added rules. In my experience, however, such rules are not required for securing a VPN link; the internal (scripted) rules used by the VPN doc or Qubes-vpn-support handle VPN security rather well. IOW, it's better to forget placing sys-firewall in the loop, at least until you're more used to Qubes networking.


Thank you and I will let you know if it works!



--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
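
The config-switching script suggested in the reply above, written out as an added example; it is not part of the original message or of Qubes-vpn-support. It assumes all downloaded `*.ovpn` files sit in one directory next to `vpn-client.conf`, and it refuses a config whose `proto` does not match the transport the chosen Tor/VPN ordering needs.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes every *.ovpn config sits in one
# directory and the VPN scripts read "vpn-client.conf" from that directory.

# list_configs DIR: print config basenames, one per line (glob, no ls parsing).
list_configs() {
    for f in "$1"/*.ovpn; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}

# config_proto FILE: print tcp or udp from the first "proto" directive
# (OpenVPN uses udp when the directive is absent).
config_proto() {
    p=$(awk '$1 == "proto" { print $2; exit }' "$1")
    case "$p" in
        tcp*) echo tcp ;;
        *)    echo udp ;;
    esac
}

# activate_config DIR NAME WANT: link NAME to vpn-client.conf only when NAME is
# a plain file directly in DIR and its transport equals WANT (tcp when the VPN
# runs through Tor, as the thread explains). Nothing changes on failure.
activate_config() {
    dir=$1; name=$2; want=$3
    case "$name" in
        */*|""|.*) echo "refusing name: $name" >&2; return 2 ;;
    esac
    if [ ! -f "$dir/$name" ] || [ -L "$dir/$name" ]; then
        echo "not a plain config file: $name" >&2; return 2
    fi
    have=$(config_proto "$dir/$name")
    if [ "$have" != "$want" ]; then
        echo "$name uses $have, need $want" >&2; return 3
    fi
    ln -sfn "$name" "$dir/vpn-client.conf"   # replaces the previous vpn-client.conf
}

# random_config DIR: the thread's random pick, without parsing ls output.
random_config() {
    list_configs "$1" | shuf -n 1
}

# Usage: script DIR NAME tcp|udp, then restart the VPN. With no arguments the
# file only defines the functions.
if [ "$#" -eq 3 ]; then activate_config "$1" "$2" "$3"; fi
```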
