On 10/29/20 8:31 AM, 'Totally Zoid' via qubes-users wrote:
> ATM I'm using standard Fedora qubes with NetworkManager enabled and
> OpenVPN in order to connect to a VPN. I'd like to switch to the VPN's
> own full-fledged program to use features such as easy switching between
> exit servers and killswitch. I've previously used exclusively OpenVPN,
> but on Qubes, stuck in its own qube, I guess there isn't really anything
> the VPN's program can spy (other than traffic obv), and I reasonably
> trust this particular service.
>
> The app comes as .deb/.rpm or, mercifully, source code. I've tried
> installing the .rpm but naturally I'd have to either do it on each
> restart, do it in the main Fedora template (which could compromise it),
> or do it in its own TemplateVM which would take up another 5 GB.
>
> Bind-dirs looks like an option but I'm not sure which files the .rpm
> install changes, and it looks like an update could easily break it.
>
> Is there anything I'm missing? Looks like I'll have to either waste
> another 5GB space on a new template for a single program (and run
> updates for that template regularly), or have to compile it from source,
> possibly every time there's an update for the VPN program (not looking
> forward to that hehe). I'm thinking there has to be a better way...

The things you may be missing here:

1. It's more secure to have a 'sys-vpn' VM dedicated to the VPN client.

2. Service provider apps generally don't work or don't secure a
dedicated VM properly. They assume a PC network architecture while a
Qubes proxy VM is more like a router.

From a security standpoint the best way is probably Qubes-vpn-support
(see my GitHub link below). But it doesn't have easy GUI switching
between servers; you would have to 'cp' the config for the new server
then 'systemctl restart' the service to switch.

It's possible to set up Network Manager in a dedicated VPN VM including
added anti-leak firewall rules. See the Qubes VPN doc for details.

Chris Laprise, tas...@posteo.net
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886