On 11/28/20 9:26 PM, setemera...@posteo.net wrote:
Documentation followed: 

Someone please help me, I'm fucking screaming here every time I try to do the 
right thing following documentation or try to figure out why my own OS is 
stopping me from doing basic shit.

Hmmm yes the official Qubes doc on VPN is still overcomplicating things a bit 
too much and even lacking in some areas.

Here's a simple and probably even better way than the official doc:

1. Set up a network infrastructure such as:

                                             -------- your VPN client VM 1
sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --|
                                             -------- your VPN client VM 2 etc.

Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that.

2. IMPORTANT: Configure your Qubes Os firewall to only allow traffic from 
sys-vpn to your VPN provider.
I.e. `qvm-firewall sys-vpn --raw` should show something like
action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port]
in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. DNS & 
pings by default IIRC (you need to remove those GUI rules).

If you leave out this step or get it wrong, VPN leaks may be possible.
For testing purposes you could skip this step and implement it after step 3 

3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
client, e.g. `openvpn` with whatever config you need.

That's it. No messing with iptables et al required... ^^
(Actually there's one iptables rule that would improve security by 0,01%, but I 
guess it's not really relevant to 99,9% of users.)

Maybe someone should update the official recommendations.

Thank you for taking the time to help me so far. Be well.

You too.

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to