David, this setup is very interesting and referenced in a reputable source 
by a developer I trust (here 
https://groups.google.com/g/qubes-users/c/m8BfvtAV2o8/m/FGlwdHrGAgAJ ).

I can grasp the general concept, but I'm unable to execute the instructions 
without further guidance.

Do you have a hint for a step by step guide that I may follow to be able to 
implement this?

Official Qubes docs are surely overcomplicating things, as you say, but 
being step by step guides those are just the thing that users like me need.

I've looked around but I can't seem to find any up-to-date, uncomplicated 
step by step guide to get a fail closed, antileak VPN tunnel environment.

Thanks in advance for your support.


On Sunday, November 29, 2020 at 12:09:23 PM UTC+1 David Hobach wrote:

> On 11/28/20 9:26 PM, setem...@posteo.net wrote: 
> > Documentation followed: 
> http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
> > Someone please help me, I'm fucking screaming here every time I try to 
> do the right thing following documentation or try to figure out why my own 
> OS is stopping me from doing basic shit. 
> Hmmm yes the official Qubes doc on VPN is still overcomplicating things a 
> bit too much and even lacking in some areas. 
> Here's a simple and probably even better way than the official doc: 
> 1. Set up a network infrastructure such as: 
> -------- your VPN client VM 1 
> sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --| 
> -------- your VPN client VM 2 etc. 
> Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that. 
> 2. IMPORTANT: Configure your Qubes Os firewall to only allow traffic from 
> sys-vpn to your VPN provider. 
> I.e. `qvm-firewall sys-vpn --raw` should show something like 
> ``` 
> action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port] 
> ``` 
> in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. 
> DNS & pings by default IIRC (you need to remove those GUI rules). 
> If you leave out this step or get it wrong, VPN leaks may be possible. 
> For testing purposes you could skip this step and implement it after step 
> 3 though. 
> 3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
> client, e.g. `openvpn` with whatever config you need. 
> That's it. No messing with iptables et al required... ^^ 
> (Actually there's one iptables rule that would improve security by 0,01%, 
> but I guess it's not really relevant to 99,9% of users.) 
> Maybe someone should update the official recommendations. 
> > Thank you for taking the time to help me so far. Be well. 
> You too. 

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 

Reply via email to