Re: [qubes-users] Re: Unable to update templates after forcing all traffic through VPN

On 10/16/2016 08:50 AM, 4lpt9o+3m11o9qubb38o via qubes-users wrote:
> You don't need to manually add the iptables rules. When you enable the
> 'qubes-yum-proxy' on the VPN VM the iptables rule is added automatically:
>
> Chain PR-QBS-SERVICES (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082
>
> And also the corresponding rule on the INPUT chain:
>
> Chain PR-QBS-SERVICES (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082
>
> So you don't need to do this by hand.
>
> @Manuel I agree with you, the instructions in the Qubes VPN doc don't
> outline this step, and it is necessary to have the updates working while
> forcing all the traffic through the VPN. Can someone add some references
> to the VPN article (https://www.qubes-os.org/doc/vpn/), in the same manner
> as this is reflected in this page:
> https://www.qubes-os.org/doc/software-update-vm/#updates-proxy ?
> As it is, anyone following the VPN article would not have the yum/apt
> updates working.

Although following the doc would leave the updates working (the user is instructed to create a new VPN VM, not use the existing sys-firewall), it would be nice to be able to update over a VPN tunnel.

I'll create an issue for updating the doc.

Chris

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3cff8ec6-510e-34a6-9681-4ff01d223c9c%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Unable to update templates after forcing all traffic through VPN

You don't need to manually add the iptables rules. When you enable the 'qubes-yum-proxy' on the VPN VM the iptables rule is added automatically:

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082

And also the corresponding rule on the INPUT chain:

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            10.137.255.254       tcp dpt:8082

So you don't need to do this by hand.

@Manuel I agree with you, the instructions in the Qubes VPN doc don't outline this step, and it is necessary to have the updates working while forcing all the traffic through the VPN. Can someone add some references to the VPN article (https://www.qubes-os.org/doc/vpn/), in the same manner as this is reflected in this page: https://www.qubes-os.org/doc/software-update-vm/#updates-proxy ? As it is, anyone following the VPN article would not have the yum/apt updates working.

Sent using GuerrillaMail.com
Block or report abuse: https://www.guerrillamail.com/abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/34473a329176388840a0d28b17896b0d3a49%40guerrillamail.com.
Re: [qubes-users] Re: Unable to update templates after forcing all traffic through VPN

On 10/15/2016 04:56 PM, 4lgaqp+cqeepdnbinsts via qubes-users wrote:
> Hi Chris,
>
> Thanks for the suggestion.
> Just to clarify, the VPN tunnel was created within the sys-firewall,

I believe the VPN set up by the instructions in the official docs interferes with the updates proxy functionality.

Try this: https://github.com/Rudd-O/qubes-vpn . Pay special attention to the README.md heading "Updates of template VMs attached to the VPN VM". That ought to work.

> and currently that's the only proxyVM that I'm using (apart from the
> sys-whonix), hence all traffic from the sys-net isn't encapsulated by the
> tunnel.
> My understanding is that the sys-firewall merely forwards the traffic through
> the sys-net by adding a forward rule in the sys-firewall every time a new VM
> is started. For that reason I was wondering if I cannot solve this more
> effectively by simply adding a forwarding rule in the sys-firewall to
> whitelist all traffic originating from 0.0.0.0/0 to the destination address
> 10.137.255.254/32 and port 8082, wouldn't this be possible?
> Privacy during updates is not an issue for me, on the contrary, since this
> would allow more network throughput.
> I confess I'm not very keen on changing templates or creating a dedicated
> proxyVM for this purpose.
>
> Thanks

-- 
Rudd-O
http://rudd-o.com/

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/85a129e5-98f8-9dfa-e4f2-3b6ca5c569c2%40rudd-o.com.
Re: [qubes-users] Re: Unable to update templates after forcing all traffic through VPN

On 10/15/2016 04:56 PM, 4lgaqp+cqeepdnbinsts via qubes-users wrote:
> Hi Chris,
>
> Thanks for the suggestion.
> Just to clarify, the VPN tunnel was created within the sys-firewall, and
> currently that's the only proxyVM that I'm using (apart from the sys-whonix),
> hence all traffic from the sys-net isn't encapsulated by the tunnel.

The instructions in the VPN doc (appear to me to) interfere with the Yum Qubes proxy forwarding that is necessary for updates to work.

Try https://github.com/Rudd-O/qubes-vpn if possible, see if updates work there. You must run the Qubes updates proxy service directly in the same VPN VM. Note that update server queries will be handled by the proxy and therefore will not go over the VPN.

> My understanding is that the sys-firewall merely forwards the traffic through
> the sys-net by adding a forward rule in the sys-firewall every time a new VM
> is started. For that reason I was wondering if I cannot solve this more
> effectively by simply adding a forwarding rule in the sys-firewall to
> whitelist all traffic originating from 0.0.0.0/0 to the destination address
> 10.137.255.254/32 and port 8082, wouldn't this be possible?
> Privacy during updates is not an issue for me, on the contrary, since this
> would allow more network throughput.
> I confess I'm not very keen on changing templates or creating a dedicated
> proxyVM for this purpose.
>
> Thanks

-- 
Rudd-O
http://rudd-o.com/

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/081416f6-f3ff-7404-222a-2d9b32fae64a%40rudd-o.com.
Re: [qubes-users] Re: Unable to update templates after forcing all traffic through VPN

> Ok, so I tried to enable the updates proxy in the sys-firewall,
> consequently forcing all updates to go through the VPN. I followed the
> instructions outlined here -
> https://www.qubes-os.org/doc/software-update-vm/#updates-proxy
> However, as soon as I try to run the updates on one of the template VMs I
> get the error "No route to host". All the template VMs have a default route
> to the sys-net (10.137.1.1), notwithstanding the update should be
> targeting the sys-firewall. Should I change the default GW of the
> template VM?!

I found that using an UpdateVM other than sys-net results in failures because the iptables rule to accept connections on local port 8082 is never added to any VM other than the default NetVM.

Updates failed for me (packets to port 8082 being dropped on the update VM) until I manually added the rule myself as the first filter rule:

"-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT"

Or you could just call /usr/lib/qubes/iptables-updates-proxy, which is what happens in sys-net.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9091424ebc3fdf63cf1e757d83fcb21c.webmail%40localhost.
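The thread names two iptables rules that the updates proxy depends on in whichever VM acts as UpdateVM: the nat REDIRECT in PR-QBS-SERVICES that sends vif+ traffic for 10.137.255.254 port 8082 to the local proxy (shown in the iptables listing earlier in the thread), and the filter INPUT ACCEPT for vif+ tcp/8082 that this reply adds by hand. The script below is an added example, not code from the thread or from Qubes OS: it reads iptables-save output and reports which of the two rules is missing, so the "packets dropped on port 8082" state described here can be diagnosed before running an update. The embedded dumps are constructed for the demo, and the exact column order of the rules is an assumption about how iptables-save prints them.

```shell
#!/bin/sh
# Added example (not from the thread or Qubes OS): verify that a VM's iptables
# rule set contains both rules the Qubes updates proxy relies on:
#   1. nat: PR-QBS-SERVICES REDIRECT of vif+ tcp/8082 for 10.137.255.254
#   2. filter: INPUT ACCEPT for vif+ tcp/8082 (the rule this reply adds by hand)
# Input is iptables-save text on stdin, so it runs offline against a captured
# dump, or live in the UpdateVM with:  iptables-save | check_updates_proxy_rules

check_updates_proxy_rules() {
    rules=$(cat)
    missing=0
    # Rule 1: the REDIRECT that steers client VMs' proxy traffic to the local proxy.
    if ! printf '%s\n' "$rules" | grep -Eq \
        -e '^-A PR-QBS-SERVICES .*-d 10\.137\.255\.254/32 .*-i vif[+] .*-p tcp .*--dport 8082 .*-j REDIRECT'; then
        echo "missing: nat REDIRECT of vif+ tcp/8082 to the updates proxy in PR-QBS-SERVICES" >&2
        missing=1
    fi
    # Rule 2: the INPUT ACCEPT; without it the redirected packets fall through to
    # the INPUT policy and are dropped, which is the failure described in this reply.
    if ! printf '%s\n' "$rules" | grep -Eq \
        -e '^-A INPUT .*-i vif[+] .*-p tcp .*--dport 8082 .*-j ACCEPT'; then
        echo "missing: filter INPUT ACCEPT for vif+ tcp/8082" >&2
        missing=1
    fi
    return "$missing"
}

# Constructed iptables-save excerpts for the demo (not captured from a real VM).
# Both rules present, as in sys-net after /usr/lib/qubes/iptables-updates-proxy.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:PR-QBS-SERVICES - [0:0]
-A PREROUTING -j PR-QBS-SERVICES
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
COMMIT'

# REDIRECT present but no INPUT ACCEPT: the state this reply describes, where
# packets to port 8082 are dropped on the UpdateVM.
BAD_DUMP='*nat
:PR-QBS-SERVICES - [0:0]
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i vif+ -p icmp -j ACCEPT
COMMIT'

# Stand-alone demo: report the result for each constructed dump.
report() {
    if printf '%s\n' "$2" | check_updates_proxy_rules; then
        echo "$1: updates proxy rules complete"
    else
        echo "$1: updates proxy rules incomplete"
    fi
}

report GOOD_DUMP "$GOOD_DUMP"
report BAD_DUMP "$BAD_DUMP"
```

Run against a live VM the check only reads the rule set; the fix the reply gives (adding the INPUT rule or calling /usr/lib/qubes/iptables-updates-proxy) remains a separate, deliberate step, which keeps a diagnostic run from silently changing firewall state.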
[qubes-users] Re: Unable to update templates after forcing all traffic through VPN

I was finally able to put this to work! I had to set the sys-firewall as a qubes-yum-proxy, forcing also all the apt/yum traffic through the tunnel.

Everything seems to be working fine now, although I do get a warning on the sys-firewall in the firewall settings while using the Qubes VM Manager:

"The 'sys-firewall' AppVM is not connected to a FirewallVM! You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."

I would expect this warning to be normal, right? Is there any risk in terms of IP leakage in allowing all the output traffic from the sys-firewall to the sys-net?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/722403b66ca80d6ff787c55d56f623810939%40guerrillamail.com.
Re: [qubes-users] Re: Unable to update templates after forcing all traffic through VPN

On 10/15/2016 12:56 PM, 4lgaqp+cqeepdnbinsts via qubes-users wrote:
> Hi Chris,
>
> Thanks for the suggestion.
> Just to clarify, the VPN tunnel was created within the sys-firewall, and
> currently that's the only proxyVM that I'm using (apart from the sys-whonix),
> hence all traffic from the sys-net isn't encapsulated by the tunnel.
> My understanding is that the sys-firewall merely forwards the traffic through
> the sys-net by adding a forward rule in the sys-firewall every time a new VM
> is started. For that reason I was wondering if I cannot solve this more
> effectively by simply adding a forwarding rule in the sys-firewall to
> whitelist all traffic originating from 0.0.0.0/0 to the destination address
> 10.137.255.254/32 and port 8082, wouldn't this be possible?
> Privacy during updates is not an issue for me, on the contrary, since this
> would allow more network throughput.
> I confess I'm not very keen on changing templates or creating a dedicated
> proxyVM for this purpose.
>
> Thanks

I think you mentioned you were using the 'eth0 -j DROP' rules in FORWARD; that would imply that you /are/ putting all traffic through the tunnel. Also, your thread title says you are doing this?

Unfortunately, making exceptions to a VM that is configured to stop all plaintext forwarding can be a bit dicey. IOW, this kind of VPN VM is supposed to be dedicated to the purpose. Qubes' modular style of networking allows you to make exceptions with low risk if you use (for example) a plain sys-firewall in parallel to a VPN VM.

Chris

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/774205fd-f688-b713-d799-d6f145d86de4%40openmailbox.org.
[qubes-users] Re: Unable to update templates after forcing all traffic through VPN

Ok, so I tried to enable the updates proxy in the sys-firewall, consequently forcing all updates to go through the VPN. I followed the instructions outlined here: https://www.qubes-os.org/doc/software-update-vm/#updates-proxy

However, as soon as I try to run the updates on one of the template VMs I get the error "No route to host". All the template VMs have a default route to the sys-net (10.137.1.1), notwithstanding the update should be targeting the sys-firewall. Should I change the default GW of the template VM?!

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/33ad158b2f30014d4093277972e2b769a334%40guerrillamail.com.
[qubes-users] Re: Unable to update templates after forcing all traffic through VPN

Unfortunately I overlooked the config. There's already an automatic rule that whitelists all VMs that are marked 'Allow connections to Updates proxy' to connect to the proxy on port 8082, therefore my suggestion would not work (especially given the fact that the rule to block all traffic is added at the very top of the FORWARD chain).

So is there any way to use the same mechanism to use the proxy on the sys-net while forwarding the traffic to the sys-firewall?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3902b7bfc81722822e4b5ea2c76c03e54d69%40guerrillamail.com.