Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
taran1s:
> Chris Laprise:
>> On 5/2/20 6:54 AM, unman wrote:
>>> On Sat, May 02, 2020 at 08:22:57AM +, taran1s wrote:
>>>> unman:
>>>>> On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:
>>>>>> taran1s:
>>>>>> Chris, I tried now to connect to the kraken.com, which seems to be tor
>>>>>> unfriendly through me->tor->VPN->kraken.com but it returns error on
>>>>>> the site "Disabled".
>>>>>>
>>>>>> I learned now that despite I use the above connection model, using VPN
>>>>>> as an exit, I still exit from the tor exit not and not from the VPN. I
>>>>>> am not sure what broke.
>>>>>
>>>>> If I understand your model: me->tor->VPN->kraken.com
>>>>> you are running Tor *through* your VPN - this means that your service
>>>>> provider sees your connection to the VPN, and your VPN provider sees
>>>>> your connection to the first Tor hop.
>>>>> Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
>>>>> exit node that connects to kraken.
>>>>> The VPN is NOT an exit in this model. Nothing has broken.
>>>>
>>>> I am actually using mullvad VPN. The idea is to have the possibility to
>>>> access websites or services (like kraken.com) that are not tor-friendly.
>>>> I would like to connect first to Tor through sys-whonix than connect to
>>>> the VPN through VPN AppVM and from that VPN to connect to the clearnet.
>>>>
>>>> I set the AppVMs networking following way: anon-whonix networking set
>>>> to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
>>>> the clearnet. Is that right for my model?
>>>
>>> No.
>>> Think about it.
>>> anon-whonix creates a request.
>>> sys-whonix takes that request, and builds a circuit.
>>> VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
>>> The VPN provider gets the Tor traffic, and sends it on to the first
>>> hop.
>>> Then it goes via Tor to the exit node and then to the target.
>>> Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
>>> going to Tor; the target sees traffic coming from Tor network.
>>>
>>> *Always* use check.torproject.org to confirm your exit IP in this sort of
>>> case (always) so that actual matches expectations.
>>>
>>> What you have built (in packet terms) is:
>>> me - Tor - VPN - target.
>>>
>>> What you seem to want is:
>>> me - VPN - Tor - target
>>>
>>> To do that you need to build the VPN traffic and send it down a Tor
>>> circuit.
>>> Your Qubes network configuration should be:
>>> client - VPN qube - Tor qube - sys-firewall - sys-net
>>
>> A good rule of thumb is that whichever proxyVM is directly attached to
>> your appVM will be the type of network that the remote service sees.
>>
>>> I have no idea if Whonix will let you do this.
>>
>> This should work for most VPNs, as Patrick and I and others have tested
>> it (though I haven't tested Whonix specifically with Mullvad). The only
>> constraint is that the VPN use TCP instead of UDP.
>
> Thank you for the hint with ProxyVM logic. I tried both configurations
> from Mullvad with UDP and TCP 443, but didn't get it work. The
> VPN-ProxyVM cycles at ready to start link but never goes to the Link Up.
> Mullvad's options are Default (UDP), UDP 53, TCP 80 and TCP 443.
>
> Chris, if you have any chance to try the setup, would be very much
> appreciated.

Hello everyone, did anyone actually manage to make this setup run? Possibly any additional ideas how to accomplish the task of connecting in the above configuration?

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d8ad56cf-49f6-e8b8-a670-ba51d922273f%40mailbox.org.
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 5/2/20 6:54 AM, unman wrote:
>> On Sat, May 02, 2020 at 08:22:57AM +, taran1s wrote:
>>> unman:
>>>> On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:
>>>>> taran1s:
>>>>> Chris, I tried now to connect to the kraken.com, which seems to be tor
>>>>> unfriendly through me->tor->VPN->kraken.com but it returns error on
>>>>> the site "Disabled".
>>>>>
>>>>> I learned now that despite I use the above connection model, using VPN
>>>>> as an exit, I still exit from the tor exit not and not from the VPN. I
>>>>> am not sure what broke.
>>>>
>>>> If I understand your model: me->tor->VPN->kraken.com
>>>> you are running Tor *through* your VPN - this means that your service
>>>> provider sees your connection to the VPN, and your VPN provider sees
>>>> your connection to the first Tor hop.
>>>> Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
>>>> exit node that connects to kraken.
>>>> The VPN is NOT an exit in this model. Nothing has broken.
>>>
>>> I am actually using mullvad VPN. The idea is to have the possibility to
>>> access websites or services (like kraken.com) that are not tor-friendly.
>>> I would like to connect first to Tor through sys-whonix than connect to
>>> the VPN through VPN AppVM and from that VPN to connect to the clearnet.
>>>
>>> I set the AppVMs networking following way: anon-whonix networking set
>>> to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
>>> the clearnet. Is that right for my model?
>>
>> No.
>> Think about it.
>> anon-whonix creates a request.
>> sys-whonix takes that request, and builds a circuit.
>> VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
>> The VPN provider gets the Tor traffic, and sends it on to the first
>> hop.
>> Then it goes via Tor to the exit node and then to the target.
>> Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
>> going to Tor; the target sees traffic coming from Tor network.
>>
>> *Always* use check.torproject.org to confirm your exit IP in this sort of
>> case (always) so that actual matches expectations.
>>
>> What you have built (in packet terms) is:
>> me - Tor - VPN - target.
>>
>> What you seem to want is:
>> me - VPN - Tor - target
>>
>> To do that you need to build the VPN traffic and send it down a Tor
>> circuit.
>> Your Qubes network configuration should be:
>> client - VPN qube - Tor qube - sys-firewall - sys-net
>
> A good rule of thumb is that whichever proxyVM is directly attached to
> your appVM will be the type of network that the remote service sees.
>
>> I have no idea if Whonix will let you do this.
>
> This should work for most VPNs, as Patrick and I and others have tested
> it (though I haven't tested Whonix specifically with Mullvad). The only
> constraint is that the VPN use TCP instead of UDP.

Thank you for the hint with ProxyVM logic. I tried both configurations from Mullvad with UDP and TCP 443, but didn't get it work. The VPN-ProxyVM cycles at ready to start link but never goes to the Link Up. Mullvad's options are Default (UDP), UDP 53, TCP 80 and TCP 443.

Chris, if you have any chance to try the setup, would be very much appreciated.
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 5/2/20 6:54 AM, unman wrote:
> On Sat, May 02, 2020 at 08:22:57AM +, taran1s wrote:
>> unman:
>>> On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:
>>>> taran1s:
>>>> Chris, I tried now to connect to the kraken.com, which seems to be tor
>>>> unfriendly through me->tor->VPN->kraken.com but it returns error on
>>>> the site "Disabled".
>>>>
>>>> I learned now that despite I use the above connection model, using VPN
>>>> as an exit, I still exit from the tor exit not and not from the VPN. I
>>>> am not sure what broke.
>>>
>>> If I understand your model: me->tor->VPN->kraken.com
>>> you are running Tor *through* your VPN - this means that your service
>>> provider sees your connection to the VPN, and your VPN provider sees
>>> your connection to the first Tor hop.
>>> Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
>>> exit node that connects to kraken.
>>> The VPN is NOT an exit in this model. Nothing has broken.
>>
>> I am actually using mullvad VPN. The idea is to have the possibility to
>> access websites or services (like kraken.com) that are not tor-friendly.
>> I would like to connect first to Tor through sys-whonix than connect to
>> the VPN through VPN AppVM and from that VPN to connect to the clearnet.
>>
>> I set the AppVMs networking following way: anon-whonix networking set
>> to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
>> the clearnet. Is that right for my model?
>
> No.
> Think about it.
> anon-whonix creates a request.
> sys-whonix takes that request, and builds a circuit.
> VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
> The VPN provider gets the Tor traffic, and sends it on to the first
> hop.
> Then it goes via Tor to the exit node and then to the target.
> Your ISP sees traffic to the VPN; the VPN provider sees traffic from you
> going to Tor; the target sees traffic coming from Tor network.
>
> *Always* use check.torproject.org to confirm your exit IP in this sort of
> case (always) so that actual matches expectations.
>
> What you have built (in packet terms) is:
> me - Tor - VPN - target.
>
> What you seem to want is:
> me - VPN - Tor - target
>
> To do that you need to build the VPN traffic and send it down a Tor
> circuit.
> Your Qubes network configuration should be:
> client - VPN qube - Tor qube - sys-firewall - sys-net

A good rule of thumb is that whichever proxyVM is directly attached to your appVM will be the type of network that the remote service sees.

> I have no idea if Whonix will let you do this.

This should work for most VPNs, as Patrick and I and others have tested it (though I haven't tested Whonix specifically with Mullvad). The only constraint is that the VPN use TCP instead of UDP.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Frank:
>> unman:
>>> On Sun, May 03, 2020 at 08:01:59AM +, taran1s wrote:
>>>>>> What you have built (in packet terms) is:
>>>>>> me - Tor - VPN - target.
>>>>>>
>>>>>> What you seem to want is:
>>>>>> me - VPN - Tor - target
>>>>>>
>>>>>> To do that you need to build the VPN traffic and send it down a Tor
>>>>>> circuit.
>>>>>> Your Qubes network configuration should be:
>>>>>> client - VPN qube - Tor qube - sys-firewall - sys-net
>>>>>>
>>>>>> I have no idea if Whonix will let you do this.
>>>>>>
>>>>>> unman
>>>>>
>>>>> Ah, omg I see. I thought about it in regards of seeing other AppVMs like
>>>>> sys-whonix -> sys-firewall -> sys-net. I am not experienced in
>>>>> networking and so just followed the logic of what's first gets first. But
>>>>> now I see that packet wise, it is vice versa. It is a bit confusing for
>>>>> me, but if it is working, I will be more than happy :)
>>>>>
>>>>> So if I understand it properly, I set the networking of the AppVMs
>>>>> following way:
>>>>>
>>>>> anon-whonix -> VPN-AppVM -> sys-whonix -> clearnet. In this case I use
>>>>> tor first, exit from tor-exit-node to the VPN and than exit from VPN to
>>>>> clearnet. Am I right?
>>>>
>>>> I tried the setup, but in this case the VPN proxy doesn't go to Link
>>>> UP and TB in anon-whonix isn't connected to the internet. Any ideas?
>>>>
>>>> BTW I downloaded the default UDP setting package from mullvadVPN as
>>>> Chris mentioned. I know that tor is using TCP only. Could this be an
>>>> issue with this setup and I should get the TCP package instead of UDP?
>>>
>>> Yes. Your UDP traffic won't go through Tor.
>>> You need a TCP VPN to route through Tor.
>>>
>>> unman
>>
>> I downloaded the TCP port 443 (there is also TCP port 80?) file from
>> Mullvad and tried to go through, but the VPN Proxy AppVM cycles with
>> 'Ready to start link' only and never goes to the 'Link is UP'.
>>
>> Maybe there is something in the script from Chris that doesn't cooperate
>> with the whonix setup and something needs to be adjusted for this model
>> of connecting to VPN after Tor. But no idea what it could be. I am
>> unfortunately not able to check the script itself as I am not a programmer..
>
> What exactly are you trying to accomplish with this kind of set-up? If you
> want to stay anonymous, your connection through the VPN should accomplish
> that already (if you make sure your browser doesn’t contain any information
> that can be traced back to you) and if not (because you didn’t pay with
> Bitcoin or cash and there is a possible paper-trail back to your person from
> your mullvad VPN account number) then using it through Tor doesn’t help
> either.
>
> Maybe I am missing something here and I would love to be enlightened if that
> is the case...
>
> Regards, Frank

As I mentioned, I would like to use Tor before VPN to be able to connect to the tor-unfriendly services like kraken.com. VPN itself is not anonymous and so connect to the VPN from the Tor exit node helps.
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
> unman:
>> On Sun, May 03, 2020 at 08:01:59AM +, taran1s wrote:
>>>>> What you have built (in packet terms) is:
>>>>> me - Tor - VPN - target.
>>>>>
>>>>> What you seem to want is:
>>>>> me - VPN - Tor - target
>>>>>
>>>>> To do that you need to build the VPN traffic and send it down a Tor
>>>>> circuit.
>>>>> Your Qubes network configuration should be:
>>>>> client - VPN qube - Tor qube - sys-firewall - sys-net
>>>>>
>>>>> I have no idea if Whonix will let you do this.
>>>>>
>>>>> unman
>>>>
>>>> Ah, omg I see. I thought about it in regards of seeing other AppVMs like
>>>> sys-whonix -> sys-firewall -> sys-net. I am not experienced in
>>>> networking and so just followed the logic of what's first gets first. But
>>>> now I see that packet wise, it is vice versa. It is a bit confusing for
>>>> me, but if it is working, I will be more than happy :)
>>>>
>>>> So if I understand it properly, I set the networking of the AppVMs
>>>> following way:
>>>>
>>>> anon-whonix -> VPN-AppVM -> sys-whonix -> clearnet. In this case I use
>>>> tor first, exit from tor-exit-node to the VPN and than exit from VPN to
>>>> clearnet. Am I right?
>>>
>>> I tried the setup, but in this case the VPN proxy doesn't go to Link
>>> UP and TB in anon-whonix isn't connected to the internet. Any ideas?
>>>
>>> BTW I downloaded the default UDP setting package from mullvadVPN as
>>> Chris mentioned. I know that tor is using TCP only. Could this be an
>>> issue with this setup and I should get the TCP package instead of UDP?
>>
>> Yes. Your UDP traffic won't go through Tor.
>> You need a TCP VPN to route through Tor.
>>
>> unman
>
> I downloaded the TCP port 443 (there is also TCP port 80?) file from
> Mullvad and tried to go through, but the VPN Proxy AppVM cycles with
> 'Ready to start link' only and never goes to the 'Link is UP'.
>
> Maybe there is something in the script from Chris that doesn't cooperate
> with the whonix setup and something needs to be adjusted for this model
> of connecting to VPN after Tor. But no idea what it could be. I am
> unfortunately not able to check the script itself as I am not a programmer..

What exactly are you trying to accomplish with this kind of set-up? If you want to stay anonymous, your connection through the VPN should accomplish that already (if you make sure your browser doesn’t contain any information that can be traced back to you) and if not (because you didn’t pay with Bitcoin or cash and there is a possible paper-trail back to your person from your mullvad VPN account number) then using it through Tor doesn’t help either.

Maybe I am missing something here and I would love to be enlightened if that is the case...

Regards, Frank
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
unman:
> On Sun, May 03, 2020 at 08:01:59AM +, taran1s wrote:
>>>> What you have built (in packet terms) is:
>>>> me - Tor - VPN - target.
>>>>
>>>> What you seem to want is:
>>>> me - VPN - Tor - target
>>>>
>>>> To do that you need to build the VPN traffic and send it down a Tor
>>>> circuit.
>>>> Your Qubes network configuration should be:
>>>> client - VPN qube - Tor qube - sys-firewall - sys-net
>>>>
>>>> I have no idea if Whonix will let you do this.
>>>>
>>>> unman
>>>
>>> Ah, omg I see. I thought about it in regards of seeing other AppVMs like
>>> sys-whonix -> sys-firewall -> sys-net. I am not experienced in
>>> networking and so just followed the logic of what's first gets first. But
>>> now I see that packet wise, it is vice versa. It is a bit confusing for
>>> me, but if it is working, I will be more than happy :)
>>>
>>> So if I understand it properly, I set the networking of the AppVMs
>>> following way:
>>>
>>> anon-whonix -> VPN-AppVM -> sys-whonix -> clearnet. In this case I use
>>> tor first, exit from tor-exit-node to the VPN and than exit from VPN to
>>> clearnet. Am I right?
>>
>> I tried the setup, but in this case the VPN proxy doesn't go to Link
>> UP and TB in anon-whonix isn't connected to the internet. Any ideas?
>>
>> BTW I downloaded the default UDP setting package from mullvadVPN as
>> Chris mentioned. I know that tor is using TCP only. Could this be an
>> issue with this setup and I should get the TCP package instead of UDP?
>
> Yes. Your UDP traffic won't go through Tor.
> You need a TCP VPN to route through Tor.
>
> unman

I downloaded the TCP port 443 (there is also TCP port 80?) file from Mullvad and tried to go through, but the VPN Proxy AppVM cycles with 'Ready to start link' only and never goes to the 'Link is UP'.

Maybe there is something in the script from Chris that doesn't cooperate with the whonix setup and something needs to be adjusted for this model of connecting to VPN after Tor. But no idea what it could be. I am unfortunately not able to check the script itself as I am not a programmer..
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On Sun, May 03, 2020 at 08:01:59AM +, taran1s wrote:
>>> What you have built (in packet terms) is:
>>> me - Tor - VPN - target.
>>>
>>> What you seem to want is:
>>> me - VPN - Tor - target
>>>
>>> To do that you need to build the VPN traffic and send it down a Tor
>>> circuit.
>>> Your Qubes network configuration should be:
>>> client - VPN qube - Tor qube - sys-firewall - sys-net
>>>
>>> I have no idea if Whonix will let you do this.
>>>
>>> unman
>>
>> Ah, omg I see. I thought about it in regards of seeing other AppVMs like
>> sys-whonix -> sys-firewall -> sys-net. I am not experienced in
>> networking and so just followed the logic of what's first gets first. But
>> now I see that packet wise, it is vice versa. It is a bit confusing for
>> me, but if it is working, I will be more than happy :)
>>
>> So if I understand it properly, I set the networking of the AppVMs
>> following way:
>>
>> anon-whonix -> VPN-AppVM -> sys-whonix -> clearnet. In this case I use
>> tor first, exit from tor-exit-node to the VPN and than exit from VPN to
>> clearnet. Am I right?
>
> I tried the setup, but in this case the VPN proxy doesn't go to Link
> UP and TB in anon-whonix isn't connected to the internet. Any ideas?
>
> BTW I downloaded the default UDP setting package from mullvadVPN as
> Chris mentioned. I know that tor is using TCP only. Could this be an
> issue with this setup and I should get the TCP package instead of UDP?

Yes. Your UDP traffic won't go through Tor.
You need a TCP VPN to route through Tor.

unman
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On Sat, May 02, 2020 at 08:22:57AM +, taran1s wrote:
> unman:
>> On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:
>>> taran1s:
>>> Chris, I tried now to connect to the kraken.com, which seems to be tor
>>> unfriendly through me->tor->VPN->kraken.com but it returns error on the
>>> site "Disabled".
>>>
>>> I learned now that despite I use the above connection model, using VPN
>>> as an exit, I still exit from the tor exit not and not from the VPN. I
>>> am not sure what broke.
>>
>> If I understand your model: me->tor->VPN->kraken.com
>> you are running Tor *through* your VPN - this means that your service
>> provider sees your connection to the VPN, and your VPN provider sees
>> your connection to the first Tor hop.
>> Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
>> exit node that connects to kraken.
>> The VPN is NOT an exit in this model. Nothing has broken.
>
> I am actually using mullvad VPN. The idea is to have the possibility to
> access websites or services (like kraken.com) that are not tor-friendly.
> I would like to connect first to Tor through sys-whonix than connect to
> the VPN through VPN AppVM and from that VPN to connect to the clearnet.
>
> I set the AppVMs networking following way: anon-whonix networking set
> to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to
> the clearnet. Is that right for my model?

No.
Think about it.
anon-whonix creates a request.
sys-whonix takes that request, and builds a circuit.
VPN-AppVM sees the traffic to the first hop, and sends it down the VPN.
The VPN provider gets the Tor traffic, and sends it on to the first hop.
Then it goes via Tor to the exit node and then to the target.
Your ISP sees traffic to the VPN; the VPN provider sees traffic from you going to Tor; the target sees traffic coming from Tor network.

*Always* use check.torproject.org to confirm your exit IP in this sort of case (always) so that actual matches expectations.

What you have built (in packet terms) is:
me - Tor - VPN - target.

What you seem to want is:
me - VPN - Tor - target

To do that you need to build the VPN traffic and send it down a Tor circuit.
Your Qubes network configuration should be:
client - VPN qube - Tor qube - sys-firewall - sys-net

I have no idea if Whonix will let you do this.

unman
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
unman:
> On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:
>> taran1s:
>> Chris, I tried now to connect to the kraken.com, which seems to be tor
>> unfriendly through me->tor->VPN->kraken.com but it returns error on the
>> site "Disabled".
>>
>> I learned now that despite I use the above connection model, using VPN
>> as an exit, I still exit from the tor exit not and not from the VPN. I
>> am not sure what broke.
>
> If I understand your model: me->tor->VPN->kraken.com
> you are running Tor *through* your VPN - this means that your service
> provider sees your connection to the VPN, and your VPN provider sees
> your connection to the first Tor hop.
> Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
> exit node that connects to kraken.
> The VPN is NOT an exit in this model. Nothing has broken.

I am actually using mullvad VPN. The idea is to have the possibility to access websites or services (like kraken.com) that are not tor-friendly. I would like to connect first to Tor through sys-whonix than connect to the VPN through VPN AppVM and from that VPN to connect to the clearnet.

I set the AppVMs networking following way: anon-whonix networking set to -> sys-whonix networking set to -> VPN-AppVM proxy that connects to the clearnet. Is that right for my model?
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:
> taran1s:
> Chris, I tried now to connect to the kraken.com, which seems to be tor
> unfriendly through me->tor->VPN->kraken.com but it returns error on the
> site "Disabled".
>
> I learned now that despite I use the above connection model, using VPN
> as an exit, I still exit from the tor exit not and not from the VPN. I
> am not sure what broke.

If I understand your model: me->tor->VPN->kraken.com
you are running Tor *through* your VPN - this means that your service provider sees your connection to the VPN, and your VPN provider sees your connection to the first Tor hop.
Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor exit node that connects to kraken.
The VPN is NOT an exit in this model. Nothing has broken.
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
taran1s:
> Chris Laprise:
>> On 4/21/20 11:30 AM, taran1s wrote:
>>> Thank you, this did the trick ^^ Link is up. I will test it with the
>>> setup me -> sys-whonix -> ProxyVM setup ->
>>> clearnet_Tor_unfriendly_services ;)
>>>
>>> If I understand it well, I can select a new VPN country for the
>>> particular session just by executing sudo cp any_country_I_need.ovpn
>>> vpn-client.conf right?
>>
>> Yes, that will work. To change without restarting the VPN VM, you can do:
>>
>> sudo service qubes-vpn-handler stop
>> sudo cp some_location.ovpn vpn-client.conf
>> sudo service qubes-vpn-handler start
>
> All is working well. Thank you very much Chris. At the end it is
> actually very easy to set up and run. The point was my lack of
> experience in basic commands related to Linux and most probably
> selecting wrong mullvad setup files for my planned routing
> (me->tor->vpn). Now it is much clearer.
>
> You mention in your previous email "I suggest you look at an
> introduction to Linux command line". Do you have any good resource for that?
>
> Thank you again ;)

Chris, I tried now to connect to the kraken.com, which seems to be tor unfriendly through me->tor->VPN->kraken.com but it returns error on the site "Disabled".

I learned now that despite I use the above connection model, using VPN as an exit, I still exit from the tor exit not and not from the VPN. I am not sure what broke.

Can you please try to connect through this setup to for example kraken.com and click on Features if it returns the "Disabled" error too? If you have any advice for me, would be very much appreciated.

Thank you!
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 4/21/20 11:30 AM, taran1s wrote:
>> Thank you, this did the trick ^^ Link is up. I will test it with the
>> setup me -> sys-whonix -> ProxyVM setup ->
>> clearnet_Tor_unfriendly_services ;)
>>
>> If I understand it well, I can select a new VPN country for the
>> particular session just by executing sudo cp any_country_I_need.ovpn
>> vpn-client.conf right?
>
> Yes, that will work. To change without restarting the VPN VM, you can do:
>
> sudo service qubes-vpn-handler stop
> sudo cp some_location.ovpn vpn-client.conf
> sudo service qubes-vpn-handler start

All is working well. Thank you very much Chris. At the end it is actually very easy to set up and run. The point was my lack of experience in basic commands related to Linux and most probably selecting wrong mullvad setup files for my planned routing (me->tor->vpn). Now it is much clearer.

You mention in your previous email "I suggest you look at an introduction to Linux command line". Do you have any good resource for that?

Thank you again ;)
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/21/20 11:30 AM, taran1s wrote:
> Thank you, this did the trick ^^ Link is up. I will test it with the
> setup me -> sys-whonix -> ProxyVM setup ->
> clearnet_Tor_unfriendly_services ;)
>
> If I understand it well, I can select a new VPN country for the
> particular session just by executing sudo cp any_country_I_need.ovpn
> vpn-client.conf right?

Yes, that will work. To change without restarting the VPN VM, you can do:

    sudo service qubes-vpn-handler stop
    sudo cp some_location.ovpn vpn-client.conf
    sudo service qubes-vpn-handler start

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
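The profile swap in the message above and the constraint stated elsewhere in this thread (a VPN routed through Tor must use TCP, not UDP) can be combined into one pre-flight check. This is an added example, not part of the thread or of the Qubes VPN scripts; the function names, the `RUN` dry-run variable, the placeholder hostnames and the full destination path `/rw/config/vpn/vpn-client.conf` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check an OpenVPN profile's transport
# before using it in a VPN qube whose netvm is a Tor gateway.

# Print "host port transport" for every `remote` line in profile $1.
# A protocol given on the remote line wins over the global `proto`;
# OpenVPN falls back to UDP when neither is present.
# <connection> blocks are not interpreted.
ovpn_transports() {
    awk '
        { sub(/[#;].*$/, "") }                       # drop comments
        $1 == "proto"                 { proto = $2 }
        $1 == "port" || $1 == "rport" { dport = $2 }
        $1 == "remote" { n++; h[n] = $2; p[n] = $3; t[n] = $4 }
        END {
            if (proto == "") proto = "udp"
            if (dport == "") dport = "1194"
            for (i = 1; i <= n; i++) {
                tr = (t[i] != "") ? t[i] : proto
                pt = (p[i] != "") ? p[i] : dport
                kind = (tr ~ /^tcp/) ? "tcp" : "udp"
                printf "%s %s %s\n", h[i], pt, kind
            }
        }' "$1"
}

# Succeed only if the profile has at least one remote and every remote is TCP.
tor_ready() {
    _t=$(ovpn_transports "$1") || return 2
    [ -n "$_t" ] || return 2
    ! printf '%s\n' "$_t" | grep -q ' udp$'
}

# Swap the active profile with the stop/copy/start sequence quoted in the
# thread, but refuse a profile that contains a UDP remote.
# With RUN unset the commands are only printed; set RUN= (empty) to run them.
# The destination path is an assumption based on the directory named in the thread.
switch_profile() {
    tor_ready "$1" || { echo "refusing $1: not TCP-only" >&2; return 1; }
    ${RUN-echo} sudo service qubes-vpn-handler stop &&
    ${RUN-echo} sudo cp "$1" /rw/config/vpn/vpn-client.conf &&
    ${RUN-echo} sudo service qubes-vpn-handler start
}

# Constructed sample profiles; hostnames are placeholders, not real servers.
demo_dir=$(mktemp -d)
printf 'client\ndev tun\nremote vpn1.example.invalid 1194\n' \
    > "$demo_dir/udp.ovpn"
printf 'client\ndev tun\nproto tcp\nremote vpn1.example.invalid 443\nremote vpn2.example.invalid 80 tcp-client # alt\n' \
    > "$demo_dir/tcp.ovpn"
printf 'client\nremote vpn1.example.invalid 443 tcp\nremote vpn2.example.invalid 53 udp\n' \
    > "$demo_dir/mixed.ovpn"

for f in udp tcp mixed; do
    if tor_ready "$demo_dir/$f.ovpn"; then
        echo "$f.ovpn: TCP only, can be carried over Tor"
    else
        echo "$f.ovpn: has a UDP remote, will not come up behind Tor"
    fi
done
```

A profile with no `proto` line at all is reported as UDP, which matches the "default (UDP)" download mentioned in the thread.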
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 4/21/20 7:03 AM, taran1s wrote:
>> Chris Laprise:
>>> The 'No such file' error is the one to correct. As I said earlier, you
>>> will need to move the files out of the "mullvad_config_linux"
>>> subdirectory into the vpn dir. It can't find the .crt file because it's
>>> in the subdirectory.
>>
>> So it seems like I will need to use the ProxyVM based on debian-10
>> template instead of fedora-30. In case of Fedora-30 ProxyVM, the error
>> is different for some mysterious reason, even the process was the same.
>>
>> I try to unzip the files into the /rw/config/vpn directory, but whatever
>> I try, the unzip command still creates the subdirectory. When I try to
>> get just the files there, without the subdirectory, I don't have enough
>> permissions. Is there any way how to unzip or somehow get the files into
>> /rw/config/vpn? Sorry for the noob questions :)
>
> You could try 'sudo unzip -j' to extract without the subdirectory.
>
> Or you could move the existing files with:
>
> 'sudo mv /rw/config/vpn/mullvad_config_linux/* /rw/config/vpn'
>
> In any case, I suggest you look at an introduction to Linux command line
> to get better acquainted with the OS.
>
>> Btw is it enough to have the ProxyVM routed through sys-net instead of
>> sys-firewall?
>
> Yes.

Thank you, this did the trick ^^ Link is up. I will test it with the setup me -> sys-whonix -> ProxyVM setup -> clearnet_Tor_unfriendly_services ;)

If I understand it well, I can select a new VPN country for the particular session just by executing sudo cp any_country_I_need.ovpn vpn-client.conf right?
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/21/20 7:03 AM, taran1s wrote:
> Chris Laprise:
>> The 'No such file' error is the one to correct. As I said earlier, you
>> will need to move the files out of the "mullvad_config_linux"
>> subdirectory into the vpn dir. It can't find the .crt file because it's
>> in the subdirectory.
>
> So it seems like I will need to use the ProxyVM based on debian-10
> template instead of fedora-30. In case of Fedora-30 ProxyVM, the error
> is different for some mysterious reason, even the process was the same.
>
> I try to unzip the files into the /rw/config/vpn directory, but whatever
> I try, the unzip command still creates the subdirectory. When I try to
> get just the files there, without the subdirectory, I don't have enough
> permissions. Is there any way how to unzip or somehow get the files into
> /rw/config/vpn? Sorry for the noob questions :)

You could try 'sudo unzip -j' to extract without the subdirectory.

Or you could move the existing files with:

'sudo mv /rw/config/vpn/mullvad_config_linux/* /rw/config/vpn'

In any case, I suggest you look at an introduction to Linux command line to get better acquainted with the OS.

> Btw is it enough to have the ProxyVM routed through sys-net instead of
> sys-firewall?

Yes.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
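The failures reported in this thread (vpn-client.conf missing or without a dev line, the ca file left in the mullvad_config_linux subdirectory, the absent update-resolv-conf script, a credentials file readable by group or others) can all be detected before OpenVPN is started. The script below is an added example, not part of any message in the thread and not code from Qubes-vpn-support; the function names, the directive list and the sample tree are assumptions constructed for illustration, and it models the manual `openvpn --cd DIR --config vpn-client.conf` test rather than the service.

```shell
#!/bin/sh
# Added example: preflight check for the manual test used in the thread,
#   openvpn --cd DIR --config vpn-client.conf
# Function names and the directive list are assumptions of this sketch.

# Print one line per problem found in DIR/CONF (nothing printed = clean).
vpn_problems() {
    dir=$1
    conf=${2:-vpn-client.conf}

    # The config must exist under this exact name in the vpn directory.
    if [ ! -f "$dir/$conf" ]; then
        echo "NO-CONFIG $dir/$conf"
        return 0
    fi

    # OpenVPN stops with "You must define TUN/TAP device (--dev)" otherwise.
    if ! grep -Eq '^[[:space:]]*dev[[:space:]]+[^[:space:]]' "$dir/$conf"; then
        echo "NO-DEV $dir/$conf"
    fi

    # Walk the directives that name a file; CRs are stripped first.
    tr -d '\r' < "$dir/$conf" |
    while read -r key path _rest || [ -n "$key" ]; do
        case $key in
            ca|cert|key|tls-auth|tls-crypt|auth-user-pass) kind=FILE ;;
            up|down) kind=SCRIPT ;;   # overridden when run by Qubes-vpn-support
            *) continue ;;
        esac
        [ -n "$path" ] || continue          # e.g. a bare "auth-user-pass"
        path=${path#\"}; path=${path%\"}    # tolerate simple double quotes
        case $path in
            /*) ;;                          # absolute path
            *) path=$dir/$path ;;           # relative to the --cd directory
        esac
        if [ ! -e "$path" ]; then
            echo "MISSING-$kind $key $path"
            continue
        fi
        # Secrets should not be group/other accessible (OpenVPN only warns).
        case $key in
            key|auth-user-pass)
                perms=$(ls -ldL "$path" | cut -c5-10)
                [ "$perms" = "------" ] || echo "LOOSE-PERMS $key $path"
                ;;
        esac
    done
    return 0
}

# Return 0 when clean, 1 (after printing the findings to stderr) otherwise.
vpn_preflight() {
    found=$(vpn_problems "$@")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" >&2
    return 1
}

# Constructed sample: the layout the thread's unzip produced, with the files
# left in mullvad_config_linux/ and one config copied up as vpn-client.conf.
# The "up" path is a stand-in for /etc/openvpn placed inside the sample dir.
make_sample_tree() {
    mkdir -p "$1/mullvad_config_linux"
    : > "$1/mullvad_config_linux/mullvad_ca.crt"
    printf 'constructed-user\nconstructed-pass\n' \
        > "$1/mullvad_config_linux/mullvad_userpass.txt"
    chmod 644 "$1/mullvad_config_linux/mullvad_userpass.txt"
    printf '%s\n' 'client' 'dev tun' 'ca mullvad_ca.crt' \
        'auth-user-pass mullvad_userpass.txt' \
        "up $1/etc/openvpn/update-resolv-conf" > "$1/vpn-client.conf"
}

# "sh thisfile demo" shows the findings before and after flattening.
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    make_sample_tree "$t"
    echo "before moving the files out of the subdirectory:"
    vpn_problems "$t"
    mv "$t"/mullvad_config_linux/* "$t"/
    echo "after:"
    vpn_problems "$t"
    rm -rf "$t"
fi
```

On a real VPN VM the call would be `vpn_preflight /rw/config/vpn`, run with enough privilege to read the files.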
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise: > On 4/20/20 3:01 PM, taran1s wrote: >> >> Chris Laprise: >>> You'll need to put the files in the vpn directory, not a subdirectory >>> like "mullvad_config_linux". >> >> Is there any particular comand, instead of unzip, to not create the >> sub-directory but unzip it in the vpn directory directly? >> >>> >>> That particular error, however, indicates that the config expects >>> "update-resolv-conf" to be in "/etc/openvpn". You can copy it there for >>> the test, but this part of the config is overridden by Qubes-vpn-support >>> so in the end you won't need it there. >> >> Should the Qubes-vpn-support be unzipped and installed in /home/user/ or >> an another path or it doesn't matter? > > You can unzip it in any user directory and the installer will know where > to install the program files. > >> >> BTW this is the log from debian-10 based ProxyVM. The error seems to be >> different: >> >> user@open:~$ sudo mkdir -p /rw/config/vpn >> user@open:~$ cd /rw/config/vpn >> user@open:/rw/config/vpn$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip >> Archive: /home/user/mullvad_openvpn_linux_all_all.zip >> creating: mullvad_config_linux/ >> extracting: mullvad_config_linux/mullvad_ae_all.conf >> extracting: mullvad_config_linux/mullvad_al_all.conf >> extracting: mullvad_config_linux/mullvad_at_all.conf >> extracting: mullvad_config_linux/mullvad_au_all.conf >> extracting: mullvad_config_linux/mullvad_be_all.conf >> extracting: mullvad_config_linux/mullvad_bg_all.conf >> extracting: mullvad_config_linux/mullvad_br_all.conf >> extracting: mullvad_config_linux/mullvad_ca_all.conf >> extracting: mullvad_config_linux/mullvad_ch_all.conf >> extracting: mullvad_config_linux/mullvad_cz_all.conf >> extracting: mullvad_config_linux/mullvad_de_all.conf >> extracting: mullvad_config_linux/mullvad_dk_all.conf >> extracting: mullvad_config_linux/mullvad_es_all.conf >> extracting: mullvad_config_linux/mullvad_fi_all.conf >> extracting: 
mullvad_config_linux/mullvad_fr_all.conf >> extracting: mullvad_config_linux/mullvad_gb_all.conf >> extracting: mullvad_config_linux/mullvad_gr_all.conf >> extracting: mullvad_config_linux/mullvad_hk_all.conf >> extracting: mullvad_config_linux/mullvad_hu_all.conf >> extracting: mullvad_config_linux/mullvad_ie_all.conf >> extracting: mullvad_config_linux/mullvad_il_all.conf >> extracting: mullvad_config_linux/mullvad_it_all.conf >> extracting: mullvad_config_linux/mullvad_jp_all.conf >> extracting: mullvad_config_linux/mullvad_lu_all.conf >> extracting: mullvad_config_linux/mullvad_lv_all.conf >> extracting: mullvad_config_linux/mullvad_md_all.conf >> extracting: mullvad_config_linux/mullvad_nl_all.conf >> extracting: mullvad_config_linux/mullvad_no_all.conf >> extracting: mullvad_config_linux/mullvad_nz_all.conf >> extracting: mullvad_config_linux/mullvad_pl_all.conf >> extracting: mullvad_config_linux/mullvad_pt_all.conf >> extracting: mullvad_config_linux/mullvad_ro_all.conf >> extracting: mullvad_config_linux/mullvad_rs_all.conf >> extracting: mullvad_config_linux/mullvad_se_all.conf >> extracting: mullvad_config_linux/mullvad_sg_all.conf >> extracting: mullvad_config_linux/mullvad_us_all.conf >> extracting: mullvad_config_linux/mullvad_userpass.txt >> extracting: mullvad_config_linux/mullvad_ca.crt >> extracting: mullvad_config_linux/update-resolv-conf >> user@open:/rw/config/vpn$ sudo cp >> mullvad_config_linux/mullvad_ch_all.conf vpn-client.conf >> user@open:/rw/config/vpn$ sudo openvpn --cd /rw/config/vpn --config >> vpn-client.conf --auth-user-pass >> mullvad_config_linux/mullvad_userpass.txt >> Mon Apr 20 16:03:58 2020 Note: option tun-ipv6 is ignored because modern >> operating systems do not need special IPv6 tun handling anymore. 
>> Options error: --ca fails with 'mullvad_ca.crt': No such file or >> directory (errno=2) >> Mon Apr 20 16:03:58 2020 WARNING: file >> 'mullvad_config_linux/mullvad_userpass.txt' is group or others accessible >> Options error: Please correct these errors. >> Use --help for more information. >> > > The 'No such file' error is the one to correct. As I said earlier, you > will need to move the files out of the "mullvad_config_linux" > subdirectory into the vpn dir. It can't find the .crt file because its > in the subdirectory. > So it seems like I will need to use the ProxyVM based on debian-10 template instead of fedora-30. In case of Fedora-30 ProxyVM, the error is different for some mysterious reason, even the process was the same. I try to unzip the files into the /rw/config/vpn directory, but whatever I try, the unzip comand still creates the subdirectory. When I try to get just the files there, without the subdirectory, I don't have enough permissions. Is there any way how to unzip or somehow get the files into /rw/config/vpn? Sorry for the noob questions :) Btw is it enough to have the ProxyVM routed through sys-net instead of sys-firewall? -- You
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/20/20 3:01 PM, taran1s wrote:
> Chris Laprise:
>> You'll need to put the files in the vpn directory, not a subdirectory
>> like "mullvad_config_linux".
>
> Is there any particular command, instead of unzip, to not create the
> sub-directory but unzip it in the vpn directory directly?
>
>> That particular error, however, indicates that the config expects
>> "update-resolv-conf" to be in "/etc/openvpn". You can copy it there for
>> the test, but this part of the config is overridden by Qubes-vpn-support
>> so in the end you won't need it there.
>
> Should the Qubes-vpn-support be unzipped and installed in /home/user/ or
> an another path or it doesn't matter?

You can unzip it in any user directory and the installer will know where to install the program files.

> BTW this is the log from debian-10 based ProxyVM. The error seems to be
> different:
>
> user@open:~$ sudo mkdir -p /rw/config/vpn
> user@open:~$ cd /rw/config/vpn
> user@open:/rw/config/vpn$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip
> Archive: /home/user/mullvad_openvpn_linux_all_all.zip
> creating: mullvad_config_linux/
> extracting: mullvad_config_linux/mullvad_ae_all.conf
> extracting: mullvad_config_linux/mullvad_al_all.conf
> extracting: mullvad_config_linux/mullvad_at_all.conf
> extracting: mullvad_config_linux/mullvad_au_all.conf
> extracting: mullvad_config_linux/mullvad_be_all.conf
> extracting: mullvad_config_linux/mullvad_bg_all.conf
> extracting: mullvad_config_linux/mullvad_br_all.conf
> extracting: mullvad_config_linux/mullvad_ca_all.conf
> extracting: mullvad_config_linux/mullvad_ch_all.conf
> extracting: mullvad_config_linux/mullvad_cz_all.conf
> extracting: mullvad_config_linux/mullvad_de_all.conf
> extracting: mullvad_config_linux/mullvad_dk_all.conf
> extracting: mullvad_config_linux/mullvad_es_all.conf
> extracting: mullvad_config_linux/mullvad_fi_all.conf
> extracting: mullvad_config_linux/mullvad_fr_all.conf
> extracting: mullvad_config_linux/mullvad_gb_all.conf
> extracting: mullvad_config_linux/mullvad_gr_all.conf
> extracting: mullvad_config_linux/mullvad_hk_all.conf
> extracting: mullvad_config_linux/mullvad_hu_all.conf
> extracting: mullvad_config_linux/mullvad_ie_all.conf
> extracting: mullvad_config_linux/mullvad_il_all.conf
> extracting: mullvad_config_linux/mullvad_it_all.conf
> extracting: mullvad_config_linux/mullvad_jp_all.conf
> extracting: mullvad_config_linux/mullvad_lu_all.conf
> extracting: mullvad_config_linux/mullvad_lv_all.conf
> extracting: mullvad_config_linux/mullvad_md_all.conf
> extracting: mullvad_config_linux/mullvad_nl_all.conf
> extracting: mullvad_config_linux/mullvad_no_all.conf
> extracting: mullvad_config_linux/mullvad_nz_all.conf
> extracting: mullvad_config_linux/mullvad_pl_all.conf
> extracting: mullvad_config_linux/mullvad_pt_all.conf
> extracting: mullvad_config_linux/mullvad_ro_all.conf
> extracting: mullvad_config_linux/mullvad_rs_all.conf
> extracting: mullvad_config_linux/mullvad_se_all.conf
> extracting: mullvad_config_linux/mullvad_sg_all.conf
> extracting: mullvad_config_linux/mullvad_us_all.conf
> extracting: mullvad_config_linux/mullvad_userpass.txt
> extracting: mullvad_config_linux/mullvad_ca.crt
> extracting: mullvad_config_linux/update-resolv-conf
> user@open:/rw/config/vpn$ sudo cp mullvad_config_linux/mullvad_ch_all.conf vpn-client.conf
> user@open:/rw/config/vpn$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt
> Mon Apr 20 16:03:58 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
> Options error: --ca fails with 'mullvad_ca.crt': No such file or directory (errno=2)
> Mon Apr 20 16:03:58 2020 WARNING: file 'mullvad_config_linux/mullvad_userpass.txt' is group or others accessible
> Options error: Please correct these errors.
> Use --help for more information.

The 'No such file' error is the one to correct. As I said earlier, you will need to move the files out of the "mullvad_config_linux" subdirectory into the vpn dir. It can't find the .crt file because it's in the subdirectory.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise: > On 4/20/20 9:31 AM, taran1s wrote: >> >> >> Chris Laprise: >>> On 4/20/20 8:12 AM, taran1s wrote: Chris Laprise: > On 4/17/20 7:12 AM, taran1s wrote: >> >> >> Chris Laprise: >>> On 4/15/20 6:35 AM, taran1s wrote: In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide there is the cd Qubes-vpn-support command as the first one. This assumes that the file is unzipped already, right? So I unzip it in the /home/user folder, than cd to the unzipped Qubes-vpn-support-1.4.3 and execute sudo bash ./install. Than proceed to the restart. Is this how it was meant? >>> >>> Yes, if you're installing it in the Proxy VM (VPN VM) itself. >>> Otherwise, >>> installing it in a template means you have to do step 4 also. >> >> Yes, I install it in the ProxyVM. Is my procedure right? The >> >>> >>> Hmmm. Its not showing the full "Options error" lines. Try >>> redirecting >>> the output to a text file instead: >>> >>> sudo journalctl -u qubes-vpn-handler >log.txt >>> >> >> See the log attached please. >> > > It doesn't look like the same error as before. This one says the > config > has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf' > to see if it has a line like "dev tun"? > If I go to the /rw/config/vpn/ there is no vpn-client.conf file but vpn-client.conf-example only. This is content of the vpn-client.conf-example: >>> >>> OK, it looks like you skipped the part of Step 2 where you copy or link >>> your config file so that "vpn-client.conf" exists. For example: >>> >>> sudo cp US_East.ovpn vpn-client.conf >>> >> I created another ProxyVM ovpn and do it from the scratch. Can you >> please check if this is the right procedure? 
>> >> [user@ovpn ~]$ sudo mkdir -p /rw/config/vpn >> [user@ovpn ~]$ cd /rw/config/vpn >> [user@ovpn vpn]$ ls >> [user@ovpn vpn]$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip >> Archive: /home/user/mullvad_openvpn_linux_all_all.zip >> creating: mullvad_config_linux/ >> extracting: mullvad_config_linux/mullvad_ae_all.conf >> extracting: mullvad_config_linux/mullvad_al_all.conf >> extracting: mullvad_config_linux/mullvad_at_all.conf >> extracting: mullvad_config_linux/mullvad_au_all.conf >> extracting: mullvad_config_linux/mullvad_be_all.conf >> extracting: mullvad_config_linux/mullvad_bg_all.conf >> extracting: mullvad_config_linux/mullvad_br_all.conf >> extracting: mullvad_config_linux/mullvad_ca_all.conf >> extracting: mullvad_config_linux/mullvad_ch_all.conf >> extracting: mullvad_config_linux/mullvad_cz_all.conf >> extracting: mullvad_config_linux/mullvad_de_all.conf >> extracting: mullvad_config_linux/mullvad_dk_all.conf >> extracting: mullvad_config_linux/mullvad_es_all.conf >> extracting: mullvad_config_linux/mullvad_fi_all.conf >> extracting: mullvad_config_linux/mullvad_fr_all.conf >> extracting: mullvad_config_linux/mullvad_gb_all.conf >> extracting: mullvad_config_linux/mullvad_gr_all.conf >> extracting: mullvad_config_linux/mullvad_hk_all.conf >> extracting: mullvad_config_linux/mullvad_hu_all.conf >> extracting: mullvad_config_linux/mullvad_ie_all.conf >> extracting: mullvad_config_linux/mullvad_il_all.conf >> extracting: mullvad_config_linux/mullvad_it_all.conf >> extracting: mullvad_config_linux/mullvad_jp_all.conf >> extracting: mullvad_config_linux/mullvad_lu_all.conf >> extracting: mullvad_config_linux/mullvad_lv_all.conf >> extracting: mullvad_config_linux/mullvad_md_all.conf >> extracting: mullvad_config_linux/mullvad_nl_all.conf >> extracting: mullvad_config_linux/mullvad_no_all.conf >> extracting: mullvad_config_linux/mullvad_nz_all.conf >> extracting: mullvad_config_linux/mullvad_pl_all.conf >> extracting: 
mullvad_config_linux/mullvad_pt_all.conf >> extracting: mullvad_config_linux/mullvad_ro_all.conf >> extracting: mullvad_config_linux/mullvad_rs_all.conf >> extracting: mullvad_config_linux/mullvad_se_all.conf >> extracting: mullvad_config_linux/mullvad_sg_all.conf >> extracting: mullvad_config_linux/mullvad_us_all.conf >> extracting: mullvad_config_linux/mullvad_userpass.txt >> extracting: mullvad_config_linux/mullvad_ca.crt >> extracting: mullvad_config_linux/update-resolv-conf >> [user@ovpn vpn]$ sudo cp mullvad_config_linux/mullvad_ch_all.conf >> vpn-client.conf >> [user@ovpn vpn]$ sudo openvpn --cd /rw/config/vpn --config >> vpn-client.conf --auth-user-pass >> mullvad_config_linux/mullvad_userpass.txt >> Mon Apr 20 15:27:43 2020 Note: option tun-ipv6 is ignored because modern >> operating systems do not need special IPv6 tun handling anymore. >> Options error: --up script fails with '/etc/openvpn/update-resolv-conf': >> No such file or directory (errno=2) >> Options error: Please correct this error. >> Use
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/20/20 9:31 AM, taran1s wrote: Chris Laprise: On 4/20/20 8:12 AM, taran1s wrote: Chris Laprise: On 4/17/20 7:12 AM, taran1s wrote: Chris Laprise: On 4/15/20 6:35 AM, taran1s wrote: In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide there is the cd Qubes-vpn-support command as the first one. This assumes that the file is unzipped already, right? So I unzip it in the /home/user folder, than cd to the unzipped Qubes-vpn-support-1.4.3 and execute sudo bash ./install. Than proceed to the restart. Is this how it was meant? Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise, installing it in a template means you have to do step 4 also. Yes, I install it in the ProxyVM. Is my procedure right? The Hmmm. Its not showing the full "Options error" lines. Try redirecting the output to a text file instead: sudo journalctl -u qubes-vpn-handler >log.txt See the log attached please. It doesn't look like the same error as before. This one says the config has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf' to see if it has a line like "dev tun"? If I go to the /rw/config/vpn/ there is no vpn-client.conf file but vpn-client.conf-example only. This is content of the vpn-client.conf-example: OK, it looks like you skipped the part of Step 2 where you copy or link your config file so that "vpn-client.conf" exists. For example: sudo cp US_East.ovpn vpn-client.conf I created another ProxyVM ovpn and do it from the scratch. Can you please check if this is the right procedure? 
[user@ovpn ~]$ sudo mkdir -p /rw/config/vpn [user@ovpn ~]$ cd /rw/config/vpn [user@ovpn vpn]$ ls [user@ovpn vpn]$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip Archive: /home/user/mullvad_openvpn_linux_all_all.zip creating: mullvad_config_linux/ extracting: mullvad_config_linux/mullvad_ae_all.conf extracting: mullvad_config_linux/mullvad_al_all.conf extracting: mullvad_config_linux/mullvad_at_all.conf extracting: mullvad_config_linux/mullvad_au_all.conf extracting: mullvad_config_linux/mullvad_be_all.conf extracting: mullvad_config_linux/mullvad_bg_all.conf extracting: mullvad_config_linux/mullvad_br_all.conf extracting: mullvad_config_linux/mullvad_ca_all.conf extracting: mullvad_config_linux/mullvad_ch_all.conf extracting: mullvad_config_linux/mullvad_cz_all.conf extracting: mullvad_config_linux/mullvad_de_all.conf extracting: mullvad_config_linux/mullvad_dk_all.conf extracting: mullvad_config_linux/mullvad_es_all.conf extracting: mullvad_config_linux/mullvad_fi_all.conf extracting: mullvad_config_linux/mullvad_fr_all.conf extracting: mullvad_config_linux/mullvad_gb_all.conf extracting: mullvad_config_linux/mullvad_gr_all.conf extracting: mullvad_config_linux/mullvad_hk_all.conf extracting: mullvad_config_linux/mullvad_hu_all.conf extracting: mullvad_config_linux/mullvad_ie_all.conf extracting: mullvad_config_linux/mullvad_il_all.conf extracting: mullvad_config_linux/mullvad_it_all.conf extracting: mullvad_config_linux/mullvad_jp_all.conf extracting: mullvad_config_linux/mullvad_lu_all.conf extracting: mullvad_config_linux/mullvad_lv_all.conf extracting: mullvad_config_linux/mullvad_md_all.conf extracting: mullvad_config_linux/mullvad_nl_all.conf extracting: mullvad_config_linux/mullvad_no_all.conf extracting: mullvad_config_linux/mullvad_nz_all.conf extracting: mullvad_config_linux/mullvad_pl_all.conf extracting: mullvad_config_linux/mullvad_pt_all.conf extracting: mullvad_config_linux/mullvad_ro_all.conf extracting: mullvad_config_linux/mullvad_rs_all.conf 
extracting: mullvad_config_linux/mullvad_se_all.conf extracting: mullvad_config_linux/mullvad_sg_all.conf extracting: mullvad_config_linux/mullvad_us_all.conf extracting: mullvad_config_linux/mullvad_userpass.txt extracting: mullvad_config_linux/mullvad_ca.crt extracting: mullvad_config_linux/update-resolv-conf [user@ovpn vpn]$ sudo cp mullvad_config_linux/mullvad_ch_all.conf vpn-client.conf [user@ovpn vpn]$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt Mon Apr 20 15:27:43 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2) Options error: Please correct this error. Use --help for more information. [user@ovpn vpn]$ cd ~ [user@ovpn ~]$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt Mon Apr 20 15:28:29 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2) Options error: Please correct this error. Use --help for more information. You'll need to put
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise: > On 4/20/20 8:12 AM, taran1s wrote: >> >> >> Chris Laprise: >>> On 4/17/20 7:12 AM, taran1s wrote: Chris Laprise: > On 4/15/20 6:35 AM, taran1s wrote: >> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide >> there is the cd Qubes-vpn-support command as the first one. This >> assumes >> that the file is unzipped already, right? So I unzip it in the >> /home/user folder, than cd to the unzipped Qubes-vpn-support-1.4.3 >> and >> execute sudo bash ./install. Than proceed to the restart. Is this >> how it >> was meant? > > Yes, if you're installing it in the Proxy VM (VPN VM) itself. > Otherwise, > installing it in a template means you have to do step 4 also. Yes, I install it in the ProxyVM. Is my procedure right? The > > Hmmm. Its not showing the full "Options error" lines. Try redirecting > the output to a text file instead: > > sudo journalctl -u qubes-vpn-handler >log.txt > See the log attached please. >>> >>> It doesn't look like the same error as before. This one says the config >>> has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf' >>> to see if it has a line like "dev tun"? >>> >> >> If I go to the /rw/config/vpn/ there is no vpn-client.conf file but >> vpn-client.conf-example only. This is content of the >> vpn-client.conf-example: > > OK, it looks like you skipped the part of Step 2 where you copy or link > your config file so that "vpn-client.conf" exists. For example: > > sudo cp US_East.ovpn vpn-client.conf > I created another ProxyVM ovpn and do it from the scratch. Can you please check if this is the right procedure? 
[user@ovpn ~]$ sudo mkdir -p /rw/config/vpn [user@ovpn ~]$ cd /rw/config/vpn [user@ovpn vpn]$ ls [user@ovpn vpn]$ sudo unzip ~/mullvad_openvpn_linux_all_all.zip Archive: /home/user/mullvad_openvpn_linux_all_all.zip creating: mullvad_config_linux/ extracting: mullvad_config_linux/mullvad_ae_all.conf extracting: mullvad_config_linux/mullvad_al_all.conf extracting: mullvad_config_linux/mullvad_at_all.conf extracting: mullvad_config_linux/mullvad_au_all.conf extracting: mullvad_config_linux/mullvad_be_all.conf extracting: mullvad_config_linux/mullvad_bg_all.conf extracting: mullvad_config_linux/mullvad_br_all.conf extracting: mullvad_config_linux/mullvad_ca_all.conf extracting: mullvad_config_linux/mullvad_ch_all.conf extracting: mullvad_config_linux/mullvad_cz_all.conf extracting: mullvad_config_linux/mullvad_de_all.conf extracting: mullvad_config_linux/mullvad_dk_all.conf extracting: mullvad_config_linux/mullvad_es_all.conf extracting: mullvad_config_linux/mullvad_fi_all.conf extracting: mullvad_config_linux/mullvad_fr_all.conf extracting: mullvad_config_linux/mullvad_gb_all.conf extracting: mullvad_config_linux/mullvad_gr_all.conf extracting: mullvad_config_linux/mullvad_hk_all.conf extracting: mullvad_config_linux/mullvad_hu_all.conf extracting: mullvad_config_linux/mullvad_ie_all.conf extracting: mullvad_config_linux/mullvad_il_all.conf extracting: mullvad_config_linux/mullvad_it_all.conf extracting: mullvad_config_linux/mullvad_jp_all.conf extracting: mullvad_config_linux/mullvad_lu_all.conf extracting: mullvad_config_linux/mullvad_lv_all.conf extracting: mullvad_config_linux/mullvad_md_all.conf extracting: mullvad_config_linux/mullvad_nl_all.conf extracting: mullvad_config_linux/mullvad_no_all.conf extracting: mullvad_config_linux/mullvad_nz_all.conf extracting: mullvad_config_linux/mullvad_pl_all.conf extracting: mullvad_config_linux/mullvad_pt_all.conf extracting: mullvad_config_linux/mullvad_ro_all.conf extracting: mullvad_config_linux/mullvad_rs_all.conf 
extracting: mullvad_config_linux/mullvad_se_all.conf extracting: mullvad_config_linux/mullvad_sg_all.conf extracting: mullvad_config_linux/mullvad_us_all.conf extracting: mullvad_config_linux/mullvad_userpass.txt extracting: mullvad_config_linux/mullvad_ca.crt extracting: mullvad_config_linux/update-resolv-conf [user@ovpn vpn]$ sudo cp mullvad_config_linux/mullvad_ch_all.conf vpn-client.conf [user@ovpn vpn]$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt Mon Apr 20 15:27:43 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2) Options error: Please correct this error. Use --help for more information. [user@ovpn vpn]$ cd ~ [user@ovpn ~]$ sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass mullvad_config_linux/mullvad_userpass.txt Mon Apr 20 15:28:29 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/20/20 8:12 AM, taran1s wrote:
> Chris Laprise:
>> On 4/17/20 7:12 AM, taran1s wrote:
>>> Chris Laprise:
>>>> On 4/15/20 6:35 AM, taran1s wrote:
>>>>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
>>>>> there is the cd Qubes-vpn-support command as the first one. This assumes
>>>>> that the file is unzipped already, right? So I unzip it in the
>>>>> /home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
>>>>> execute sudo bash ./install. Then proceed to the restart. Is this how it
>>>>> was meant?
>>>>
>>>> Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
>>>> installing it in a template means you have to do step 4 also.
>>>
>>> Yes, I install it in the ProxyVM. Is my procedure right? The
>>>
>>>> Hmmm. It's not showing the full "Options error" lines. Try redirecting
>>>> the output to a text file instead:
>>>>
>>>> sudo journalctl -u qubes-vpn-handler >log.txt
>>>
>>> See the log attached please.
>>
>> It doesn't look like the same error as before. This one says the config
>> has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf'
>> to see if it has a line like "dev tun"?
>
> If I go to the /rw/config/vpn/ there is no vpn-client.conf file but
> vpn-client.conf-example only. This is content of the
> vpn-client.conf-example:

OK, it looks like you skipped the part of Step 2 where you copy or link your config file so that "vpn-client.conf" exists. For example:

sudo cp US_East.ovpn vpn-client.conf

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/17/20 7:12 AM, taran1s wrote:
> Chris Laprise:
>> On 4/15/20 6:35 AM, taran1s wrote:
>>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
>>> there is the cd Qubes-vpn-support command as the first one. This assumes
>>> that the file is unzipped already, right? So I unzip it in the
>>> /home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
>>> execute sudo bash ./install. Then proceed to the restart. Is this how it
>>> was meant?
>>
>> Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
>> installing it in a template means you have to do step 4 also.
>
> Yes, I install it in the ProxyVM. Is my procedure right? The
>
>> Hmmm. It's not showing the full "Options error" lines. Try redirecting
>> the output to a text file instead:
>>
>> sudo journalctl -u qubes-vpn-handler >log.txt
>
> See the log attached please.

It doesn't look like the same error as before. This one says the config has no "dev" specified. Can you check '/rw/config/vpn/vpn-client.conf' to see if it has a line like "dev tun"?

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 4/15/20 6:35 AM, taran1s wrote:
>> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
>> there is the cd Qubes-vpn-support command as the first one. This assumes
>> that the file is unzipped already, right? So I unzip it in the
>> /home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
>> execute sudo bash ./install. Then proceed to the restart. Is this how it
>> was meant?
>
> Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
> installing it in a template means you have to do step 4 also.

Yes, I install it in the ProxyVM. Is my procedure right? The

>
> Hmmm. It's not showing the full "Options error" lines. Try redirecting
> the output to a text file instead:
>
> sudo journalctl -u qubes-vpn-handler >log.txt
>

See the log attached please.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/111b736b-da9c-3088-7f34-9d9e322cc3ea%40mailbox.org.

-- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Fri 2020-04-17 13:08:07 CEST. --
Apr 17 13:07:49 openvpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 17 13:07:49 openvpn qubes-vpn-setup[753]: grep: /rw/config/vpn/vpn-client.conf: No such file or directory
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: EXEC /usr/sbin/openvpn --cd /rw/config/vpn/ --config /tmp/vpn-client.conf --verb 3 --mlock --ping 10 --ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 --group qvpn --script-security 2 --up "/usr/lib/qubes/qubes-vpn-ns up" --down "/usr/lib/qubes/qubes-vpn-ns down" --auth-user-pass /tmp/userpassword.txt
Apr 17 13:07:49 openvpn qubes-vpn-setup[806]: STARTED network forwarding!
Apr 17 13:07:49 openvpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: Fri Apr 17 13:07:49 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: Options error: You must define TUN/TAP device (--dev)
Apr 17 13:07:49 openvpn qubes-vpn-setup[805]: Use --help for more information.
Apr 17 13:07:49 openvpn systemd[1]: qubes-vpn-handler.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 13:07:49 openvpn qubes-vpn-setup[822]: STOPPED network forwarding!
Apr 17 13:07:49 openvpn systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Apr 17 13:08:00 openvpn systemd[1]: qubes-vpn-handler.service: Scheduled restart job, restart counter is at 1.
Apr 17 13:08:00 openvpn systemd[1]: Stopped VPN Client for Qubes proxyVM.
Apr 17 13:08:00 openvpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 17 13:08:00 openvpn qubes-vpn-setup[1167]: grep: /rw/config/vpn/vpn-client.conf: No such file or directory
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: EXEC /usr/sbin/openvpn --cd /rw/config/vpn/ --config /tmp/vpn-client.conf --verb 3 --mlock --ping 10 --ping-restart 42 --connect-retry 5 30 --connect-retry-max 7 --resolv-retry 15 --group qvpn --script-security 2 --up "/usr/lib/qubes/qubes-vpn-ns up" --down "/usr/lib/qubes/qubes-vpn-ns down" --auth-user-pass /tmp/userpassword.txt
Apr 17 13:08:00 openvpn qubes-vpn-setup[1173]: STARTED network forwarding!
Apr 17 13:08:00 openvpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: Fri Apr 17 13:08:00 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: Options error: You must define TUN/TAP device (--dev)
Apr 17 13:08:00 openvpn qubes-vpn-setup[1172]: Use --help for more information.
Apr 17 13:08:00 openvpn systemd[1]: qubes-vpn-handler.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 13:08:00 openvpn qubes-vpn-setup[1179]: STOPPED network forwarding!
Apr 17 13:08:00 openvpn systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'.
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/15/20 6:35 AM, taran1s wrote:
> In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
> there is the cd Qubes-vpn-support command as the first one. This assumes
> that the file is unzipped already, right? So I unzip it in the
> /home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
> execute sudo bash ./install. Then proceed to the restart. Is this how it
> was meant?

Yes, if you're installing it in the Proxy VM (VPN VM) itself. Otherwise,
installing it in a template means you have to do step 4 also.

> This is the output from the sudo journalctl -u qubes-vpn-handler in the
> openvpn VM.
>
> [user@ovpn ~]$ sudo journalctl -u qubes-vpn-handler
> -- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Wed 2020-04-15 12:22:55 CE>
> Apr 15 12:22:12 ovpn systemd[1]: Starting VPN Client for Qubes proxyVM...
> Apr 15 12:22:12 ovpn qubes-vpn-setup[789]: STARTED network forwarding!
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: EXEC /usr/sbin/openvpn --cd /rw/conf>
> Apr 15 12:22:12 ovpn systemd[1]: Started VPN Client for Qubes proxyVM.
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Wed Apr 15 12:22:12 2020 Note: optio>
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: --ca fails with 'mull>
> Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: Please correct these >

Hmmm. It's not showing the full "Options error" lines. Try redirecting
the output to a text file instead:

sudo journalctl -u qubes-vpn-handler >log.txt

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 4/9/20 3:34 AM, taran1s wrote:
>>
>>
>> Chris Laprise:
>>> On 4/8/20 6:25 AM, taran1s wrote:
>>>> I try to set the VPN in my latest qubes with your guide on
>>>> https://github.com/tasket/Qubes-vpn-support. I use the version
>>>> 1.4.3. and followed the guide.
>>>>
>>>> My setting from mullvad is UDP (default) for Linux. No IPs.
>>>>
>>>> When asked, I entered correct login. The link but doesn't go up,
>>>> no popup notification LINK IS UP when restarting the proxy VM.
>>>>
>>>> I also added vpn-handler-openvpn to the proxy VM services as required.
>>>>
>>>> Executing systemctl status returns this:
>>>>
>>>> [user@ovpn ~]$ systemctl status qubes-vpn-handler
>>>> ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
>>>> Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disabled)
>>>> Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
>>>> └─00_example.conf
>>>> Active: activating (auto-restart) (Result: exit-code) since Tue 2020-04-07 15:30:15 CEST; 4s ago
>>>> Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=0/SUCCESS)
>>>> Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --pre-start (code=exited, status=0/SUCCESS)
>>>> Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec (code=exited, status=1/FAILURE)
>>>> Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup --post-start (code=exited, status=0/SUCCESS)
>>>> Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup --post-stop (code=exited, status=0/SUCCESS)
>>>> Main PID: 3110 (code=exited, status=1/FAILURE)
>>>>
>>>> Any idea how to set this up properly?
>>>
>>> The one exception I can think of for setting up with a Mullvad account
>>> is that they use a single-character "m" password for everyone. So if you
>>> typed something into the password prompt other than "m" or left it
>>> blank, then it won't connect.
>>>
>>> To see a more detailed log you should use 'journalctl -u
>>> qubes-vpn-handler'.
>>>
>>
>> Yes Chris, mullvad uses the "m" for password and I put this in when
>> asked. I checked this in the pass file from mullvad.
>>
>> I did the following. I downloaded the default UDP settings for "All
>> countries" from mullvad as advised, without ticking the IPs. Then I took
>> one of the countries from the downloaded list and copied this particular
>> country to the vpn-client.conf with sudo cp whatver-country.ovpn
>> vpn-client.conf. But it doesn't connect.
>
> Did you do the link testing suggested in Step 2?
>
>>
>> Is this setup ok for me-tor-vpn situation?
>
> These network representations can easily get reversed in people's heads.
> Best thing to do is look at your 'Networking' setting for your VPN VM.
> If it's set to 'sys-whonix' then UDP won't work.
>
>>
>> I executed the command in the proxyVM (fedora-30 based) with following
>> results:
>>
>> [user@ovpn ~]$ journalctl -u qubes-vpn-handler
>> Hint: You are currently not seeing messages from other users and the
>> system.
>> Users in groups 'adm', 'systemd-journal', 'wheel' can see all
>> messages.
>> Pass -q to turn off this notice.
>> -- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09
>> 09:21:21 CE>
>> -- No entries --
>> lines 1-2/2 (END)
>>
>> I tried also the micahflee guide and it connects so the settings should
>> be ok.
>>
>
> Sorry, you need to put 'sudo' in front of the 'journalctl' command.
>

In the point 3 of https://github.com/tasket/Qubes-vpn-support/ guide
there is the cd Qubes-vpn-support command as the first one. This assumes
that the file is unzipped already, right? So I unzip it in the
/home/user folder, then cd to the unzipped Qubes-vpn-support-1.4.3 and
execute sudo bash ./install. Then proceed to the restart. Is this how it
was meant?

This is the output from the sudo journalctl -u qubes-vpn-handler in the
openvpn VM.

[user@ovpn ~]$ sudo journalctl -u qubes-vpn-handler
-- Logs begin at Tue 2020-02-18 14:58:45 CET, end at Wed 2020-04-15 12:22:55 CE>
Apr 15 12:22:12 ovpn systemd[1]: Starting VPN Client for Qubes proxyVM...
Apr 15 12:22:12 ovpn qubes-vpn-setup[789]: STARTED network forwarding!
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: EXEC /usr/sbin/openvpn --cd /rw/conf>
Apr 15 12:22:12 ovpn systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Wed Apr 15 12:22:12 2020 Note: optio>
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: --ca fails with 'mull>
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Options error: Please correct these >
Apr 15 12:22:12 ovpn qubes-vpn-setup[788]: Use --help for more information.
Apr 15 12:22:12 ovpn systemd[1]: qubes-vpn-handler.service: Main process exited>
Apr 15 12:22:12 ovpn qubes-vpn-setup[801]: STOPPED network forwarding!
Apr 15 12:22:12 ovpn systemd[1]: qubes-vpn-handler.service: Failed with result >
Apr 15
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/9/20 3:34 AM, taran1s wrote:
> Chris Laprise:
>> On 4/8/20 6:25 AM, taran1s wrote:
>>> I try to set the VPN in my latest qubes with your guide on
>>> https://github.com/tasket/Qubes-vpn-support. I use the version
>>> 1.4.3. and followed the guide.
>>>
>>> My setting from mullvad is UDP (default) for Linux. No IPs.
>>>
>>> When asked, I entered correct login. The link but doesn't go up,
>>> no popup notification LINK IS UP when restarting the proxy VM.
>>>
>>> I also added vpn-handler-openvpn to the proxy VM services as required.
>>>
>>> Executing systemctl status returns this:
>>>
>>> [user@ovpn ~]$ systemctl status qubes-vpn-handler
>>> ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
>>> Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disabled)
>>> Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
>>> └─00_example.conf
>>> Active: activating (auto-restart) (Result: exit-code) since Tue 2020-04-07 15:30:15 CEST; 4s ago
>>> Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=0/SUCCESS)
>>> Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --pre-start (code=exited, status=0/SUCCESS)
>>> Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec (code=exited, status=1/FAILURE)
>>> Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup --post-start (code=exited, status=0/SUCCESS)
>>> Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup --post-stop (code=exited, status=0/SUCCESS)
>>> Main PID: 3110 (code=exited, status=1/FAILURE)
>>>
>>> Any idea how to set this up properly?
>>
>> The one exception I can think of for setting up with a Mullvad account
>> is that they use a single-character "m" password for everyone. So if you
>> typed something into the password prompt other than "m" or left it
>> blank, then it won't connect.
>>
>> To see a more detailed log you should use 'journalctl -u
>> qubes-vpn-handler'.
>
> Yes Chris, mullvad uses the "m" for password and I put this in when
> asked. I checked this in the pass file from mullvad.
>
> I did the following. I downloaded the default UDP settings for "All
> countries" from mullvad as advised, without ticking the IPs. Then I took
> one of the countries from the downloaded list and copied this particular
> country to the vpn-client.conf with sudo cp whatver-country.ovpn
> vpn-client.conf. But it doesn't connect.

Did you do the link testing suggested in Step 2?

> Is this setup ok for me-tor-vpn situation?

These network representations can easily get reversed in people's heads.
Best thing to do is look at your 'Networking' setting for your VPN VM.
If it's set to 'sys-whonix' then UDP won't work.

> I executed the command in the proxyVM (fedora-30 based) with following
> results:
>
> [user@ovpn ~]$ journalctl -u qubes-vpn-handler
> Hint: You are currently not seeing messages from other users and the
> system.
> Users in groups 'adm', 'systemd-journal', 'wheel' can see all
> messages.
> Pass -q to turn off this notice.
> -- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09
> 09:21:21 CE>
> -- No entries --
> lines 1-2/2 (END)
>
> I tried also the micahflee guide and it connects so the settings should
> be ok.

Sorry, you need to put 'sudo' in front of the 'journalctl' command.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 4/8/20 6:25 AM, taran1s wrote:
>> I try to set the VPN in my latest qubes with your guide on
>> https://github.com/tasket/Qubes-vpn-support. I use the version
>> 1.4.3. and followed the guide.
>>
>> My setting from mullvad is UDP (default) for Linux. No IPs.
>>
>> When asked, I entered correct login. The link but doesn't go up,
>> no popup notification LINK IS UP when restarting the proxy VM.
>>
>> I also added vpn-handler-openvpn to the proxy VM services as required.
>>
>> Executing systemctl status returns this:
>>
>> [user@ovpn ~]$ systemctl status qubes-vpn-handler
>> ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
>> Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disabled)
>> Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
>> └─00_example.conf
>> Active: activating (auto-restart) (Result: exit-code) since Tue 2020-04-07 15:30:15 CEST; 4s ago
>> Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=0/SUCCESS)
>> Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --pre-start (code=exited, status=0/SUCCESS)
>> Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec (code=exited, status=1/FAILURE)
>> Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup --post-start (code=exited, status=0/SUCCESS)
>> Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup --post-stop (code=exited, status=0/SUCCESS)
>> Main PID: 3110 (code=exited, status=1/FAILURE)
>>
>> Any idea how to set this up properly?
>>
>
> The one exception I can think of for setting up with a Mullvad account
> is that they use a single-character "m" password for everyone. So if you
> typed something into the password prompt other than "m" or left it
> blank, then it won't connect.
>
> To see a more detailed log you should use 'journalctl -u
> qubes-vpn-handler'.
>

Yes Chris, mullvad uses the "m" for password and I put this in when
asked. I checked this in the pass file from mullvad.

I did the following. I downloaded the default UDP settings for "All
countries" from mullvad as advised, without ticking the IPs. Then I took
one of the countries from the downloaded list and copied this particular
country to the vpn-client.conf with sudo cp whatver-country.ovpn
vpn-client.conf. But it doesn't connect.

Is this setup ok for me-tor-vpn situation?

I executed the command in the proxyVM (fedora-30 based) with following
results:

[user@ovpn ~]$ journalctl -u qubes-vpn-handler
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
Pass -q to turn off this notice.
-- Logs begin at Tue 2020-02-18 14:58:55 CET, end at Thu 2020-04-09 09:21:21 CE>
-- No entries --
lines 1-2/2 (END)

I tried also the micahflee guide and it connects so the settings should
be ok.
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Sorry memory better now. That was three years ago. Windscribe was the VPN that was easy to install, in a Debian based distro. Are you installing in the Template or a stand alone VM? I obviously do not have the experience - knowledge you would want. But my experience with a VPN under Linux was different than where you were trying.
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
I have never used Mullvad or a VPN under Qubes. However, I seem to recall having problems with udp, I think you want tls and tcp. If you DuckDuckGo the differences. You might see udp is not so great. Also. Usually to get a VPN to work in Linux you must turn off IPv6. That is the one that goes to printers. IPv4 is for most all the internet. Consider doing this to see if the whole concept of VPN is working. I think it is CyberGhost which offers a few free GBs every month. But I think that is the one I once used under another linux distro. And it was easy to set up and worked. Then you might see what settings need to be what. Best wishes
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 4/8/20 6:25 AM, taran1s wrote:
> I try to set the VPN in my latest qubes with your guide on
> https://github.com/tasket/Qubes-vpn-support. I use the version
> 1.4.3. and followed the guide.
>
> My setting from mullvad is UDP (default) for Linux. No IPs.
>
> When asked, I entered correct login. The link but doesn't go up,
> no popup notification LINK IS UP when restarting the proxy VM.
>
> I also added vpn-handler-openvpn to the proxy VM services as required.
>
> Executing systemctl status returns this:
>
> [user@ovpn ~]$ systemctl status qubes-vpn-handler
> ● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
> Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disabled)
> Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
> └─00_example.conf
> Active: activating (auto-restart) (Result: exit-code) since Tue 2020-04-07 15:30:15 CEST; 4s ago
> Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=0/SUCCESS)
> Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --pre-start (code=exited, status=0/SUCCESS)
> Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec (code=exited, status=1/FAILURE)
> Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup --post-start (code=exited, status=0/SUCCESS)
> Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup --post-stop (code=exited, status=0/SUCCESS)
> Main PID: 3110 (code=exited, status=1/FAILURE)
>
> Any idea how to set this up properly?

The one exception I can think of for setting up with a Mullvad account
is that they use a single-character "m" password for everyone. So if you
typed something into the password prompt other than "m" or left it
blank, then it won't connect.

To see a more detailed log you should use 'journalctl -u
qubes-vpn-handler'.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
scurge1tl:
>
>
> Chris Laprise:
>> On 3/29/20 5:16 AM, scurge1tl wrote:
>>>
>>>
>>> Chris Laprise:
>>>> On 3/27/20 5:02 AM, scurge1tl wrote:
>>>
>>>>>
>>>>> Hello all,
>>>>>
>>>>> I would like to ask about proper setting of AppVM flow if using
>>>>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>>>>> -> Tor -> VPN -> clearnet.
>>>>>
>>>>> When setting up mullvad in their web page, I set the parameters for
>>>>> download here https://mullvad.net/en/download/openvpn-config/ in a
>>>>> following way:
>>>>> - All countries (so that I can change my exit country as needed)
>>>>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>>>>> - tick Use IP addresses
>>>>
>>>> Using TCP 443 for the connection helps only if you are running the VPN
>>>> on top of Tor. With Tor on top of VPN, you're probably better off
>>>> with UDP.
>>>
>>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
>>> with UDP mullvad settings? Just to clear the "on top of".
>>
>> To make it less ambiguous:
>>
>> AppVM -> sys-whonix -> sys-vpn -> sys-net
>>
>> The above connection is Tor on top of (or inside of) VPN, so UDP can be
>> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
>> VPN should switch to TCP mode.
>>
>> An easy way to remember this is that the sys-* VM attached to the AppVM
>> is the one the service sees on the other end.
>>
>>>
>>>>>
>>>>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>>>>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>>>>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>>>>
>>>>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>>>>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>>>>> vpn-mullvad -> sys-firewall, or I should use different setup?
>>>>
>>>> Whonix has a guide that examines the issues of combining Tor and a VPN.
>>>> However, I think it's better as a 'what-if/why' guide than a Howto...
>>>>
>>>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>>
>>> Thank you I will check it.
>>>
>>>>>
>>>>> Are there any other steps to follow to prevent leaks?
>>>>
>>>> Yes.
>>>>
>>>> The Qubes-vpn-support project is much easier to setup and should work
>>>> more smoothly, in addition to providing better protection against leaks:
>>>>
>>>> https://github.com/tasket/Qubes-vpn-support
>>>>
>>>> There is also a VPN setup guide on the Qubes doc page (this is the one
>>>> the Whonix page links to). FWIW, I wrote the scripts for both but the
>>>> idea for Qubes-vpn-support was to automate the setup and improve the
>>>> connection handling of Openvpn so re-connection doesn't take 5 minutes.
>>>> It also checks the firewall to make sure leak prevention is in place
>>>> before initiating connections.
>>>
>>> I will try to set the additional AppVM for this and try this guide. What
>>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>>> -> sys-firewall ?
>>>
>>> Also I would like to use different exit countries of choice, so I
>>> downloaded all countries from mullvad. Is there any simple way to switch
>>> countries with this VPN settings?
>>
>> There is no GUI way to do it when using the Qubes scripts. However, if
>> you use the Network Manager method on the Qubes vpn howto, then you can
>> import multiple configs (and cross your fingers that they can make
>> connections :) ).
>>
>> For a non-GUI solution, you could create a small script that lets you
>> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
>> config filename that the scripts use (then restart the vpn). Some people
>> have used simple random selection without a prompt, like 'ln -s $( ls
>> *ovpn | shuf | head -n1 ) vpn-client.conf'.
>>
>>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>>> till now, but I need to use tor-unfriendly services from time to time
>>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>>> work in qubes-whonix and I therefore can't select exit country easily if
>>> I need to. So I need to have the VPN country as a strict exit.
>>
>> To use Tor-unfriendly services, the service has to see the VPN IP not
>> Tor exit node IP. Therefore...
>>
>> AppVM -> sys-vpn -> sys-whonix -> sys-net
>>
>> If you add sys-firewall (or similar proxyVM, as you probably don't want
>> to change sys-firewall netvm setting) in the mix, it just depends on
>> which VM you wish to add 'Qubes firewall' rules to it always goes
>> 'to the right of' whichever VM you added rules. In my experience,
>> however, such rules are not required for securing a VPN link; The
>> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
>> handle VPN security rather well. IOW, it's better to forget placing
>> sys-firewall in the loop, at least until you're more used to Qubes
>> networking.
>>
>>>
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 3/29/20 5:16 AM, scurge1tl wrote:
>>
>>
>> Chris Laprise:
>>> On 3/27/20 5:02 AM, scurge1tl wrote:
>>
>>>> Hello all,
>>>>
>>>> I would like to ask about proper setting of AppVM flow if using
>>>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>>>> -> Tor -> VPN -> clearnet.
>>>>
>>>> When setting up mullvad in their web page, I set the parameters for
>>>> download here https://mullvad.net/en/download/openvpn-config/ in a
>>>> following way:
>>>> - All countries (so that I can change my exit country as needed)
>>>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>>>> - tick Use IP addresses
>>>
>>> Using TCP 443 for the connection helps only if you are running the VPN
>>> on top of Tor. With Tor on top of VPN, you're probably better off
>>> with UDP.
>>
>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
>> with UDP mullvad settings? Just to clear the "on top of".
>
> To make it less ambiguous:
>
> AppVM -> sys-whonix -> sys-vpn -> sys-net
>
> The above connection is Tor on top of (or inside of) VPN, so UDP can be
> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
> VPN should switch to TCP mode.
>
> An easy way to remember this is that the sys-* VM attached to the AppVM
> is the one the service sees on the other end.
>
>>
>>>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>>>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>>>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>>>
>>>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>>>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>>>> vpn-mullvad -> sys-firewall, or I should use different setup?
>>>
>>> Whonix has a guide that examines the issues of combining Tor and a VPN.
>>> However, I think it's better as a 'what-if/why' guide than a Howto...
>>>
>>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>
>> Thank you I will check it.
>>
>>>> Are there any other steps to follow to prevent leaks?
>>>
>>> Yes.
>>>
>>> The Qubes-vpn-support project is much easier to setup and should work
>>> more smoothly, in addition to providing better protection against leaks:
>>>
>>> https://github.com/tasket/Qubes-vpn-support
>>>
>>> There is also a VPN setup guide on the Qubes doc page (this is the one
>>> the Whonix page links to). FWIW, I wrote the scripts for both but the
>>> idea for Qubes-vpn-support was to automate the setup and improve the
>>> connection handling of Openvpn so re-connection doesn't take 5 minutes.
>>> It also checks the firewall to make sure leak prevention is in place
>>> before initiating connections.
>>
>> I will try to set the additional AppVM for this and try this guide. What
>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>> -> sys-firewall ?
>>
>> Also I would like to use different exit countries of choice, so I
>> downloaded all countries from mullvad. Is there any simple way to switch
>> countries with this VPN settings?
>
> There is no GUI way to do it when using the Qubes scripts. However, if
> you use the Network Manager method on the Qubes vpn howto, then you can
> import multiple configs (and cross your fingers that they can make
> connections :) ).
>
> For a non-GUI solution, you could create a small script that lets you
> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
> config filename that the scripts use (then restart the vpn). Some people
> have used simple random selection without a prompt, like 'ln -s $( ls
> *ovpn | shuf | head -n1 ) vpn-client.conf'.
>
>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>> till now, but I need to use tor-unfriendly services from time to time
>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>> work in qubes-whonix and I therefore can't select exit country easily if
>> I need to. So I need to have the VPN country as a strict exit.
>
> To use Tor-unfriendly services, the service has to see the VPN IP not
> Tor exit node IP. Therefore...
>
> AppVM -> sys-vpn -> sys-whonix -> sys-net
>
> If you add sys-firewall (or similar proxyVM, as you probably don't want
> to change sys-firewall netvm setting) in the mix, it just depends on
> which VM you wish to add 'Qubes firewall' rules to it always goes
> 'to the right of' whichever VM you added rules. In my experience,
> however, such rules are not required for securing a VPN link; The
> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
> handle VPN security rather well. IOW, it's better to forget placing
> sys-firewall in the loop, at least until you're more used to Qubes
> networking.
>
>>
>> Thank you and I will let you know if it works!
>>
>
>

I sent an email to your protonmail, as stated in your signature
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 3/29/20 5:16 AM, scurge1tl wrote:
>>
>>
>> Chris Laprise:
>>> On 3/27/20 5:02 AM, scurge1tl wrote:
>> Hello all, I would like to ask about proper setting of AppVM flow if using Mullvad VPN. I would like to connect to the clearnet following way: Me -> Tor -> VPN -> clearnet.
>> When setting up mullvad in their web page, I set the parameters for download here https://mullvad.net/en/download/openvpn-config/ in a following way:
>> - All countries (so that I can change my exit country as needed)
>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>> - tick Use IP addresses
>>>
>>> Using TCP 443 for the connection helps only if you are running the VPN
>>> on top of Tor. With Tor on top of VPN, you're probably better off
>>> with UDP.
>>
>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
>> with UDP mullvad settings? Just to clear the "on top of".
>
> To make it less ambiguous:
>
> AppVM -> sys-whonix -> sys-vpn -> sys-net
>
> The above connection is Tor on top of (or inside of) VPN, so UDP can be
> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
> VPN should switch to TCP mode.
>
> An easy way to remember this is that the sys-* VM attached to the AppVM
> is the one the service sees on the other end.
>
>>
>>> To set the Mullvad VPN AppVM, I followed this guide from micahflee https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with mullvad is vpn-mullvad. All works fine and connects to the network.
>>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with this setup (I didn't launch it yet): anon-whonix -> sys-whonix -> vpn-mullvad -> sys-firewall, or I should use different setup?
>>>
>>> Whonix has a guide that examines the issues of combining Tor and a VPN.
>>> However, I think it's better as a 'what-if/why' guide than a Howto...
>>>
>>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>
>> Thank you I will check it.
>>
>>> Are there any other steps to follow to prevent leaks?
>>>
>>> Yes.
>>>
>>> The Qubes-vpn-support project is much easier to set up and should work
>>> more smoothly, in addition to providing better protection against leaks:
>>>
>>> https://github.com/tasket/Qubes-vpn-support
>>>
>>> There is also a VPN setup guide on the Qubes doc page (this is the one
>>> the Whonix page links to). FWIW, I wrote the scripts for both but the
>>> idea for Qubes-vpn-support was to automate the setup and improve the
>>> connection handling of OpenVPN so re-connection doesn't take 5 minutes.
>>> It also checks the firewall to make sure leak prevention is in place
>>> before initiating connections.
>>
>> I will try to set the additional AppVM for this and try this guide. What
>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>> -> sys-firewall ?
>>
>> Also I would like to use different exit countries of choice, so I
>> downloaded all countries from mullvad. Is there any simple way to switch
>> countries with this VPN settings?
>
> There is no GUI way to do it when using the Qubes scripts. However, if
> you use the Network Manager method on the Qubes vpn howto, then you can
> import multiple configs (and cross your fingers that they can make
> connections :) ).
>
> For a non-GUI solution, you could create a small script that lets you
> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
> config filename that the scripts use (then restart the vpn). Some people
> have used simple random selection without a prompt, like 'ln -s $( ls
> *ovpn | shuf | head -n1 ) vpn-client.conf'.
>
>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>> till now, but I need to use tor-unfriendly services from time to time
>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>> work in qubes-whonix and I therefore can't select exit country easily if
>> I need to. So I need to have the VPN country as a strict exit.
>
> To use Tor-unfriendly services, the service has to see the VPN IP not
> Tor exit node IP. Therefore...
>
> AppVM -> sys-vpn -> sys-whonix -> sys-net
>
> If you add sys-firewall (or similar proxyVM, as you probably don't want
> to change sys-firewall netvm setting) in the mix, it just depends on
> which VM you wish to add 'Qubes firewall' rules to it always goes
> 'to the right of' whichever VM you added rules. In my experience,
> however, such rules are not required for securing a VPN link; The
> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
> handle VPN security rather well. IOW, it's better to forget placing
> sys-firewall in the loop, at least until you're more used to Qubes
> networking.
>
>>
>> Thank you and I will let you know if it works!
>>
>

Thank you for your help. I have written an email to your address
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 3/29/20 5:16 AM, scurge1tl wrote:

Chris Laprise:

On 3/27/20 5:02 AM, scurge1tl wrote:

Hello all, I would like to ask about proper setting of AppVM flow if using Mullvad VPN. I would like to connect to the clearnet following way: Me -> Tor -> VPN -> clearnet.

When setting up mullvad in their web page, I set the parameters for download here https://mullvad.net/en/download/openvpn-config/ in a following way:
- All countries (so that I can change my exit country as needed)
- Port -> TCP 443 (Tor doesn't use UDP, right?)
- tick Use IP addresses

Using TCP 443 for the connection helps only if you are running the VPN on top of Tor. With Tor on top of VPN, you're probably better off with UDP.

Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go with UDP mullvad settings? Just to clear the "on top of".

To make it less ambiguous:

AppVM -> sys-whonix -> sys-vpn -> sys-net

The above connection is Tor on top of (or inside of) VPN, so UDP can be used for the VPN. If sys-whonix and sys-vpn places were reversed, then VPN should switch to TCP mode.

An easy way to remember this is that the sys-* VM attached to the AppVM is the one the service sees on the other end.

To set the Mullvad VPN AppVM, I followed this guide from micahflee https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with mullvad is vpn-mullvad. All works fine and connects to the network.

How should I connect Me -> Tor -> VPN -> clearnet? Am I right with this setup (I didn't launch it yet): anon-whonix -> sys-whonix -> vpn-mullvad -> sys-firewall, or I should use different setup?

Whonix has a guide that examines the issues of combining Tor and a VPN. However, I think it's better as a 'what-if/why' guide than a Howto...

https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor

Thank you I will check it.

Are there any other steps to follow to prevent leaks?

Yes.

The Qubes-vpn-support project is much easier to set up and should work more smoothly, in addition to providing better protection against leaks:

https://github.com/tasket/Qubes-vpn-support

There is also a VPN setup guide on the Qubes doc page (this is the one the Whonix page links to). FWIW, I wrote the scripts for both but the idea for Qubes-vpn-support was to automate the setup and improve the connection handling of OpenVPN so re-connection doesn't take 5 minutes. It also checks the firewall to make sure leak prevention is in place before initiating connections.

I will try to set the additional AppVM for this and try this guide. What would be the linking of the AppVMs, if I would like to go Me -> Tor -> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM -> sys-firewall ?

Also I would like to use different exit countries of choice, so I downloaded all countries from mullvad. Is there any simple way to switch countries with this VPN settings?

There is no GUI way to do it when using the Qubes scripts. However, if you use the Network Manager method on the Qubes vpn howto, then you can import multiple configs (and cross your fingers that they can make connections :) ).

For a non-GUI solution, you could create a small script that lets you choose which ovpn config to use, and 'cp' or 'ln' that choice to the config filename that the scripts use (then restart the vpn). Some people have used simple random selection without a prompt, like 'ln -s $( ls *ovpn | shuf | head -n1 ) vpn-client.conf'.

Sorry for noob questions, I am new to the VPN stuff, just used Tor only till now, but I need to use tor-unfriendly services from time to time and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't work in qubes-whonix and I therefore can't select exit country easily if I need to. So I need to have the VPN country as a strict exit.

To use Tor-unfriendly services, the service has to see the VPN IP not Tor exit node IP. Therefore...

AppVM -> sys-vpn -> sys-whonix -> sys-net

If you add sys-firewall (or similar proxyVM, as you probably don't want to change sys-firewall netvm setting) in the mix, it just depends on which VM you wish to add 'Qubes firewall' rules to it always goes 'to the right of' whichever VM you added rules. In my experience, however, such rules are not required for securing a VPN link; The internal (scripted) rules used by the VPN doc or Qubes-vpn-support handle VPN security rather well. IOW, it's better to forget placing sys-firewall in the loop, at least until you're more used to Qubes networking.

Thank you and I will let you know if it works!

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

-- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion
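The non-GUI config switcher suggested in the message above, as an added example that is not part of the thread and is not Qubes-vpn-support code: it selects by country code instead of purely at random and swaps `vpn-client.conf` atomically. The `mullvad_<cc>*.ovpn` file naming and the function name `select_vpn_config` are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: the downloaded configs sit in one directory
# and are named mullvad_<cc>*.ovpn (cc = two-letter country code).

# select_vpn_config DIR CC
# Points DIR/vpn-client.conf at one config for country CC and prints the
# chosen file name. Returns 1 (no match), 2 (bad code), 3 (real file in the way).
select_vpn_config() {
    dir=$1
    cc=$2
    link=$dir/vpn-client.conf

    # Accept only two lowercase letters, so the argument cannot smuggle
    # glob characters or path separators into the file match below.
    case $cc in
        [a-z][a-z]) ;;
        *) echo "bad country code: $cc" >&2; return 2 ;;
    esac

    # A hand-written vpn-client.conf is left alone; only a symlink is replaced.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link is a regular file, not replacing it" >&2
        return 3
    fi

    # Glob instead of parsing ls. An unmatched glob stays literal, hence -e.
    set -- "$dir"/mullvad_"$cc"*.ovpn
    if [ ! -e "$1" ]; then
        echo "no config for '$cc' in $dir" >&2
        return 1
    fi

    # Several servers for one country: pick one at random.
    choice=$(printf '%s\n' "$@" | shuf -n1)
    target=$(basename "$choice")

    # Create the link under a temporary name, then rename over the old one,
    # so vpn-client.conf never goes missing while the VPN is reconnecting.
    ln -sfn "$target" "$link.new" || return 1
    mv -f "$link.new" "$link" || return 1
    printf '%s\n' "$target"
}
```

After a successful switch the VPN still has to be restarted, as the message says; the restart command depends on whether the Qubes doc scripts or Qubes-vpn-support are in use.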
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Chris Laprise:
> On 3/27/20 5:02 AM, scurge1tl wrote:
>>
>> Hello all,
>>
>> I would like to ask about proper setting of AppVM flow if using
>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>> -> Tor -> VPN -> clearnet.
>>
>> When setting up mullvad in their web page, I set the parameters for
>> download here https://mullvad.net/en/download/openvpn-config/ in a
>> following way:
>> - All countries (so that I can change my exit country as needed)
>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>> - tick Use IP addresses
>
> Using TCP 443 for the connection helps only if you are running the VPN
> on top of Tor. With Tor on top of VPN, you're probably better off with UDP.

Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go with UDP mullvad settings? Just to clear the "on top of".

>
>>
>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>
>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>> vpn-mullvad -> sys-firewall, or I should use different setup?
>
> Whonix has a guide that examines the issues of combining Tor and a VPN.
> However, I think it's better as a 'what-if/why' guide than a Howto...
>
> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor

Thank you I will check it.

>
>>
>> Are there any other steps to follow to prevent leaks?
>
> Yes.
>
> The Qubes-vpn-support project is much easier to set up and should work
> more smoothly, in addition to providing better protection against leaks:
>
> https://github.com/tasket/Qubes-vpn-support
>
> There is also a VPN setup guide on the Qubes doc page (this is the one
> the Whonix page links to). FWIW, I wrote the scripts for both but the
> idea for Qubes-vpn-support was to automate the setup and improve the
> connection handling of OpenVPN so re-connection doesn't take 5 minutes.
> It also checks the firewall to make sure leak prevention is in place
> before initiating connections.

I will try to set the additional AppVM for this and try this guide. What would be the linking of the AppVMs, if I would like to go Me -> Tor -> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM -> sys-firewall ?

Also I would like to use different exit countries of choice, so I downloaded all countries from mullvad. Is there any simple way to switch countries with this VPN settings?

Sorry for noob questions, I am new to the VPN stuff, just used Tor only till now, but I need to use tor-unfriendly services from time to time and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't work in qubes-whonix and I therefore can't select exit country easily if I need to. So I need to have the VPN country as a strict exit.

>

Thank you and I will let you know if it works!
Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
On 3/27/20 5:02 AM, scurge1tl wrote:

Hello all, I would like to ask about proper setting of AppVM flow if using Mullvad VPN. I would like to connect to the clearnet following way: Me -> Tor -> VPN -> clearnet.

When setting up mullvad in their web page, I set the parameters for download here https://mullvad.net/en/download/openvpn-config/ in a following way:
- All countries (so that I can change my exit country as needed)
- Port -> TCP 443 (Tor doesn't use UDP, right?)
- tick Use IP addresses

Using TCP 443 for the connection helps only if you are running the VPN on top of Tor. With Tor on top of VPN, you're probably better off with UDP.

To set the Mullvad VPN AppVM, I followed this guide from micahflee https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with mullvad is vpn-mullvad. All works fine and connects to the network.

How should I connect Me -> Tor -> VPN -> clearnet? Am I right with this setup (I didn't launch it yet): anon-whonix -> sys-whonix -> vpn-mullvad -> sys-firewall, or I should use different setup?

Whonix has a guide that examines the issues of combining Tor and a VPN. However, I think it's better as a 'what-if/why' guide than a Howto...

https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor

Are there any other steps to follow to prevent leaks?

Yes.

The Qubes-vpn-support project is much easier to set up and should work more smoothly, in addition to providing better protection against leaks:

https://github.com/tasket/Qubes-vpn-support

There is also a VPN setup guide on the Qubes doc page (this is the one the Whonix page links to). FWIW, I wrote the scripts for both but the idea for Qubes-vpn-support was to automate the setup and improve the connection handling of OpenVPN so re-connection doesn't take 5 minutes. It also checks the firewall to make sure leak prevention is in place before initiating connections.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
[qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN
Hello all,

I would like to ask about proper setting of AppVM flow if using Mullvad VPN. I would like to connect to the clearnet following way: Me -> Tor -> VPN -> clearnet.

When setting up mullvad in their web page, I set the parameters for download here https://mullvad.net/en/download/openvpn-config/ in a following way:
- All countries (so that I can change my exit country as needed)
- Port -> TCP 443 (Tor doesn't use UDP, right?)
- tick Use IP addresses

To set the Mullvad VPN AppVM, I followed this guide from micahflee https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with mullvad is vpn-mullvad. All works fine and connects to the network.

How should I connect Me -> Tor -> VPN -> clearnet? Am I right with this setup (I didn't launch it yet): anon-whonix -> sys-whonix -> vpn-mullvad -> sys-firewall, or I should use different setup?

Are there any other steps to follow to prevent leaks?

This setup should serve me to connect to the services that are not Tor unfriendly from a country of my choice, and remain anonymous.

Thank you all for your support!

p.s. micahflee doesn't mention any need to install the OpenVPN in his guide. Should I install it or is it intended to work without it?