Re: [qubes-users] Network chain (VPN)

2017-10-22 Thread aaron williams
Thank you all for your help.



On Sat, Oct 21, 2017 at 11:55 PM, Chris Laprise wrote:

> On 10/20/2017 03:58 PM, variableap...@gmail.com wrote:
>
>> Hello
>>
>> In this doc https://www.qubes-os.org/doc/vpn/, a configuration is
>> described where app vms connect to the firewall VPN, which connects to the
>> VPN proxy, and finally the net vm.
>>
>> Was this correctly documented as a configuration? Should the VPN proxy
>> sit behind the firewall?
>>
>> Thanks
>>
>
> You should theoretically be able to use VPNVM as a firewall. However,
> there is a bug in qubes-firewall that causes "Deny Except" mode to block
> all DNS traffic when a VPN/tunnel is used. The obvious workaround is to
> create another proxyVM to be placed between appVM and VPNVM.
>
> If you would rather avoid creating an extra proxyVM, you can use a VPN
> project that contains a fix for the DNS bug:
>
> https://github.com/tasket/Qubes-vpn-support
>
>
> Also, in most cases no firewallVM is needed between VPNVM and sys-net, so
> the following chain is OK:
> appVM -> VPNVM -> sys-net
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACbN6r3ptd1LuEAQCFTBvvFgDL%2BPK5-LeD1AS4TdiPADA9sEDw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Network chain (VPN)

2017-10-21 Thread Noor Christensen
On Sat, Oct 21, 2017 at 11:09:40AM +0200, Noor Christensen wrote:
> On Fri, Oct 20, 2017 at 12:58:27PM -0700, variableap...@gmail.com wrote:
> > Hello
> > 
> > In this doc https://www.qubes-os.org/doc/vpn/, a configuration is
> > described where app vms connect to the firewall VPN, which connects to
> > the VPN proxy, and finally the net vm.
> > 
> > Was this correctly documented as a configuration? Should the VPN proxy
> > sit behind the firewall?
> 
> AFAIK, if you connect your AppVMs directly to the VPN proxy, you lose
> the ability to firewall the traffic since it will be encrypted when it
> leaves the VPN proxy.
> 
> So, for this reason, if you want to apply any filtering for that traffic
> you would need a firewall VM between the AppVMs and the VPN VM. In this
> situation, any firewall rules configured for the AppVMs will then be
> applied by the firewall VM before it reaches the VPN VM.
> 
> There is a good explanation here (read "Security note" under Usage):
> 
> https://github.com/Rudd-O/qubes-vpn#usage

Additionally, this graph might help to understand the flow:

https://raw.githubusercontent.com/Rudd-O/qubes-vpn/master/doc/Qubes%20VPN%20filtering%20rules.png

-- noor

|_|O|_|
|_|_|O|  Noor Christensen  
|O|O|O|  0x401DA1E0





Re: [qubes-users] Network chain (VPN)

2017-10-21 Thread Noor Christensen
On Fri, Oct 20, 2017 at 12:58:27PM -0700, variableap...@gmail.com wrote:
> Hello
> 
> In this doc https://www.qubes-os.org/doc/vpn/, a configuration is
> described where app vms connect to the firewall VPN, which connects to
> the VPN proxy, and finally the net vm.
> 
> Was this correctly documented as a configuration? Should the VPN proxy
> sit behind the firewall?

AFAIK, if you connect your AppVMs directly to the VPN proxy, you lose
the ability to firewall the traffic since it will be encrypted when it
leaves the VPN proxy.

So, for this reason, if you want to apply any filtering for that traffic
you would need a firewall VM between the AppVMs and the VPN VM. In this
situation, any firewall rules configured for the AppVMs will then be
applied by the firewall VM before it reaches the VPN VM.

There is a good explanation here (read "Security note" under Usage):

https://github.com/Rudd-O/qubes-vpn#usage


-- noor

|_|O|_|
|_|_|O|  Noor Christensen  
|O|O|O|  0x401DA1E0



[qubes-users] Network chain (VPN)

2017-10-20 Thread variableapple
Hello

In this doc https://www.qubes-os.org/doc/vpn/, a configuration is described 
where app vms connect to the firewall VPN, which connects to the VPN proxy, and 
finally the net vm.

Was this correctly documented as a configuration? Should the VPN proxy sit 
behind the firewall?

Thanks
