Re: [qubes-users] What's the best way to run a VPN app on Qubes?

2020-10-29 Thread Chris Laprise

On 10/29/20 8:31 AM, 'Totally Zoid' via qubes-users wrote:

> Hello,
>
> ATM I'm using standard Fedora qubes with NetworkManager enabled and
> OpenVPN in order to connect to a VPN. I'd like to switch to the VPN's
> own full-fledged program to use features such as easy switching between
> exit servers and killswitch. I've previously used exclusively OpenVPN,
> but on Qubes, stuck in its own qube, I guess there isn't really anything
> the VPN's program can spy (other than traffic obv), and I reasonably
> trust this particular service.
>
> The app comes as .deb/.rpm or, mercifully, source code. I've tried
> installing the .rpm but naturally I'd have to either do it on each
> restart, do it in the main Fedora template (which could compromise it),
> or do it in its own TemplateVM which would take up another 5 GB.
> Bind-dirs looks like an option but I'm not sure which files the .rpm
> install changes, and it looks like an update could easily break it.
>
> Is there anything I'm missing? Looks like I'll have to either waste
> another 5GB space on a new template for a single program (and run
> updates for that template regularly), or have to compile it from source,
> possibly every time there's an update for the VPN program (not looking
> forward to that hehe). I'm thinking there has to be a better way...


The things you may be missing here:

1. It's more secure to have a 'sys-vpn' VM dedicated to the VPN client.

2. Service provider apps generally don't work or don't secure a 
dedicated VM properly. They assume a PC network architecture while a 
Qubes proxy VM is more like a router.



From a security standpoint the best way is probably Qubes-vpn-support 
(see my GitHub link below). But it doesn't have easy GUI switching 
between servers; you would have to 'cp' the config for the new server 
then 'systemctl restart' the service to switch.


It's possible to set up Network Manager in a dedicated VPN VM including 
added anti-leak firewall rules. See the Qubes vpn doc for details.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cc46b6a2-1ae3-b0b8-c274-0790afad3043%40posteo.net.
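
Added example (not part of the original thread and not code from Qubes-vpn-support): the 'cp' then 'systemctl restart' server switch described in the reply above, as a shell function that keeps the previous config and restores it if the restart fails. The directory /rw/config/vpn, the active file name vpn-client.conf and the unit name qubes-vpn-handler are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example: switch the active server config inside a dedicated VPN qube.
# ASSUMPTIONS (not stated in the thread): configs live in /rw/config/vpn,
# the active file is vpn-client.conf, the service unit is qubes-vpn-handler.
VPN_DIR="${VPN_DIR:-/rw/config/vpn}"
ACTIVE="${ACTIVE:-vpn-client.conf}"
RESTART_CMD="${RESTART_CMD:-systemctl restart qubes-vpn-handler}"

switch_vpn_server() {
    new="$1"
    # Accept a bare file name only, so the source must sit inside VPN_DIR.
    case "$new" in
        ""|*/*|.*)
            echo "usage: switch_vpn_server <file name in $VPN_DIR>" >&2
            return 2 ;;
    esac
    src="$VPN_DIR/$new"
    dst="$VPN_DIR/$ACTIVE"
    # Refuse missing files and symlinks that could point outside VPN_DIR.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "not a regular file: $src" >&2
        return 3
    fi
    # Keep the working config so a failed restart can be rolled back.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.prev" || return 4
    fi
    # Copy to a temporary name, then rename, so the client never reads a
    # half-written config.
    cp "$src" "$dst.new" && mv -f "$dst.new" "$dst" || return 4
    if ! $RESTART_CMD; then
        echo "restart failed, restoring previous config" >&2
        if [ -f "$dst.prev" ]; then
            mv -f "$dst.prev" "$dst"
            $RESTART_CMD || echo "service is still down" >&2
        fi
        return 5
    fi
    return 0
}

# Run as a script: sh switch-vpn.sh server-b.ovpn
if [ "$#" -gt 0 ]; then
    switch_vpn_server "$1"
fi
```

Run it as root inside the VPN qube. Files under /rw persist across restarts of the qube, which is why the configs are assumed to live there.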


[qubes-users] What's the best way to run a VPN app on Qubes?

2020-10-29 Thread 'Totally Zoid' via qubes-users
Hello,

ATM I'm using standard Fedora qubes with NetworkManager enabled and OpenVPN in 
order to connect to a VPN. I'd like to switch to the VPN's own full-fledged 
program to use features such as easy switching between exit servers and 
killswitch. I've previously used exclusively OpenVPN, but on Qubes, stuck in 
its own qube, I guess there isn't really anything the VPN's program can spy 
(other than traffic obv), and I reasonably trust this particular service.

The app comes as .deb/.rpm or, mercifully, source code. I've tried installing 
the .rpm but naturally I'd have to either do it on each restart, do it in the 
main Fedora template (which could compromise it), or do it in its own 
TemplateVM which would take up another 5 GB. Bind-dirs looks like an option but 
I'm not sure which files the .rpm install changes, and it looks like an update 
could easily break it.

Is there anything I'm missing? Looks like I'll have to either waste another 5GB 
space on a new template for a single program (and run updates for that template 
regularly), or have to compile it from source, possibly every time there's an 
update for the VPN program (not looking forward to that hehe). I'm thinking 
there has to be a better way...
