Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread donoban
On 12/18/2017 08:09 PM, niepowie...@gmail.com wrote:
> Also, why does a bitmask connection with a proxyVM have leaks while a bitmask connection in an
> appVM has no leaks? Any idea?
> 

Because bitmask is designed for end users who run it on the same
machine they connect to the internet. They capture DNS queries on the
OUTPUT chain of your interfaces and redirect them to the tun0 interface.

Using it on a proxyVM, you are routing traffic from other VMs to the
VPN tunnel and the method they use to avoid DNS leaks doesn't work. The
traffic goes through the FORWARD chain and skips their protection.

Maybe using iptables could be a better solution but editing
/etc/resolv.conf seems the simplest method.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/43377a9f-b8b4-c75c--2f89a9be4938%40riseup.net.
For more options, visit https://groups.google.com/d/optout.




Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread niepowiem48
Also, why does a bitmask connection with a proxyVM have leaks while a bitmask connection in an
appVM has no leaks? Any idea?



Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread niepowiem48
Running Bitmask in appVM has no leaks.

There are errors shown in the bitmask logs, as below. Could anybody review them and
tell me if my bitmask works properly with these errors?

-

[2017-12-18 17:44:10] ERROR - L#None : None:None - Requirements file not found. IOError(2, 'No such file or directory')

[2017-12-18 17:44:11] WARNING - L#None : None:None - Backend is offline!

[2017-12-18 17:46:00] WARNING - L#None : None:None - Trying to update eip enabled status but there's no default provider. Disabling EIP for the time being...

[2017-12-18 17:46:27] WARNING - L#44 : leap.common.files:check_and_fix_urw_only - Bad permission on /home/user/.config/leap/providers/riseup.net/keys/ca/cacert.pem attempting to set 600

[2017-12-18 17:46:30] WARNING - L#44 : leap.common.files:check_and_fix_urw_only - Bad permission on /home/user/.config/leap/providers/riseup.net/keys/client/openvpn.pem attempting to set 600

[2017-12-18 17:46:33] WARNING - L#None : None:None - Could not connect to OpenVPN yet: MissingSocketError()
---



Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread Chris Laprise

On 12/18/2017 03:50 AM, niepowie...@gmail.com wrote:
> Does anybody know how to prevent or disable DNS leaks with the bitmask vpn provider?
>
> Bitmask when used "out of box" is useless as there are DNS leaks (checked with
> dnsleaktest.com).
>
> Instructions please.



One thing you could try is to run bitmask in the appVM itself, instead 
of in a proxyVM. That might stop the leaks for that particular VM.


Also see my other message in thread about stopping leaks in the proxyVM:
https://groups.google.com/d/msgid/qubes-users/c0e97ad5-e448-6eef-8182-08e94316a6c1%40posteo.net

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread Chris Laprise

On 12/18/2017 10:02 AM, Michael Carbone wrote:
> On 12/18/2017 09:15 AM, donoban wrote:
>> On 12/18/2017 03:10 PM, donoban wrote:
>>> First:
>>> - Block all traffic and whitelist your DNS provider IP with sys-firewall
>>> (you should connect your VPN-VM to sys-firewall). For riseup and bitmask
>>> you should permit some IPs.
>>
>> Also consider disabling ICMP and DNS queries.
>>
>>> Then:
>>> The solution is to edit /etc/resolv.conf to the default gw of the tunnel.
>>> Try 'sudo route -n' and see the gateway which uses the tun0 interface.
>>
>> After editing /etc/resolv.conf you have to run:
>>
>> 'sudo /usr/lib/qubes/qubes-setup-dnat-to-ns'
>>
>> to make it effective.
>
> FYI this is the issue I created to try to collect clear instructions for
> Bitmask users:
>
> https://github.com/QubesOS/qubes-issues/issues/2021
>
> the ticket is still open and once clear documentation is created we can
> push it to the website.


Unfortunately the connection process is all controlled by the leap 
client app, and there is no obvious place to add Qubes-specific lines of 
code.


But since that issue was logged there has been a lot of bitmask 
documentation added to their site. I'll ask them about adding Qubes 
support directly to their client.


In the meantime, leaks are still an issue if you have to manually run a 
script like qubes-setup-dnat-to-ns after a connection goes up. The best 
stopgap may be to block direct forwarding in the proxyVM with:


iptables -I FORWARD -i eth0 -j DROP
iptables -I FORWARD -o eth0 -j DROP

Put these lines in /rw/config/qubes-firewall-user-script and make it 
executable. On Qubes R4.0-rc you may have to do this for it to work:

ln -s /rw/config/qubes-firewall-user-script /rw/config/qubes-ip-change-hook


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
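
A way to confirm that the stopgap above is actually in effect, as an added example that is not part of the original message: the function reads `iptables -S FORWARD` output and reports whether unconditional DROP rules for eth0 in both directions sit ahead of every ACCEPT rule. The rule listings are constructed samples, and `forward_leak_check` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit an `iptables -S FORWARD` listing from a VPN proxyVM.
# Assumption: eth0 is the upstream (non-tunnel) interface, as in the rules above.

# Reads `iptables -S FORWARD` output on stdin. Prints "blocked" when DROP rules
# for both -i eth0 and -o eth0 precede the first ACCEPT rule, else "leak-possible".
forward_leak_check() {
    awk -v up="${1:-eth0}" '
        $1 != "-A" { next }                    # skip the -P policy line
        {
            in_if = ""; out_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if  = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # Only a bare interface match counts (6 fields, no extra conditions).
            if (target == "DROP" && NF == 6) {
                if (in_if  == up) drop_in  = 1
                if (out_if == up) drop_out = 1
            }
            # Conservative: any ACCEPT seen before both DROPs is treated as a gap.
            if (target == "ACCEPT" && !(drop_in && drop_out)) early_accept = 1
        }
        END {
            result = (drop_in && drop_out && !early_accept) ? "blocked" : "leak-possible"
            print result
        }
    '
}

# Constructed sample: a forwarding chain without the stopgap rules.
SAMPLE_OPEN='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT'

# Constructed sample: the same chain after the two `iptables -I FORWARD` lines ran.
SAMPLE_BLOCKED='-P FORWARD DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | forward_leak_check)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_BLOCKED" | forward_leak_check)"
# On a live proxyVM: sudo iptables -S FORWARD | forward_leak_check
```

The check also reports "leak-possible" when the DROP rules were appended with `-A` behind an existing ACCEPT, which is why the message uses `-I`.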



Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread Michael Carbone
On 12/18/2017 09:15 AM, donoban wrote:
> On 12/18/2017 03:10 PM, donoban wrote:
>> First:
>> - Block all traffic and whitelist your DNS provider IP with sys-firewall
>> (you should connect your VPN-VM to sys-firewall). For riseup and bitmask
>> you should permit some IPs.
> 
> Also consider disabling ICMP and DNS queries.
> 
>> Then:
>> The solution is to edit /etc/resolv.conf to the default gw of the tunnel.
>> Try 'sudo route -n' and see the gateway which uses the tun0 interface.
>>
> 
> After editing /etc/resolv.conf you have to run:
> 
> 'sudo /usr/lib/qubes/qubes-setup-dnat-to-ns'
> 
> to make it effective.

FYI this is the issue I created to try to collect clear instructions for
Bitmask users:

https://github.com/QubesOS/qubes-issues/issues/2021

the ticket is still open and once clear documentation is created we can
push it to the website.

Thanks,
Michael

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS 

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread donoban
On 12/18/2017 03:10 PM, donoban wrote:
> First:
> - Block all traffic and whitelist your DNS provider IP with sys-firewall
> (you should connect your VPN-VM to sys-firewall). For riseup and bitmask
> you should permit some IPs.

Also consider disabling ICMP and DNS queries.

> Then:
> The solution is to edit /etc/resolv.conf to the default gw of the tunnel.
> Try 'sudo route -n' and see the gateway which uses the tun0 interface.
> 

After editing /etc/resolv.conf you have to run:

'sudo /usr/lib/qubes/qubes-setup-dnat-to-ns'

to make it effective.



Re: [qubes-users] Bitmask VPN DNS leaks

2017-12-18 Thread donoban

On 12/18/2017 09:50 AM, niepowie...@gmail.com wrote:
> Does anybody know how to prevent or disable DNS leaks with the bitmask vpn provider?
>
> Bitmask when used "out of box" is useless as there are DNS leaks
> (checked with dnsleaktest.com).
>
> Instructions please.
>

First:
- Block all traffic and whitelist your DNS provider IP with sys-firewall
(you should connect your VPN-VM to sys-firewall). For riseup and bitmask
you should permit some IPs.

Then:
- bitmask uses some kind of iptables rules to forward your DNS
petitions through the tunnel but it only affects the OUT chain, so when
you are using the VM as a netVM for other AppVMs this will be skipped and
your petitions will go to the address specified in /etc/resolv.conf
(probably sys-firewall).

The solution is to edit /etc/resolv.conf to the default gw of the tunnel.
Try 'sudo route -n' and see the gateway which uses the tun0 interface.

If you do the first step you will protect DNS and any other kind of
leaks since a compromised VPN-VM won't know your real address and won't
reach direct internet without compromising sys-firewall.

I hope it helps.
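
The resolv.conf step described above, as an added example that is not part of the original message: it picks the tun0 gateway out of `route -n` output and emits the matching resolv.conf line, and it emits nothing when the tunnel has no gateway route, so a dropped tunnel does not silently leave or create a non-tunnel resolver entry. The routing table and its addresses are constructed; `tun_gateway` and `tunnel_resolv_conf` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: derive the resolv.conf entry from `route -n` in a VPN proxyVM.
# Assumption: the tunnel gateway answers DNS, as the message above suggests.

# Reads `route -n` output on stdin; prints the gateway of the first route
# that uses the given interface and carries the G (gateway) flag.
tun_gateway() {
    awk -v dev="${1:-tun0}" '
        $8 == dev && $4 ~ /G/ && $2 != "0.0.0.0" { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Reads `route -n` output on stdin; prints the resolv.conf line for the tunnel,
# or fails without output on stdout when the tunnel has no gateway route.
tunnel_resolv_conf() {
    gw=$(tun_gateway "${1:-tun0}") || {
        echo "no gateway route on ${1:-tun0}; leaving resolv.conf untouched" >&2
        return 1
    }
    printf 'nameserver %s\n' "$gw"
}

# Constructed sample of `route -n` with the tunnel up (addresses are made up).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.42.0.1       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.137.2.1      0.0.0.0         UG    0      0        0 eth0
10.42.0.0       0.0.0.0         255.255.248.0   U     0      0        0 tun0
128.0.0.0       10.42.0.1       128.0.0.0       UG    0      0        0 tun0'

printf '%s\n' "$SAMPLE_ROUTES" | tunnel_resolv_conf

# On a live proxyVM, following the steps in this thread:
#   route -n | tunnel_resolv_conf > /tmp/resolv.new \
#     && sudo cp /tmp/resolv.new /etc/resolv.conf \
#     && sudo /usr/lib/qubes/qubes-setup-dnat-to-ns
```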

