Re: [qubes-users] Can't connect a VPN before Tor

2016-09-14 Thread nishiwaka46
Le mercredi 14 septembre 2016 05:30:30 UTC+2, 3n7r...@gmail.com a écrit :
> On Tuesday, September 13, 2016 at 11:56:53 PM UTC, nishi...@gmail.com wrote:
> > Le samedi 10 septembre 2016 20:36:38 UTC+2, 3n7r...@gmail.com a écrit :
> > > [First, a rant. I hate mailing lists. How am I supposed to attribute 
> > > quotes from earlier posts in the thread not contained in the previous 
> > > post?]
> > > 
> > > nishi:
> > > >Any advices on how to set up Qubes to have a VPN + sys-whonix working 
> > > >together (or VPN + a TorVM proxy) in a good anonymous way would be 
> > > >really appreciated :)
> > > 
> > > As you know, you can either connect to a VPN from a non-Whonix proxyVM or 
> > > set up the VPN directly in the Whonix-Gateway. Both methods have the goal 
> > > of preventing "unintentional" leaks and have the property of 
> > > failing-closed. IMO, since you are using Qubes already, the proxyVM 
> > > method is easier to configure and provides more flexibility. If you're 
> > > short on RAM and/or need to operate multiple Whonix-Gateways with each 
> > > having a separate VPN, you may be better off connecting to the VPN from 
> > > within the Gateway. From a security/anonymity perspective, neither is 
> > > obviously better than the other. A Gateway compromise would most likely 
> > > be game-over in either scenario.
> > > 
> > > Speaking generally, you've got a whole bunch of moving parts. You need to 
> > > troubleshoot by isolating each piece. 
> > > 
> > > **This step reveals that you use Tor. Only proceed if safe to do so.
> > > 
> > > 1. sys-net <- appVM: Do I have general connectivity?
> > > 2. sys-net <- vpn-VM <- appVM: Does my VPN work?
> > > 3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work?
> > > 4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work?
> > > 5. sys-net <- vpn-vm <- whonix-gateway
> > > 
> > > My suggestion is to start with a fresh proxyVM and follow Chris' Qubes 
> > > VPN documentation step by step. (Or take a look at his [git 
> > > repo](https://github.com/ttasket/Qubes-vpn-support) ). If the vpn-VM 
> > > allows successful connections from the appVM, then it's simply a matter 
> > > of assigning it to the Whonix-Gateway as its netVM. No Whonix-specific 
> > > configuration is necessary since it's all transparent to Whonix.
> > > 
> > > * Make sure that the Qubes firewall (Qubes VM Manager) is open on the 
> > > Whonix-Gateway. I don't remember what the default setting is.
> > > 
> > > * Both TCP and UDP are fine for upstream VPNs. Tor can not carry UDP but 
> > > it can be carried on UDP, if that makes sense.
> > > 
> > > * Don't add any additional firewalls until you can get this working.
> > > 
> > > 
> > > nishi:
> > > >Which gives in Qubes something a pattern like this one below (I don't 
> > > >know if all firewall VMs are really needed though) :
> > > >
> > > >AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or 
> > > >TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net
> > > 
> > > Firewalls have limited usefulness as described here: 
> > > https://www.qubes-os.org/doc/data-leaks/
> > > 
> > > rustybird's Corridor can ensure that all traffic goes to a Tor Entry 
> > > Guard (but obviously, can't guarantee that the Entry Guard is 
> > > trustworthy).
> > > 
> > > 
> > > nishi:
> > > >When I purchased a VPN subscription, I saw it as a way to improve 
> > > >anonymity, now I feel it is more a tool to provide security.
> > > 
> > > VPNs don't necessarily improve anonymity OR security. They simply shift 
> > > the trust that you place in your ISP to someone else. That may be good or 
> > > bad.
> > > 
> > > 
> > > Chris:
> > > >Although its straightforward to get the opposite working (Tor -> VPN ->
> > > Internet -- just follow the Qubes vpn doc and connect sys-whonix to the
> > > vpn vm)
> > > 
> > > Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix 
> > > needs to be connected as the *netVM* for the vpn-vm. If vpn-vm is the 
> > > netVM for sys-whonix, the resulting traffic is user -> VPN -> Tor -> 
> > > Internet. I may be forgetting something, but I believe both 
> > > configurations work out of the box.
> > 
> > Hello,
> > 
> > Thank you for your answer. Yes I agree with you, the proxyVM is easier to 
> > configure and provide more flexibility. I don't know if you can make your 
> > VPN autostart if you install it inside the whonix gateway, so I rather 
> > prefer to have it directly installed in an AppVM, because I find it is a 
> > great Qubes feature : )
> > 
> > Also as I said directly in the Whonix-forum site, I don't believe building 
> > a fortress in a gateway that will become the main target for hackers is 
> > what will necessarily will make us all more secure out there. Whonix or 
> > Qubes are targets right now... You have too many hacking intrusion exploits 
> > nowadays to build a fail-safe system for everyone. If you just type list in 
> > metasploit on kali Linux you know 

Re: [qubes-users] Can't connect a VPN before Tor

2016-09-13 Thread 3n7r0py1
On Tuesday, September 13, 2016 at 11:56:53 PM UTC, nishi...@gmail.com wrote:
> Le samedi 10 septembre 2016 20:36:38 UTC+2, 3n7r...@gmail.com a écrit :
> > [First, a rant. I hate mailing lists. How am I supposed to attribute quotes 
> > from earlier posts in the thread not contained in the previous post?]
> > 
> > nishi:
> > >Any advices on how to set up Qubes to have a VPN + sys-whonix working 
> > >together (or VPN + a TorVM proxy) in a good anonymous way would be really 
> > >appreciated :)
> > 
> > As you know, you can either connect to a VPN from a non-Whonix proxyVM or 
> > set up the VPN directly in the Whonix-Gateway. Both methods have the goal 
> > of preventing "unintentional" leaks and have the property of 
> > failing-closed. IMO, since you are using Qubes already, the proxyVM method 
> > is easier to configure and provides more flexibility. If you're short on 
> > RAM and/or need to operate multiple Whonix-Gateways with each having a 
> > separate VPN, you may be better off connecting to the VPN from within the 
> > Gateway. From a security/anonymity perspective, neither is obviously better 
> > than the other. A Gateway compromise would most likely be game-over in 
> > either scenario.
> > 
> > Speaking generally, you've got a whole bunch of moving parts. You need to 
> > troubleshoot by isolating each piece. 
> > 
> > **This step reveals that you use Tor. Only proceed if safe to do so.
> > 
> > 1. sys-net <- appVM: Do I have general connectivity?
> > 2. sys-net <- vpn-VM <- appVM: Does my VPN work?
> > 3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work?
> > 4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work?
> > 5. sys-net <- vpn-vm <- whonix-gateway
> > 
> > My suggestion is to start with a fresh proxyVM and follow Chris' Qubes VPN 
> > documentation step by step. (Or take a look at his [git 
> > repo](https://github.com/ttasket/Qubes-vpn-support) ). If the vpn-VM allows 
> > successful connections from the appVM, then it's simply a matter of 
> > assigning it to the Whonix-Gateway as its netVM. No Whonix-specific 
> > configuration is necessary since it's all transparent to Whonix.
> > 
> > * Make sure that the Qubes firewall (Qubes VM Manager) is open on the 
> > Whonix-Gateway. I don't remember what the default setting is.
> > 
> > * Both TCP and UDP are fine for upstream VPNs. Tor can not carry UDP but it 
> > can be carried on UDP, if that makes sense.
> > 
> > * Don't add any additional firewalls until you can get this working.
> > 
> > 
> > nishi:
> > >Which gives in Qubes something a pattern like this one below (I don't know 
> > >if all firewall VMs are really needed though) :
> > >
> > >AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or 
> > >TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net
> > 
> > Firewalls have limited usefulness as described here: 
> > https://www.qubes-os.org/doc/data-leaks/
> > 
> > rustybird's Corridor can ensure that all traffic goes to a Tor Entry Guard 
> > (but obviously, can't guarantee that the Entry Guard is trustworthy).
> > 
> > 
> > nishi:
> > >When I purchased a VPN subscription, I saw it as a way to improve 
> > >anonymity, now I feel it is more a tool to provide security.
> > 
> > VPNs don't necessarily improve anonymity OR security. They simply shift the 
> > trust that you place in your ISP to someone else. That may be good or bad.
> > 
> > 
> > Chris:
> > >Although its straightforward to get the opposite working (Tor -> VPN ->
> > Internet -- just follow the Qubes vpn doc and connect sys-whonix to the
> > vpn vm)
> > 
> > Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix 
> > needs to be connected as the *netVM* for the vpn-vm. If vpn-vm is the netVM 
> > for sys-whonix, the resulting traffic is user -> VPN -> Tor -> Internet. I 
> > may be forgetting something, but I believe both configurations work out of 
> > the box.
> 
> Hello,
> 
> Thank you for your answer. Yes I agree with you, the proxyVM is easier to 
> configure and provide more flexibility. I don't know if you can make your VPN 
> autostart if you install it inside the whonix gateway, so I rather prefer to 
> have it directly installed in an AppVM, because I find it is a great Qubes 
> feature : )
> 
> Also as I said directly in the Whonix-forum site, I don't believe building a 
> fortress in a gateway that will become the main target for hackers is what 
> will necessarily will make us all more secure out there. Whonix or Qubes are 
> targets right now... You have too many hacking intrusion exploits nowadays to 
> build a fail-safe system for everyone. If you just type list in metasploit on 
> kali Linux you know what I mean... I feel like people working on Whonix would 
> be a really more usefull to random noobs like me and most of the internet 
> community by trying to act like hackers, idea being to create a code able to 
> send back nukes to people entering your own private space. I see 

Re: [qubes-users] Can't connect a VPN before Tor

2016-09-10 Thread 3n7r0py1
[First, a rant. I hate mailing lists. How am I supposed to attribute quotes 
from earlier posts in the thread not contained in the previous post?]

nishi:
>Any advices on how to set up Qubes to have a VPN + sys-whonix working together 
>(or VPN + a TorVM proxy) in a good anonymous way would be really appreciated :)

As you know, you can either connect to a VPN from a non-Whonix proxyVM or set 
up the VPN directly in the Whonix-Gateway. Both methods have the goal of 
preventing "unintentional" leaks and have the property of failing-closed. IMO, 
since you are using Qubes already, the proxyVM method is easier to configure 
and provides more flexibility. If you're short on RAM and/or need to operate 
multiple Whonix-Gateways with each having a separate VPN, you may be better off 
connecting to the VPN from within the Gateway. From a security/anonymity 
perspective, neither is obviously better than the other. A Gateway compromise 
would most likely be game-over in either scenario.

Speaking generally, you've got a whole bunch of moving parts. You need to 
troubleshoot by isolating each piece. 

**This step reveals that you use Tor. Only proceed if safe to do so.

1. sys-net <- appVM: Do I have general connectivity?
2. sys-net <- vpn-VM <- appVM: Does my VPN work?
3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work?
4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work?
5. sys-net <- vpn-vm <- whonix-gateway

My suggestion is to start with a fresh proxyVM and follow Chris' Qubes VPN 
documentation step by step. (Or take a look at his [git 
repo](https://github.com/ttasket/Qubes-vpn-support) ). If the vpn-VM allows 
successful connections from the appVM, then it's simply a matter of assigning 
it to the Whonix-Gateway as its netVM. No Whonix-specific configuration is 
necessary since it's all transparent to Whonix.

* Make sure that the Qubes firewall (Qubes VM Manager) is open on the 
Whonix-Gateway. I don't remember what the default setting is.

* Both TCP and UDP are fine for upstream VPNs. Tor can not carry UDP but it can 
be carried on UDP, if that makes sense.

* Don't add any additional firewalls until you can get this working.


nishi:
>Which gives in Qubes something a pattern like this one below (I don't know if 
>all firewall VMs are really needed though) :
>
>AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or 
>TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net

Firewalls have limited usefulness as described here: 
https://www.qubes-os.org/doc/data-leaks/

rustybird's Corridor can ensure that all traffic goes to a Tor Entry Guard (but 
obviously, can't guarantee that the Entry Guard is trustworthy).


nishi:
>When I purchased a VPN subscription, I saw it as a way to improve anonymity, 
>now I feel it is more a tool to provide security.

VPNs don't necessarily improve anonymity OR security. They simply shift the 
trust that you place in your ISP to someone else. That may be good or bad.


Chris:
>Although its straightforward to get the opposite working (Tor -> VPN ->
Internet -- just follow the Qubes vpn doc and connect sys-whonix to the
vpn vm)

Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix needs to 
be connected as the *netVM* for the vpn-vm. If vpn-vm is the netVM for 
sys-whonix, the resulting traffic is user -> VPN -> Tor -> Internet. I may be 
forgetting something, but I believe both configurations work out of the box.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8ab52f16-0a3a-4acf-bcc7-ed6153ded7c8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Can't connect a VPN before Tor

2016-09-10 Thread nishiwaka46
Le samedi 10 septembre 2016 04:57:17 UTC+2, Chris Laprise a écrit :
> On 09/08/2016 04:41 AM, nishiwak...@gmail.com wrote:
> > Hello,
> >
> > I am struggling to have VPN work while using it with Tor, I can't have both 
> > work.
> >
> > I tried first to follow Mrs. Rutkowska's tutorial on setting up a clear Tor 
> > proxyVM 
> > https://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
> >  but unfortunately I can't make it work.
> >
> > "QUBES_IP=$(xenstore-read qubes_ip)" line doesn't seem to work. If I 
> > replace "(xenstore-read qubes_ip)" with proxyVM's IP then script works but 
> > then I have to set up /etc/tor/torrc to achieve to connect Tor Browser in 
> > another AppVM. I guess this setup is too complicated for me.
> >
> > Then I read whonix documentation 
> > https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor, to 
> > check what I need to do to avoid reinstalling my VPN into a whonix gateway 
> > and just use it as a proxy VM before Tor.
> 
> Although its straightforward to get the opposite working (Tor -> VPN -> 
> Internet -- just follow the Qubes vpn doc and connect sys-whonix to the 
> vpn vm) there are wrinkles to iron out when getting it to work as you 
> describe.

Indeed it is easier to make it work the other way, but problem is that even if 
I kinda trust my VPN provider, who claims not to keep connection logs, I don't 
like to have my connection go through 1 spot in 1 country (you can create 
multiple openvpn.conf file, but this is not very convenient to use). I guess 
this is irrelevant to look for anonymity with this bottle neck effect. When I 
purchased a VPN subscription, I saw it as a way to improve anonymity, now I 
feel it is more a tool to provide security.

This is also why I put Tor browser as the #1 service to provide anonymity, 
because even if nodes exit might be observed, you still have possibilities to 
improve this aspect setting up bridges, besides Tor was created by the US Navy 
Research Laboratory, it is not a big surprise to me that the US were involved 
in this project. When you're talking about defense of freedom, how could one 
not show great admiration and love for the US. I know you have people to talk 
shit about US policies, that the US fucked up in Vietnam or Irak, but where 
would be Europe at right now if no young heroic US soldiers to sacrifice their 
lives to defend freedom and help beating nazi rats ? When I see rise of 
nationalism once again in Europe, I am just so ashamed. They don't know what's 
memory, what's bravery. They want another bloody tyrant on one continent in the 
future, they want the end of time ? Fuck this. Welcome the refugees, stop 
hating.

> Since the solution is Tor-specific, probably the best place to start is 
> trying create the whole setup in Whonix-Qubes using the Whonix doc you 
> referenced. The Whonix forum should be able to help you with any 
> specific issues when following their directions.
> 
> Chris

Ok thank you, I'll find out what I can do setting up Whonix. Maybe this will 
fix my issue https://www.whonix.org/wiki/Bridges#How_to_use_bridges_in_Whonix

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a223e934-58d5-4cd8-ba29-35cc330b4858%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Can't connect a VPN before Tor

2016-09-09 Thread Chris Laprise

On 09/08/2016 04:41 AM, nishiwak...@gmail.com wrote:

Hello,

I am struggling to have VPN work while using it with Tor, I can't have both 
work.

I tried first to follow Mrs. Rutkowska's tutorial on setting up a clear Tor 
proxyVM 
https://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
 but unfortunately I can't make it work.

"QUBES_IP=$(xenstore-read qubes_ip)" line doesn't seem to work. If I replace 
"(xenstore-read qubes_ip)" with proxyVM's IP then script works but then I have to set up 
/etc/tor/torrc to achieve to connect Tor Browser in another AppVM. I guess this setup is too 
complicated for me.

Then I read whonix documentation 
https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor, to check 
what I need to do to avoid reinstalling my VPN into a whonix gateway and just 
use it as a proxy VM before Tor.


Although its straightforward to get the opposite working (Tor -> VPN -> 
Internet -- just follow the Qubes vpn doc and connect sys-whonix to the 
vpn vm) there are wrinkles to iron out when getting it to work as you 
describe.


Since the solution is Tor-specific, probably the best place to start is 
trying create the whole setup in Whonix-Qubes using the Whonix doc you 
referenced. The Whonix forum should be able to help you with any 
specific issues when following their directions.


Chris


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eb206f33-67e9-5ddb-f59b-26a4d4df09fa%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.