Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-03-27 Thread Chris Laprise

On 03/27/2018 07:49 PM, vel...@tutamail.com wrote:

> My Fedora setup is still working great. Passes OpenDNS check when they are
> added to config, reconnects generally after I turn off my wireless.
>
> I am trying to get this to work with a stock Debian9 template(upgraded from
> Debian8 with stock install).
>
> I can't seem to get it to work with Debian, the closest I have come is to a
> pop-up alert saying "Ready to connect" or words to that effect. I feel like I
> am missing a basic step in adding OpenVPN. I am adding the following commands:
>
> su
> apt-get install openvpn
> apt-get install nautilus
> apt-get install network-manager-openvpn-gnome   ?
>
> It just works using the Fedora 26 template(Not minimal template)...
>
> Any suggestions?
>
> Thanks in advance...



An upgraded Debian 8 to 9 template is what I use normally. Adding 
network-manager bits is unnecessary.


If you get "Ready to connect" but nothing after, it's possible you didn't
add the vpn/vpn-client.conf file (via the command that starts with "ln 
-s"). The journalctl log would say somewhere that the file wasn't found, 
or could point out some other problem you need to address.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/99bb189e-3317-8183-386a-151a62ad79ae%40posteo.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-03-27 Thread velcro
My Fedora setup is still working great. Passes OpenDNS check when they are 
added to config, reconnects generally after I turn off my wireless.

I am trying to get this to work with a stock Debian9 template(upgraded from 
Debian8 with stock install).

I can't seem to get it to work with Debian, the closest I have come is to a 
pop-up alert saying "Ready to connect" or words to that effect. I feel like I 
am missing a basic step in adding OpenVPN. I am adding the following commands:

su
apt-get install openvpn
apt-get install nautilus
apt-get install network-manager-openvpn-gnome   ?

It just works using the Fedora 26 template(Not minimal template)...

Any suggestions?

Thanks in advance...



Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-03-06 Thread Chris Laprise

On 03/06/2018 05:30 PM, vel...@tutamail.com wrote:

> Pretty slick Chris...
>
> I just reconfigured with your Qubes4
> (https://github.com/tasket/Qubes-vpn-support/tree/qubes4)...I assume it
> defaults to 1.4beta2. I added the following to the PIA OpenVPN config file:



Yes, the Readme there will say 1.4beta2. I need to get better at 
assigning version tags.




> setenv vpn_dns '208.67.222.222'
>
> ...at the bottom of the config file and hit "save".
>
> I went to:
>
> https://support.opendns.com/hc/en-us/articles/227986567-How-to-test-for-successful-OpenDNS-configuration-
>
> and it showed it worked OpenDNS was "active".
>
> Question:
> 1) If I wanted to put both OpenDNS IPs into this would the addition to the
> config file look like this?:
>
> setenv vpn_dns '208.67.222.222 208.67.220.220'
> (i.e. space between the IPs)



Yes, that's all. FYI, as with regular Qubes DNS config, assigning more 
than two currently will behave as if there are only two.




> I'll keep you posted how it works on Qubes 3.2...not sure I can do any formal
> tests but it is working. Would be happy to try if you tell me how...otherwise
> I'll keep you posted on what I see.



That's already good feedback to have. Thanks!

For formal tests there are traceroute, the test you linked, 
dnsleaktest.com, ipleak.net. You can also try using a packet monitoring 
program. I'll be updating the leak testing issue (#1) with a bit more 
info tonight.


The only type of "leak" I'm currently seeing is WebRTC doing its thing 
in the browser, showing the VM's internal address. This is a 
fingerprinting issue that is best addressed with a browser extension 
like Chris Antaki's 'Disable WebRTC':


https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-03-06 Thread velcro
Pretty slick Chris...

I just reconfigured with your Qubes4 
(https://github.com/tasket/Qubes-vpn-support/tree/qubes4)...I assume it 
defaults to 1.4beta2. I added the following to the PIA OpenVPN config file:

setenv vpn_dns '208.67.222.222'

...at the bottom of the config file and hit "save". 

I went to:

https://support.opendns.com/hc/en-us/articles/227986567-How-to-test-for-successful-OpenDNS-configuration-

and it showed it worked OpenDNS was "active".

Question:
1) If I wanted to put both OpenDNS IPs into this would the addition to the 
config file look like this?:

setenv vpn_dns '208.67.222.222 208.67.220.220'
(i.e. space between the IPs)

I'll keep you posted how it works on Qubes 3.2...not sure I can do any formal 
tests but it is working. Would be happy to try if you tell me how...otherwise 
I'll keep you posted on what I see.

Thanks again for all you do...this is super hero type stuff!!

V



Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-03-05 Thread Chris Laprise

On 03/05/2018 11:04 AM, vel...@tutamail.com wrote:

> Again I have been using the Tasket VPN setup with Fedora 26 for a few weeks and
> it works well...love the kill switch element!
>
> I was hoping to beef up the security(maybe compromise the privacy) of the VPN
> service by adding OpenDNS or Quad9 DNS addresses to this configuration.
>
> My questions I was hoping to get some thoughts on were:
>
> 1) I was presented with a Phishing site the other day...understand I am being
> targeted so I am not surprised. Is OpenDNS, Quad9 better than others? Are there
> others that would provide just as good filtering?


Does this mean PIA's DNS converted a good domain name into a phishing IP 
address? Or was the phishing site arrived at by some other means (email, 
typo)?


My inclination is to view the VPN provider's nameservers as the safer 
option, but not if it's serving wrong IPs.


Not sure what OpenDNS users would say on the subject...




> 2) Tasket I found some documentation in the Qubes-vpn-support-master (README.md
> file) and references the ability to change your DNS address:
>
> You can manually set your VPN's DNS addresses with:
> ```
> export vpn_dns=""
> sudo /rw/config/vpn/qubes-vpn-ns up
> ```
>
> How would I specifically change this? Is this a command? Would this be the
> specific command I would enter into my VPN VM if I was using OpenDNS:
>
> export vpn_dns="208.67.222.222 208.67.220.220"
> sudo /rw/config/vpn/qubes-vpn-ns up
>
>
> I am asking here in the spirit of maybe providing some help to people trying to
> do the same thing...


Those shell commands could be used manually for testing purposes, for 
example. But the placement and phrasing is confusing so I'll change it.


For your purposes -- forcing particular DNS addresses despite the 
numbers that the VPN provider sends over DHCP -- the setenv example in 
the qubes-vpn-ns script comments is better. So if you want to use DNS 
8.8.8.8 you can put this in your openvpn config file:


   setenv vpn_dns '8.8.8.8'

Then whenever openvpn calls qubes-vpn-ns script it will see the vpn_dns 
variable is already set and will use that instead.


-

And since DNS is now the subject.

Both the VPN doc and Qubes-vpn-support 1.3 force all DNS requests to go 
through the tunnel (or else blocked). However, this does not mean an 
appVM will always send requests to the DNS server you want; it could 
conceivably try to use some other DNS server for nefarious purposes 
(although the threat model for this is weak).


TheirryIT was looking for a way to make sure the proper DNS servers were 
addressed for all DNS requests, so in 1.4beta2 I changed the dnat rules 
to convert all addresses for DNS request packets to the proper servers.


So my advice is to use the 1.4beta2 from the 'qubes4' branch (not 
currently 'master') if you aren't already. Only caveat is that, although 
it's intended to still be compatible with Qubes 3.2, I haven't tested it
yet on 3.2.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
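
The `vpn_dns` precedence described in this reply, together with the two-server behaviour mentioned in the 2018-03-06 reply, as an added example; it is not code from the thread or from Qubes-vpn-support. The function names and sample values are hypothetical, and it assumes standard OpenVPN behaviour: `setenv` values and pushed `dhcp-option DNS` entries (as `foreign_option_N`) reach scripts through the environment.

```sh
#!/bin/sh
# Added example (not from Qubes-vpn-support). Function names are hypothetical.

# Print the value of the last `setenv vpn_dns ...` line in an OpenVPN config.
config_vpn_dns() {
    sed -n 's/^[[:space:]]*setenv[[:space:]]\{1,\}vpn_dns[[:space:]]\{1,\}//p' "$1" |
        tail -n 1 | tr -d "'\""
}

# Validate a space-separated list of IPv4 addresses and print the ones that
# take effect. Per the thread, entries after the second behave as if absent.
# Fails (status 1) on an empty list or on any malformed address.
effective_dns() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, o, ".")
                ok = (n == 4)
                for (j = 1; ok && j <= 4; j++) {
                    if (o[j] !~ /^[0-9]+$/ || length(o[j]) > 3 || o[j] + 0 > 255) ok = 0
                }
                if (!ok) { print "invalid DNS address: " $i > "/dev/stderr"; bad = 1; exit }
                if (++seen <= 2) out = out $i "\n"
            }
        }
        END { if (bad || !seen) exit 1; printf "%s", out }'
}

# Precedence described in the thread: a vpn_dns value already in the
# environment (OpenVPN `setenv`) wins over the servers the provider pushes,
# which OpenVPN hands to scripts as foreign_option_N="dhcp-option DNS <ip>".
choose_dns() {
    if [ -n "${vpn_dns:-}" ]; then
        effective_dns "$vpn_dns"
    else
        effective_dns "$(env | sed -n 's/^foreign_option_[0-9]*=dhcp-option DNS //p' | tr '\n' ' ')"
    fi
}

# Constructed demo: a config with the line from the thread plus one extra server.
demo_cfg=$(mktemp)
printf '%s\n' 'client' 'dev tun' \
    "setenv vpn_dns '208.67.222.222 208.67.220.220 9.9.9.9'" > "$demo_cfg"
effective_dns "$(config_vpn_dns "$demo_cfg")"   # the third address is not printed
rm -f "$demo_cfg"
```

Running `effective_dns "$(config_vpn_dns /rw/config/vpn/vpn-client.conf)"` before restarting the VPN VM catches a mistyped address early.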



Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-03-05 Thread velcro
Again I have been using the Tasket VPN setup with Fedora 26 for a few weeks and 
it works well...love the kill switch element!

I was hoping to beef up the security(maybe compromise the privacy) of the VPN 
service by adding OpenDNS or Quad9 DNS addresses to this configuration.

My questions I was hoping to get some thoughts on were:

1) I was presented with a Phishing site the other day...understand I am being
targeted so I am not surprised. Is OpenDNS, Quad9 better than others? Are there
others that would provide just as good filtering?

2) Tasket I found some documentation in the Qubes-vpn-support-master (README.md 
file) and references the ability to change your DNS address:

You can manually set your VPN's DNS addresses with:
```
export vpn_dns=""
sudo /rw/config/vpn/qubes-vpn-ns up
```

How would I specifically change this? Is this a command? Would this be the 
specific command I would enter into my VPN VM if I was using OpenDNS:

export vpn_dns="208.67.222.222 208.67.220.220"
sudo /rw/config/vpn/qubes-vpn-ns up


I am asking here in the spirit of maybe providing some help to people trying to 
do the same thing...

Gratefully,
V



Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-02-14 Thread velcro
Thank you Tasket\Chris...

Thanks for the education on trust/veracity/trustworthiness with Github.

You and the Qubes team are doing a good thing! I really appreciate all the 
help...

Thank you!

V



Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-02-14 Thread Chris Laprise

On 02/13/2018 05:23 PM, vel...@tutamail.com wrote:

> Thanks Chris(and "tasket"!)took me a few tries but I managed to get it
> going, I tweaked the implementation a bit(scary).
>
> I was not however able to get this command going from step #3 of the Github
> guide:  sudo /usr/lib/qubes/qubes-vpn-setup --config
>
> I doubt I did this right/well but when I went to DNSleaktest.com it showed no
> leaks.


Since you installed into a proxyVM only (not a template) you should skip 
this command anyway (per instructions).





> Couple of questions:
> * What security am I not getting by doing step #3?
> * Is using a script from Github good? Appreciate the lead but will this be
> sanctioned by the Qubes community long term?


That depends. For one, you should be accessing github through HTTPS 
which offers some protection. As for my veracity/trustworthiness that is 
ultimately up to you, but looking at the commits you'll notice they are 
cryptographically signed by me so they can be verified in 'git'. And 
there is the pattern of my (signed) contributions accepted to Qubes and 
other projects.


I'm helping add new vpn tunnel features in Qubes itself, so you can 
think of this as most of Qubes-vpn-support being incorporated into the OS.



> * How can I test the kill switch functionality?


If you mean anti-leak, you can try leak testing sites* like you 
mentioned or try monitoring traffic in an upstream vm for any packets 
sent to non-vpn addresses.


*Some more sites: https://github.com/tasket/Qubes-vpn-support/issues/1

One way you can check if the firewall script is running is if 'sudo 
iptables -L -v' shows the following rule at the top of the FORWARD section:


DROP  all  --  eth0   any  anywhere  anywhere


Thanks for the feedback!


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
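
The two checks suggested in this reply (the DROP rule at the top of FORWARD, and watching an upstream VM for packets sent to non-VPN addresses), as an added example that is not part of the original message or of Qubes-vpn-support. The helper names, the addresses, the iptables listing and the tcpdump lines are all constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of Qubes-vpn-support. Helper names are hypothetical
# and every sample line below is constructed.

# stdin: output of `sudo iptables -L -v`. Succeeds only when the FIRST rule of
# the FORWARD chain is "DROP all -- eth0 any anywhere anywhere".
killswitch_rule_present() {
    awk '
        /^Chain /           { in_fwd = ($2 == "FORWARD"); next }
        !in_fwd || NF == 0  { next }
        $1 == "pkts"        { next }    # column header
        {
            found = 1
            ok = ($3 == "DROP" && $4 == "all" && $6 == "eth0" && $7 == "any" &&
                  $8 == "anywhere" && $9 == "anywhere")
            exit
        }
        END { exit !(found && ok) }'
}

# stdin: `tcpdump -n` text captured in the upstream VM on the VPN VM's
# interface. $1 = VPN VM address, $2 = VPN server address (both assumptions).
# Prints IPv4 packets the VPN VM sent anywhere else; status 1 if any were seen.
leaked_packets() {
    awk -v vm="$1" -v vpn="$2" '
        function addr(s,    p, n) {      # "a.b.c.d.port:" -> "a.b.c.d"
            sub(/:$/, "", s)
            n = split(s, p, ".")
            return (n >= 4) ? p[1] "." p[2] "." p[3] "." p[4] : s
        }
        $2 == "IP" && $4 == ">" && addr($3) == vm && addr($5) != vpn { print; hits++ }
        END { exit (hits > 0) }'
}

sample_rules() {    # constructed `iptables -L -v` excerpt
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             anywhere
   42  3528 ACCEPT     all  --  vif+   tun+    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

sample_capture() {  # constructed capture; the last line bypasses the tunnel
    cat <<'EOF'
14:02:11.120001 IP 10.137.2.9.45012 > 203.0.113.10.1198: UDP, length 113
14:02:11.154210 IP 203.0.113.10.1198 > 10.137.2.9.45012: UDP, length 97
14:02:12.000417 IP 10.137.2.9.51622 > 192.0.2.53.53: 4660+ A? example.org. (29)
EOF
}

sample_rules | killswitch_rule_present && echo "DROP rule is first in FORWARD"
sample_capture | leaked_packets 10.137.2.9 203.0.113.10 || echo "^ sent outside the tunnel"
```

On a live system, pipe `sudo iptables -L -v` into `killswitch_rule_present` in the VPN VM, and feed `leaked_packets` from a capture taken while the tunnel is deliberately down.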



Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-02-13 Thread velcro
Thanks Chris(and "tasket"!)took me a few tries but I managed to get it
going, I tweaked the implementation a bit(scary).

I was not however able to get this command going from step #3 of the Github 
guide:  sudo /usr/lib/qubes/qubes-vpn-setup --config

I doubt I did this right/well but when I went to DNSleaktest.com it showed no 
leaks.

Couple of questions:
* What security am I not getting by doing step #3?
* Is using a script from Github good? Appreciate the lead but will this be 
sanctioned by the Qubes community long term?
* How can I test the kill switch functionality?
* Any feedback, comments, ways to do it better?

Looking forward to those instructions Chris...

My sketchy/newbie steps are detailed below:

Create Proxy VM  Make Green  Proxy  Connected to sys-Net -  Name it

Add Files and Firefox in applications (didn't really need firefox as I could
download it in a disposable and then move it to my new sys-VPN)

Go to the services tab and add vpn-handler-openvpn then hit the + button

Notes:
* All commands were done in the proxy VM (No template was used)
* Not a huge terminal expert, so used GUI for some things

Download config files:
https://github.com/tasket/Qubes-vpn-support hit the green Clone or Download 
button
https://www.privateinternetaccess.com/pages/client-support/ (Download the 
“openvpn-ip.zip” file) specifically 
https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip
 
Unzip openvpn-ip.zip in download folder
Manually change name in file from "US East.ovpn" to "openvpn-client.ovpn"

sudo mkdir /rw/config/vpn
sudo mv "openvpn-client.ovpn" '/rw/config/vpn'
sudo mv ".crt file" '/rw/config/vpn'
sudo mv ".pem file" '/rw/config/vpn'

cd '/home/user/Downloads/Qubes-vpn-support-master'
Type cd(space)then drag and drop from downloads the whole “Qubes-vpn-support” 
from “Github” in your downloads folder(Manually Unzipped folder by double 
clicking)

sudo bash ./install

Enter VPN User name and password


Close terminal

cd /rw/config/vpn
sudo ln -s openvpn-client.ovpn vpn-client.conf

Restart VM

Connect your VMs




Re: [qubes-users] Re: Setting up privateinternetaccess on qubes 3.2

2018-02-13 Thread Chris Laprise

On 02/12/2018 07:01 PM, vel...@tutamail.com wrote:

> I have tried, tried, tried ...and tried and I am over my head! (Fedora 26,
> Qubes 3.2)
>
> I am stuck
>
> I tried this:
> https://www.qubes-os.org/doc/vpn/
>
> and this, this was a pretty good video but unfortunately it's not the same as
> PIA's config.:
> https://www.youtube.com/watch?v=K1_zqT7_N7k (Nice video internetz.me...learned
> a lot)
>
> Qubester I went down your path as well but wasn't sure where to go after.
>
>
> But couldn't really get off step 2 of the Qubes instructions...primarily due to
> my linux skills.
>
> Can anybody help?
>
> I got a NetVM working but without a kill switch and credentials exposed it
> just doesn't work for me.
>
> Looking at the Qubes instructions, I was able to create the "sudo mkdir
> /rw/config/vpn" but then things fall apart.
>
> My specific questions from the VPN instructions that keep derailing me,
> specifically the basic commands needed are:
>
> 1) How do I copy files to: "Copy your VPN config files to /rw/config/vpn"?



Each VPN service supplies configs in their own way, but usually there 
should be some option to simply download a zip or tar.


In PIA's case they don't make it easy to find where the openvpn configs 
are, but they're there:


https://www.privateinternetaccess.com/pages/client-support/#fifth

Any of the three *ip, *tcp or *strong-tcp will work.

After downloading the file, unzip the contents to /rw/config/vpn. For 
example:


$ cd /rw/config/vpn
$ sudo unzip ~/Downloads/openvpn-ip.zip

There are multiple configs (one for each region) so pick one and copy it 
to the config filename that will be used:


$ sudo cp "US East.ovpn" openvpn-client.ovpn


--

At this point you can continue with the doc instructions, but I'd 
recommend switching to the method at 
https://github.com/tasket/Qubes-vpn-support


It comes with an installer and you'll notice the instructions are pretty 
simple.




> 2) "Create a file in the /rw/config/vpn folder with your credentials and using a
> directive"...how do I do this?


This is done automatically by the Qubes-vpn-support installer. To do it 
manually, just "sudo nano /rw/config/vpn/pass.txt" and add your PIA 
username and password, one on each line.



> 3) I haven't gotten further but suspect I'll have more questions.
>
> Anybody have a source for a tutorial...I have googled the h3ll out of this and
> more questions than answers.


I'm preparing new vpn tunnel support in Qubes and a simplified doc to go 
with it. This should be available within a week or two. In the meantime 
I suggest using Qubes-vpn-support at the above link.



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
