Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

2021-03-02 Thread Stumpy

On 3/1/21 7:36 PM, 'awokd' via qubes-users wrote:
> roberto re:
>> I've looked around but I can't seem to find any up-to-date, uncomplicated
>> step by step guide to get a fail closed, antileak VPN tunnel environment.
>
> https://github.com/QubesOS-contrib/qubes-tunnel


Sorry I don't have any words of wisdom, I have literally posted for weeks 
actually trying to get a functional VPN, I have gotten it to work using 
the iptables cli method, and once using the qubes tunnel method (was 
easy the one time it worked for me).


Honestly while there are those who have gotten it going I am thinking 
there are bugs or something esp for those who want to use minimal 
non-fedora templates... but that's just me.


Best of luck.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/37a4d58e-c0cc-4147-4024-a0243c51dcd0%40posteo.co.


Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

2021-03-02 Thread 'awokd' via qubes-users

roberto re:
> I've looked around but I can't seem to find any up-to-date, uncomplicated
> step by step guide to get a fail closed, antileak VPN tunnel environment.

https://github.com/QubesOS-contrib/qubes-tunnel

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

2021-02-22 Thread roberto re

David, this setup is very interesting and referenced in a reputable source 
by a developer I trust (here 
https://groups.google.com/g/qubes-users/c/m8BfvtAV2o8/m/FGlwdHrGAgAJ ).

I can grasp the general concept, but I'm unable to execute the instructions 
without further guidance.

Do you have a hint for a step by step guide that I may follow to be able to 
implement this?

Official Qubes docs are surely overcomplicating things, as you say, but 
being step by step guides those are just the thing that users like me need.

I've looked around but I can't seem to find any up-to-date, uncomplicated 
step by step guide to get a fail closed, antileak VPN tunnel environment.

Thanks in advance for your support.

Roby


On Sunday, November 29, 2020 at 12:09:23 PM UTC+1 David Hobach wrote:

>
> On 11/28/20 9:26 PM, setem...@posteo.net wrote: 
> > Documentation followed: 
> http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
>  
>
> > Someone please help me, I'm fucking screaming here every time I try to 
> do the right thing following documentation or try to figure out why my own 
> OS is stopping me from doing basic shit. 
>
> Hmmm yes the official Qubes doc on VPN is still overcomplicating things a 
> bit too much and even lacking in some areas. 
>
> Here's a simple and probably even better way than the official doc: 
>
> 1. Set up a network infrastructure such as: 
>
>                                               your VPN client VM 1
> sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --|
>                                               your VPN client VM 2 etc.
>
> Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that. 
>
> 2. IMPORTANT: Configure your Qubes OS firewall to only allow traffic from 
> sys-vpn to your VPN provider. 
> I.e. `qvm-firewall sys-vpn --raw` should show something like 
> ``` 
> action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port] 
> ``` 
> in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. 
> DNS & pings by default IIRC (you need to remove those GUI rules). 
>
> If you leave out this step or get it wrong, VPN leaks may be possible. 
> For testing purposes you could skip this step and implement it after step 
> 3 though. 
>
> 3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
> client, e.g. `openvpn` with whatever config you need. 
>
> That's it. No messing with iptables et al required... ^^ 
> (Actually there's one iptables rule that would improve security by 0,01%, 
> but I guess it's not really relevant to 99,9% of users.) 
>
> Maybe someone should update the official recommendations. 
>
> > Thank you for taking the time to help me so far. Be well. 
>
> You too. 
>
>



Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

2020-11-29 Thread David Hobach

On 11/29/20 12:09 PM, David Hobach wrote:


On 11/28/20 9:26 PM, setemera...@posteo.net wrote:

Documentation followed: 
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts



Someone please help me, I'm fucking screaming here every time I try to do the 
right thing following documentation or try to figure out why my own OS is 
stopping me from doing basic shit.


Hmmm yes the official Qubes doc on VPN is still overcomplicating things a bit 
too much and even lacking in some areas.

Here's a simple and probably even better way than the official doc:

1. Set up a network infrastructure such as:

                                              your VPN client VM 1
sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --|
                                              your VPN client VM 2 etc.

Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that.

2. IMPORTANT: Configure your Qubes OS firewall to only allow traffic from 
sys-vpn to your VPN provider.
I.e. `qvm-firewall sys-vpn --raw` should show something like
```
action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port]
```
in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. DNS & 
pings by default IIRC (you need to remove those GUI rules).

If you leave out this step or get it wrong, VPN leaks may be possible.
For testing purposes you could skip this step and implement it after step 3 
though.

3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
client, e.g. `openvpn` with whatever config you need.


P.S.: If DNS doesn't work after step 3, you might have to add the following 
lines to `/rw/config/rc.local` inside `sys-vpn`:

```
#[your openvpn stuff here]
echo "nameserver [your DNS server]" > /etc/resolv.conf
/usr/lib/qubes/qubes-setup-dnat-to-ns
```


That's it. No messing with iptables et al required... ^^
(Actually there's one iptables rule that would improve security by 0,01%, but I 
guess it's not really relevant to 99,9% of users.)

Maybe someone should update the official recommendations.


Thank you for taking the time to help me so far. Be well.


You too.


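Step 2 of the procedure in the message above can be checked mechanically. The following is an added example, not part of the thread or of Qubes: a hypothetical helper `audit_vpn_rules` that reads rules in the `qvm-firewall sys-vpn --raw` format and reports every accept rule that is not limited to the VPN endpoint. It assumes the GUI's DNS and ping rules appear as `specialtarget=dns` and `proto=icmp`; the endpoint 203.0.113.10:443 and both rule sets are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit firewall rules in the key=value
# form shown in step 2. Rules are read from stdin, one per line.
# Usage in dom0: qvm-firewall sys-vpn --raw | audit_vpn_rules <VPN IP> <port>
audit_vpn_rules() {
    awk -v ip="$1" -v port="$2" '
    function bad(msg) { printf "LEAK rule %d: %s [%s]\n", n, msg, $0; fail = 1 }
    NF == 0 { next }                          # ignore blank lines
    {
        n++
        split("", kv)                         # reset the per-rule key/value map
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (kv["action"] != "accept") next    # drop rules cannot leak
        accepts++
        if (kv["specialtarget"] == "dns") bad("DNS allowed outside the tunnel")
        else if (kv["proto"] == "icmp") bad("ping (ICMP) allowed outside the tunnel")
        else if (kv["dst4"] != ip "/32") bad("destination is not " ip "/32")
        else if (kv["dstports"] != port "-" port) bad("ports are not " port "-" port)
    }
    END {
        if (accepts == 0) { print "no accept rule for the VPN endpoint"; fail = 1 }
        exit fail + 0
    }'
}

# Constructed sample rule sets; 203.0.113.10:443 is a placeholder endpoint.
LOCKED_DOWN='action=accept proto=tcp dst4=203.0.113.10/32 dstports=443-443
action=drop'
GUI_DEFAULTS='action=accept proto=tcp dst4=203.0.113.10/32 dstports=443-443
action=accept specialtarget=dns
action=accept proto=icmp
action=drop'

printf '%s\n' "$LOCKED_DOWN"  | audit_vpn_rules 203.0.113.10 443 && echo "locked down: OK"
printf '%s\n' "$GUI_DEFAULTS" | audit_vpn_rules 203.0.113.10 443 || echo "GUI defaults: leaks"
```

The function exits non-zero when any accept rule falls outside the VPN endpoint, so it can gate a script that starts the client VMs.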

Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

2020-11-29 Thread David Hobach


On 11/28/20 9:26 PM, setemera...@posteo.net wrote:

Documentation followed: 
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts



Someone please help me, I'm fucking screaming here every time I try to do the 
right thing following documentation or try to figure out why my own OS is 
stopping me from doing basic shit.


Hmmm yes the official Qubes doc on VPN is still overcomplicating things a bit 
too much and even lacking in some areas.

Here's a simple and probably even better way than the official doc:

1. Set up a network infrastructure such as:

                                              your VPN client VM 1
sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --|
                                              your VPN client VM 2 etc.

Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that.

2. IMPORTANT: Configure your Qubes OS firewall to only allow traffic from 
sys-vpn to your VPN provider.
I.e. `qvm-firewall sys-vpn --raw` should show something like
```
action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port]
```
in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. DNS & 
pings by default IIRC (you need to remove those GUI rules).

If you leave out this step or get it wrong, VPN leaks may be possible.
For testing purposes you could skip this step and implement it after step 3 
though.

3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
client, e.g. `openvpn` with whatever config you need.

That's it. No messing with iptables et al required... ^^
(Actually there's one iptables rule that would improve security by 0,01%, but I 
guess it's not really relevant to 99,9% of users.)

Maybe someone should update the official recommendations.


Thank you for taking the time to help me so far. Be well.


You too.
