On 11/09/2016 08:46 AM, SEC Tester wrote:
I've considered leaving network lock off, and building my own custom IP Tables, 
or firewall rules to stop the leaks.

But this is currently beyond my skill set, so would need some hand holding to 
learn what to do.

I have looked at the section here on the Qubes site on how to stop leaks using 
scripts, but it's kinda confusing, and looks like it's for a CLI approach, when I 
would prefer to have my AirVPN GUI for convenience.

https://www.qubes-os.org/doc/vpn/#proxyvm


The VPN doc definitely uses scripts to block leaks. However, the editing of files is kept to a minimum as it's mostly copy and paste.

The two basic things the scripts do are block all direct forwarding to/from eth0 (the Qubes uplink interface), and set up DNAT rules that allow DNS requests to be tunneled. This is roughly analogous to running:

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
(during firewall setup)

/usr/lib/qubes/qubes-setup-dnat-to-ns
(triggered by the openvpn 'up' script command which runs after openvpn puts new DNS values in /etc/resolv.conf)

To use the VPN doc scripts with the AirVPN GUI wrapper, you could try running the GUI program under the 'qvpn' group, granting it access to the net. Or you could change the policy of the OUTPUT chain to ACCEPT to bypass the group restriction, which doesn't affect leak prevention for forwarded traffic.

Chris
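As an added illustration of the two mechanisms Chris describes (not code from the Qubes docs or from the thread), the script below generates the iptables commands a VPN ProxyVM setup would issue: the two FORWARD drops for the uplink, and DNAT rules that redirect the virtual DNS addresses Qubes hands to client VMs onto the nameservers found in a resolv.conf-style file. The uplink name eth0, the virtual DNS addresses in QUBES_DNS and the PR-QBS nat chain are assumptions; the commands are printed rather than executed, so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the Qubes project or the VPN doc scripts.
# Assumptions: uplink is eth0, the ProxyVM offers the two virtual DNS
# addresses below to client VMs (constructed; read /etc/resolv.conf in a
# real ProxyVM), and DNS redirection lives in the PR-QBS nat chain.

QUBES_DNS="10.139.1.1 10.139.1.2"

# Emit the rules that stop forwarded traffic from ever leaving or entering
# through the uplink directly; only the tunnel interface remains usable.
forward_block_rules() {
    uplink="${1:-eth0}"
    printf 'iptables -I FORWARD -o %s -j DROP\n' "$uplink"
    printf 'iptables -I FORWARD -i %s -j DROP\n' "$uplink"
}

# Read every "nameserver" entry from the file given as $1 (the values the
# VPN pushed into resolv.conf) and emit DNAT rules that send client VM DNS
# queries for each virtual DNS address to those nameservers over UDP and TCP.
# Fails if no nameserver is present, which would otherwise leave DNS leaking.
dnat_rules_from_resolv() {
    resolv="$1"
    ns_list=$(awk '$1 == "nameserver" { print $2 }' "$resolv")
    if [ -z "$ns_list" ]; then
        echo "no nameserver entries in $resolv" >&2
        return 1
    fi
    printf 'iptables -t nat -F PR-QBS\n'
    for vdns in $QUBES_DNS; do
        for ns in $ns_list; do
            printf 'iptables -t nat -A PR-QBS -d %s -p udp --dport 53 -j DNAT --to %s\n' "$vdns" "$ns"
            printf 'iptables -t nat -A PR-QBS -d %s -p tcp --dport 53 -j DNAT --to %s\n' "$vdns" "$ns"
        done
    done
}

# Stand-alone demo on a constructed resolv.conf with two VPN nameservers.
if [ "${DEMO:-0}" = 1 ]; then
    demo=$(mktemp)
    printf 'nameserver 10.4.0.1\nnameserver 10.5.0.1\n' > "$demo"
    forward_block_rules eth0
    dnat_rules_from_resolv "$demo"
    rm -f "$demo"
fi
```

Run with DEMO=1 to print the full rule set; in a real ProxyVM the DNAT part would be re-run from the openvpn 'up' hook, after resolv.conf has been rewritten.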
