On 11/09/2016 01:51 PM, SEC Tester wrote:
> I'm trying to set up a VPN ProxyVM on Qubes R3.2.
>
> ==================
> Here's what works:
> ==================
> I've got the AirVPN GUI set up and working on Fedora-23-minimal.
> My AppVM can proxy through the VPN ProxyVM.
> whatismyip.com shows the VPN IP.
>
> ====================
> Here's what's broken:
> ====================
> When I leak test the browser on the AppVM, my real IP leaks.

What test do you use?

> The AirVPN GUI has a nice Network Lock feature that works well on the ProxyVM and stops leaks.
>
> However, the Network Lock feature blocks the AppVM too, cutting off its internet.
>
> In the AirVPN GUI, there are advanced settings that are supposed to allow local VPN traffic. You can even specify specific IPs. Unfortunately this isn't working.
> =====================
>
> I'm hoping someone with a higher understanding of iptables and networking can help me find a solution.

In general I'd recommend not playing with iptables in any Qubes ProxyVM or NetVM unless you know 100% what you're doing and follow Qubes changes all of the time. I.e., I'd also recommend avoiding any tools employing iptables that were not written explicitly for Qubes.

Why: Qubes apparently manages its firewall settings for all VMs (Qubes VM Manager --> Firewall tab) via qubes-firewall in dom0, which injects all necessary firewall rules at runtime into the respective ProxyVM. This is done whenever a VM is started or stopped, etc.

Your firewall settings are constantly being reset and manipulated by Qubes. Your custom changes will disappear if you don't use the Qubes method of persisting them. However, even then your custom changes might not work well with the Qubes changes, and you might run into unexpected issues such as your downstream AppVMs suddenly having internet access even though you configured it differently in Qubes (but your custom rules somehow allow it).
Moreover, this behaviour might change with newer Qubes versions...
Maybe the iptables lines mentioned at https://www.qubes-os.org/doc/vpn/ will continue to work in the future, maybe they won't. Will you check that site every 3 months? Will you hope that no one forgot to update it (is it currently up to date anyway)?

In short:
Avoid any iptables usage in ProxyVMs and NetVMs.

Use standard OpenVPN or the NetworkManager GUI, and implement firewall rules using the Qubes Manager GUI to only allow access to your VPN servers from your ProxyVM.


P.S.:
I had once posted a script to do the VPN setup here, but I wouldn't recommend that anymore either, as it did iptables changes in the ProxyVM as well.
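The recommendation above (restrict the ProxyVM to its VPN servers with Qubes' own firewall, not with iptables inside the ProxyVM) expressed as dom0 commands, as an added example that is not part of the original thread or of Qubes' documentation. It assumes the Qubes R3.2 `qvm-firewall` syntax (`qvm-firewall <vm> -P deny`, `qvm-firewall <vm> -a <address> <proto> <port>`; R4.x uses a different CLI), and the VM name `sys-vpn`, the UDP/443 endpoint and the 192.0.2.x server addresses are constructed placeholders, not real AirVPN values:

```shell
#!/bin/sh
# Added example: emit (and optionally apply) the dom0 qvm-firewall commands that
# lock a Qubes R3.2 ProxyVM down to its VPN servers. This is the Qubes-managed
# equivalent of a "network lock" in the ProxyVM, and it survives the rule
# re-injection qubes-firewall performs on every VM start/stop, because it IS
# the source of those rules. qvm-firewall flag syntax is the assumed R3.2 form.

# Print the commands for one ProxyVM and its VPN endpoints.
# Usage: vpn_firewall_cmds <proxyvm> <tcp|udp> <port> <ip>...
vpn_firewall_cmds() {
    vm=$1; proto=$2; port=$3
    shift 3
    # Default policy first: deny everything the ProxyVM itself originates...
    printf 'qvm-firewall %s -P deny\n' "$vm"
    # ...then allow exactly one hole per VPN server. Use IP addresses rather
    # than hostnames so the ProxyVM does not need DNS to reach its servers
    # (DNS out of the ProxyVM is itself a leak path; keep "Allow DNS" off).
    for ip in "$@"; do
        printf 'qvm-firewall %s -a %s %s %s\n' "$vm" "$ip" "$proto" "$port"
    done
}

# Apply the rules when running in dom0 (qvm-firewall present); elsewhere just
# show them so the rule set can be reviewed before it is committed.
apply_vpn_firewall() {
    if command -v qvm-firewall >/dev/null 2>&1; then
        vpn_firewall_cmds "$@" | sh -e
    else
        vpn_firewall_cmds "$@"
    fi
}

# Constructed sample: ProxyVM "sys-vpn", OpenVPN over UDP 443, two server IPs.
apply_vpn_firewall sys-vpn udp 443 192.0.2.10 192.0.2.11
```

Only the ProxyVM's own traffic is pinned this way; the AppVM behind it keeps whatever rules you give it in its own Firewall tab, which is why it is not cut off the way the in-VM network lock cuts it off. If the VPN client must resolve a server hostname, that is the one case where "Allow DNS queries" has to stay enabled for the ProxyVM, and it is the case to avoid when you can.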
