On 13.11.2016 at 14:22, hed...@tutanota.com wrote:
> 13. Nov 2016 08:48 by amad...@riseup.net <mailto:amad...@riseup.net>:
>
> > We see much correspondence in these forums about installing a VPN
> > within Qubes. Surely, the most secure place for VPN is to install
> > on a Router?
>

You might continue proving that this is the case for a router running on its own VM compared to a router running on separate hardware, but keep in mind counting the problem of keeping the router's OS current and free of security-relevant problems.

> > The solution they say is to isolate these rogue routers in the
> > Militarized Zone by creating a DMZ [demilitarized zone]. Achieved
> > by installing a 2nd router [flashed with open source firmware such
> > as OpenWRT]. It is here, on the router, that we should enable and
> > run OpenVPN.
>

And of course another router/packet filter/firewall/whatever behind it, as there could be something _inside_ the VPN that would not be agreeable to you.

> > Thoughts on this paper and its conclusions are welcomed
>

There is a point where additional components won't give you defense-in-depth but only additional complexity that will in the end make you less secure.

> An always-on VPN connection on the router works well but can be a bit
> slow since the processing power of router CPUs is generally quite
> limited. If choosing a router, I'd suggest a dual-core ARM-based
> device. Although openvpn is only single-threaded you can usually
> configure cpu-affinity to place it on one core and the other routing
> tasks on the other core.
>

One of the GL-Inet small arm(s 8-) ) routers is sufficient for 80 MBit/s (see https://www.gl-inet.com/). I'm using one of their "Mifi" devices (https://www.gl-inet.com/mifi/) to write this, and right now it is holding up quite well with 150 MBit/s LTE plus an OpenVPN on top of it. The only problem is the about 1 MBit/s I'm getting from their uplink.

> For those who want to go beyond around 20-25 Mb/s, which is where an
> ARM router will start to reach its limits
>

Seriously? I doubt that. Right now I'm using an ASUS RT-AC5300 (ARM, dual core) router on a 400/20 MBit link (residential cable), and even if I'm saturating it using an OpenVPN process running on the router its cores seem quite unimpressed.

But maybe DD-WRT is magical.

> , a fine alternative is a small fanless PC, such as the Intel NUC or
> Gigabyte Brix, and run an open source firewall on it, instead of a router.
>

For security-sensitive applications I'm using a USBArmory-based "crypto-afterburner" that I can plug into other machines offering two "USB-NICs", and I don't have problems with reaching the USB bandwidth limit. If it wasn't impossible to get a single USB port into a VM I would have found a place to stick one inside my Thinkpad already. If there was a Qubes developer feeling bored I would have thrown one at him already to see if we could have a few interesting things introduced into Qubes (like boot media running on a separate volume that need to be unlocked first, external key storage, external crypto functions…)

> Finally, I've always felt that running a vpn on Qubes and having an
> always-on vpn running on a router/PC complement each other.

And an independent packet filter in front of it. And one behind it. And no wireless networking in between any component.

Again: Consider a USB Armory; write some interesting tools, add them to Qubes. That might really help.

Achom

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a07e2dfb-10f7-d37e-50f4-0712f8d25453%40noses.com.
For more options, visit https://groups.google.com/d/optout.
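The quoted message mentions pinning the single-threaded OpenVPN process to one core of a dual-core router and leaving the other routing work on the second core. The script below is an added illustration of that split and is not from anyone in this thread: it pins openvpn with taskset and binds the WAN interface's interrupts (where most of the packet-handling work lands) to the other core through /proc/irq. It assumes a Linux router with taskset, pidof and awk available; the interface name eth0 and the core numbers are placeholders to adjust for the real device.

```shell
#!/bin/sh
# Added example, not from the thread. Pins the single-threaded openvpn
# process to one core of a dual-core router and steers the WAN interface's
# interrupts (the bulk of the routing work) to the other core.
# Assumes Linux with taskset (util-linux or busybox), pidof and /proc/irq;
# the interface name and core numbers below are placeholders.

VPN_CORE="${VPN_CORE:-0}"   # core that runs openvpn
NET_CORE="${NET_CORE:-1}"   # core that services the NIC interrupts
WAN_IF="${WAN_IF:-eth0}"    # assumed WAN interface name (placeholder)

# core_mask N -> hex CPU bitmask with only bit N set, the format that
# /proc/irq/<irq>/smp_affinity expects (core 0 -> "1", core 1 -> "2").
core_mask() {
    printf '%x\n' $(( 1 << $1 ))
}

# irqs_for_iface IFACE [FILE] -> IRQ numbers whose /proc/interrupts line
# (or a line of FILE, used for testing with constructed input) names IFACE.
irqs_for_iface() {
    awk -v ifc="$1" \
        '$1 ~ /^[0-9]+:$/ && index($0, ifc) { sub(":", "", $1); print $1 }' \
        "${2:-/proc/interrupts}"
}

# pin_openvpn -> move every running openvpn process onto VPN_CORE
pin_openvpn() {
    pids=$(pidof openvpn) || { echo "openvpn is not running" >&2; return 1; }
    for p in $pids; do
        taskset -cp "$VPN_CORE" "$p"
    done
}

# steer_irqs -> bind WAN_IF's interrupts to NET_CORE so packet handling
# does not compete with openvpn for the same core
steer_irqs() {
    mask=$(core_mask "$NET_CORE")
    for irq in $(irqs_for_iface "$WAN_IF"); do
        echo "$mask" > "/proc/irq/$irq/smp_affinity"
    done
}

# Only touch the live system when invoked as: sh pin-vpn.sh apply
if [ "${1:-}" = "apply" ]; then
    pin_openvpn && steer_irqs
fi
```

Run it as root with the `apply` argument after openvpn has started (for example from a hotplug or init hook), and check the result with `cat /proc/interrupts` over a few seconds: the WAN IRQ counters should climb only in the NET_CORE column. If irqbalance is installed it will undo the IRQ assignment, so disable it on the router or exclude those IRQs from it.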