On 07/09/2017 11:48 PM, yreb-qusw wrote:
> at the end of the VPN CLI setup it says:
> ==
> If you want to be able to use the Qubes firewall, create a new
> FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
> Then, configure AppVMs to use your new FirewallVM as their NetVM.
> ==
> is there some reason why I should or should not just use the existing
> firewall, or should each of the VPN VMs have its own firewall VM
> for some reason?
Qubes firewall creates DNS accept rules that target only the upstream
netVM. This has no side-effect until you start whitelisting in the
presence of a tunnel; then DNS queries become blocked by the "Deny
except" rule even if "Allow DNS" is selected.
One workaround is to use a firewall VM between the VPN VM and downstream
VMs, as suggested in the doc. You need one for each VPN VM where you intend
to whitelist.
The existing sys-firewall normally interfaces to sys-net. In that
configuration it can't filter any traffic that gets routed through the
tunnel. But you can re-assign it to use a VPN VM instead of sys-net. The
only downside is if you have any VMs that need direct non-VPN access to
the net, in which case it's still good to keep sys-firewall connected to
sys-net and use other proxyVMs as VPN firewalls.
-
A different workaround is to use 'sed' to update iptables with the
correct DNS entries, as in this script which can replace
"qubes-vpn-handler.sh":
https://github.com/tasket/Qubes-vpn-support/blob/new-1/rw/config/vpn/qubes-vpn-ns
...then add this to the end of "qubes-firewall-user-script":
/rw/config/vpn/qubes-vpn-ns fwupdate
--
Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
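The sed-based workaround described above, as an added illustration that is not the linked qubes-vpn-ns script and not part of the original post. It assumes the layout of the FORWARD rules Qubes generates for a ProxyVM (DNS accepted only toward the upstream netVM's DNS addresses, everything else dropped) and uses made-up addresses; it works on iptables-save text so it can be run offline, whereas on a real ProxyVM the input would come from iptables-save and the output go to iptables-restore. To my knowledge Qubes also DNATs DNS in the nat table, so a real rewrite must cover that chain as well.

```shell
#!/bin/sh
# Added example (not the qubes-vpn-ns script linked in the post): rewrite the
# DNS accept rules that Qubes generates for the upstream netVM so they point at
# the DNS servers the VPN pushed. It operates on iptables-save text so it can
# be exercised offline; on a real ProxyVM you would feed it `iptables-save`
# and hand the result to `iptables-restore`.

# Constructed sample of the filter rules Qubes writes for a ProxyVM (assumed
# layout; the addresses are made up): DNS is accepted only toward the two DNS
# addresses of the upstream netVM, so once the tunnel is up and a whitelist is
# active, queries to the VPN's resolvers fall through to the final DROP.
SAMPLE_RULES='*filter
-A FORWARD -i vif+ -d 10.137.1.1 -p udp --dport 53 -j ACCEPT
-A FORWARD -i vif+ -d 10.137.1.254 -p udp --dport 53 -j ACCEPT
-A FORWARD -i vif+ -o eth0 -j DROP
COMMIT'

DNS_ACCEPT='-p udp --dport 53 -j ACCEPT'

# dns_targets: print the destination address of every DNS accept rule on stdin.
# This is the before/after check to run when applying the rewrite for real.
dns_targets() {
    grep -- "$DNS_ACCEPT" | sed 's/.*-d \([0-9.]*\).*/\1/'
}

# rewrite_dns_rules "DNS1 DNS2 ...": read rules on stdin and emit them with the
# netVM DNS accept rules replaced by one accept rule per VPN DNS server (the
# list would normally be taken from the VPN VM's /etc/resolv.conf).
rewrite_dns_rules() {
    vpn_dns=$1
    seen=
    while IFS= read -r line; do
        case "$line" in
            *"-d "*" $DNS_ACCEPT")
                # First netVM DNS rule: clone it once per VPN server, with sed
                # swapping the -d address; further netVM DNS rules are dropped.
                if [ -z "$seen" ]; then
                    for ip in $vpn_dns; do
                        printf '%s\n' "$line" | sed "s/-d [0-9.]*/-d $ip/"
                    done
                    seen=1
                fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Stand-alone run: show what the rewrite does to the sample rule set.
printf '%s\n' "$SAMPLE_RULES" | rewrite_dns_rules "10.8.0.1 10.8.0.2"
```

Whatever the VPN pushes (one resolver or several), each gets its own accept rule and the stale netVM entries disappear, which is what keeps "Allow DNS" meaningful once a whitelist is in force behind the tunnel.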
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ee9bfdd5-d36b-1fde-1396-8df628397030%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.