On Tue, 25 Sep 2018 22:34:12 -0400
Chris Laprise <tas...@posteo.net> wrote:
>On 09/25/2018 05:27 PM, Stuart Perkins wrote:
>>
>> On Tue, 25 Sep 2018 12:52:16 -0700 (PDT)
>> Ninja-mania via qubes-users <qubes-users@googlegroups.com> wrote:
>>
>>> Dude I actually love you (no homo).
>>>
>>> Spent 20+ trying to set vpn up (Big ass noob) and never came across the
>>> Qubes tunnel. It’s awesome. You’re awesome.
>
>Glad to help!
>
>
>> I have two separate VPN's on my Qubes 3.2 laptop.
>>
>> One Cisco VPN running via OpenConnect in a dedicated appVM for a client.
>> One OpenVPN running in a secondary copy of sys-net which I switch to when I
>> need it. I run the server OpenVPN on a VM on my home server (Debian and
>> VirtualBox).
>>
>> When I want to connect EVERYTHING to the VPN, I switch out and run the copy
>> of sys-net with the VPN credentials and scripts.
>>
>> When I want to access the client, I start the appVM with the OpenConnect
>> Cisco VPN client and credentials. I also use this appVM to run client
>> specific software through Wine for most of my work on their equipment,
>> although I do a fair amount of straight up command line stuff on their
>> system as well. I can run this on top of the other VPN if absolutely
>> necessary, but performance is not fast since my home connection is not fast.
>>
>> Haven't had occasion to try the Qubes tunnel. Is there a particular reason
>> to?
>
>Its good practice to use a Qubes-specific tool like qubes-tunnel to
>ensure that DNS packets (and everything else) gets routed through the
>tunnel and never _around_ it even when the link goes down. This is
>important for Qubes because any service VM (NetVM or ProxyVM) that runs
>VPN software is acting like a router, not a PC, and Qubes also has
>special requirements for proper routing of DNS in this situation.
>
>In your case the AppVM with OpenConnect acts like a PC endpoint and is
>probably not a security issue. But the sys-net copy is acting like a
>router as previously mentioned and that's an issue on Qubes; to improve
>security you could move your openvpn config to a ProxyVM and use
>qubes-tunnel.
>
>There is also the issue of VPN passwords or keys being stored in a
>sys-net type VM, since these VMs are considered vulnerable to attack.
>Moving the VPN to a ProxyVM increases the security of your VPN secrets.
>
I will try and get the qubes-tunnel to work, as this makes sense.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180926002429.7a135069%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
