Re: Best practice for managing default routes over only VPN connections?
On 11/07/2016 01:49 PM, Stuart D. Gathman wrote:
> Cool! I had not had time to find out exactly what qubes did, but you
> explained it very well. I suspect that's not *all* qubes does, but I'll
> be installing a prepackaged VM router (or hacking my own). What a great
> concept.

Yeah, Qubes really is cool...

All mundane app functions and external connections are done in virtual machines which are controlled with very simple/safe interfaces by the bare-metal hypervisor, Xen. It does the same for hardware, too... Network and USB controllers especially are confined to service VMs using the IOMMU to ensure DMA-based attacks don't yield access to the rest of the system.

OTOH, the admin VM has no network access. Its job is to run the GUI and local storage, and manage the unprivileged VMs (which by default run from read-only OS templates). The Qubes graphics stack prevents the usual GUI vulnerabilities with VMs running on Linux, e.g. no clipboard sniffing or bitmap spying; it also displays window borders with VM name and assigned color so there's little or nothing a compromised VM can do to fool you.

The overall idea is to stuff most of the complexity and attack surface of a modern desktop into isolated, unprivileged VMs. You have to trust only a much smaller admin VM, tiny Xen hypervisor and core hardware components. From there, it's up to the user to organize their activities and data into different VMs like "personal", "work", "untrusted".

BTW, some Qubes users are experimenting with router and network VMs that utilize microkernels. However, the default OS templates (Debian and Fedora) make pretty good routers themselves.

Chris

___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: Best practice for managing default routes over only VPN connections?
Cool! I had not had time to find out exactly what qubes did, but you explained it very well. I suspect that's not *all* qubes does, but I'll be installing a prepackaged VM router (or hacking my own). What a great concept.

On Mon, 7 Nov 2016, Chris Laprise wrote:
> FWIW... If the OP is inquiring about a 'fail closed' configuration that
> can prevent any traffic leaking from the tunnel, then he may want to look
> at Qubes OS where users can define a 'Proxy VM' to control all traffic in
> this way. This means the VPN is running inside a forwarding *router* and
> preventing leaks becomes a much simpler matter of stopping any forwarding
> to clearnet NICs.
>
> https://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
> https://www.qubes-os.org/doc/vpn/
>
> You can get the same effect with a dedicated physical router, but then
> you'd have to carry that around (and router devices get exploited a lot
> these days).

--
Stuart D. Gathman
"Confutatis maledictis, flamis acribus addictis" - background song for a Microsoft sponsored "Where do you want to go from here?" commercial.
Re: Best practice for managing default routes over only VPN connections?
On 11/07/2016 06:57 AM, Thomas Haller wrote:
> Another thing is ensuring that all traffic is routed via the VPN (that
> is, controlling the configured routes). That is not supported by NM
> directly (besides that you can manually configure your underlying
> connection to have no default-route and only give a default-route to
> the VPN connection). See for example
> https://bugzilla.gnome.org/show_bug.cgi?id=749376 .

FWIW... If the OP is inquiring about a 'fail closed' configuration that can prevent any traffic leaking from the tunnel, then he may want to look at Qubes OS where users can define a 'Proxy VM' to control all traffic in this way. This means the VPN is running inside a forwarding *router* and preventing leaks becomes a much simpler matter of stopping any forwarding to clearnet NICs.

https://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
https://www.qubes-os.org/doc/vpn/

You can get the same effect with a dedicated physical router, but then you'd have to carry that around (and router devices get exploited a lot these days).

Chris
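The "stop any forwarding to clearnet NICs" idea from Chris's post, written out as an added example (this is not code from the thread, from Qubes, or from NetworkManager). It assumes a router VM with a tunnel interface and a single clearnet uplink, both named by the caller; the rule generator is side-effect free so the resulting ruleset can be read and checked offline, and a small audit helper shows how to verify an existing iptables-save dump is still fail-closed after someone edits it.

```shell
#!/bin/sh
# Added example: fail-closed forwarding policy for a VPN router VM.
# Assumptions: $1 is the VPN tunnel interface (e.g. tun0), $2 is the clearnet
# uplink NIC (e.g. eth0). Only *forwarded* traffic is governed here; the VPN
# daemon's own session to its server is a local OUTPUT flow, not forwarding,
# so it keeps working while downstream clients can only reach the tunnel.

# Print the iptables commands implementing "forward only into the tunnel".
# Nothing is executed here, so the output can be inspected or tested offline.
gen_fail_closed_rules() {
    tun="$1"
    clearnet="$2"
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $clearnet -j DROP
iptables -A FORWARD -o $clearnet -j DROP
iptables -A FORWARD -o $tun -j ACCEPT
iptables -A FORWARD -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the generated rules (run as root inside the router VM). Kept separate
# from the generator so the generator stays free of side effects.
apply_fail_closed_rules() {
    gen_fail_closed_rules "$1" "$2" | while read -r cmd; do
        eval "$cmd" || return 1
    done
}

# Audit helper: read an iptables-save style dump on stdin and report whether
# any FORWARD rule accepts traffic *out of* the clearnet NIC, which would be a
# leak path around the tunnel. Returns 0 when fail-closed, 1 when a leak exists.
check_fail_closed() {
    clearnet="$1"
    if grep -E "^-A FORWARD .*-o $clearnet .*-j ACCEPT" >/dev/null; then
        return 1
    fi
    return 0
}
```

Usage inside the router VM would be `apply_fail_closed_rules tun0 eth0`, and a periodic `iptables-save | check_fail_closed eth0` catches a later rule change that reopens the uplink. The explicit `-o $clearnet -j DROP` is deliberately placed before the tunnel ACCEPT so the policy stays closed even if the default FORWARD policy is later flipped by other tooling.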
Re: Proxy Settings per Profile
On Mon, 2016-11-07 at 09:33 +0530, Janaka Wickramasinghe wrote:
> Hi All,
>
> Is there a way to set the proxy setting per connection profile ?
> e.g. WifiCon001 --> to use ProxyA and WifiCon002 to use ProxyB

That was added recently, see proxy setting in `man nm-settings`.
https://developer.gnome.org/NetworkManager/unstable/nm-settings.html#id-1.2.6.4.22

It however requires at least version 1.5.1, which you probably don't have. So, no.

You could instead use a dispatcher script. See
https://developer.gnome.org/NetworkManager/stable/NetworkManager.html#id-1.2.10.6

Thomas
Re: Best practice for managing default routes over only VPN connections?
On Sun, 2016-11-06 at 19:30 -0500, Paul Swanson wrote:

Hi

> I've recently been configuring my Ubuntu 16.10 laptop for default
> routing via VPN only and have discovered some difficulties.
>
> My goal is to only connect to the Internet via a VPN and ensure that
> DNS requests are resolved by a trusted server only.
>
> One thing I've noticed is that DNS resolution seems to be handled by
> NM on a connection by connection basis, but I want to ensure that DNS
> resolvers are fixed to my choice regardless of the underlying
> connection, without giving up NM control and dnsmasq for caching.
>
> From what I've seen so far, the configuration bias is towards VPN
> connections providing tangential access to a private network and NOT
> as the default route.

You ask here only about DNS. That is actually possible since 1.4.0 by setting ipv4.dns-priority to a negative value. See
https://developer.gnome.org/NetworkManager/stable/nm-settings.html#nm-settings.property.ipv4.dns-priority

    nmcli connection modify $VPN_CONNECTION ipv4.dns-priority -1
    nmcli connection up $VPN_CONNECTION

Another thing is ensuring that all traffic is routed via the VPN (that is, controlling the configured routes). That is not supported by NM directly (besides that you can manually configure your underlying connection to have no default-route and only give a default-route to the VPN connection). See for example
https://bugzilla.gnome.org/show_bug.cgi?id=749376 .

> Is anyone aware of any clear guidance for configuring NM's behaviour
> when seeking to use VPN for default routing and DNS safe connections?
>
> I've had further issues with NetworkManager SSH VPN configuration.
>
> I would like to be able to link my VPN configuration to the
> underlying network adapters on my machine, so that regardless of
> which Wireless SSID or ethernet connection is activated the VPN
> connection is automatically and subsequently brought up and down as
> required. Right now, this is a manual process for me.

A VPN connection can be set as "secondary" of another connection. See
https://developer.gnome.org/NetworkManager/stable/nm-settings.html#nm-settings.property.connection.secondaries

Another option might be to write a dispatcher script. See
https://developer.gnome.org/NetworkManager/stable/NetworkManager.html#id-1.2.10.6

best,
Thomas
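The dispatcher-script option Thomas mentions, as an added example that is not part of the thread and not NetworkManager's own code. NetworkManager runs every executable in /etc/NetworkManager/dispatcher.d/ as `<script> <interface> <action>` and exports the changed profile's name in CONNECTION_ID; the VPN profile name and the uplink interface list below are assumptions. The decision logic is kept in a function with no side effects so it can be exercised without a running NetworkManager.

```shell
#!/bin/sh
# Added example: dispatcher script that follows physical uplinks with a VPN.
# Install as /etc/NetworkManager/dispatcher.d/50-vpn-follow, owned by root,
# mode 0755 (NetworkManager refuses scripts that are group/world writable).
# Assumed names: the VPN profile "MyVPN" and the uplinks "wlan0 eth0".

VPN_ID="${VPN_ID:-MyVPN}"          # assumed VPN connection profile name
UPLINKS="${UPLINKS:-wlan0 eth0}"   # assumed physical uplink interfaces

# Pure decision function: given the interface and action NM passed in, print
# what should happen to the VPN ("up", "down" or "none"). No side effects, so
# the policy can be tested offline and reviewed independently of nmcli.
decide_vpn_action() {
    iface="$1"
    action="$2"
    for u in $UPLINKS; do
        if [ "$u" = "$iface" ]; then
            case "$action" in
                up)   echo up;   return 0 ;;
                down) echo down; return 0 ;;
            esac
        fi
    done
    # Anything else (vpn-up, dhcp4-change, events on other devices) is ignored.
    echo none
}

# Only act when invoked by NetworkManager with both arguments present.
if [ $# -ge 2 ]; then
    case "$(decide_vpn_action "$1" "$2")" in
        up)
            # Bring the tunnel up on top of the uplink that just came up.
            nmcli connection up id "$VPN_ID"
            ;;
        down)
            # Tear the tunnel down; ignore the error if it is already inactive.
            nmcli connection down id "$VPN_ID" 2>/dev/null || true
            ;;
    esac
fi
```

This script only automates bringing the VPN up and down; it does not by itself make the host fail closed. For the routing half of Thomas's answer, the uplink profiles still need to be configured to carry no default route (so that only the VPN profile supplies one) before relying on this, and the Qubes-style forwarding-only design discussed earlier in the thread remains the stronger option when traffic must never leave outside the tunnel.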