Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread 799
On Thu, 3 Jan 2019 at 22:35, 799  wrote:

> [...]
> The obvious question which would maybe solve the autoconnection problem is:
>
> How can I make persistent changes to the following file/s which will
> survive the AppVM reboot:
> /rw/config/NM-system-connections/qubes-uplink-eth0
> /etc/NetworkManager/system-connections/qubes-uplink-eth0
> [...]
>

I found a way to update the file
/rw/config/NM-system-connections/qubes-uplink-eth0.



1) create a new file in /home/user/qubes-uplink-eth0.new
[connection]
id=VM uplink eth0
uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
type=ethernet
permissions=
secondaries=e3ced633-e808-408c-be1b-577522e7b28a;
timestamp=1546552856

[ethernet]
mac-address-blacklist=

[ipv4]
address1=10.137.0.17/32,10.137.0.5
dns=10.139.1.1;10.139.1.2;
dns-search=
may-fail=false
method=manual

[ipv6]
addr-gen-mode=eui64
dns-search=
ip6-privacy=0
method=ignore

2) I then edited /rw/config/rc.local and added the following line:
cp /home/user/qubes-uplink-eth0.new /rw/config/NM-system-connections/qubes-uplink-eth0
rc.local will run on start of the AppVM and therefore the Network Manager
config files will be updated.

Unfortunately the VPN is still not launching automatically, as the Setting
"" is disabled, even when the config files include the settings
secondaries=...
Launching Network Manager and editing the connection "VM uplink eth0" will show
that the "Automatically connect to VPN when using this connection" is
disabled again.

If I enable the setting again no change will be done to the config files
and therefore the settings seem to be correct.
Additionally, autoconnecting the VPN is working after enabling the option
again.

Therefore I know that something is wrong, but I just don't know where to
look further :-/

- O
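
An added example, not part of the post above and not Qubes or NetworkManager code: a shell helper that could be called from /rw/config/rc.local to merge only the secondaries= key into the [connection] section of the uplink keyfile, instead of copying a whole saved file over it, and to check that the UUID it names is the one in the VPN connection's own keyfile. The function names, the sample files and the contents of the VPN keyfile are constructed for illustration; the two UUIDs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# nm_get FILE SECTION KEY: print the value of KEY inside [SECTION].
nm_get() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# nm_set_secondaries FILE UUID: put exactly one "secondaries=UUID;" line
# directly under [connection] and leave every other line as it is.
# Safe to run on every boot: a second run produces the same file.
nm_set_secondaries() {
    tmp=$(mktemp) || return 1
    awk -v line="secondaries=$2;" '
        /^\[/ {
            in_conn = ($0 == "[connection]")
            print
            if (in_conn && !done) { print line; done = 1 }
            next
        }
        in_conn && /^secondaries=/ { next }      # drop any older value
        { print }
        END { if (!done) { print ""; print "[connection]"; print line } }
    ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the owner and mode of the keyfile are kept.
    cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# nm_secondaries_match UPLINK_FILE VPN_FILE: succeed only if the uplink's
# secondaries list contains the uuid found in the VPN keyfile.
nm_secondaries_match() {
    want=$(nm_get "$2" connection uuid)
    have=$(nm_get "$1" connection secondaries)
    [ -n "$want" ] || return 2
    case ";$have" in
        *";$want;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files: the uplink file as it looks after a reboot in the
# thread (shortened), and a minimal VPN keyfile carrying the referenced UUID.
make_samples() {
    cat > "$1/uplink" <<'EOF'
[802-3-ethernet]
duplex=full

[connection]
id=VM uplink eth0
uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
type=802-3-ethernet

[ipv4]
method=manual
may-fail=false
EOF
    cat > "$1/vpn" <<'EOF'
[connection]
id=OpenVPN-ExpressVPN
uuid=e3ced633-e808-408c-be1b-577522e7b28a
type=vpn
EOF
}

d=$(mktemp -d)
make_samples "$d"
nm_secondaries_match "$d/uplink" "$d/vpn" || echo "before: uplink does not reference the VPN"
nm_set_secondaries "$d/uplink" "$(nm_get "$d/vpn" connection uuid)"
nm_secondaries_match "$d/uplink" "$d/vpn" && echo "after: secondaries=$(nm_get "$d/uplink" connection secondaries)"
rm -rf "$d"
```

NetworkManager only sees an edited keyfile once it re-reads it, for example after `nmcli connection reload`.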

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vzNxEDmoqL-jKbxTixQXh1aGGS2EAvCWFYK3K%2BAN-OWg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread 799
Hello Chris,

I have done some troubleshooting as I would like to see my VPN AppVM
automatically connect to my OpenVPN after it has been started up.

On Thu, 3 Jan 2019 at 19:55, Chris Laprise  wrote:

> I'm not sure. Probably you'd have to use Qubes 'binddirs'.
> You might want to test NM Autoconnect first, by disconnecting then
> re-connecting the virtual eth0 interface. You may encounter what we did
> (when step 4 was written): erratic behavior from NM that fails to
> reconnect the vpn.
>

I took a look at the following two files, which are identical
/rw/config/NM-system-connections/qubes-uplink-eth0
/etc/NetworkManager/system-connections/qubes-uplink-eth0

[802-3-ethernet]
duplex=full

[ethernet]
mac-address=00:16:3e:5e:6c:00

[connection]
id=VM uplink eth0
uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
type=802-3-ethernet

[ipv4]
method=manual
may-fail=false
dns=10.139.1.1;10.139.1.2
addresses1=10.137.0.17;32;10.137.0.5

[ipv6]
method=ignore

Launching Network Manager and Edit the connection "VM uplink eth0":
Tab: General
[X] Automatically connect to VPN when using this connection
OpenVPN-ExpressVPN

If I then reopen the configuration files above, the content has been
changed:

[ethernet]
mac-address=00:16:3E:5E:6C:00
mac-address-blacklist=

[connection]
id=VM uplink eth0
uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
type=ethernet

interface-name=eth0
***permissions=
***secondaries=e3ced633-e808-408c-be1b-577522e7b28a;
***timestamp=1546548963

[ipv4]
method=manual
may-fail=false
dns=10.139.1.1;10.139.1.2;
address1=10.137.0.17/32,10.137.0.5
***dns-search=

[ipv6]
method=ignore
***addr-gen-mode=eui64
***dns-search=
***ip6-privacy=0

Lines marked with *** have been added after applying the change
(Autoconnect ...) in Network Manager.

I think the most important line is this one under [connection]:
secondaries=e3ced633-e808-408c-be1b-577522e7b28a;

As mentioned already this line refers to the UUID of the
OpenVPN-NetworkManager-config file which seems to be launched after the 1st
connection has been established.

As soon as I restart the VPN AppVM will reconnect the eth0 interface, but
NOT automatically initialize the OpenVPN connection.
I have to manually enable the VPN connection and the connection will be
established.
The changes to the config file stated above are lost and the config file
looks again like this:

cat /rw/config/NM-system-connections/qubes-uplink-eth0

[802-3-ethernet]
duplex=full

[ethernet]
mac-address=00:16:3e:5e:6c:00

[connection]
id=VM uplink eth0
uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
type=802-3-ethernet

[ipv4]
method=manual
may-fail=false
dns=10.139.1.1;10.139.1.2
addresses1=10.137.0.17;32;10.137.0.5

[ipv6]
method=ignore


The obvious question which would maybe solve the autoconnection problem is:

How can I make persistent changes to the following file/s which will
survive the AppVM reboot:
/rw/config/NM-system-connections/qubes-uplink-eth0
/etc/NetworkManager/system-connections/qubes-uplink-eth0

I tried to edit the file via ...
vi /rw/config/NM-system-connections/qubes-uplink-eth0
.. and got the following error message:

E325: ATTENTION
Found a swap file by the name
"/rw/config/NM-system-connections/.qubes-uplink-eth0.swp"
  owned by: root   dated: Thu Jan  3 01:48:00 2019
 file name: /rw/config/NM-system-connections/qubes-uplink-eth0
  modified: YES
 user name: root   host name: sys-vpn
process ID: 3232
While opening file "/rw/config/NM-system-connections/qubes-uplink-eth0"
 dated: Thu Jan  3 22:19:37 2019
  NEWER than swap file!

(1) Another program may be editing the same file.  If this is the case,
be careful not to end up with two different instances of the same
file when making changes.  Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r
/rw/config/NM-system-connections/qubes-uplink-eth0"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file
"/rw/config/NM-system-connections/.qubes-uplink-eth0.swp"
to avoid this message.
"/rw/config/NM-system-connections/qubes-uplink-eth0" 18L, 286C

- O



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread Stuart Perkins



On Thu, 3 Jan 2019 19:24:31 +0100
799  wrote:

>Hello Stuart,
>
>On Thu, 3 Jan 2019 at 15:36, Stuart Perkins 
>wrote:
>
>> [...]
>> have an appVM which I use to connect via openconnect to a client's Cisco
>> VPN.  I installed the openconnect connection in that specific
>> appVM...program in the general template, but connection configuration only
>> in that appVM.
>> [...]
>>
>
>very interesting...
>... working within IT I also have the same need to connect to our office
>from outside and also to certain customers (who are also using Cisco gear)
>I have been able to install Cisco AnyConnect in a fedora-28-work template
>and have created AppVMs from it, which I use to connect via Cisco
>Anyconnect.
>Unfortunately I have been unable to create something like a Proxy VM.
>Do you mind sharing your setup how you're using OpenConnect to connect to
>Cisco VPNs?
>
>- O.

I execute open connect with a command of the form...

sudo /usr/sbin/openconnect "client's vpn server domain...'xx.yyy.com'" --config ~/Client.conf

The only thing in the Client.conf file is authgroup and user, authgroup being 
the AD domain and user being my login network id.  

authgroup=DOMAIN-name
user=user-AD-id

I give my AD password when prompted and the shell stays active running the 
connection.  This allows me to connect where I used to have to use the Cisco 
VPN client under windows.  I close the connection with "ctrl-c" in the terminal 
window.  I've done this for years.



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread Chris Laprise

On 01/03/2019 01:43 PM, 799 wrote:

> Hello Chris,
>
> thanks for your answer.
>
> On Thu, 3 Jan 2019 at 03:55, Chris Laprise wrote:
>
>>> I thought I found out how to have OpenVPN auto-connect after the sys-vpn
>>> AppVM has launched:
>>>
>>> 1) right click in on the network manager applet icon of the sys-vpn AppVM
>>> 2) edit connections
>>> 3) Choose the ethernet (NOT the VPN connection) and then preferences
>>> 4) 1st Tab "General" choose "Automatically connect to VPN when using
>>> this connection"
>>> and choose the ExpressVPN connection here.
>>>
>>> As far as I understand this makes it unnecessary to run step 4 from the
>>> Qubes VPN howto.
>>
>> Actually IIRC step 4 was added because NM also has (or had) a bug in its
>> automatic VPN startup.
>
> As mentioned enabling the option "Automatically Connect to VPN..." is
> not persistent between rebooting the AppVM.
> I have done some research and found out that if I enable this setting
> the following file will be changed:
>
> /etc/NetworkManager/system-connections/qubes-uplink-eth0
>
> Under the section [connection] you will find a new line which says:
> secondaries=UUID;
>
> This UUID is referencing to the UUID in the OpenVPN Connection file.
> If I reboot the AppVM the change is not persistent.
>
> The line is also present in
> /rw/config/NM-system-connections/qubes-uplink-eth0
>
> What do I need to do, so that this change will survive a reboot?


I'm not sure. Probably you'd have to use Qubes 'binddirs'.

You might want to test NM Autoconnect first, by disconnecting then 
re-connecting the virtual eth0 interface. You may encounter what we did 
(when step 4 was written): erratic behavior from NM that fails to 
reconnect the vpn.



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread 799
Hello Chris,

thanks for your answer.

On Thu, 3 Jan 2019 at 03:55, Chris Laprise  wrote:

> > I thought I found out how to have OpenVPN auto-connect after the sys-vpn
> > AppVM has launched:
> >
> > 1) right click in on the network manager applet icon of the sys-vpn AppVM
> > 2) edit connections
> > 3) Choose the ethernet (NOT the VPN connection) and then preferences
> > 4) 1st Tab "General" choose "Automatically connect to VPN when using
> > this connection"
> > and choose the ExpressVPN connection here.
> >
> > As far as I understand this makes it unnecessary to run step 4 from the
> > Qubes VPN howto.
>
> Actually IIRC step 4 was added because NM also has (or had) a bug in its
> automatic VPN startup.
>

As mentioned enabling the option "Automatically Connect to VPN..." is not
persistent between rebooting the AppVM.
I have done some research and found out that if I enable this setting the
following file will be changed:
/etc/NetworkManager/system-connections/qubes-uplink-eth0

Under the section [connection] you will find a new line which says:
secondaries=UUID;

This UUID is referencing to the UUID in the OpenVPN Connection file.
If I reboot the AppVM the change is not persistent.

The line is also present in
/rw/config/NM-system-connections/qubes-uplink-eth0

What do I need to do, so that this change will survive a reboot?


> > Only step 5 ("Make the network fail-close for the AppVMs if the
> > connection to the VPN breaks") is then needed.
> Recommended.
>

and implemented :-)

[...]
> Under various circumstances, your vpn vm could behave like sys-firewall
> when the vpn connection stops. In such cases, traffic could pass through
> without encryption. The best blanket policy to stop any chance of that
> happening is in step 5.
>

ok, thanks for the clarification.

- O



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread 799
Hello Stuart,

On Thu, 3 Jan 2019 at 15:36, Stuart Perkins 
wrote:

> [...]
> have an appVM which I use to connect via openconnect to a client's Cisco
> VPN.  I installed the openconnect connection in that specific
> appVM...program in the general template, but connection configuration only
> in that appVM.
> [...]
>

very interesting...
... working within IT I also have the same need to connect to our office
from outside and also to certain customers (who are also using Cisco gear)
I have been able to install Cisco AnyConnect in a fedora-28-work template
and have created AppVMs from it, which I use to connect via Cisco
Anyconnect.
Unfortunately I have been unable to create something like a Proxy VM.
Do you mind sharing your setup how you're using OpenConnect to connect to
Cisco VPNs?

- O.



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread Stuart Perkins
On Wed, 2 Jan 2019 22:28:25 +0100
799  wrote:

>Hello,
>
>I'm trying to setup ExpressVPN with Qubes.
>In their howto the suggestion is to install the Expressway Client in the
>sys-net VM.
>But I'd like to use an own AppVM so that I am more flexible and I can
>choose that only certain AppVM will use the expressvpn as netvm.
>
>What I did so far:
>1) clone the template I am also using for my sys-firewall to a new template
>which has qvm-prefs set to netvm True
>
>2) installed expressvpn client app in this template, described here:
>https://www.expressvpn.com/de/support/vpn-setup/app-for-qubes-os/
>
>3) Created an AppVM from this new template and run through the setup
>expressvpn connected successfully
>
>4) I then created a normal appvm and choose the expressvpn AppVm as netvm.
>
>but unfortunately this AppVM is unable to connect to the internet, even
>when expressvpn netvm is connected.
>
>Setup is:
>
>sys-net (netvm)*  <-- sys-expressvpn (netvm)** <-- AppVM***
>
>* and ** = can connect to the internet
>*** = no internet connection
>
>Am I missing something?
>
>- O
>

I have a similar need.  Using Qubes 3.2, Fedora 28 and Debian 9 templates.

I have an appVM which I use to connect via openconnect to a client's Cisco VPN. 
 I installed the openconnect connection in that specific appVM...program in the 
general template, but connection configuration only in that appVM.

I also have a need to VPN into my home network in order to gather my e-mails 
via pop3 and/or imap access.  I have a few G-mail addresses and they like to 
"block" access from "new" ip addresses.  I also maintain my home system from 
wherever I find myself, which entails updating a Drupal installation and 
maintaining two Debian 9 VM's (one for the Drupal site and one for openvpn into 
my network), an old XP VM (monitors my solar electric system) and the Debian 9 
"server" (actually an old Dell laptop).  

Initially, I setup a proxyVM to use for the home VPN and defined it as the 
network VM for my mail appVM and had sys-firewall as its net VM.  I have since 
simply added the home VPN connection script and config to the mail appVM, and 
openvpn client to the template.  This allows me to connect my mail appVM to my 
home VPN and my client specific appVM to my client's Cisco VPN independently 
and simultaneously. Both the client specific appVM and the mail appVM use 
sys-firewall as their net VM.

The biggest issue is various default installed network management systems 
lunching DNS.  I disable avahi services to get around that.

Stuart



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread Chris Laprise

On 01/02/2019 07:44 PM, 799 wrote:


> On Thu, 3 Jan 2019 at 01:19, Chris Laprise wrote:
>
>> Hmmm, that 3.x language should be changed in the doc. Where it says
>> "proxyVM", that simply means "appVM with provides network" in Qubes 4.0.
>
> I thought I found out how to have OpenVPN auto-connect after the sys-vpn
> AppVM has launched:
>
> 1) right click in on the network manager applet icon of the sys-vpn AppVM
> 2) edit connections
> 3) Choose the ethernet (NOT the VPN connection) and then preferences
> 4) 1st Tab "General" choose "Automatically connect to VPN when using
> this connection"
> and choose the ExpressVPN connection here.
>
> As far as I understand this makes it unnecessary to run step 4 from the
> Qubes VPN howto.

Actually IIRC step 4 was added because NM also has (or had) a bug in its
automatic VPN startup.

> Only step 5 ("Make the network fail-close for the AppVMs if the
> connection to the VPN breaks") is then needed.

Recommended.

> I also tested this by closing and restarting sys-vpn but it seems that
> enabling this option "automatically connect to VPN" doesn't survive
> reboots of the AppVM.
> I guess that this setting has also to be placed in the network manager
> config file for the ethernet connection which is placed in
> /rw/config/NM-system-connections/qubes-uplink-eth0
> but I don't know the right options to write into the file yet.
>
>> You're right there is a kind of forwarding (via dnat) issue to take care
>> of, however that and anti-leak are what the vpn doc and
>> Qubes-vpn-support were created for. The latter (which is my own project)
>> has only 4 basic steps with no editing necessary.
>>
>> BTW, the expressvpn app doesn't deal with the Qubes forwarding issue, so
>> you can be sure it doesn't address security fully either. That is a
>> recipe for leaking unencrypted packets.
>
> I think I do not fully understand what this means? If I disable the VPN
> connection in sys-vpn my AppVMs which are using this VM as netvm can't
> connect to the network and this should mean that no leakage should
> happen correctly (and all traffic goes through the VPN).
> Additionally I am using browser plugins like https everywhere and
> disable unencrypted connections.

Under various circumstances, your vpn vm could behave like sys-firewall
when the vpn connection stops. In such cases, traffic could pass through
without encryption. The best blanket policy to stop any chance of that
happening is in step 5.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
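
An added example, not part of the message above and not taken from the Qubes VPN howto: a check, run over `iptables -S FORWARD` output, that a VPN VM is fail-closed in the sense discussed here. It assumes fail-close is done with DROP rules on forwarding through the uplink interface eth0 (the thread names step 5 but does not quote its rules); the function name and both rule listings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. failclose_ok is a hypothetical name.

# failclose_ok IFACE: reads `iptables -S FORWARD` output on stdin.
# Succeeds only if unconditional DROP rules for both "-i IFACE" and
# "-o IFACE" come before any rule that could accept forwarded packets or
# hand them to another chain. Rule order matters: a DROP that sits after an
# ACCEPT never sees the packets the ACCEPT already let through.
failclose_ok() {
    awk -v ifc="$1" '
        $1 != "-A" || $2 != "FORWARD" { next }     # skip policy and other chains
        {
            target = ""; in_if = ""; out_if = ""; extra = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" || $i == "-g") { target = $(i + 1); i++ }
                else if ($i == "-i")          { in_if  = $(i + 1); i++ }
                else if ($i == "-o")          { out_if = $(i + 1); i++ }
                else extra = 1      # any other match (or "!") narrows the rule
            }
            if (target == "DROP" && !extra) {
                if (in_if == ifc && out_if == "") drop_in = 1
                if (out_if == ifc && in_if == "") drop_out = 1
                if (in_if == "" && out_if == "") drop_in = drop_out = 1
                next
            }
            # A non-dropping rule reached before both directions are blocked
            # is treated as a possible leak path.
            if (target != "DROP" && target != "REJECT" && !(drop_in && drop_out)) {
                leak = 1
                exit
            }
        }
        END { exit !(drop_in && drop_out && !leak) }
    '
}

# Constructed listing: DROP rules inserted at the top of the chain.
sample_failclosed() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP
EOF
}

# Constructed listing: the same DROP rules appended after the ACCEPT rules,
# so downstream VMs are still forwarded out eth0 when the tunnel is down.
sample_appended() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -j DROP
EOF
}

for s in sample_failclosed sample_appended; do
    if $s | failclose_ok eth0; then
        echo "$s: forwarding via eth0 is blocked"
    else
        echo "$s: forwarded traffic can bypass the VPN"
    fi
done
```

On a running VPN VM the same function can be fed live rules with `iptables -S FORWARD | failclose_ok eth0`, run as root.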



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread 799
On Thu, 3 Jan 2019 at 01:19, Chris Laprise  wrote:

> Hmmm, that 3.x language should be changed in the doc. Where it says
> "proxyVM", that simply means "appVM with provides network" in Qubes 4.0.
>

I thought I found out how to have OpenVPN auto-connect after the sys-vpn
AppVM has launched:

1) right click in on the network manager applet icon of the sys-vpn AppVM
2) edit connections
3) Choose the ethernet (NOT the VPN connection) and then preferences
4) 1st Tab "General" choose "Automatically connect to VPN when using this
connection"
and choose the ExpressVPN connection here.

As far as I understand this makes it unnecessary to run step 4 from the
Qubes VPN howto.
Only step 5 ("Make the network fail-close for the AppVMs if the connection
to the VPN breaks") is then needed.
I also tested this by closing and restarting sys-vpn but it seems that
enabling this option "automatically connect to VPN" doesn't survive reboots
of the AppVM.
I guess that this setting has also to be placed in the network manager
config file for the ethernet connection which is placed in
/rw/config/NM-system-connections/qubes-uplink-eth0
but I don't know the right options to write into the file yet.

> You're right there is a kind of forwarding (via dnat) issue to take care
> of, however that and anti-leak are what the vpn doc and
> Qubes-vpn-support were created for. The latter (which is my own project)
> has only 4 basic steps with no editing necessary.
>
> BTW, the expressvpn app doesn't deal with the Qubes forwarding issue, so
> you can be sure it doesn't address security fully either. That is a
> recipe for leaking unencrypted packets.
>

I think I do not fully understand what this means? If I disable the VPN
connection in sys-vpn my AppVMs which are using this VM as netvm can't
connect to the network and this should mean that no leakage should happen
correctly (and all traffic goes through the VPN).
Additionally I am using browser plugins like https everywhere and disable
unencrypted connections.

- O



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread Chris Laprise

On 01/02/2019 05:46 PM, 799 wrote:

> The other problem I have is that this site in the Qubes Docs:
> https://www.qubes-os.org/doc/vpn/
> ... is not that easy to understand as I don't have the option to choose
> a "Proxy VM" in Qubes 4.

Hmmm, that 3.x language should be changed in the doc. Where it says
"proxyVM", that simply means "appVM with provides network" in Qubes 4.0.


You're right there is a kind of forwarding (via dnat) issue to take care 
of, however that and anti-leak are what the vpn doc and 
Qubes-vpn-support were created for. The latter (which is my own project) 
has only 4 basic steps with no editing necessary.


BTW, the expressvpn app doesn't deal with the Qubes forwarding issue, so 
you can be sure it doesn't address security fully either. That is a 
recipe for leaking unencrypted packets.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread 799
Hello,

On Wed, 2 Jan 2019 at 23:46, 799  wrote:

> [...]
> I am willing to write a more Qubes 4 targeted howto if I get it working and
> maybe even with the focus how to configure VPN services like ExpressVPN /
> Private Internet Access or others as this might be a common task (to have
> some AppVms routing traffic via a VPN service).
> [...]
>

after some trial and error I have been able to get everything running.
Thank you Chris for pointing me in the right direction and use OpenVPN
instead of the ExpressVPN Client.

If someone is interested how to setup ExpressVPN in Qubes and use an own
"expressvpn-NetVM" to which other AppVMs can connect to, I had to run the
following steps:

1) Install network-manager-openvpn and network-manager-openvpn-gnome in the
VPN Template VM.
I have chosen to use a fedora-28-minimal template named t-fedora-28-sys
which has all packages installed for my sys-* AppVMs and the new sys-vpn VM.

2) Create a new VPN AppVM (I named it sys-vpn) which is based on this
template.
enable "This VM provides Networking" or qvm-prefs --set sys-vpn provides_network True

3) Launch  "Network Connections" and in the NM Applet icon choose "VPN
Connections", then Configure VPN

4) Login into your expressvpn account and go to manual install
https://www.expressvpn.com/setup#manual
Download the OpenVPN Config file and get your username and password from
the right sidebar.

5) qvm-copy the OpenVPN config file to your sys-vpn AppVM and import it
into the OpenVPN Plugin (window from step 3)
make sure to use a name without blanks for this VPN connection so that you
don't run into problems when you reference to the config file later.

6) Add the credentials from your express vpn account into User Name /
Password (and User key password).
Not sure if it has to be in both password location, but this is how I did
it.

7) Click on the small Icon on the right in the password field and make sure
to choose "store the password for all users" in both password fields.

8) run the steps 4) and 5) which are described in the Qubes VPN howto here:
Set up a ProxyVM as a VPN gateway using NetworkManager
https://www.qubes-os.org/doc/vpn/

9) You need to edit those files via vi in a root-terminal in the sys-vpn
AppVM.
qvm-run --user root sys-vpn xterm
The file which is named "file-vpn-conn" in the howto is the OpenVPN config
file which has been autogenerated after importing the OpenVPN config file
in step 5.
In my case ExpressVPN-Frankfurt

Hint:
It can take a few seconds until an AppVM which has the sys-vpn as netvm
gets its initial network connection.
if you run into problems, maybe restart both VMs.

If you have further questions feel free to mail me, maybe I'll add more
information if this is not enough and upload it to the qubes documentation
repository.

ONE PROBLEM:
The OpenVPN connection will not start automatically after launching my
sys-vpn AppVM.
according to the qubes docs this should work as described in step 4 here:
https://www.qubes-os.org/doc/vpn/

Any idea how I can force the OpenVPN connection to happen?

- O



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread 799
The other problem I have is that this site in the Qubes Docs:
https://www.qubes-os.org/doc/vpn/
... is not that easy to understand as I don't have the option to choose a
"Proxy VM" in Qubes 4.
I am willing to write a more Qubes 4 targeted howto if I get it working and
maybe even with the focus how to configure VPN services like ExpressVPN /
Private Internet Access or others as this might be a common task (to have
some AppVms routing traffic via a VPN service).

- O

On Wed, 2 Jan 2019 at 23:40, 799  wrote:

>
>
> On Wed, 2 Jan 2019 at 23:14, Chris Laprise  wrote:
>
>>
>> They don't seem to have understood Qubes security model. I don't blame
>> you for wanting a different setup
>
>
> glad that you have the same understanding which I had after reading the
> howto ;-)
>
>> .
>>
>> > But I'd like to use an own AppVM so that I am more flexible and I can
>> > choose that only certain AppVM will use the expressvpn as netvm.
>> >
>> > What I did so far:
>> > 1) clone the template I am also using for my sys-firewall to a new template
>> > which has qvm-prefs set to netvm True
>>
>> It's not clear to me what you're trying to do here. In most cases, you
>> would create a new appVM with "provides network" checked and use that to
>> run VPN software. Prefs for a template wouldn't have a bearing on the
>> appVM.
>>
>> If their homebrew app doesn't work out, I would download their config
>> file and use it with Qubes-vpn-support:
>>
>> https://www.expressvpn.com/support/vpn-setup/manual-config-for-linux-with-openvpn/#download
>> https://github.com/tasket/Qubes-vpn-support/
>> That is probably the most secure option.
>>
>
> as mentioned my "VPN" AppVM is working and can connect to the internet.
> Just for a test I have installed firefox in the new "VPN" AppVm to test if
> this is working.
> The problem which I have is that even when this VM is set as NetVM via:
> qvm-prefs --set sys-vpn provides_network True
> ... the other AppVM which has the "VPN" AppVM set as netvm can't connect
> to the web.
> I had the same problem when I tried to setup a VPN VM which used Cisco
> AnyConnect to connect to our corporate LAN.
>
>
>> As an alternative, you could try the first section of Qubes VPN doc
>> (Network Manager) and combine it with expressvpn's Network Manager
>> instructions. This also involves creating an appVM with "provides
>> network" checked, and then enabling NM for it.
>>
>
> Maybe this is an option which would leave the ExpressVPN out of the
> equation but as mentioned, as the VPN VM has network connectivity I think
> that there is some kind of forwarding problem.
> The "VPN" AppVM has already IP forwarding enabled:
>
> # sysctl -w net.ipv4.ip_forward=1
> net.ipv4.ip_forward = 1
>
> Therefore I am currently stuck ... is there a way to disable the firewall
> which is running in an AppVM?
> I tried systemctl disable|stop firewalld|iptables but nothing worked.
>
> - O.
>



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread 799
On Wed, 2 Jan 2019 at 23:14, Chris Laprise  wrote:

>
> They don't seem to have understood Qubes security model. I don't blame
> you for wanting a different setup


glad that you have the same understanding which I had after reading the
howto ;-)

> .
>
> > But I'd like to use an own AppVM so that I am more flexible and I can
> > choose that only certain AppVM will use the expressvpn as netvm.
> >
> > What I did so far:
> > 1) clone the template I am also using for my sys-firewall to a new template
> > which has qvm-prefs set to netvm True
>
> It's not clear to me what you're trying to do here. In most cases, you
> would create a new appVM with "provides network" checked and use that to
> run VPN software. Prefs for a template wouldn't have a bearing on the
> appVM.
>
> If their homebrew app doesn't work out, I would download their config
> file and use it with Qubes-vpn-support:
>
> https://www.expressvpn.com/support/vpn-setup/manual-config-for-linux-with-openvpn/#download
> https://github.com/tasket/Qubes-vpn-support/
> That is probably the most secure option.
>

as mentioned my "VPN" AppVM is working and can connect to the internet.
Just for a test I have installed Firefox in the new "VPN" AppVM to test if
this is working.
The problem which I have is that even when this VM is set as NetVM via:
qvm-prefs --set sys-vpn provides_network True
... the other AppVM which has the "VPN" AppVM set as netvm can't connect to
the web.
I had the same problem when I tried to set up a VPN VM which used Cisco
AnyConnect to connect to our corporate LAN.


> As an alternative, you could try the first section of Qubes VPN doc
> (Network Manager) and combine it with expressvpn's Network Manager
> instructions. This also involves creating an appVM with "provides
> network" checked, and then enabling NM for it.
>

Maybe this is an option which would leave the ExpressVPN out of the
equation but as mentioned, as the VPN VM has network connectivity I think
that there is some kind of forwarding problem.
The "VPN" AppVM has already IP forwarding enabled:

# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Therefore I am currently stuck ... is there a way to disable the firewall
which is running in an AppVM?
I tried systemctl disable|stop firewalld|iptables but nothing worked.

- O.
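
Rather than switching the firewall off in a VPN qube, one can check which FORWARD rule a new packet from a downstream qube actually hits. The following is an added example, not part of the original message or of Qubes itself: a small POSIX shell evaluator run over a constructed `iptables -S FORWARD` listing. The listing, the interface names (vif5.0, tun0) and the function names are assumptions.

```shell
# Constructed sample of `iptables -S FORWARD` output for a VPN qube (not from
# the thread); eth0 = uplink to sys-net, vif+ = downstream qubes.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP'

# iface_match PATTERN NAME: trailing "+" is a wildcard, empty pattern matches all.
iface_match() {
    case "$1" in
        "") return 0 ;;
        *+) case "$2" in "${1%+}"*) return 0 ;; esac; return 1 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# first_verdict RULES IN_IF OUT_IF: verdict for a NEW forwarded packet.
# Assumptions: negated matches ("! -i") do not occur, and jumps to
# user-defined chains are treated as non-terminal and not followed.
first_verdict() {
    rules=$1 in_if=$2 out_if=$3 policy=ACCEPT
    while read -r flag chain rest; do
        if [ "$flag" = "-P" ]; then policy=$rest; continue; fi
        [ "$flag" = "-A" ] || continue
        i="" o="" target="" skip=no
        set -f; set -- $rest; set +f
        while [ $# -gt 0 ]; do
            case "$1" in
                -i) i=$2; shift ;;
                -o) o=$2; shift ;;
                -j) target=$2; shift ;;
                --ctstate) case "$2" in *NEW*) ;; *) skip=yes ;; esac; shift ;;
            esac
            shift
        done
        [ "$skip" = yes ] && continue   # RELATED,ESTABLISHED never matches NEW
        iface_match "$i" "$in_if" && iface_match "$o" "$out_if" || continue
        case "$target" in ACCEPT|DROP|REJECT) echo "$target"; return 0 ;; esac
    done <<EOF
$rules
EOF
    echo "$policy"   # no terminal rule matched: chain policy applies
}

echo "vif5.0 -> tun0: $(first_verdict "$SAMPLE_RULES" vif5.0 tun0)"
```

To use it on a real qube, pass the output of `iptables -S FORWARD` from the VPN qube in place of the sample; a DROP for vif to eth0 combined with an ACCEPT for vif to the tunnel interface means forwarding is allowed only through the VPN.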



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread Chris Laprise

On 01/02/2019 04:28 PM, 799 wrote:

> Hello,
>
> I'm trying to set up ExpressVPN with Qubes.
> In their howto the suggestion is to install the Expressway Client in the
> sys-net VM.

They don't seem to have understood Qubes security model. I don't blame
you for wanting a different setup.

> But I'd like to use an own AppVM so that I am more flexible and I can
> choose that only certain AppVM will use the expressvpn as netvm.
>
> What I did so far:
> 1) clone the template I am also using for my sys-firewall to a new template
> which has qvm-prefs set to netvm True

It's not clear to me what you're trying to do here. In most cases, you
would create a new appVM with "provides network" checked and use that to
run VPN software. Prefs for a template wouldn't have a bearing on the appVM.

> 2) installed expressvpn client app in this template, described here:
> https://www.expressvpn.com/de/support/vpn-setup/app-for-qubes-os/
>
> 3) Created an AppVM from this new template and run through the setup
> expressvpn connected successfully
>
> 4) I then created a normal appvm and choose the expressvpn AppVM as netvm.
>
> but unfortunately this AppVM is unable to connect to the internet, even
> when expressvpn netvm is connected.
>
> Setup is:
>
> sys-net (netvm)*  <-- sys-expressvpn (netvm)** <-- AppVM***
>
> * and ** = can connect to the internet
> *** = no internet connection
>
> Am I missing something?

If their homebrew app doesn't work out, I would download their config
file and use it with Qubes-vpn-support:

https://www.expressvpn.com/support/vpn-setup/manual-config-for-linux-with-openvpn/#download

https://github.com/tasket/Qubes-vpn-support/

That is probably the most secure option.

As an alternative, you could try the first section of Qubes VPN doc
(Network Manager) and combine it with expressvpn's Network Manager
instructions. This also involves creating an appVM with "provides
network" checked, and then enabling NM for it.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] Help setting up a expressvpn proxy VM

2019-01-02 Thread 799
Hello,

I'm trying to set up ExpressVPN with Qubes.
In their howto the suggestion is to install the Expressway Client in the
sys-net VM.
But I'd like to use an own AppVM so that I am more flexible and I can
choose that only certain AppVM will use the expressvpn as netvm.

What I did so far:
1) clone the template I am also using for my sys-firewall to a new template
which has qvm-prefs set to netvm True

2) installed expressvpn client app in this template, described here:
https://www.expressvpn.com/de/support/vpn-setup/app-for-qubes-os/

3) Created an AppVM from this new template and run through the setup
expressvpn connected successfully

4) I then created a normal appvm and choose the expressvpn AppVM as netvm.

but unfortunately this AppVM is unable to connect to the internet, even
when expressvpn netvm is connected.

Setup is:

sys-net (netvm)*  <-- sys-expressvpn (netvm)** <-- AppVM***

* and ** = can connect to the internet
*** = no internet connection

Am I missing something?

- O
