Heh.... yep! (though it would be computer -> vpn -> TOR -> net)
And alternatively, on the road you may want to TOR out of the hotspot
(they don't need to see your VPN destination - especially if it is on
your home router) and then VPN on to routine business. Each works well
using the DOM0 gui.
* I built a package called Gopenvpn, which is a graphical front end for OpenVPN, not network manager:
https://github.com/dweeezil/gopenvpn
* I added these lines to /rw/config/qubes-firewall-user-script which will prevent DNS leaks:
iptables -t filter -I FORWARD 1 -o eth0 -j DROP
iptables -t filter -I FORWARD 1 -o eth1 -j DROP
* Gopen looks for config files in /etc/openvpn.
* Edit your config file appropriately
* add lines:
auth-user-pass nameofyourauth.txt
script-security 2
#route-up resolv.sh
up openvpn-setup.sh
down openvpn-set
* add lines for your certs or/and key if needed
ca nameofyour_ca.crt
tls-auth nameofyour.key 1
* Create auth.txt in /etc/openvpn
* add two lines
username
password
* Copy vpnsetup-sh to /etc/openvpn --- file was posted earlier in thread
* Copy resolv.conf to /etc/openvpn --- file was posted earlier in thread
* Gopenvpn's GUI will now show whatever available servers you configured in /etc/openvpn
* All your configs will use openvpn-setup.sh which will configure your DNS servers automatically
* All your configs will contain these lines:
script-security 2
#route-up resolv.sh
up openvpn-setup.sh
down openvpn-setup.sh
* If you want your GUI to launch and VPN connect at startup
* Download gnome-tweak-tool
* Launch and add gopenvpn.desktop (make executable) to Startup Applications
* Select auto connect option in gopenvpn GUI
Let me know if this setup works for y'all
I don't know how to edit a post on here but in my original post there was a typo on the last line. It should read
down openvpn-setup.sh
Did you do that in a template and expose your credentials to all VMs based on that??? You can provide full path to the file with password and store it in /home/user/openvpn of just one vm that doesn't run anything else.
cprise's approach of storing config files in /rw/config and copying them to /etc on start is the best practice for Qubes.
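An added example, not written by any poster in this thread: a POSIX shell lint for the client config described above. It flags a truncated hook name such as the `down openvpn-set` line and a credentials file readable by group or other. It assumes relative paths resolve against the config's directory; `check_ovpn_conf` and `make_sample` are hypothetical names.

```shell
#!/bin/sh
# Added example: lint an OpenVPN client config for the pieces this setup relies on.
# Prints one finding per line; exit status 0 means no findings.
check_ovpn_conf() {
    conf=$1; dir=$(dirname "$conf"); bad=0
    note() { echo "$1"; bad=1; }

    # The thread's configs all carry script-security 2 plus an up and a down hook.
    grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]' "$conf" ||
        note "script-security 2 not set: up/down hooks will not run"
    for hook in up down; do
        script=$(awk -v h="$hook" '$1 == h { print $2; exit }' "$conf")
        if [ -z "$script" ]; then
            note "no '$hook' hook"
            continue
        fi
        # Assumption: relative names are resolved against the config's directory.
        case $script in /*) path=$script ;; *) path=$dir/$script ;; esac
        # A truncated name such as "down openvpn-set" fails here.
        [ -x "$path" ] || note "'$hook' script missing or not executable: $script"
    done

    # Credentials file: must exist and be accessible by its owner only.
    auth=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -n "$auth" ]; then
        case $auth in /*) path=$auth ;; *) path=$dir/$auth ;; esac
        if [ ! -f "$path" ]; then
            note "auth-user-pass file not found: $auth"
        elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            note "auth-user-pass file readable by group/other: $auth"
        fi
    fi
    return $bad
}

# Constructed sample: a config with the truncated "down" line and a
# world-readable credentials file (placeholder username/password).
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'auth-user-pass auth.txt' 'script-security 2' \
        '#route-up resolv.sh' 'up openvpn-setup.sh' 'down openvpn-set' > "$d/client.conf"
    printf '#!/bin/sh\n' > "$d/openvpn-setup.sh"; chmod 755 "$d/openvpn-setup.sh"
    printf 'username\npassword\n' > "$d/auth.txt"; chmod 644 "$d/auth.txt"
    echo "$d"
}

sample=$(make_sample); check_ovpn_conf "$sample/client.conf" || true; rm -rf "$sample"
```
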
[Unit]
Description=Run user script after suspend
After=basic.target
After=suspend.target
After=hibernate.target

[Service]
User=YOURLOGIN
# X display of the logged-in user's session
Environment=DISPLAY=:0
ExecStart=/home/YOURLOGIN/bin/wakeup.sh

[Install]
WantedBy=basic.target
WantedBy=suspend.target
WantedBy=hibernate.target

#!/bin/bash
# Send SIGHUP to the OpenVPN client in the VPN VM so it restarts its connection
qvm-run YOUR-VPN-VMNAME 'sudo kill -SIGHUP `sudo cat /var/run/openvpn/openvpn-client.pid`'

systemctl enable wakeup.service
systemctl status wakeup.service
Using
https://github.com/Rudd-O/ansible-qubes/tree/master/examples/ansible
this is the formula you want: