The VPN avalibel in Qubes


27casa...@gmail.com

Aug 12, 2019, 5:46:39 PM
to qubes-users
Hi, how good is the VPN that can be set up in Qubes?

Any point in downloading a vpn when using Qubes? And in that case why?

27casa...@gmail.com

Aug 12, 2019, 5:51:02 PM
to qubes-users
This is independent of Tor. I just realised that some kind of VPN can be set up when making a new VM.

I guess it uses whonix gateway independent of Tor?

Chris Laprise

Aug 13, 2019, 5:10:30 PM
to 27casa...@gmail.com, qubes-users
On 8/12/19 5:51 PM, 27casa...@gmail.com wrote:
> This is independent of Tor. I just realised that some kind of VPN can be set up when making a new VM.
>
> I guess it uses whonix gateway independent of Tor?
>

The easiest & most comprehensive/secure VPN config for Qubes is here:

https://github.com/tasket/Qubes-vpn-support

You can also try your luck with the VPN instructions on the Qubes
website, but it's more manual work (even if you use Network Manager) for
less results.

All of these involve setting up a dedicated VM for the VPN. You can
chain such a VPN either before or after sys-whonix.

OTOH, Whonix has some instructions on configuring a VPN inside
sys-whonix. I'm not familiar with it, so I'll leave it there.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

799

Aug 16, 2019, 10:35:57 PM
to Chris Laprise, qubes-users
Hello Chris,

Chris Laprise <tas...@posteo.net> wrote on Tue, 13 Aug 2019, 23:10:
> (...)
>
> The easiest & most comprehensive/secure VPN config for Qubes is here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> You can also try your luck with the VPN instructions on the Qubes
> website, but it's more manual work (even if you use Network Manager) for
> less results.

I just tried your script and installation was straightforward.
Very nice work, thanks for sharing.

Should be included in Qubes by default or at least be highlighted in bold in the Qubes docs:

I'll also take a look into your other scripts ;-)

[799]

799

Aug 17, 2019, 9:35:10 PM
to Chris Laprise, qubes-users
Hello Chris,

On Sat, 17 Aug 2019 at 04:35, 799 <one7...@gmail.com> wrote:
> Chris Laprise <tas...@posteo.net> wrote on Tue, 13 Aug 2019, 23:10:
> (...)
>> The easiest & most comprehensive/secure VPN config for Qubes is here:
>>
>> https://github.com/tasket/Qubes-vpn-support
> [...]

I thought about a way to simplify the installation of your VPN-Script & the deployment of a VPN-Proxy VPN even further.
My Qubes-Installation & configuration is all done by scripts which I start from dom0, this allows to rebuild my complete Qubes system without much work.

I have written a scripted install, which is building a VPN-ProxyVM based on my own sys-template for sys-net / sys-usb / sys-firewall (which is itself based on a  fedora-29-minimal template).

All steps to build the vpn-proxy VPN including configuration for privateinternetaccess.com are done through the script. Only one step has to be done manually:

Adding vpn-handler-openvpn to the Qubes Setting / Services Tab.

QUESTION:
I know that this can also be done via dom0 CLI, but I am missing the right command.
Can someone help?

[799]

PS: This is the script, which will build the VPN-ProxyVM.
(Hint: I like to keep my templates small and therefore packages which I only need during setup will be installed in the AppVM (and be lost on reboot). In this case git/unzip/wget are only used to setup everything - they're not needed for running the ProxyVPN):

---- start ----
Template=t-fedora-29-sys
AppVM=sys-vpn2

qvm-create --template=$Template --label=blue $AppVM

qvm-prefs --set $AppVM provides_network True

qvm-run --auto --pass-io --no-gui --user root $AppVM \
  'dnf install -y git wget unzip && \
  mkdir -p /rw/config/vpn && \
  cd /root && \
  git clone https://github.com/tasket/Qubes-vpn-support.git && \
  cd Qubes-vpn-support && \
  bash ./install'

# Link to your favorite VPN entry point; here I am using Switzerland.
# (Kept outside the quoted command: a comment inside the && chain would
# swallow the ln step, and an apostrophe would end the quoting early.)
qvm-run --auto --pass-io --no-gui --user root $AppVM \
  'cd /rw/config/vpn && \
  wget https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip && \
  unzip openvpn-ip.zip && \
  ln -s Switzerland.ovpn vpn-client.conf'

qvm-shutdown --wait $AppVM

# MANUAL step (at the moment):
# Add "vpn-handler-openvpn" to the Settings > Services Tab

qvm-start $AppVM
---- end ----

As mentioned above the AppVM is based on my own sys-template named t-fedora-29-minimal.
If you want to rebuild, this is how you build this template from dom0.
(It can be used for sys-net / sys-firewall / sys-usb):

---- start ----
template=fedora-29-minimal
systemplate=t-fedora-29-sys

#remove old template
qvm-kill $systemplate
qvm-remove -f $systemplate

#clone template
qvm-clone $template $systemplate
# update template
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf update -y'

# install a missing package for fedora-29-minimal
# without it, gui-apps will not start
# not needed in the latest fedora-29-minimal template (after april 2019)
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf install -y e2fsprogs'

# Install required packages for Sys-VMs
# Hint: you might need to add your own wifi-firmware-drivers here instead of iwl6000g2a...
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install qubes-core-agent-qrexec qubes-core-agent-systemd \
  qubes-core-agent-networking polkit qubes-core-agent-network-manager \
  notification-daemon qubes-core-agent-dom0-updates qubes-usb-proxy \
  iwl6000g2a-firmware qubes-input-proxy-sender iproute iputils \
  NetworkManager-openvpn NetworkManager-openvpn-gnome \
  NetworkManager-wwan NetworkManager-wifi network-manager-applet'

# Optional packages you might want to install in the sys-template:
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install nano less pciutils xclip'

# Set new template as template for sys-vms
qvm-shutdown --all --wait --timeout 120
qvm-prefs --set sys-usb template $systemplate
qvm-prefs --set sys-net template $systemplate
qvm-prefs --set sys-firewall template $systemplate
---- end ----

m...@militant.dk

Aug 18, 2019, 2:33:41 AM
to qubes-users
On Monday, 12 August 2019 at 23:46:39 UTC+2, 27casa...@gmail.com wrote:
> Hi, how good is the VPN that can be set up in Qubes?
>
> Any point in downloading a vpn when using Qubes? And in that case why?


I use VPN for work and created this simple GUIde for Qubes 4.0:

Enjoy
Sincerely
Max

Jeffersonian American

Aug 18, 2019, 1:36:28 PM
to 799, Chris Laprise, qubes-users
Phew! From the header ( "avalibel" ) I thought someone was being accused of defamation. BTW, a very easy way to have a VPN is to download the opera installer to your AppVMs, keep it there, and then just (re)install it on boot. A big advantage of this - I think - is that you don't have to wipe your history and cookies as you have a freshly installed browser each boot-up. This is kind of cool because they keep coming up with persistent cookies and various junk they download onto our browsers. A "disposable" browser such as this creates should create another ring of security. Correct me if I'm wrong...

Chris Laprise

Aug 18, 2019, 1:46:58 PM
to 799, qubes-users
Thank you for the feedback. :)

On 8/17/19 9:34 PM, 799 wrote:
> # MANUAL step (at the moment):
> # Add "vpn-handler-openvpn" to the Settings > Services Tab

This part can be done in dom0 with:

qvm-service $AppVM vpn-handler-openvpn on
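
A post-build check for the VPN ProxyVM discussed in this thread, as an added example that is not part of any post or of Qubes-vpn-support. It assumes the Qubes 4.0 dom0 tools print `True`/`False` for `qvm-prefs VM provides_network`, the netvm name for `qvm-prefs VM netvm`, and `on`/`off` for `qvm-service VM SERVICE`; the function name `check_vpn_qube` and the client qube names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a VPN ProxyVM from dom0 after a scripted build.
# Usage: check_vpn_qube <vpn-qube> [client-qube ...]
# Returns 0 only if every check passes; failures are reported on stderr.

check_vpn_qube() {
    vm=$1
    shift
    rc=0

    # A qube that does not provide network cannot be used as a netvm.
    if [ "$(qvm-prefs "$vm" provides_network 2>/dev/null)" != "True" ]; then
        echo "FAIL: $vm has provides_network unset" >&2; rc=1
    fi

    # The service flag named in this thread (assumed output: on/off).
    if [ "$(qvm-service "$vm" vpn-handler-openvpn 2>/dev/null)" != "on" ]; then
        echo "FAIL: vpn-handler-openvpn is not enabled on $vm" >&2; rc=1
    fi

    # test -e follows symlinks, so a dangling vpn-client.conf link fails here.
    if ! qvm-run --auto --pass-io --no-gui --user root "$vm" \
        'test -e /rw/config/vpn/vpn-client.conf' </dev/null; then
        echo "FAIL: /rw/config/vpn/vpn-client.conf missing or dangling" >&2; rc=1
    fi

    # A client qube whose netvm is anything else does not use the VPN at all.
    for client in "$@"; do
        actual=$(qvm-prefs "$client" netvm 2>/dev/null)
        if [ "$actual" != "$vm" ]; then
            echo "FAIL: $client uses netvm '$actual', not $vm" >&2; rc=1
        fi
    done

    return $rc
}

# Run the checks when called as a script with arguments.
if [ "$#" -gt 0 ]; then
    check_vpn_qube "$@"
fi
```
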