Scenario #2
VM------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
VM-------------------sys-firewall---sys-net(Wireless and ethernet)
VM-------------------sys-firewall---sys-net(Wireless and ethernet)
Scenario #3
VM----------sys-vpn---------sys-net(Wireless and ethernet)
VM----------sys-firewall----sys-net(Ethernet only)
VM----------sys-firewall----sys-net(Wireless only)
I am looking at configuring a VPN for 3.2 and I am trying to find the best configuration and firewall settings balancing usability, flexibility and security. My questions are:
1) If sys-net is not trustworthy do these scenarios matter from a security perspective regarding sys-net? Scenario #1 I assume consumes the least resources...
2) Regarding sys-vpn firewall...do these settings in effect create a kill switch in my firewall? (I only have a URL, not the IPs):
Address= *
Service= I enter the port number from my VPN provider
Protocol= I enter UDP or TCP depending on my VPN provider's instructions?
Thanks...any dialogue, options or answers are appreciated....
Happy holiday and thanks again Qubes!
V
> Scenario #1
> VM---sys-vpn------\
>                    \
>                     \
> VM-------------------------sys-firewall---sys-net
>                     /
>                    /
> VM-----------------/
>
>
>
> Scenario #2
> VM------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
>
>
>
> Scenario #3
> VM----------sys-vpn---------sys-net(Wireless and ethernet)
> VM----------sys-firewall----sys-net(Ethernet only)
> VM----------sys-firewall----sys-net(Wireless only)
>
>
> I am looking at configuring a VPN for 3.2 and I am trying to find the best configuration and firewall settings balancing usability, efficiency and security. My questions are:
>
> 1) If sys-net is not trustworthy do these scenarios matter from a security perspective regarding sys-net? Scenario #1 I assume consumes the least resources...
>
> 2) Regarding sys-vpn firewall...do these settings in effect create a kill switch in my sys-vpn firewall? (I am only provided a URL from my VPN provider, not the IPs), firewall settings in my sys-vpn firewall:
> Address= *
> Service= I enter the port number provided by my VPN provider
> Protocol= I enter UDP or TCP depending on my VPN provider's instructions?
>
> Thanks...any dialogue, options, opinions or answers are appreciated....
Scenario 2 was supposed to depict 3 separate sys-nets, not running at the same time. Clarified as follows:
Clarified Scenario #2
a) VMa------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
b) VMb-------------------sys-firewall---sys-net(Wireless and ethernet)
c) VMc-------------------sys-firewall---sys-net(Wireless and ethernet)
If I want to get on VMa (VPN)...I would need to close all VMs in b) and c); if I wanted to get on VMb, I would need to close all VMs in a) and c), etc...pain in the butt! But is this more secure due to multiple separated sys-nets?
Scenario #3 clarified
a) VMa----------sys-vpn---------sys-net(Wireless and ethernet)
b) VMb----------sys-firewall----sys-net(Ethernet only)
c) VMc----------sys-firewall----sys-net(Wireless only)
Scenario #3 is inspired by this post (multiple sys-nets):
Multiple sys-net:
http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
...is the only benefit of this configuration that I can use VMb and VMc at the same time? Or is there better isolation with this config having multiple sys-nets? This assumes all VMs in a) and b) would need to be closed to get on VMa (VPN).
Regarding the firewall rules in sys-vpn:
Unfortunately (or fortunately?) my VPN provides a domain name instead of IPs e.g. VPNprovider.Canada.com, the VPN provider requires port 1194(UDP only), with user name/password and a local cert(all set up in the OpenVPN client in sys-vpn).
In the sys-vpn VM firewall, I would "allow DNS queries" and "deny network access except": 1) put a rule that allows "*" (which I believe allows "Any" domain/IP to pass, although it is limited to VPNprovider.Canada.com, i.e. the Gateway in the OpenVPN client) for "address", 2) port 1195 for "service" and 3) a protocol of "UDP". Wouldn't this block port 80, 443 and all other ports and only allow VPNprovider.Canada.com on port 1195 via UDP only? Therefore if the VPN goes down all other ports (80, 443) would not be allowed? i.e. a kill switch?...similar to what's in the Qubes instructions except GUI configured?
Similar to this post:
https://github.com/Rudd-O/qubes-vpn
Specifically:
Firewall your VPN VM
Open the Firewall rules tab of your new VPN VM's preferences page.
Deny network access except for Allow DNS queries. If the VPN server is just an IP address (check the configuration given you by the VPN provider) then you do not have to Allow DNS queries at all.
Add a single rule:
Address: either * (all hosts) as address (use this when you do not know the IP address of the VPN server in advance, and all you have is a DNS host name), or the fixed VPN IP address (if your VPN configuration has a fixed IP address).
Protocol: choose the protocol that your VPN server configuration indicates (TCP or UDP).
Port number: type in the port number of your VPN server (with OpenVPN, it's typically 1194, 5000 or 443, but refer to your VPN configuration).
Thanks for the thoughts...I know there are multiple questions here that are difficult for me to articulate.
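The "deny network access except" rule set discussed in this thread, worked through as an added example. This is not Qubes code and not from the rudd-o guide: it is a simplified model of how the Qubes 3.2 firewall GUI settings (policy, "Allow DNS queries", "Allow ICMP", address/protocol/port exceptions) admit or drop one outbound flow. In Qubes 3.x those rules are enforced by the upstream VM (sys-firewall) on everything leaving sys-vpn, both sys-vpn's own OpenVPN packets and the NATed traffic of the AppVMs behind it, which is what the model assumes. The IP addresses, the sample flows and the "tight" variant with a fixed provider address are constructed for the illustration; the model does not cover NAT, the tunnel itself, or the iptables rules Qubes actually generates.

```python
"""Simplified model of a Qubes 3.2 ProxyVM firewall rule set (added example,
not Qubes code). Evaluates whether a "deny network access except" rule set
behaves as a VPN kill switch for one flow leaving sys-vpn toward sys-firewall.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    address: str            # "*" (any host) or an IP / CIDR
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None matches any port


@dataclass
class RuleSet:
    policy: str                     # "deny" = "Deny network access except ..."
    allow_dns: bool                 # the "Allow DNS queries" checkbox
    allow_icmp: bool = False        # the "Allow ICMP" checkbox
    rules: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if one address/protocol/port exception applies to the flow."""
    if rule.address != "*":
        net = ipaddress.ip_network(rule.address, strict=False)
        if ipaddress.ip_address(flow.dst_ip) not in net:
            return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.port is not None and rule.port != flow.dst_port:
        return False
    return True


def decide(rs: RuleSet, flow: Flow) -> str:
    """Return "allow" or "deny" for one flow leaving the ProxyVM."""
    if flow.proto == "icmp":
        return "allow" if rs.allow_icmp else "deny"
    # "Allow DNS queries" is checked before the exception list, so it also
    # admits DNS that AppVMs behind sys-vpn send while the tunnel is down.
    # (Qubes limits it to the upstream resolver addresses; the model only
    # looks at the port.)
    if rs.allow_dns and flow.dst_port == 53:
        return "allow"
    for rule in rs.rules:
        if rule_matches(rule, flow):
            # under a deny policy the listed rules are allow-exceptions,
            # under an allow policy they are deny-exceptions
            return "allow" if rs.policy == "deny" else "deny"
    return rs.policy


# The rule set from the thread: deny except "*" / UDP / 1194, DNS allowed
# (DNS is needed because the provider is given as a host name).
THREAD_RULES = RuleSet(policy="deny", allow_dns=True,
                       rules=[Rule("*", "udp", 1194)])

# Tighter variant: the provider's fixed address (203.0.113.10 is a constructed
# documentation-range IP) and "Allow DNS queries" switched off.
TIGHT_RULES = RuleSet(policy="deny", allow_dns=False,
                      rules=[Rule("203.0.113.10", "udp", 1194)])

# Constructed sample flows as sys-firewall would see them coming from sys-vpn.
FLOWS = {
    "OpenVPN handshake / tunnel traffic to provider": Flow("203.0.113.10", "udp", 1194),
    "AppVM HTTPS in the clear (tunnel down)":          Flow("198.51.100.5", "tcp", 443),
    "AppVM HTTP in the clear (tunnel down)":           Flow("198.51.100.5", "tcp", 80),
    "AppVM DNS query (tunnel down)":                   Flow("10.137.2.1", "udp", 53),
    "any other host speaking UDP 1194":                Flow("192.0.2.7", "udp", 1194),
}


def evaluate(rs: RuleSet) -> dict:
    """Map each sample flow name to its verdict under the given rule set."""
    return {name: decide(rs, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rs in (("thread rules", THREAD_RULES), ("tight rules", TIGHT_RULES)):
        print(label)
        for name, verdict in evaluate(rs).items():
            print(f"  {verdict:5s}  {name}")
```

Under the thread's rule set the plaintext HTTP and HTTPS flows are denied once the tunnel is down, which is the kill-switch effect the question asks about. Two flows still pass, though: the AppVMs' DNS queries (because "Allow DNS queries" is checked, which sys-vpn needs to resolve the provider's host name) and UDP 1194 to any host at all (because the address is "*"). The tight variant closes both, at the cost of having to update the rule whenever the provider's address changes, which matches the advice quoted from the rudd-o guide.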