Trying to get my head around a configuration for a VPN-Proxy VM and its firewall?


vel...@tutamail.com

Dec 15, 2017, 5:58:36 PM
to qubes-users
Scenario #1
VM---sys-vpn--------\
                     \
                      \
VM---------------------\----sys-firewall---sys-net
                       /
                      /
VM-------------------/

Scenario #2
VM------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
VM-------------------sys-firewall---sys-net(Wireless and ethernet)
VM-------------------sys-firewall---sys-net(Wireless and ethernet)

Scenario #3
VM----------sys-vpn---------sys-net(Wireless and ethernet)
VM----------sys-firewall----sys-net(Ethernet only)
VM----------sys-firewall----sys-net(Wireless only)


I am looking at configuring a VPN for 3.2 and I am trying to find the best configuration and firewall settings balancing usability, flexibility and security. My questions are:

1) If sys-net is not trustworthy do these scenarios matter from a security perspective regarding sys-net? Scenario #1 I assume consumes the least resources...

2) Regarding sys-vpn firewall...do these settings in effect create a kill switch in my firewall? (I only have a URL, not the IPs):
Address= *
Service= I enter the port number from my VPN provider
Protocol= I enter UDP or TCP depending on my VPN provider's instructions?

Thanks...any dialogue, options or answers are appreciated....

Happy holiday and thanks again Qubes!

V


vel...@tutamail.com

Dec 15, 2017, 6:28:05 PM
to qubes-users
I just wanted to clarify my questions...I made some edits:

> Scenario #1
> VM---sys-vpn------\
>                    \
>                     \
> VM-------------------------sys-firewall---sys-net
>                     /
>                    /
> VM-----------------/
>
> Scenario #2
> VM------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
>
> Scenario #3
> VM----------sys-vpn---------sys-net(Wireless and ethernet)
> VM----------sys-firewall----sys-net(Ethernet only)
> VM----------sys-firewall----sys-net(Wireless only)
>
> I am looking at configuring a VPN for 3.2 and I am trying to find the best configuration and firewall settings balancing usability, efficiency and security. My questions are:
>
> 1) If sys-net is not trustworthy do these scenarios matter from a security perspective regarding sys-net? Scenario #1 I assume consumes the least resources...
>
> 2) Regarding sys-vpn firewall...do these settings in effect create a kill switch in my sys-vpn firewall? (I am only provided a URL from my VPN provider, not the IPs), firewall settings in my sys-vpn firewall:
> Address= *
> Service= I enter the port number provided by my VPN provider
> Protocol= I enter UDP or TCP depending on my VPN provider's instructions?
>
> Thanks...any dialogue, options, opinions or answers are appreciated....

Chris Laprise

Dec 15, 2017, 7:03:31 PM
to vel...@tutamail.com, qubes-users
On 12/15/2017 05:58 PM, vel...@tutamail.com wrote:
> Scenario #1
> VM---sys-vpn--------\
>                      \
>                       \
> VM---------------------\----sys-firewall---sys-net
>                        /
>                       /
> VM-------------------/
>
>
>
> Scenario #2
> VM------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
> VM-------------------sys-firewall---sys-net(Wireless and ethernet)
>
>
>
> Scenario #3
> VM----------sys-vpn---------sys-net(Wireless and ethernet)
> VM----------sys-firewall----sys-net(Ethernet only)
> VM----------sys-firewall----sys-net(Wireless only)
>
>
> I am looking at configuring a VPN for 3.2 and I am trying to find the best configuration and firewall settings balancing usability, flexibility and security. My questions are:
>
> 1) If sys-net is not trustworthy do these scenarios matter from a security perspective regarding sys-net? Scenario #1 I assume consumes the least resources...

Number 3 doesn't look like a Qubes configuration as far as sys-net goes;
that is assuming those lines denote parallel/simultaneous access.

The first two are essentially the same, though I'm not sure why #1 is
just 'sys-net' while #2 shows sys-net with wifi & ethernet.


> 2) Regarding sys-vpn firewall...do these settings in effect create a kill switch in my firewall? (I only have a URL, not the IPs):
> Address= *
> Service= I enter the port number from my VPN provider
> Protocol= I enter UDP or TCP depending on my VPN provider's instructions?

There are two ingredients here you may not be aware of:

1. The Qubes VPN howto doc has a leak-prevention feature. This
configuration can route packets only over the VPN tunnel.

2. Most subscription VPNs distribute validation certificates with their
config files. Using a certificate, VPN software will reject connections
with any impostor site.

So, as to the need for preventing the VPN VM from connecting with
anything other than the VPN provider, a firewall setting shouldn't be
necessary with a properly setup VPN client. Also, the Qubes firewall is
limited when domain names are used; you could end up with the firewall
trying to filter different addresses than what the VPN client is trying
to use (that is, if your VPN provider has multiple addresses kept in
rotation).

Finally, on Qubes 3.x it can make sense to use sys-firewall (or similar
proxyVM) the other way: Put it between the appVMs and VPN VM if you wish
to use "Deny except" mode in your appVM settings. The reason is this
mode will trigger a Qubes bug if the appVM is connected directly to the
VPN VM resulting in DNS blockage. However, the Qubes-vpn-support
project[1] has a workaround for the bug, making the following
arrangement perfectly fine even when using "Deny except" on the appVM:

appVM------->sys-vpn------->sys-net

If you're not using "Deny except" on appVMs this arrangement also works,
no workaround required.

[1] https://github.com/tasket/Qubes-vpn-support

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

vel...@tutamail.com

Dec 15, 2017, 11:44:45 PM
to qubes-users
I have scenario #1 working...I checked DNS leak and was able to get different results depending on the VM I was on. Is this just likely to break due to the bug you reference?


Scenario 2 was supposed to depict 3 separate sys-net, not running at the same time. clarified as follows:

Clarified Scenario #2
a) VMa------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
b) VMb-------------------sys-firewall---sys-net(Wireless and ethernet)
c) VMc-------------------sys-firewall---sys-net(Wireless and ethernet)

If I want to get on VMa(VPN)...I would need to close all VMs in b) and c), if I wanted to get on VMb, I would need to close all VMs in a) and c), etc...pain in the butt! But is this more secure due to multiple separated sys-net?

Scenario #3 clarified
a) VMa----------sys-vpn---------sys-net(Wireless and ethernet)
b) VMb----------sys-firewall----sys-net(Ethernet only)
c) VMc----------sys-firewall----sys-net(Wireless only)

#3 Scenario is inspired by this post (multiple sys-net's):
Multiple sys-net:
http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html

...is the only benefit of this configuration that I can use VMb and VMc at the same time? or is there better isolation with this config having multiple sys-net's? This assumes all VMs in a) and b) would need to be closed to get on VMa(VPN)


Regarding the firewall rules in sys-vpn:

Unfortunately (or fortunately?) my VPN provides a domain name instead of IPs e.g. VPNprovider.Canada.com, the VPN provider requires port 1194(UDP only), with user name/password and a local cert(all set up in the OpenVPN client in sys-vpn).

In the sys-vpn VM firewall, I would "allow DNS queries" and "deny network access except": 1) put a rule that allows "*" (which I believe allows "Any" domain/IP to pass, although it is limited to VPNprovider.Canada.com i.e. the Gateway in OpenVPN client) for "address", 2) port 1195 for "service" and 3) a protocol of "UDP". Wouldn't this block port 80, 443 and all other ports and only allow VPNprovider.Canada.com on port 1195 via UDP only? Therefore if VPN goes down all other ports 80, 443 would not be allowed? i.e. a kill switch?...similar to what's on the Qubes instructions except GUI configured?

Similar to this post:
https://github.com/Rudd-O/qubes-vpn

Specifically:
Firewall your VPN VM

Open the Firewall rules tab of your new VPN VM's preferences page.

Deny network access except for Allow DNS queries. If the VPN server is just an IP address (check the configuration given you by the VPN provider) then you do not have to Allow DNS queries at all.

Add a single rule:

Address: either * (all hosts) as address (use this when you do not know the IP address of the VPN server in advance, and all you have is a DNS host name), or the fixed VPN IP address (if your VPN configuration has a fixed IP address).
Protocol: choose the protocol that your VPN server configuration indicates (TCP or UDP).
Port number: type in the port number of your VPN server (with OpenVPN, it's typically 1194, 5000 or 443, but refer to your VPN configuration).


Thanks for the thoughts...I know there are multiple questions here that are difficult for me to articulate.

Chris Laprise

Dec 16, 2017, 7:13:49 AM
to vel...@tutamail.com, qubes-users
On 12/15/2017 11:44 PM, vel...@tutamail.com wrote:
> I have scenario #1 working...I checked DNS leak and was able to get different results depending on the VM I was on. Is this just likely to break due to the bug you reference?

The bug only pertains to "Deny except" setting on appVMs causing the VPN
to block DNS. Bug isn't triggered if you use "Deny except" on the VPN VM
itself.

> Scenario 2 was supposed to depict 3 separate sys-net, not running at the same time. clarified as follows:
>
> Clarified Scenario #2
> a) VMa------sys-vpn------sys-firewall---sys-net(Wireless and ethernet)
> b) VMb-------------------sys-firewall---sys-net(Wireless and ethernet)
> c) VMc-------------------sys-firewall---sys-net(Wireless and ethernet)
>
> If I want to get on VMa(VPN)...I would need to close all VMs in b) and c), if I wanted to get on VMb, I would need to close all VMs in a) and c), etc...pain in the butt! But is this more secure due to multiple separated sys-net?

Qubes treats sys-net as untrusted. IMO here you're not gaining much (if
any) security for the extra hassle.

> Scenario #3 clarified
> a) VMa----------sys-vpn---------sys-net(Wireless and ethernet)
> b) VMb----------sys-firewall----sys-net(Ethernet only)
> c) VMc----------sys-firewall----sys-net(Wireless only)
>
> #3 Scenario is inspired by this post (multiple sys-net's):
> Multiple sys-net:
> http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html
>
> ...is the only benefit of this configuration that I can use VMb and VMc at the same time? or is there better isolation with this config having multiple sys-net's? This assumes all VMs in a) and b) would need to be closed to get on VMa(VPN)

There is some merit to separating wifi and ethernet like this as it
could help protect an ethernet LAN from malware acquired over wifi, for
example. But in this case combining them sometimes in one sys-net with
a) may not be a good idea. Instead, if you need to sometimes use the VPN
over wifi and sometimes over ethernet, you could easily switch the netvm
setting on the VPN VM; then your wifi and ethernet controllers stay in
separate VMs.

>
> Regarding the firewall rules in sys-vpn:
>
> Unfortunately (or fortunately?) my VPN provides a domain name instead of IPs e.g. VPNprovider.Canada.com, the VPN provider requires port 1194(UDP only), with user name/password and a local cert(all set up in the OpenVPN client in sys-vpn).
>
> In the sys-vpn VM firewall, I would "allow DNS queries" and "deny network access except": 1) put a rule that allows "*"(Which I believe allows "Any" domain/IP to pass, although it is limited to VPNprovider.Canada.com i.e. the Gateway in OpenVPN client )for "address", 2) port 1195 for "service" and 3) a protocol of "UDP". Wouldn't this block port 80, 443 and all other ports and only allow VPNprovider.Canada.com on port 1195 via UDP only?

Only if you're certain that other addresses won't be accessed by sys-vpn.

> Therefore if VPN goes down all other ports 80, 443 would not be allowed? i.e. a kill switch?...similar to what's on the Qubes instructions except GUI configured?

But if no other addresses besides VPNprovider.Canada.com are accessed,
why would other _ports_ be accessed? IOW, yes this nails down the ports
(because numbers are used for those) but whatever might access other
ports might access other addresses.

Using the VPN doc or Qubes-vpn-support such access attempts wouldn't
succeed. If you look at the firewall script, it restricts output solely
to the VPN client (i.e. openvpn) using a special group 'qvpn'. This
prevents incidental net access by other programs.

And again, putting domain names on the firewall settings tab tends to be
an unreliable, weak measure; it's not good advice if DNS returns a random
selection from a pool of IPs. It's also weak if MITM is in the threat
model, allowing an attacker to easily spoof their own addresses and port
numbers ...and your worries about sys-net seem to indicate that such a
threat applies.

So all said and done, it's not necessary to add firewall rules if your
VPN provider uses a cert and the sys-vpn config isolates the tunnel
traffic as VPN doc and Qubes-vpn-support do.
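The two approaches contrasted above (a single address/port/protocol rule in the VM's firewall tab, as asked about in the previous post, versus restricting egress to the VPN client's process group) can be compared on sample traffic. The following is an added example and not code from Qubes, qubes-vpn or Qubes-vpn-support: a toy policy evaluator in Python over constructed packets. The `qvpn` group name is the one mentioned in the reply; the address pool, the `resolve_once` behaviour (hostname resolved a single time when rules are loaded) and the `owner_match_rule` function are assumptions that model the `-m owner --gid-owner` idea in simplified form, not the project's actual rule set.

```python
"""Toy evaluator for the two VPN-VM egress policies contrasted in this thread.

Added example, not code from Qubes, qubes-vpn or Qubes-vpn-support. All
packets, addresses and the address pool are constructed; the owner-match
function is a simplified model of the '-m owner --gid-owner qvpn' idea the
reply mentions, not the project's actual rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One outbound packet as seen when it leaves the VPN VM."""
    gid: str      # group of the sending process; 'qvpn' marks the VPN client
    out_if: str   # 'eth0' = uplink towards sys-net, 'tun0' = inside the tunnel
    dst_ip: str
    dport: int
    proto: str


# Constructed: the provider's hostname resolves to a rotating pool of addresses.
VPN_POOL = ("203.0.113.10", "203.0.113.11", "203.0.113.12")


def resolve_once(pool):
    """Model a firewall that resolves a hostname a single time when the rules
    are loaded, so only one pool member ends up in the rule (assumption)."""
    return pool[0]


def gui_rule(pkt, address="*", port=1194, proto="udp"):
    """'Deny network access except' with a single address/port/protocol rule,
    as configured in the VM's firewall tab. It only sees packets on the
    uplink and knows nothing about which process sent them."""
    if pkt.out_if != "eth0":
        return "n/a"   # tunnel traffic is re-wrapped by the client before it is seen
    if address != "*" and pkt.dst_ip != address:
        return "DROP"
    if pkt.dport != port or pkt.proto != proto:
        return "DROP"
    return "ACCEPT"


def owner_match_rule(pkt, vpn_group="qvpn"):
    """Simplified owner-match policy: traffic already inside the tunnel is
    allowed; on the uplink only the VPN client's group may send; everything
    else is dropped, so a tunnel outage cannot leak application traffic."""
    if pkt.out_if == "tun0":
        return "ACCEPT"
    if pkt.out_if == "eth0" and pkt.gid == vpn_group:
        return "ACCEPT"
    return "DROP"


# Constructed sample traffic.
SAMPLES = {
    # openvpn dialling a pool member that is not the one resolved at rule load
    "client_to_vpn": Packet("qvpn", "eth0", "203.0.113.11", 1194, "udp"),
    # application traffic after the tunnel is up
    "app_in_tunnel": Packet("users", "tun0", "198.51.100.5", 443, "tcp"),
    # tunnel down: an application tries the uplink directly
    "app_leak_https": Packet("users", "eth0", "198.51.100.5", 443, "tcp"),
    # a stray process using the allowed port, but towards some other address
    "stray_udp_1194": Packet("users", "eth0", "192.0.2.99", 1194, "udp"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (gui '*' rule, gui rule pinned to one resolved IP,
    owner-match rule)} verdicts for each sample packet."""
    pinned = resolve_once(VPN_POOL)
    return {
        name: (gui_rule(p), gui_rule(p, address=pinned), owner_match_rule(p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    print(f"{'packet':16} {'gui(*)':8} {'gui(pinned)':12} owner-match")
    for name, (wild, pin, owner) in evaluate().items():
        print(f"{name:16} {wild:8} {pin:12} {owner}")
```

Reading the rows: the `stray_udp_1194` packet passes the wildcard GUI rule because the rule pins only the port, which is the point made above that whatever can reach other ports can also reach other addresses; pinning the rule to the one address resolved at load time closes that, but then `client_to_vpn` is dropped as soon as the provider's name resolves to a different pool member. The owner-match policy gives the intended verdict in both rows without knowing any address at all.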