Right Way to Set Up Your VPN to Prevent Leaks?


ulabunga

Jan 31, 2017, 1:38:03 PM1/31/17
to qubes-users
My setup:

proxy VM + AirVPN in Network Manager, TCP-53
-> AppVM x

I import the AirVPN configuration files (TCP-53) into my proxy VM's Network Manager
and select this 'AirVpn' proxy VM in the NetVM settings
for all my Fedora/Debian AppVMs.

Is there any better, more secure way (not Tor)
to set up my internet security?

I noticed I have DNS leaks for the first 5 seconds after I'm connected to a new server...

01v3g4n10

Jan 31, 2017, 1:44:35 PM1/31/17
to qubes-users, vincent.ma...@gmail.com

Follow "Set up a ProxyVM as a VPN gateway using iptables and CLI scripts":
https://www.qubes-os.org/doc/vpn/


vincent.ma...@gmail.com

Jan 31, 2017, 2:41:27 PM1/31/17
to qubes-users, vincent.ma...@gmail.com

That sounds REALLY complicated...
Is there an easy fix for DNS leaks?

In the proxy VM you have the options in the firewall rules
to disable:

- allow ICMP traffic
- allow DNS queries

Should the box be white or black?
(Check or uncheck?)

john.david.r.smith

Jan 31, 2017, 2:47:56 PM1/31/17
to ulabunga, qubes-users
That is a known problem.
You can add some iptables rules to fix that.
There is a guide in the doc:
https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

Look at the iptables section.

01v3g4n10

Jan 31, 2017, 2:55:30 PM1/31/17
to qubes-users, vincent.ma...@gmail.com

There are some changes that you can make to your browser.

In Firefox, type "about:config" in the URL bar. When the page comes up, enter "media.peerconnection.enabled" into the search bar. When it appears, set that entry to "false" (this can be done by double-clicking it, or by right-clicking and selecting "Toggle").

In Google Chrome a free extension has been made available that patches the issue. It can be downloaded here: https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en-US

Unman

Jan 31, 2017, 6:30:52 PM1/31/17
to vincent.ma...@gmail.com, qubes-users
Whatever anyone tries to tell you, security IS complicated, and
there isn't an easy way to achieve it in a hostile environment.

There IS a somewhat easier way than described in those docs, but you
will have to change your set-up.
Put a firewall inline between the proxy and sys-net, and use it to block all
traffic from the proxy except whatever is required to run your VPN. That
is, deny all EXCEPT the VPN protocol and port. If you have a single provider,
specify that, or a number of IP addresses.
Don't allow ICMP or DNS traffic.

If I remember, the original VPN thread included folk who had real
opposition to this method, but it would work fine. It just adds another
Qubes networking layer into the mix.
You are, of course, using a standard port for DNS, so there would still
be the possibility of some DNS traffic passing through with this
configuration, at least the request. If you were to change to some other
port this wouldn't be an issue.

unman
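The "deny all except the VPN protocol and port" firewall that unman describes, and the iptables approach john.david.r.smith points to in the Qubes docs, both come down to a small whitelist ruleset. The script below is an added example, not code from the thread or from the Qubes project: it generates that ruleset for the firewall qube sitting between the VPN ProxyVM and sys-net. The proxy qube's internal address (10.137.1.5), the upstream interface name (eth0), the provider endpoint addresses (203.0.113.x) and the chain name VPN_ONLY are all constructed placeholders; substitute your own. Because the whitelist lives in a separate qube, it does not depend on the tunnel already being up, which is exactly the window in which the original poster saw DNS leaking.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes docs).
# Prints iptables commands that allow only VPN tunnel traffic from the
# VPN proxy qube and drop everything else it tries to send upstream.
#
# Usage: vpn_firewall_rules PROXY_IP UPSTREAM_IF PROTO PORT SERVER_IP...
# Review the output, then pipe it to sh as root inside the firewall qube.
vpn_firewall_rules() {
    proxy_ip=$1; up_if=$2; proto=$3; port=$4
    shift 4

    # Dedicated chain so the rules can be reloaded without touching
    # the rest of the qube's FORWARD policy.
    echo "iptables -N VPN_ONLY 2>/dev/null || iptables -F VPN_ONLY"

    # Whitelist: only the provider's endpoints, on the VPN protocol/port.
    # With a TCP-53 provider (as in the thread) these ACCEPTs must come
    # before the generic port-53 DROPs below, and they do.
    for srv in "$@"; do
        echo "iptables -A VPN_ONLY -s $proxy_ip -d $srv -p $proto --dport $port -j ACCEPT"
    done

    # Explicit drops for the two things unman says not to allow, so a
    # DNS query or ping from the proxy never reaches sys-net.
    echo "iptables -A VPN_ONLY -s $proxy_ip -p udp --dport 53 -j DROP"
    echo "iptables -A VPN_ONLY -s $proxy_ip -p tcp --dport 53 -j DROP"
    echo "iptables -A VPN_ONLY -s $proxy_ip -p icmp -j DROP"

    # Default: deny everything else from the proxy qube.
    echo "iptables -A VPN_ONLY -s $proxy_ip -j DROP"

    # Hook the chain in for traffic arriving from the downstream vif
    # and leaving on the upstream interface (assumed to be eth0 here).
    echo "iptables -I FORWARD -i vif+ -o $up_if -s $proxy_ip -j VPN_ONLY"
}

# Helper used to sanity-check a generated ruleset: counts rules with a
# given target, so you can confirm the expected number of ACCEPTs.
count_target() {
    # $1 = target (ACCEPT/DROP), stdin = generated rules
    grep -c -- "-j $1\$"
}

# Example invocation with constructed placeholder values.
vpn_firewall_rules 10.137.1.5 eth0 tcp 53 203.0.113.10 203.0.113.11
```

Two ACCEPT lines (one per endpoint) and four DROP lines come out for the call shown. On Qubes 3.x the generated commands belong in the firewall qube's /rw/config/qubes-firewall-user-script so they are reapplied when Qubes regenerates its own firewall rules; otherwise a firewall reload silently leaves only the default policy behind, which is worth checking after any NetVM change.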