On 09/25/2018 05:27 PM, Stuart Perkins wrote:
>
> On Tue, 25 Sep 2018 12:52:16 -0700 (PDT)
> Ninja-mania via qubes-users <qubes...@googlegroups.com> wrote:
>
>> Dude I actually love you (no homo).
>>
>> Spent 20+ trying to set vpn up (Big ass noob) and never came across the Qubes tunnel. It’s awesome. You’re awesome.
Glad to help!
> I have two separate VPNs on my Qubes 3.2 laptop.
>
> One Cisco VPN running via OpenConnect in a dedicated appVM for a client.
> One OpenVPN running in a secondary copy of sys-net which I switch to when I need it. I run the server OpenVPN on a VM on my home server (Debian and VirtualBox).
>
> When I want to connect EVERYTHING to the VPN, I switch out and run the copy of sys-net with the VPN credentials and scripts.
>
> When I want to access the client, I start the appVM with the OpenConnect Cisco VPN client and credentials. I also use this appVM to run client specific software through Wine for most of my work on their equipment, although I do a fair amount of straight up command line stuff on their system as well. I can run this on top of the other VPN if absolutely necessary, but performance is not fast since my home connection is not fast.
>
> Haven't had occasion to try the Qubes tunnel. Is there a particular reason to?
It's good practice to use a Qubes-specific tool like qubes-tunnel to
ensure that DNS packets (and everything else) get routed through the
tunnel and never _around_ it even when the link goes down. This is
important for Qubes because any service VM (NetVM or ProxyVM) that runs
VPN software is acting like a router, not a PC, and Qubes also has
special requirements for proper routing of DNS in this situation.
In your case the AppVM with OpenConnect acts like a PC endpoint and is
probably not a security issue. But the sys-net copy is acting like a
router as previously mentioned and that's an issue on Qubes; to improve
security you could move your openvpn config to a ProxyVM and use
qubes-tunnel.
There is also the issue of VPN passwords or keys being stored in a
sys-net type VM, since these VMs are considered vulnerable to attack.
Moving the VPN to a ProxyVM increases the security of your VPN secrets.
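To make the "never around the tunnel, even when the link goes down" point concrete, here is an added example (not qubes-tunnel's code and not from this thread) of a fail-closed rule set for a ProxyVM that runs OpenVPN: forwarded traffic from downstream AppVMs may only leave via the tunnel interface, and DNS is rewritten to the VPN's resolver. It assumes the uplink is eth0, the tunnel is tun0, Qubes' DNS DNAT chain is PR-QBS in the nat table, and VPN_DNS is a constructed placeholder for the resolver pushed by the VPN.

```shell
#!/bin/sh
# Added example: fail-closed forwarding rules for a Qubes ProxyVM running a VPN.
# Assumptions (not from the thread): uplink eth0, tunnel tun0, Qubes DNAT chain
# PR-QBS in the nat table; VPN_DNS is a constructed placeholder address.
UPLINK="${UPLINK:-eth0}"
TUN="${TUN:-tun0}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"   # constructed placeholder, use the VPN's resolver
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the rules, 0 = apply them with iptables

# Print or execute one iptables invocation depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rule set. Because the uplink DROPs are unconditional, a downed tun0
# leaves downstream VMs with no route out at all instead of a plaintext one.
vpn_leak_rules() {
    # Forwarded traffic (from AppVMs behind this ProxyVM) must never touch the
    # uplink directly, in either direction. Inserted at the top so they win
    # over Qubes' own FORWARD accept rules.
    ipt -I FORWARD -i "$UPLINK" -j DROP
    ipt -I FORWARD -o "$UPLINK" -j DROP
    # Forwarding is only allowed through the tunnel (plus stateful replies).
    ipt -I FORWARD -o "$TUN" -j ACCEPT
    ipt -I FORWARD -i "$TUN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Qubes DNATs AppVM DNS queries in PR-QBS; point them at the VPN resolver
    # (UDP and TCP) so no query can reach the upstream NetVM's resolver.
    ipt -t nat -F PR-QBS
    ipt -t nat -A PR-QBS -p udp --dport 53 -j DNAT --to-destination "$VPN_DNS"
    ipt -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination "$VPN_DNS"
}

# Sanity check for a generated rule list on stdin: returns 0 if every rule
# that ACCEPTs forwarded traffic names the tunnel interface, not the uplink.
rules_fail_closed() {
    ! grep -- "-j ACCEPT" | grep -q -- "$UPLINK"
}

vpn_leak_rules
```

Run it with DRY_RUN=1 first to review the rules, then DRY_RUN=0 inside the ProxyVM (for example from the VPN's up script) to apply them.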