between Qubes-tunnel and Qubes-vpn-support


w4oo2d...@scryptmail.com

Feb 26, 2019, 4:18:05 PM2/26/19
to qubes...@googlegroups.com, qubes...@googlegroups.com

Hello Chris Laprise,

I've been using qubes-tunnel for a few months now, and first tried qubes-vpn-support. Thank you for developing them and answering so many questions in a very clear manner; that helped a lot. I've accumulated some questions during this time and would now like to understand both of them better. Could you answer some of them when you are free? Thank you.


1. Qubes-tunnel and Qubes-vpn-support: which one is better to choose at which stage?

From these two apps' GitHub descriptions: 'qubes-tunnel is tested on Debian and Fedora, more for basic users'; 'qubes-vpn-support has IPv6 anti-leak and is Whonix tested'.

---- Does this mean qubes-vpn-support is more advanced, and when a user is more familiar with Qubes, he's advised to move from qubes-tunnel to qubes-vpn-support?

--- Since qubes-tunnel is officially integrated in Qubes OS now, is qubes-vpn-support still being maintained? BTW, does this mean the Qubes official document on VPN is slightly out-dated as well?


2. How to use these security tools together?

When I'm online, Firefox won't show IP, IPv6, DNS, but Tor, with its exit node, shows them all. Please note this is not my info, but the Tor exit node's.

However, the Tor team publishes all IPv6 exits on their website publicly; IPv6 is too traceable, and most IP-check websites can tell a browser is coming from a Tor exit, and you once suggested as well that IPv6 is a 'naïve' concept.

---- Does this mean using Tor for sign-in services like checking email is not secure and not recommended, so it's better just for browsing?

--- In that case is Firefox or Opera more secure for email-checking? Especially when the Tor team claimed Tor + VPN would make a user's traffic 'more obvious'.

---- How would you check webmail, if it were you?


3. Just to confirm some configuration details

 -- On firewall rules, adding the lines below

iptables -I FORWARD -o eth0 -j DROP

iptables -I FORWARD -i eth0 -j DROP

ip6tables -I FORWARD -o eth0 -j DROP

ip6tables -I FORWARD -i eth0 -j DROP

 

in /rw/config/qubes-firewall-user-script

This is in the VPN VM, not the AppVM, sys-net or dom0, right?

 

--- When you suggested testing an uplink VM with packets sent to a non-VPN address,
  do you mean with something like Wireshark? In sys-net, right?

--- Disabling IPv6 should be by

   qvm-features VM ipv6 ''   should be in sys-net as well, correct?

   Is it permanent, or should we do it on each boot?

 

Lots of thanks again.

 



Chris Laprise

Feb 28, 2019, 1:22:39 AM2/28/19
to w4oo2d...@scryptmail.com, qubes...@googlegroups.com
On 2/26/19 4:18 PM, w4oo2d...@scryptmail.com wrote:
> Hello Chris Laprise,
>
> I've been using qubes-tunnel for a few months now, and first tried
> qubes-vpn-support. Thank you for developing them and answering so many
> questions in a very clear manner; that helped a lot. I've accumulated some
> questions during this time and would now like to understand both of them
> better. Could you answer some of them when you are free? Thank you.
>
>
> 1. Qubes-tunnel and Qubes-vpn-support: which one is better to choose at
> which stage?

They're functionally identical. The only difference is the name and that
Qubes-vpn-support can be installed inside an appVM without touching a
template. The reason for this is that qubes-tunnel was created for
possible inclusion in Qubes OS.

>
> From these two apps' GitHub descriptions: 'qubes-tunnel is tested on
> Debian and Fedora, more for basic users'; 'qubes-vpn-support has IPv6
> anti-leak and is Whonix tested'.
>
> ---- Does this mean qubes-vpn-support is more advanced, and when a user is
> more familiar with Qubes, he's advised to move from qubes-tunnel to
> qubes-vpn-support?
>
> --- Since qubes-tunnel is officially integrated in Qubes OS now, is
> qubes-vpn-support still being maintained? BTW, does this mean the Qubes
> official document on VPN is slightly out-dated as well?

The two perform exactly the same, with same features (incl. ipv6
protection). Although qubes-tunnel has been forked by Marek, it hasn't
yet gone into the Qubes project repo.

>
>
> 2. How to use these security tools together?
>
> When I'm online, Firefox won't show IP, IPv6, DNS, but Tor, with its exit
> node, shows them all. Please note this is not my info, but the Tor exit
> node's.

There will always be some kind of ip address associated with your
connections. The appVM's ip may even be known under some circumstances,
but this is only virtual. The point of the vpn (and tor) is that other
sites are seeing a virtual address, not from your physical ISP link.

>
> However, the Tor team publishes all IPv6 exits on their website publicly;
> IPv6 is too traceable, and most IP-check websites can tell a browser is
> coming from a Tor exit, and you once suggested as well that IPv6 is a
> 'naïve' concept.
>
> ---- Does this mean using Tor for sign-in services like checking email is
> not secure and not recommended, so it's better just for browsing?

If the mail service has an .onion or .i2p address, then you can connect
with high confidence in the link security. With a regular https address,
it is theoretically secure but this may not be true for every type of
adversary.

The same caveat about https holds when using a vpn, except that a vpn
you trust probably won't try to attack you when a tor exit node might.
That's why an .onion address is safer because exit nodes aren't involved.


>
> --- In that case is Firefox or Opera more secure for email-checking?
> Especially when the Tor team claimed Tor + VPN would make a user's traffic
> 'more obvious'.

Wish I knew more about recent Opera releases; they have a VPN but this
doesn't make it better than a good VPN configured in Qubes. I'd say the
latter is superior because if the browser is compromised (as is likely at
some point) then the attacker could get access to your Opera VPN
credentials.

I feel it's also better to subscribe to VPNs from companies that are
identified as only that... virtual private network providers. They can't
pretend that privacy is a secondary concern, so their reputation is made
or broken on their privacy promise.

>
> ---- How would you check webmail, if it were you?

Using an .onion address from Whonix/Torbrowser is probably best for
email. It could also be pop3 or imap, not necessarily in a web browser.
Protonmail.com has an .onion address.

But keep in mind that email is also an old format that didn't anticipate
a very hostile network environment. I would look to alternatives like
i2p-bote, signal, wire, matrix, and the one that used to be called
"Ring". These specialize in decentralized messaging that is end-to-end
encrypted.

>
>
> 3. Just to confirm some configuration details
>
>  -- On firewall rules, adding the lines below
>
> iptables -I FORWARD -o eth0 -j DROP
>
> iptables -I FORWARD -i eth0 -j DROP
>
> ip6tables -I FORWARD -o eth0 -j DROP
>
> ip6tables -I FORWARD -i eth0 -j DROP
>
> in /rw/config/qubes-firewall-user-script
>
> This is in the VPN VM, not the AppVM, sys-net or dom0, right?

Correct. They are effective in a proxyvm or "network-providing" VM. It
is based on the VM's forwarding function.


>
> --- When you suggested testing an uplink VM with packets sent to a non-VPN
> address, do you mean with something like Wireshark? In sys-net, right?

That depends on which doc you're referring to, but non-vpn address
probably means something out on the Internet.

>
> --- Disabling IPv6 should be by
>
>    qvm-features VM ipv6 ''   should be in sys-net as well, correct?
>
>    Is it permanent, or should we do it on each boot?

According to Marek this should do the trick. But it's best to also have
an anti-leak firewall that covers IPv6 (like the rules you mentioned
previously).

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
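The four FORWARD drop rules discussed above, written up as a complete /rw/config/qubes-firewall-user-script for the VPN proxyVM. This is an added example for this thread, not code from qubes-tunnel, qubes-vpn-support or the Qubes project. It assumes (hypothetically) that the proxyVM's uplink interface is eth0 and that the script runs as root inside that proxyVM; the "iptables -S FORWARD" outputs it checks against are constructed samples, not captures from a real VM.

```shell
#!/bin/sh
# Added example (not from qubes-tunnel or qubes-vpn-support): the anti-leak
# FORWARD rules from this thread as an idempotent
# /rw/config/qubes-firewall-user-script for the VPN proxyVM.
# Assumptions (hypothetical, for illustration): the proxyVM's uplink is
# eth0 and --apply/--check run as root inside that proxyVM.

UPLINK="${UPLINK:-eth0}"

# antileak_rules UPLINK
# Print the commands that stop the proxyVM from forwarding appVM traffic to
# or from its uplink, for both IPv4 and IPv6. Each rule is guarded by "-C"
# (check) so re-running the script does not stack duplicate rules; "-I"
# inserts at the top of FORWARD so the drops win over later ACCEPT rules.
antileak_rules() {
    uplink=$1
    for tool in iptables ip6tables; do
        for dir in -i -o; do
            rule="FORWARD $dir $uplink -j DROP"
            echo "$tool -C $rule 2>/dev/null || $tool -I $rule"
        done
    done
}

# verify_forward_rules UPLINK
# Read "iptables -S FORWARD" (or "ip6tables -S FORWARD") output on stdin and
# succeed only if both drop rules for UPLINK are present. Useful after
# applying, or as a periodic check that nothing reset the chain.
verify_forward_rules() {
    uplink=$1
    found_in=0
    found_out=0
    while IFS= read -r line; do
        case "$line" in
            "-A FORWARD -i $uplink -j DROP") found_in=1 ;;
            "-A FORWARD -o $uplink -j DROP") found_out=1 ;;
        esac
    done
    if [ "$found_in" -eq 1 ] && [ "$found_out" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Constructed sample output of "iptables -S FORWARD" (not captured from a
# real VM): one chain with the anti-leak drops in place, one without them.
SAMPLE_FORWARD_OK='-P FORWARD DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -o vif+ -j ACCEPT'

SAMPLE_FORWARD_LEAKY='-P FORWARD DROP
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -o vif+ -j ACCEPT'

case "${1:-}" in
    --apply)
        # Real mode: execute the generated commands (needs root in the proxyVM).
        antileak_rules "$UPLINK" | sh -e
        ;;
    --check)
        # Exit non-zero if either address family is missing a drop rule.
        iptables -S FORWARD | verify_forward_rules "$UPLINK" &&
        ip6tables -S FORWARD | verify_forward_rules "$UPLINK"
        ;;
    *)
        # Dry run: show what --apply would execute.
        antileak_rules "$UPLINK"
        ;;
esac
```

Run with no arguments to see the commands, `--apply` as root inside the proxyVM to install them, and `--check` afterwards to confirm both chains carry the drops. Note what the rules do and do not cover: they only affect forwarded traffic, so appVMs behind the proxyVM can reach the outside only through whatever tunnel interface the VPN client brings up, and a tunnel that is down means blocked rather than leaked traffic; the proxyVM's own locally generated packets (the VPN client's handshake, for instance) go through the OUTPUT chain and still leave via eth0, and pointing the appVMs' DNS at the VPN's resolvers is a separate step outside this block.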