VPN from a ProxyVM


Drew White

Mar 13, 2018, 7:24:25 PM
to qubes-users
Hi folks,

I've searched and searched and I am unable to locate the information I require.

I'm trying to get a VPN to work from a ProxyVM.
It is failing with no reason why.

From the NetVM I am able to connect the VPN.

What is it that I am doing wrong please?
There has to be something?

Doesn't matter if I use Debian or Fedora as the ProxyVM.

Thanks in advance.

Sincerely,
Drew.

Chris Laprise

Mar 13, 2018, 8:06:22 PM
to Drew White, qubes-users
The current VPN doc is here:

https://www.qubes-os.org/doc/vpn/

It is in need of an update (Qubes 4.0 and ease of use) and we're waiting
for review and approval of new scripts and documentation.

You can get something very close to the proposed update by using
Qubes-vpn-support instead:

https://github.com/tasket/Qubes-vpn-support

This one is much easier to setup, reconnects more reliably and now
supports Qubes 4.0.

BTW.... If for some reason you prefer to use Network Manager in a
proxyVM instead of the scripts, the anti-leak firewall script
(proxy-firewall-restrict) will still work. All you have to do (instead
of running "install") is replace qubes-firewall-user-script, for example:

ln -s -f /rw/config/proxy-firewall-restrict /rw/config/qubes-firewall-user-script

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Drew White

Mar 13, 2018, 8:20:10 PM
to qubes-users
On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise wrote:
> The current VPN doc is here:
>
> https://www.qubes-os.org/doc/vpn/

Thanks for the reply Chris, but that is not what I was looking for as I was wanting to use pptp VPN connections (and similar), not a Qubes VPN.


> It is in need of an update (Qubes 4.0 and ease of use) and we're waiting
> for review and approval of new scripts and documentation.

I'm using Qubes 3.2, because that's the most recent version that is runnable.

The thing is, a VPN is created from inside the Guest to call outside, so there should be nothing needed to be altered other than allowing the proxy to have access to the outside world.

Once the VPN is created, that connection is used for everything that is not on the internal network.

I also want to have one where everything that is going to happen on the remote network is pushed through the VPN, and everything else remains using the local connection.

So there are 2 ways I'm looking at having it work.

But at first, I just want a standard PPTP connection.

Sincerely,
Drew.

Chris Laprise

Mar 13, 2018, 9:25:12 PM
to Drew White, qubes-users
On 03/13/2018 08:20 PM, Drew White wrote:
> On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise wrote:
>> The current VPN doc is here:
>>
>> https://www.qubes-os.org/doc/vpn/
>
> Thanks for the reply Chris, but that is not what I was looking for as I was wanting to use pptp VPN connections (and similar), not a Qubes VPN.

I think you mean "not an OpenVPN..."?

FWIW, the resources at those links are meant to be adaptable for
non-OpenVPN setups, and they don't impose any particular type of routing
(other than forbidding access that most call 'leaks'). As for accessing
the LAN directly through a VPN VM, there are simple ways to make an
exception for it.

>
>> It is in need of an update (Qubes 4.0 and ease of use) and we're waiting
>> for review and approval of new scripts and documentation.
>
> I'm using Qubes 3.2, because that's the most recent version that is runnable.
>
> The thing is, a VPN is created from inside the Guest to call outside, so there should be nothing needed to be altered other than allowing the proxy to have access to the outside world.
>
> Once the VPN is created, that connection is used for everything that is not on the internal network.

It depends on the routes setup for the VPN, and this goes for PPTP,
OpenVPN, whatever. The default routing that for-pay VPN providers use is
"route everything upstream" but user has some control. If you
run/control the remote end also, then it all depends on what you want.


>
> I also want to have one where everything that is going to happen on the remote network is pushed through the VPN, and everything else remains using the local connection.
>
> So there are 2 ways I'm looking at having it work.
>
> But at first, I just want a standard PPTP connection.

There are plenty of guides out there. But when searching for examples
keep in mind that a Qubes proxyVM behaves much like a router (not a PC
endpoint) so that may be the best type of guide to use.
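
The routing point in the message above, as an added example that is not part of the original post: a longest-prefix-match lookup over simplified `ip route` output shows which interface a ProxyVM would forward a destination to under "route everything upstream" versus a remote-LAN-only setup, and which destinations fall back to the uplink if the tunnel drops (the 'leak' case). The interface names (`ppp0`, `eth0`), addresses and routing tables are constructed for illustration, and route metrics are ignored.

```python
import ipaddress

# Constructed sample tables (simplified `ip route` output), not taken from the thread.
FULL_TUNNEL_UP = """
default dev ppp0 scope link
203.0.113.10 via 10.137.1.1 dev eth0
10.137.1.1 dev eth0 scope link
192.168.50.1 dev ppp0 proto kernel scope link src 192.168.50.23
"""
SPLIT_TUNNEL_UP = """
default via 10.137.1.1 dev eth0
10.137.1.1 dev eth0 scope link
192.168.50.0/24 dev ppp0 scope link
"""
TUNNEL_DOWN = """
default via 10.137.1.1 dev eth0
10.137.1.1 dev eth0 scope link
"""
# Constructed destinations: one Internet host, one host on the remote LAN.
DESTS = ["198.51.100.7", "192.168.50.20"]


def parse_routes(text):
    """Parse simplified `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest), dev))
    return routes


def egress(routes, addr):
    """Return the device chosen by longest-prefix match, or None if no route."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]


def leaks_when_down(up, down, dests, tunnel="ppp0"):
    """Destinations sent via the tunnel when it is up that would leave
    through another device once the tunnel routes disappear."""
    leaked = []
    for dest in dests:
        if egress(up, dest) != tunnel:
            continue
        fallback = egress(down, dest)
        if fallback is not None and fallback != tunnel:
            leaked.append(dest)
    return leaked


if __name__ == "__main__":
    down = parse_routes(TUNNEL_DOWN)
    for name, table in (("full", FULL_TUNNEL_UP), ("split", SPLIT_TUNNEL_UP)):
        up = parse_routes(table)
        for dest in DESTS:
            print(f"{name:5} {dest:15} -> {egress(up, dest)}")
        print(f"{name:5} falls back to uplink if tunnel drops: "
              f"{leaks_when_down(up, down, DESTS)}")
```

Any destination this reports is one that a firewall restriction on forwarding to the uplink would have to block while the tunnel is down.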

Drew White

Mar 13, 2018, 9:53:44 PM
to qubes-users
On Wednesday, 14 March 2018 12:25:12 UTC+11, Chris Laprise wrote:
> On 03/13/2018 08:20 PM, Drew White wrote:
> > On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise wrote:
> >> The current VPN doc is here:
> >>
> >> https://www.qubes-os.org/doc/vpn/
> >
> > Thanks for the reply Chris, but that is not what I was looking for as I was wanting to use pptp VPN connections (and similar), not a Qubes VPN.
>
> I think you mean "not an OpenVPN..."?

I am guessing so, yes, thanks for clarifying.

> FWIW, the resources at those links are meant to be adaptable for
> non-OpenVPN setups, and they don't impose any particular type of routing
> (other than forbidding access that most call 'leaks'). As for accessing
> the LAN directly through a VPN VM, there are simple ways to make an
> exception for it.

That's what I don't get. All I want to do is have the VPN connect, nothing else. So that my AppVM can talk through it to the external.

> >
> >> It is in need of an update (Qubes 4.0 and ease of use) and we're waiting
> >> for review and approval of new scripts and documentation.
> >
> > I'm using Qubes 3.2, because that's the most recent version that is runnable.
> >
> > The thing is, a VPN is created from inside the Guest to call outside, so there should be nothing needed to be altered other than allowing the proxy to have access to the outside world.
> >
> > Once the VPN is created, that connection is used for everything that is not on the internal network.
>
> It depends on the routes setup for the VPN, and this goes for PPTP,
> OpenVPN, whatever. The default routing that for-pay VPN providers use is
> "route everything upstream" but user has some control. If you
> run/control the remote end also, then it all depends on what you want.

That is true, and that is something I can do. I have done many many things with the VMs before anyone even thought about doing it, because I used Qubes for Development purposes. So routing isn't too hard for it. If I have any issues with the Routing sides of it I'll be sure to ask.

> >
> > I also want to have one where everything that is going to happen on the remote network is pushed through the VPN, and everything else remains using the local connection.
> >
> > So there are 2 ways I'm looking at having it work.
> >
> > But at first, I just want a standard PPTP connection.
>
> There are plenty of guides out there. But when searching for examples
> keep in mind that a Qubes proxyVM behaves much like a router (not a PC
> endpoint) so that may be the best type of guide to use.

Exactly, and as a router it should connect a VPN.
I used to have it able to do it. So that's why I don't understand why it isn't working. Since I had it able to do it once before, ages ago, and nothing has changed since then, and now it isn't working. So it's odd. Thus I figured maybe something has changed.


Sincerely,
Drew.

Chris Laprise

Mar 14, 2018, 8:28:58 AM
to Drew White, qubes-users
On 03/13/2018 09:53 PM, Drew White wrote:
> On Wednesday, 14 March 2018 12:25:12 UTC+11, Chris Laprise wrote:
>> On 03/13/2018 08:20 PM, Drew White wrote:
>>> On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise wrote:
>>>> The current VPN doc is here:
>>>>
>>>> https://www.qubes-os.org/doc/vpn/
>>>
>>> Thanks for the reply Chris, but that is not what I was looking for as I was wanting to use pptp VPN connections (and similar), not a Qubes VPN.
>>
>> I think you mean "not an OpenVPN..."?
>
> I am guessing so, yes, thanks for clarifying.
>
>> FWIW, the resources at those links are meant to be adaptable for
>> non-OpenVPN setups, and they don't impose any particular type of routing
>> (other than forbidding access that most call 'leaks'). As for accessing
>> the LAN directly through a VPN VM, there are simple ways to make an
>> exception for it.
>
> That's what I don't get. All I want to do is have the VPN connect, nothing else. So that my AppVM can talk through it to the external.

OK, this sounds like you want to connect to a remote LAN.


>>>
>>> I also want to have one where everything that is going to happen on the remote network is pushed through the VPN, and everything else remains using the local connection.
>>>
>>> So there are 2 ways I'm looking at having it work.
>>>
>>> But at first, I just want a standard PPTP connection.
>>
>> There are plenty of guides out there. But when searching for examples
>> keep in mind that a Qubes proxyVM behaves much like a router (not a PC
>> endpoint) so that may be the best type of guide to use.
>
> Exactly, and as a router it should connect a VPN.
> I used to have it able to do it. So that's why I don't understand why it isn't working. Since I had it able to do it once before, ages ago, and nothing has changed since then, and now it isn't working. So it's odd. Thus I figured maybe something has changed.

I want to say "Not much has changed in R3.2 networking", but the Linux
distros in the templates have changed somewhat over the years. In any
case, you'll need to review your configuration and maybe post setup
steps to get specific troubleshooting advice.

At this point, you could focus on fixing the existing configuration or
consider a new setup. Unfortunately I haven't noticed other Qubes users
posting about PPTP and haven't used it myself for a very long time (only
used it on Windows). That may be because PPTP is considered insecure
(one reason to switch to OpenVPN or protocol).

Matty South

Mar 14, 2018, 10:07:53 AM
to qubes-users

I'll chime in here. You can ignore the firewall scripts and such in that VPN doc if you don't care about DNS leaking and such (depends of course on your attack model). For all intents and purposes, connecting to your VPN from a proxy VM is the same as from an app VM.

Drew White

Mar 14, 2018, 8:47:43 PM
to qubes-users
On Wednesday, 14 March 2018 23:28:58 UTC+11, Chris Laprise wrote:
> On 03/13/2018 09:53 PM, Drew White wrote:
> > On Wednesday, 14 March 2018 12:25:12 UTC+11, Chris Laprise wrote:
> >> On 03/13/2018 08:20 PM, Drew White wrote:
> >>> On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise wrote:
> >>>> The current VPN doc is here:
> >>>>
> >>>> https://www.qubes-os.org/doc/vpn/
> >>>
> >>> Thanks for the reply Chris, but that is not what I was looking for as I was wanting to use pptp VPN connections (and similar), not a Qubes VPN.
> >>
> >> I think you mean "not an OpenVPN..."?
> >
> > I am guessing so, yes, thanks for clarifying.
> >
> >> FWIW, the resources at those links are meant to be adaptable for
> >> non-OpenVPN setups, and they don't impose any particular type of routing
> >> (other than forbidding access that most call 'leaks'). As for accessing
> >> the LAN directly through a VPN VM, there are simple ways to make an
> >> exception for it.
> >
> > That's what I don't get. All I want to do is have the VPN connect, nothing else. So that my AppVM can talk through it to the external.
>
> OK, this sounds like you want to connect to a remote LAN.

I thought that is what VPNs are for?
Well that is their primary intention, to connect from where you are to a remote network.
I should have clarified that in the first place due to many people these days connecting to remote networks as a 255.255.255.255 and only doing it to connect out to the internet for privacy and security.

I shall endeavor to mention that in the future if it ever arises again.

>
> >>>
> >>> I also want to have one where everything that is going to happen on the remote network is pushed through the VPN, and everything else remains using the local connection.
> >>>
> >>> So there are 2 ways I'm looking at having it work.
> >>>
> >>> But at first, I just want a standard PPTP connection.
> >>
> >> There are plenty of guides out there. But when searching for examples
> >> keep in mind that a Qubes proxyVM behaves much like a router (not a PC
> >> endpoint) so that may be the best type of guide to use.
> >
> > Exactly, and as a router it should connect a VPN.
> > I used to have it able to do it. So that's why I don't understand why it isn't working. Since I had it able to do it once before, ages ago, and nothing has changed since then, and now it isn't working. So it's odd. Thus I figured maybe something has changed.
>
> I want to say "Not much has changed in R3.2 networking", but the Linux
> distros in the templates have changed somewhat over the years. In any
> case, you'll need to review your configuration and maybe post setup
> steps to get specific troubleshooting advice.

I'm still using F23 for it. Perhaps there is something else inside the Qubes Networking that has an issue with it after updating for security.

I'll have to just go through settings and try and try and try. Just go from one settings to another and trying to connect after altering each setting.


> At this point, you could focus on fixing the existing configuration or
> consider a new setup. Unfortunately I haven't noticed other Qubes users
> posting about PPTP and haven't used it myself for a very long time (only
> used it on Windows). That may be because PPTP is considered insecure
> (one reason to switch to OpenVPN or protocol).

Well not many people use PPTP anymore, as it has some inherent insecurities in it.
Unfortunately some of the older hardware only has PPTP built into it.

(personal opinion below)
There is no good Qubes Template out there yet.
They all use NetworkManager and SystemD, and that's just shit.
If they had a template that had no SystemD then things would work so much better and faster.

What else, other than NetworkManager can be used?

Drew White

Mar 14, 2018, 8:51:21 PM
to qubes-users

What do you mean by "DNS leaking"?
Well, from a proxy I can connect multiple AppVMs, and the AppVMs connect to Proxy DNS which will be set to the network.

That is how I need it.

Chris Laprise

Mar 14, 2018, 9:33:30 PM
to Drew White, qubes-users
On 03/14/2018 08:47 PM, Drew White wrote:
> On Wednesday, 14 March 2018 23:28:58 UTC+11, Chris Laprise wrote:
>> On 03/13/2018 09:53 PM, Drew White wrote:
>>> On Wednesday, 14 March 2018 12:25:12 UTC+11, Chris Laprise wrote:
>>>> On 03/13/2018 08:20 PM, Drew White wrote:
>>>>> On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise wrote:
>>>>>> The current VPN doc is here:
>>>>>>
>>>>>> https://www.qubes-os.org/doc/vpn/
>>>>>
>>>>> Thanks for the reply Chris, but that is not what I was looking for as I was wanting to use pptp VPN connections (and similar), not a Qubes VPN.
>>>>
>>>> I think you mean "not an OpenVPN..."?
>>>
>>> I am guessing so, yes, thanks for clarifying.
>>>
>>>> FWIW, the resources at those links are meant to be adaptable for
>>>> non-OpenVPN setups, and they don't impose any particular type of routing
>>>> (other than forbidding access that most call 'leaks'). As for accessing
>>>> the LAN directly through a VPN VM, there are simple ways to make an
>>>> exception for it.
>>>
>>> That's what I don't get. All I want to do is have the VPN connect, nothing else. So that my AppVM can talk through it to the external.
>>
>> OK, this sounds like you want to connect to a remote LAN.
>
> I thought that is what VPNs are for?

They can be. Some configs are for remote LANs, others for connecting to
Internet.


> Well that is their primary intention, to connect from where you are to a remote network.
> I should have clarified that in the first place due to many people these days connecting to remote networks as a 255.255.255.255 and only doing it to connect out to the internet for privacy and security.
>
> I shall endeavor to mention that in the future if it ever arises again.
>
>>
>>>>>
>>>>> I also want to have one where everything that is going to happen on the remote network is pushed through the VPN, and everything else remains using the local connection.
>>>>>
>>>>> So there are 2 ways I'm looking at having it work.
>>>>>
>>>>> But at first, I just want a standard PPTP connection.
>>>>
>>>> There are plenty of guides out there. But when searching for examples
>>>> keep in mind that a Qubes proxyVM behaves much like a router (not a PC
>>>> endpoint) so that may be the best type of guide to use.
>>>
>>> Exactly, and as a router it should connect a VPN.
>>> I used to have it able to do it. So that's why I don't understand why it isn't working. Since I had it able to do it once before, ages ago, and nothing has changed since then, and now it isn't working. So it's odd. Thus I figured maybe something has changed.
>>
>> I want to say "Not much has changed in R3.2 networking", but the Linux
>> distros in the templates have changed somewhat over the years. In any
>> case, you'll need to review your configuration and maybe post setup
>> steps to get specific troubleshooting advice.
>
> I'm still using F23 for it. Perhaps there is something else inside the Qubes Networking that has an issue with it after updating for security.
>
> I'll have to just go through settings and try and try and try. Just go from one settings to another and trying to connect after altering each setting.

I suggest moving your settings to F26 (i.e. change the template of your VM).



> What else, other than NetworkManager can be used?

F26 has pptp-setup package. It lets you use shell commands:
http://pptpclient.sourceforge.net/

Of course, Qubes proxyVMs have Network Manager disabled by default.

Drew White

Mar 15, 2018, 7:21:20 PM
to qubes-users
On Thursday, 15 March 2018 12:33:30 UTC+11, Chris Laprise wrote:
> On 03/14/2018 08:47 PM, Drew White wrote:
> > On Wednesday, 14 March 2018 23:28:58 UTC+11, Chris Laprise wrote:
> >> On 03/13/2018 09:53 PM, Drew White wrote:
> >>> On Wednesday, 14 March 2018 12:25:12 UTC+11, Chris Laprise wrote:
> >>>> On 03/13/2018 08:20 PM, Drew White wrote:
> >>>>> On Wednesday, 14 March 2018 11:06:22 UTC+11, Chris Laprise wrote:
> >>>>>> The current VPN doc is here:
> >>>>>>
> >>>>>> https://www.qubes-os.org/doc/vpn/
> >>>>>
> >>>>> Thanks for the reply Chris, but that is not what I was looking for as I was wanting to use pptp VPN connections (and similar), not a Qubes VPN.
> >>>>
> >>>> I think you mean "not an OpenVPN..."?
> >>>
> >>> I am guessing so, yes, thanks for clarifying.
> >>>
> >>>> FWIW, the resources at those links are meant to be adaptable for
> >>>> non-OpenVPN setups, and they don't impose any particular type of routing
> >>>> (other than forbidding access that most call 'leaks'). As for accessing
> >>>> the LAN directly through a VPN VM, there are simple ways to make an
> >>>> exception for it.
> >>>
> >>> That's what I don't get. All I want to do is have the VPN connect, nothing else. So that my AppVM can talk through it to the external.
> >>
> >> OK, this sounds like you want to connect to a remote LAN.
> >
> > I thought that is what VPNs are for?
>
> They can be. Some configs are for remote LANs, others for connecting to
> Internet.

It's all remote LAN, just different restrictions on them.



> > Well that is their primary intention, to connect from where you are to a remote network.
> > I should have clarified that in the first place due to many people these days connecting to remote networks as a 255.255.255.255 and only doing it to connect out to the internet for privacy and security.
> >
> > I shall endeavor to mention that in the future if it ever arises again.
> >
> >>
> >>>>>
> >>>>> I also want to have one where everything that is going to happen on the remote network is pushed through the VPN, and everything else remains using the local connection.
> >>>>>
> >>>>> So there are 2 ways I'm looking at having it work.
> >>>>>
> >>>>> But at first, I just want a standard PPTP connection.
> >>>>
> >>>> There are plenty of guides out there. But when searching for examples
> >>>> keep in mind that a Qubes proxyVM behaves much like a router (not a PC
> >>>> endpoint) so that may be the best type of guide to use.
> >>>
> >>> Exactly, and as a router it should connect a VPN.
> >>> I used to have it able to do it. So that's why I don't understand why it isn't working. Since I had it able to do it once before, ages ago, and nothing has changed since then, and now it isn't working. So it's odd. Thus I figured maybe something has changed.
> >>
> >> I want to say "Not much has changed in R3.2 networking", but the Linux
> >> distros in the templates have changed somewhat over the years. In any
> >> case, you'll need to review your configuration and maybe post setup
> >> steps to get specific troubleshooting advice.
> >
> > I'm still using F23 for it. Perhaps there is something else inside the Qubes Networking that has an issue with it after updating for security.
> >
> > I'll have to just go through settings and try and try and try. Just go from one settings to another and trying to connect after altering each setting.
>
> I suggest moving your settings to F26 (i.e. change the template of your VM).

I have F20,21,23,24,26. Normal and Minimal.
Typically I have the minimal, then install what I want.
But since I can't remove the crap from the template, I have to alter the code in or disable about 60 things before I start, since there are things that are broken that Qubes developers said aren't.





> > What else, other than NetworkManager can be used?
>
> F26 has pptp-setup package. It lets you use shell commands:
> http://pptpclient.sourceforge.net/

I have F26 and that did not resolve the issue.
At the moment I'm waiting for someone to get pfSense working properly with Qubes, so that I have a decent firewall option as using Fedora or Debian (Debian is better) as a NetVM is just harsh. Due to the fact that it has so much in it that it doesn't need as a NetVM. Which is why I get the minimal, and then add what I need to create a VM for NetVM/ProxyVM, as well as one for AppVM.

Unfortunately, in Qubes you can't remove the standard RPM installed templates. It simply has a hissy fit if you do. But I still manually remove it from the XML as well as delete the files. Means I can't re-install from the RPM though.

If you know how to remove it via the RPM method, please let me know. It would be appreciated.


> Of course, Qubes proxyVMs have Network Manager disabled by default.

There are so many things about the way the systems are going these days that are just wrong it's not funny. They keep thinking newer is better, yet all they have to do is patch what they currently have that works perfectly. If they patch it and cure the issue then it is fixed. Creating a new thing leaves the bug still there and just adds something else that could be another attack surface.

Maybe all that is cured in Qubes 4, I have no idea since it doesn't work on my hardware due to their restrictions for the CPU. So all I'm going on is the now abandoned and unsupported Qubes 3.2.

If the initial issues are resolved in Qubes 4, would be good to know. But I know that there are many issues that will not be resolved (as far as I am aware)
