Preventing VPN leaks once VPN connection is disconnect


niepo...@gmail.com

Apr 22, 2018, 11:57:29 AM4/22/18
to qubes-users
I'm a user of the Bitmask VPN software and, accidentally, from time to time the connection disconnects and there are a few seconds before it connects again.

What is the easiest way to set up firewall rules that prevent leaks of clear, unencrypted traffic?

js...@bitmessage.ch

Apr 22, 2018, 12:53:01 PM4/22/18
to qubes...@googlegroups.com
niepo...@gmail.com:
> I'm a user of the Bitmask VPN software and, accidentally, from time to time the connection disconnects and there are a few seconds before it connects again.
>
> What is the easiest way to set up firewall rules that prevent leaks of clear, unencrypted traffic?

I'm pretty sure bitmask is supposed to block unencrypted connections
automatically when VPN connection drops (fail closed). The old version
of bitmask had problems when running in a qubes proxyVM (DNS leaks in
particular), but the new version in their debian stretch repo seemingly
fixes these problems. I'm not sure if not failing closed is still a
problem though.

If you're running the most recent version of bitmask in a proxyVM and
it's not failing closed, maybe run it in the appVM instead? Others will
have to answer the firewall question though because I don't know much about
that.

--
Jackie

Chris Laprise

Apr 22, 2018, 1:43:33 PM4/22/18
to js...@bitmessage.ch, qubes...@googlegroups.com
The regular release doesn't prevent leaks in Qubes proxyVMs, but the
next version will.

If you want to use bitmask in a proxyVM you can either download the
latest pre-release, or you can add a couple (internal) firewall rules to
the proxyVM in /rw/config/qubes-firewall-user-script:

# drop anything the downstream AppVMs would send out of, or receive from,
# the uplink interface directly, i.e. outside the tunnel
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP


Also, if you run bitmask just in individual appVMs (instead of proxyVM,
which shares the connection with some number of appVMs) then in that
situation it probably won't need Qubes-specific rules to prevent leaks.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Chris Laprise

Apr 22, 2018, 1:51:03 PM4/22/18
to js...@bitmessage.ch, qubes...@googlegroups.com
On 04/22/2018 01:43 PM, Chris Laprise wrote:
> On 04/22/2018 12:52 PM, js...@bitmessage.ch wrote:
>> niepo...@gmail.com:
>>> I'm a user of the Bitmask VPN software and, accidentally, from time to time
>>> the connection disconnects and there are a few seconds before it connects again.
>>>
>>> What is the easiest way to set up firewall rules that prevent leaks of
>>> clear, unencrypted traffic?
>>
>> I'm pretty sure bitmask is supposed to block unencrypted connections
>> automatically when VPN connection drops (fail closed). The old version
>> of bitmask had problems when running in a qubes proxyVM (DNS leaks in
>> particular), but the new version in their debian stretch repo seemingly
>> fixes these problems. I'm not sure if not failing closed is still a
>> problem though.
>>
>> If you're running the most recent version of bitmask in a proxyVM and
>> it's not failing closed, maybe run it in the appVM instead? Others will
>> have to answer the firewall question though because I don't know much about
>> that.
>>
>
>
> The regular release doesn't prevent leaks in Qubes proxyVMs, but the
> next version will.
>
> If you want to use bitmask in a proxyVM you can either download the
> latest pre-release, or you can add a couple (internal) firewall rules to
> the proxyVM in /rw/config/qubes-firewall-user-script:
>
> iptables -I FORWARD -o eth0 -j DROP
> iptables -I FORWARD -i eth0 -j DROP

BTW, these rules will block leaks, but they won't solve the other
problem of configuring DNS correctly in the proxyVM. So you're better
off either trying the pre-release or only using bitmask in an appVM that
doesn't "provide network".
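The two FORWARD rules above block leaks but, as the follow-up notes, leave the ProxyVM's DNS pointing outside the tunnel. The script below is an added example (not code from the thread, from Bitmask/LEAP or from the Qubes project) of a complete fail-closed /rw/config/qubes-firewall-user-script that combines both: the thread's uplink DROP rules plus a rewrite of the Qubes PR-QBS DNAT chain so AppVM name lookups go to a resolver inside the tunnel. It assumes the uplink interface is eth0 and that the in-tunnel resolver is the address in VPN_DNS (the default value is a placeholder, not a real Bitmask address); the guard variable VPN_RULES_APPLY and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread, Bitmask or Qubes: fail-closed rules for a
# Qubes ProxyVM running a VPN client, meant for
# /rw/config/qubes-firewall-user-script, which Qubes runs as root whenever it
# reapplies firewall rules in the ProxyVM.
#
# Assumptions (adjust to your setup): upstream interface eth0, and an
# in-tunnel resolver at VPN_DNS (placeholder address below).
UPLINK_IF="${UPLINK_IF:-eth0}"
VPN_DNS="${VPN_DNS:-10.41.0.1}"

# Emit the rule set one command per line, so it can be reviewed and tested
# without root; apply_vpn_rules feeds the commands to a shell.
vpn_rules() {
    cat <<EOF
# The two rules from the thread: traffic forwarded for the downstream AppVMs
# may neither leave nor enter via the uplink, so when the tunnel interface
# is gone the packets are dropped rather than sent in clear.
iptables -I FORWARD -o $UPLINK_IF -j DROP
iptables -I FORWARD -i $UPLINK_IF -j DROP
# DNS: Qubes' PR-QBS chain (nat table) DNATs AppVM DNS queries to the
# ProxyVM's own configured resolvers, which lie outside the tunnel. Replace
# those targets with the in-tunnel resolver so lookups cannot leak either.
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination $VPN_DNS
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to-destination $VPN_DNS
EOF
}

# Number of iptables commands in the rule set (comment lines excluded).
count_rules() {
    vpn_rules | grep -c '^iptables'
}

# Apply the rule set; sh -e aborts on the first failing iptables command.
apply_vpn_rules() {
    vpn_rules | grep '^iptables' | sh -e
}

# Guard so the file can be sourced or tested without touching the firewall.
# In the installed copy, export VPN_RULES_APPLY=1 above this line (or remove
# the guard) so the rules are applied on every run.
if [ "${VPN_RULES_APPLY:-0}" = 1 ]; then
    apply_vpn_rules
fi
```

After installing it, verify from a downstream AppVM that traffic stops when the tunnel is down (for example, stop the VPN client in the ProxyVM and confirm that both a ping to a public address and a name lookup fail) before relying on it.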

niepo...@gmail.com

Apr 22, 2018, 2:10:49 PM4/22/18
to qubes-users

> Also, if you run bitmask just in individual appVMs (instead of proxyVM,
> which shares the connection with some number of appVMs) then in that
> situation it probably won't need Qubes-specific rules to prevent leaks.
>

Not true: Bitmask in AppVMs, once the VPN is disconnected, allows clear and unencrypted traffic.

Chris Laprise

Apr 22, 2018, 2:34:06 PM4/22/18
to niepo...@gmail.com, qubes-users
In this case you're following the usage and threat model that LEAP
designed bitmask for. IOW, the appVM is like a regular Linux PC and the
user must be mindful of the connection state.

niepo...@gmail.com

Apr 22, 2018, 2:39:59 PM4/22/18
to qubes-users

Is there an option to add a rule in the AppVM firewall that allows connections only to the VPN server IP, so that once the connection drops, traffic will be stopped?

Chris Laprise

Apr 22, 2018, 2:51:15 PM4/22/18
to niepo...@gmail.com, qubes-users
Yes, if you connect the appVM to a proxyVM like sys-firewall, you can
add the allowed addresses to the 'Firewall rules' tab in the appVM's
settings window.