Install VPN in anon-whonix


asdf...@sigaint.org

Jun 8, 2016, 4:15:37 PM
to qubes...@googlegroups.com
Hello
I read the guide on the Whonix site about how to set up a VPN in the workstation, but
it is old and my VPN is a little different: it has a GUI interface but
also a setup for OpenVPN (to work I have to use the GUI). Do I set it up like a
normal VPN in Debian (network connection, import configuration,
certificate etc...) and change the firewall?

Thank you

Andrew David Wong

Jun 8, 2016, 6:16:35 PM
to asdf...@sigaint.org, qubes...@googlegroups.com
Take a look at our VPN documentation if you haven't already. It was
recently updated:

https://www.qubes-os.org/doc/vpn/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Chris Laprise

Jun 8, 2016, 10:58:37 PM
to asdf...@sigaint.org, qubes...@googlegroups.com
Mixing a VPN in the same VM as other tunnels or proxies is a more
complex affair. Qubes proxy VMs allow us to do this kind of thing more
cleanly.

So I recommend using a Debian proxy VM. The doc Andrew linked to
contains a firewall script I created with Whonix (and other apps) in
mind. It's designed to fail closed (block traffic) if openvpn stops
working, and to stop all leaks. The only thing in or out is tunneled
traffic and related ICMP. It's designed for simple VPNs that tunnel all
traffic upstream (i.e. no special subnet selections), so it'll work with
most services.

There is a fancier version that creates a systemd service and has a more
explicit firewall setup, though it's about the same protection:
https://github.com/ttasket/Qubes-vpn-support

What's more, you don't have to alter any template beyond installing
openvpn to get this working.

OTOH, if you're looking for a solution for Network Manager, the doc
shows you how, but it's without a firewall. I am looking into a way to
make the firewall script work with NM.

Chris

Chris Laprise

Jun 9, 2016, 2:50:38 PM
to asdf...@sigaint.org, qubes-users
> Hello
> I have a problem when run this command
> sudo chown -R root:root openvpn (no directory)

The contents of the openvpn/ dir need to be transferred to /rw/config/
including the openvpn/ dir itself.

Chris

Chris Laprise

Jun 9, 2016, 2:53:44 PM
to asdf...@sigaint.org, qubes-users

On 06/09/2016 08:23 AM, asdf...@sigaint.org wrote:
> Hello
> I use network-manager to connect to a vpn, in the case that a vpn
> disconnect does internet connection stop?
>
> Thank you

If you don't create a /rw/config/qubes-firewall-user-script to handle
that condition, the connection will continue.

Chris
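As an added example that is not part of this thread, the qubes-os.org VPN doc, or Chris's script: a fail-closed user script of the kind the two posts above describe (the ProxyVM firewall that lets nothing but tunneled traffic and related ICMP in or out, and the /rw/config/qubes-firewall-user-script that has to exist for the connection to stop when the VPN drops). Interface names (eth0, tun0, vif+), the config path under /rw/config/openvpn/, and the QFW_DRY_RUN variable are assumptions for illustration.

```shell
#!/bin/sh
# Fail-closed firewall for a Qubes VPN ProxyVM. Added example, not the script from
# https://www.qubes-os.org/doc/vpn/ and not Chris Laprise's. Meant for
# /rw/config/qubes-firewall-user-script, which qubes-firewall runs after its own rules.
#
# Assumptions (hypothetical; adjust to your VM): the uplink NIC is eth0, OpenVPN brings
# up tun0, downstream AppVM interfaces match vif+, and the client config is
# /rw/config/openvpn/openvpn-client.ovpn whose "remote <ip> <port> [proto]" lines use
# IP addresses (a hostname could not be resolved once OUTPUT is locked down).

OVPN_CFG="${OVPN_CFG:-/rw/config/openvpn/openvpn-client.ovpn}"
VPN_DEV="${VPN_DEV:-tun0}"
UPLINK="${UPLINK:-eth0}"

# ipt: run iptables, or only print the command when QFW_DRY_RUN=1 (review/testing).
ipt() {
    if [ "${QFW_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ovpn_remotes: print one "ip port proto" line per "remote" directive in an .ovpn
# file; port defaults to 1194 and proto to udp, as OpenVPN itself does.
ovpn_remotes() {
    awk '$1 == "remote" {
            port  = ($3 != "") ? $3 : 1194
            proto = ($4 ~ /^tcp/) ? "tcp" : "udp"
            printf "%s %s %s\n", $2, port, proto
         }' "$1"
}

# vpn_firewall_rules: default-deny, then allow only
#   1. the OpenVPN handshake from this VM to the configured servers over the uplink,
#   2. anything from this VM through the tunnel device,
#   3. AppVM traffic forwarded into the tunnel and the replies coming back,
#   4. ICMP related to existing flows (PMTU, unreachable).
# Nothing else matches the uplink, so if openvpn dies and tun0 vanishes every
# AppVM packet hits DROP instead of the clearnet: the VM fails closed.
vpn_firewall_rules() {
    cfg="$1"

    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -o "$VPN_DEV" -j ACCEPT
    ipt -A OUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
    ovpn_remotes "$cfg" | while read -r ip port proto; do
        ipt -A OUTPUT -o "$UPLINK" -p "$proto" -d "$ip" --dport "$port" -j ACCEPT
    done
    ipt -A OUTPUT -o "$UPLINK" -j DROP

    # qubes-firewall keeps the per-AppVM rules in FORWARD; insert ours at the top
    # instead of flushing the chain (-I puts each rule first, so the last one
    # inserted is evaluated first).
    ipt -P FORWARD DROP
    ipt -I FORWARD -o "$UPLINK" -j DROP
    ipt -I FORWARD -i "$UPLINK" -j DROP
    ipt -I FORWARD -i vif+ -o "$VPN_DEV" -j ACCEPT
    ipt -I FORWARD -i "$VPN_DEV" -o vif+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Caveat: Qubes DNATs AppVM DNS queries to the upstream resolver, which these rules
# block rather than leak; repoint that DNAT at the VPN's resolver from an openvpn
# "up" script (not shown here) or name resolution in the AppVMs will fail.

# Apply for real only when run by qubes-firewall with a readable config.
if [ "${QFW_DRY_RUN:-0}" != "1" ] && [ -r "$OVPN_CFG" ]; then
    vpn_firewall_rules "$OVPN_CFG"
fi
```

Review the rule set before trusting it with `QFW_DRY_RUN=1 sh qubes-firewall-user-script`, then verify the fail-closed behaviour from an AppVM behind the ProxyVM: stop openvpn in the ProxyVM and confirm the AppVM loses connectivity entirely rather than falling back to the clearnet.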

Patrick Schleizer

Jun 9, 2016, 4:54:11 PM
to qubes...@googlegroups.com
Andrew David Wong:
> On 2016-06-08 13:15, asdf...@sigaint.org wrote:
>> Hello I read the guide on whonix site about how setup a VPN in
>> workstation but it is old and my VPN is a little different, it has
>> a GUI interface but also a setup for Open VPN (to work i have to
>> use GUI). Do I setup like a normal VPN in debian (network
>> connection, import configuration, certificate etc...) and change
>> firewall?
>
>> Thank you
>
>
> Take a look at our VPN documentation if you haven't already. It was
> recently updated:
>
> https://www.qubes-os.org/doc/vpn/
>
>

VPN in Whonix-Gateway results in:
- a) Connecting to a VPN before Tor
- a) User -> proxy/VPN/SSH -> Tor -> Internet

VPN in Whonix-Workstation results in:
- b) Connecting to Tor before a VPN
- b) User -> Tor -> proxy/VPN/SSH -> Internet

These use cases are very different.

See also:
https://www.whonix.org/wiki/Tunnels/Introduction

https://www.qubes-os.org/doc/vpn/ is closer to:
- a) Connecting to a VPN before Tor
- a) User -> proxy/VPN/SSH -> Tor -> Internet

It would be interesting to wedge a Qubes VPN ProxyVM between
Whonix-Workstation and Whonix-Gateway, i.e. anon-whonix -> sys-vpn ->
sys-whonix, which would then result in b).

You might still need bits from chapter "Prevent Bypassing the Tunnel-Link"

https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN#Prevent_Bypassing_the_Tunnel-Link

Although it would not be for purposes of "Prevent Bypassing the
Tunnel-Link", but for connectivity. The following from that chapter
would still be required:

- deactivate uwt wrappers
- Tor Browser Remove Proxy Settings
- Deactivate Misc Proxy Settings

So new documentation would be required for this. A lot of stuff could be
re-used, since all of the three above are wiki templates.

Anyone interested in this? Up to try this, document this, etc.?

Cheers,
Patrick

Andrew David Wong

Jun 11, 2016, 5:40:31 PM
to Patrick Schleizer, qubes...@googlegroups.com

On 2016-06-09 13:54, Patrick Schleizer wrote:
>
> [...]
>
> So new documentation would be required for this. A lot stuff could
> be re-used since all of the three above are wiki templates.
>
> Anyone interested in this? Up to try this, document this, etc.?
>
> Cheers, Patrick
>

Tracking and labeling as "help wanted," in case anyone is ever
interested:

https://github.com/QubesOS/qubes-issues/issues/2060

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Patrick Schleizer

Jun 15, 2016, 2:17:00 PM
to Andrew David Wong, qubes...@googlegroups.com
Andrew David Wong:
> On 2016-06-09 13:54, Patrick Schleizer wrote:
>
>> [...]
>
>> So new documentation would be required for this. A lot stuff could
>> be re-used since all of the three above are wiki templates.
>
>> Anyone interested in this? Up to try this, document this, etc.?
>
>> Cheers, Patrick
>
>
> Tracking and labeling as "help wanted," in case anyone is ever
> interested:
>
> https://github.com/QubesOS/qubes-issues/issues/2060
>
>
>

This is now documented here:
https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN#Separate_VPN-Gateway

Recommended order of reading:

* 1) https://www.whonix.org/wiki/Tunnels/Introduction
* 2) https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN
* 3) https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN#Separate_VPN-Gateway

Cheers,
Patrick