VPN before Tor setup using Whonix help
alex...@gmail.com
This is my setup in qubes:
fedora-29-vpn (templatevm- has openvpn installed)
VPN-appvm (has openvpn running in it. It is using fedora-29-vpn template)------> vpn-sys-whonix(ProxyVM based on whonix-gw-14 template and its NETVM is VPN-appVM------>Internet AppVM(based on template whonix-ws-14. Its NETVM is set as vpn-sys-whonix).
I have been following this guide https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts when I was setting up VPN-appvm which I followed to a tee and completed without too much trouble.
The Issue is, I have DNS leaks by doing some online DNS checks with VPN-appvm. Any Idea why/how to possibly fix this.
Chris Laprise
> Hello, I am trying to achieve this: User -> VPN -> Tor -> Internet
>
> This is my setup in qubes:
>
> fedora-29-vpn (templatevm- has openvpn installed)
>
> VPN-appvm (has openvpn running in it. It is using fedora-29-vpn template)------> vpn-sys-whonix(ProxyVM based on whonix-gw-14 template and its NETVM is VPN-appVM------>Internet AppVM(based on template whonix-ws-14. Its NETVM is set as vpn-sys-whonix).
expect something more like: Anon1(whonix-ws)-->VPN(fedora or
debian)-->sys-whonix(whonix-gw)-->sys-net.
It also matters precisely where you are checking for DNS packets.
>
> I have been following this guide https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts when I was setting up VPN-appvm which I followed to a tee and completed without too much trouble.
>
> The Issue is, I have DNS leaks by doing some online DNS checks with VPN-appvm. Any Idea why/how to possibly fix this.
servers. Beyond that, you shouldn't see any.
You can try a more thorough vpn setup here:
https://github.com/tasket/Qubes-vpn-support
This will check that the anti-leak firewall rules are in place before
starting the vpn client, and generally keep the link running more smoothly.
However, I should note there is at least one issue open there for Fedora
29 weirdness. In general, I recommend using Debian (which is what Whonix
is based on) as it has been better behaved than Fedora overall. Its also
the case that Fedora is intended to be a testbed, NON-production OS and
Qubes has plans to migrate away from it.
You should also read the vpn-related sections of the Whonix docs; There
are tradeoffs to using a vpn with Whonix.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
alex...@gmail.com
> On 5/13/19 9:36 AM, alex...@gmail.com wrote:
> > Hello, I am trying to achieve this: User -> VPN -> Tor -> Internet
> >
> > This is my setup in qubes:
> >
> > fedora-29-vpn (templatevm- has openvpn installed)
> >
> > VPN-appvm (has openvpn running in it. It is using fedora-29-vpn template)------> vpn-sys-whonix(ProxyVM based on whonix-gw-14 template and its NETVM is VPN-appVM------>Internet AppVM(based on template whonix-ws-14. Its NETVM is set as vpn-sys-whonix).
>
> You might double-check this diagram. It doesn't look right. I would
> expect something more like: Anon1(whonix-ws)-->VPN(fedora or
> debian)-->sys-whonix(whonix-gw)-->sys-net.
wouldnt this way be User -> TOR -> VPN -> Internet? Sorry if it was a bit confusing my explanation of the setup. maybe this is better explained.
whonix-ws -->Whonix-gw---->sys-vm------>sys-firewall
Internet VPN
Internet(NETVM=vpn-sys-whonix)---->vpn-sys-whonix(NETVM=sys-vm)----->sys-vm (NETVM=sys-firewall)
(whonix-ws template) (whonix-gw template) (fedora-29-vpn template)
>
> It also matters precisely where you are checking for DNS packets.
>
> >
> > I have been following this guide https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts when I was setting up VPN-appvm which I followed to a tee and completed without too much trouble.
> >
> > The Issue is, I have DNS leaks by doing some online DNS checks with VPN-appvm. Any Idea why/how to possibly fix this.
>
> A vpn vm may still send out DNS packets in the clear to look up its own
> servers. Beyond that, you shouldn't see any.
>
> You can try a more thorough vpn setup here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> This will check that the anti-leak firewall rules are in place before
> starting the vpn client, and generally keep the link running more smoothly.
I can try this method see the difference.
>
> However, I should note there is at least one issue open there for Fedora
> 29 weirdness. In general, I recommend using Debian (which is what Whonix
> is based on) as it has been better behaved than Fedora overall. Its also
> the case that Fedora is intended to be a testbed, NON-production OS and
> Qubes has plans to migrate away from it.
Yes I can switch over to debian and see if that fixes the problem aswell.
q...@disroot.org
sys-firewall -> sys-net
tor-dispVM uses sys-whonix as netVM and so on...
If I start Arm in sys-whonix it says that it connects to the first hop
(guard) from my VPN IP. This looks good to me.
awokd
> Its also
> the case that Fedora is intended to be a testbed, NON-production OS and
> Qubes has plans to migrate away from it.
Chris Laprise
awokd
>> Chris Laprise:
>>
>>> Its also the case that Fedora is intended to be a testbed,
>>> NON-production OS and Qubes has plans to migrate away from it.
>>
>> Interesting; more details on this somewhere, or was it IRC chatter?
>>
>
> There's an issue for it:
>
> https://github.com/QubesOS/qubes-issues/issues/1919
looks like something that could be easier to do with 4.1 and sys-gui, or
would the same Debian packages still need to be developed?