VPN before Tor setup using Whonix help


alex...@gmail.com

May 13, 2019, 9:36:00 AM
to qubes-users
Hello, I am trying to achieve this: User -> VPN -> Tor -> Internet

This is my setup in qubes:

fedora-29-vpn (TemplateVM; has openvpn installed)

VPN-appvm (has openvpn running in it; it is using the fedora-29-vpn template) ------> vpn-sys-whonix (ProxyVM based on the whonix-gw-14 template; its NETVM is VPN-appvm) ------> Internet AppVM (based on the whonix-ws-14 template; its NETVM is set to vpn-sys-whonix).

I have been following this guide https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts when I was setting up VPN-appvm which I followed to a tee and completed without too much trouble.

The issue is, I have DNS leaks when doing some online DNS checks with VPN-appvm. Any idea why, or how to possibly fix this?

Chris Laprise

May 13, 2019, 12:03:18 PM
to alex...@gmail.com, qubes-users
On 5/13/19 9:36 AM, alex...@gmail.com wrote:
> Hello, I am trying to achieve this: User -> VPN -> Tor -> Internet
>
> This is my setup in qubes:
>
> fedora-29-vpn (templatevm- has openvpn installed)
>
> VPN-appvm (has openvpn running in it. It is using fedora-29-vpn template)------> vpn-sys-whonix(ProxyVM based on whonix-gw-14 template and its NETVM is VPN-appVM------>Internet AppVM(based on template whonix-ws-14. Its NETVM is set as vpn-sys-whonix).

You might double-check this diagram. It doesn't look right. I would
expect something more like: Anon1(whonix-ws)-->VPN(fedora or
debian)-->sys-whonix(whonix-gw)-->sys-net.

It also matters precisely where you are checking for DNS packets.

>
> I have been following this guide https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts when I was setting up VPN-appvm which I followed to a tee and completed without too much trouble.
>
> The Issue is, I have DNS leaks by doing some online DNS checks with VPN-appvm. Any Idea why/how to possibly fix this.

A vpn vm may still send out DNS packets in the clear to look up its own
servers. Beyond that, you shouldn't see any.

You can try a more thorough vpn setup here:

https://github.com/tasket/Qubes-vpn-support

This will check that the anti-leak firewall rules are in place before
starting the vpn client, and generally keep the link running more smoothly.

However, I should note there is at least one issue open there for Fedora
29 weirdness. In general, I recommend using Debian (which is what Whonix
is based on) as it has been better behaved than Fedora overall. It's also
the case that Fedora is intended to be a testbed, NON-production OS and
Qubes has plans to migrate away from it.

You should also read the vpn-related sections of the Whonix docs; there
are tradeoffs to using a vpn with Whonix.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
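One way to do the pre-start check Chris describes, as an added example that is not part of this thread or of the Qubes-vpn-support project: a POSIX shell function that parses `iptables -S` output and fails unless the anti-leak rules from the linked Qubes VPN guide are present (uplink forwarding dropped both ways, OUTPUT policy DROP with loopback allowed, and only the VPN client's group allowed out on the uplink). The rule shapes, the `qvpn` group and the interface name `eth0` are assumptions taken from that guide; adapt them to your own firewall script.

```shell
#!/bin/sh
# Pre-start check for the VPN ProxyVM (added example; rule shapes follow the
# linked Qubes VPN guide and are assumptions, adapt them to your own script).
# Reads `iptables -S` output on stdin; $1 is the uplink interface (eth0).
antileak_rules_present() {
    iface="$1"
    rules=$(cat)
    missing=""
    # 1. Forwarding through the uplink is dropped both ways, so client VMs
    #    behind this ProxyVM cannot reach eth0 if the tunnel goes down.
    echo "$rules" | grep -q -- "-A FORWARD -o $iface -j DROP" || missing="$missing forward-out"
    echo "$rules" | grep -q -- "-A FORWARD -i $iface -j DROP" || missing="$missing forward-in"
    # 2. The VM's own traffic fails closed: OUTPUT policy DROP, loopback allowed.
    echo "$rules" | grep -q -- "-P OUTPUT DROP" || missing="$missing output-policy"
    echo "$rules" | grep -q -- "-A OUTPUT -o lo -j ACCEPT" || missing="$missing loopback"
    # 3. Only the VPN client's group (qvpn in the guide; -S prints the numeric
    #    gid) may send directly to the uplink. Everything else, including any
    #    DNS lookup made outside that group, is blocked.
    echo "$rules" | grep -qE -- "-A OUTPUT -o $iface -m owner --gid-owner [^ ]+ -j ACCEPT" \
        || missing="$missing qvpn-owner"
    if [ -n "$missing" ]; then
        echo "anti-leak rules missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what a correctly prepared ProxyVM reports.
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A OUTPUT -o eth0 -m owner --gid-owner 995 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed sample: the firewall script never ran, so OUTPUT is still
# ACCEPT and nothing stops the VM (or its DNS lookups) leaving via eth0.
LEAKY_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -i eth0 -j DROP'

# Live use, as root in the ProxyVM, before launching the client:
#   iptables -S | antileak_rules_present eth0 && openvpn --config <your.ovpn>
```

The function reports which rule class is absent on stderr, so a failed check points at the part of the firewall script that did not take effect.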

alex...@gmail.com

May 13, 2019, 12:48:39 PM
to qubes-users
On Monday, May 13, 2019 at 12:03:18 PM UTC-4, Chris Laprise wrote:
> On 5/13/19 9:36 AM, alex...@gmail.com wrote:
> > Hello, I am trying to achieve this: User -> VPN -> Tor -> Internet
> >
> > This is my setup in qubes:
> >
> > fedora-29-vpn (templatevm- has openvpn installed)
> >
> > VPN-appvm (has openvpn running in it. It is using fedora-29-vpn template)------> vpn-sys-whonix(ProxyVM based on whonix-gw-14 template and its NETVM is VPN-appVM------>Internet AppVM(based on template whonix-ws-14. Its NETVM is set as vpn-sys-whonix).
>
> You might double-check this diagram. It doesn't look right. I would
> expect something more like: Anon1(whonix-ws)-->VPN(fedora or
> debian)-->sys-whonix(whonix-gw)-->sys-net.

Wouldn't this way be User -> Tor -> VPN -> Internet? Sorry if my explanation of the setup was a bit confusing. Maybe this is better explained:

whonix-ws (Internet) --> Whonix-gw ----> sys-vm (VPN) ------> sys-firewall

Internet (whonix-ws template, NETVM=vpn-sys-whonix) ----> vpn-sys-whonix (whonix-gw template, NETVM=sys-vm) -----> sys-vm (fedora-29-vpn template, NETVM=sys-firewall)


>
> It also matters precisely where you are checking for DNS packets.
>
> >
> > I have been following this guide https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts when I was setting up VPN-appvm which I followed to a tee and completed without too much trouble.
> >
> > The Issue is, I have DNS leaks by doing some online DNS checks with VPN-appvm. Any Idea why/how to possibly fix this.
>
> A vpn vm may still send out DNS packets in the clear to look up its own
> servers. Beyond that, you shouldn't see any.
>
> You can try a more thorough vpn setup here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> This will check that the anti-leak firewall rules are in place before
> starting the vpn client, and generally keep the link running more smoothly.

I can try this method and see the difference.


>
> However, I should note there is at least one issue open there for Fedora
> 29 weirdness. In general, I recommend using Debian (which is what Whonix
> is based on) as it has been better behaved than Fedora overall. Its also
> the case that Fedora is intended to be a testbed, NON-production OS and
> Qubes has plans to migrate away from it.

Yes, I can switch over to Debian and see if that fixes the problem as well.

q...@disroot.org

May 13, 2019, 6:12:54 PM
to qubes...@googlegroups.com
My setup looks like this: tor-dispVM -> sys-whonix -> openvpn ->
sys-firewall -> sys-net

tor-dispVM uses sys-whonix as netVM and so on...

If I start Arm in sys-whonix it says that it connects to the first hop
(guard) from my VPN IP. This looks good to me.

awokd

May 13, 2019, 6:52:17 PM
to qubes...@googlegroups.com
Chris Laprise:

> Its also
> the case that Fedora is intended to be a testbed, NON-production OS and
> Qubes has plans to migrate away from it.

Interesting; more details on this somewhere, or was it IRC chatter?

Chris Laprise

May 15, 2019, 6:13:40 AM
to awokd, qubes...@googlegroups.com

awokd

May 15, 2019, 7:55:43 AM
to qubes...@googlegroups.com
Chris Laprise:
> On 5/13/19 6:52 PM, 'awokd' via qubes-users wrote:
>> Chris Laprise:
>>
>>> Its also the case that Fedora is intended to be a testbed,
>>> NON-production OS and Qubes has plans to migrate away from it.
>>
>> Interesting; more details on this somewhere, or was it IRC chatter?
>>
>
> There's an issue for it:
>
> https://github.com/QubesOS/qubes-issues/issues/1919

Thanks, hadn't seen the Apr. 2019 updates. If I understand it right,
looks like something that could be easier to do with 4.1 and sys-gui, or
would the same Debian packages still need to be developed?