On 11/3/19 4:16 PM, seshu wrote:
> Chris a question. I just installed mullvad on my template debian-10. Set
> it up in there following the mullvad instructions. This is the template
> for my sys-vpn. When I start up sys-vpn, the connect to the mullvad
> server I wanted is operational and things seem to be working fine. When
> I test using the https://am.i.mullvad.net link, it says I have a DNS leak
FWIW, if using the proprietary mullvad app, a standalone VM is probably
a better target for installation. A template is probably not a good
place to install it.
>
> So a few questions.
> 1. in looking at the instructions for qubes-vpn-support, you have it set
> for use of openvpn or for the vpn software provider. So, if I use the
> mullvad app but follow the instructions for qubes-vpn-support, I'm not
> sure how to get it to use the config files that mullvad provides? So,
> mullvad app shouldn't be used with the qubes-vpn-support, rather use
> only openvpn and get the mullvad config files and setup as the
> instructions specify?
Right, you shouldn't mix qubes-vpn-support with a proprietary VPN app.
To use qubes-vpn-support with the Mullvad service, you need to use
Mullvad's config downloader page. The Readme has a section with VPN
provider links and one points to the Mullvad config dl page:
https://github.com/tasket/Qubes-vpn-support#locating-and-downloading-vpn-config-files
>
> 2. Mullvad provides instructions for installing their product on Qubes
> OS 4 <https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/> This is
> just using openvpn though, but the instructions are different than you
> have for open-vpn-support, so I'm wondering what the difference is?
Their approach is rather basic and requires the user to manually find
and hardcode IP addresses into their config. It is often easier for the
author to give users a long list of more complicated steps than to code
an automated solution. A better question might be why didn't Mullvad
integrate Qubes support into their own automated solution (their Linux app)?
In case this sounds a bit critical of Mullvad, I'm sure they have good
reasons. It's often easier to contribute money to support a project like
Qubes (as they have) than to code something specifically for an unusual
OS with a small user base.
>
> 3. Which leaves me more confused, as there are 3 options now to install
> mullvad on Qubes 4. Use the mullvad app but I seem to have a dns leak?
> Use mullvad's instructions for installing on Qubes 4 which uses openvpn
> but instructions seem different than qubes-vpn-support? or go with
> qubes-vpn-support but get the mullvad config files?
>
> I'm not sure what would be the advantage or disadvantage? And is there
> any other way to test if I have a dns leak?
A secured VPN config has many moving parts, and (unlike Tor) the parts
tend to be regular OS features. Different people have different ways of
pulling those parts into a whole solution that suits a specific kind of
user and their use cases. Even just with Linux, users also have several
options (an app, Network Manager, and direct openvpn setup for example).
After I wrote the scripted portion of the Qubes-hosted vpn doc, where a
constraint was to have it all DIY and 'educational', it was obvious many
people were intimidated by that. So I made qubes-vpn-support to reduce
the fuss to a reasonable minimum: The configuration? Let the VPN
provider supply it. Preventing leaks? Automated. Addresses? Automated.
Setup? Create the VM, run 'install' and copy a file. For each issue in a
VPN config, I chose what is simplest for the user without locking them
into a specific VPN provider.
Obviously, I recommend qubes-vpn-support over the other options. And
looking at the Mullvad Qubes doc, I think qubes-vpn-support is safer to
use bc any change in IP addresses won't break the config and the
anti-leak features are more robust.