Correct user & permissions on /rw/config VPN Qube related files

ScoreB

Sep 28, 2019, 12:18:09 PM
to qubes...@googlegroups.com
Dear all,

Recently I set up a VPN Qube using a ProxyVM as a VPN gateway using iptables and CLI scripts as described step-by-step here (the official documentation). It worked like a charm (even though the guidelines seem to be aimed at Qubes R3 as still referring to setting up a proxy-vm with old screenshots). But it worked and once the VM started I got a nice pop-up message if it was up, and another one if it went down.

I noticed however that the pass.txt was readable for everyone. So I changed it via 'sudo chmod 600 /rw/config/vpn/pass.txt'. When I relaunched the VPN Qube after the changes it didn't seem to work anymore. There was no pop-up and no connection. So, I changed the permissions back to what they were before, but to no avail. Bad part is I tried to fix it by playing around with the permissions on the other files and now I am lost.

I know I could simply create a new VPN Qube but I am curious to learn:

* What should the owner & permissions be on to be as safe as possible but also allow the VPN Qube to function properly:
- /rw/config/rc.local
- /rw/config/qubes-firewall-user-script
- /rw/config/vpn/pass.txt
- /rw/config/vpn/openvpn-client.ovpn
- /rw/config/vpn/qubes-vpn-handler.sh

Thnx in advance for any insights!

awokd

Sep 29, 2019, 3:00:50 PM
to qubes...@googlegroups.com
'ScoreB' via qubes-users:

> * What should the owner & permissions be on to be as safe as possible but also allow the VPN Qube to function properly:
> - /rw/config/rc.local
> - /rw/config/qubes-firewall-user-script
> - /rw/config/vpn/pass.txt
> - /rw/config/vpn/openvpn-client.ovpn
> - /rw/config/vpn/qubes-vpn-handler.sh

Check out https://github.com/tasket/Qubes-vpn-support for a newer guide.
Also, check out his hardening section while you are there - it is good
stuff. Can't really speak to your specific question above, though.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots