==================
Here's what works:
==================
I've got AirVPN GUI set up and working on Fedora-23-minimal
My AppVM can proxy through VPN ProxyVM
whatismyip.com shows the VPN IP
=====================
Here's what's broken:
=====================
When I leak test the browser on the AppVM, my real IP leaks.
The AirVPN GUI has a nice network lock feature that works well on the ProxyVM and stops leaks.
However, the network lock feature blocks the AppVM too, cutting off its internet.
In the AirVPN GUI, there are advanced settings that are supposed to allow local VPN traffic, and you can even specify specific IPs. Unfortunately this isn't working.
=====================
I'm hoping someone with a higher understanding of iptables and networking can help me find a solution.
Here is a link to the AirVPN GUI client: https://airvpn.org/linux/
If you email them they will likely give you a 3-day trial account to test, but you probably don't even need an account to see what the network lock is doing to tables, and why the exception isn't working.
I have been trying to solve this on the AirVPN forum, but no fix yet. Here is the thread: https://airvpn.org/topic/20157-problem-with-network-lock-on-qube-os/
Thanks for your time :)
PS: I've tried using the fedora-23 standard template too, same problem.
But this is currently beyond my skill set, so would need some hand holding to learn what to do.
I have looked at the section here on the Qubes site on how to stop leaks using scripts, but it's kinda confusing, and looks like it's for a CLI approach, when I would prefer to have my AirVPN GUI for convenience.
Unfortunately at this stage no one seems to know a solution. I will try out the Qubes VPN guide, as I really need to use my VPN. But I will miss the AirVPN GUI features.
I hope in time I'll find a way to secure from leaks while still using the GUI.
Please post steps if anyone finds a way.
"What test do you use?"
I just googled "VPN leak test", ran a few on the first page.
I also leak DNS when running OpenVPN in the VPN-Proxy-VM.
Haven't yet applied Qubes scripts to stop leaks.
No more DNS leaks.
This means I can at least use my VPN until I find a way to make things work with the AirVPN GUI.
I'm interested in building a script to work around AirVPN GUI, as opposed to OpenVPN. I would really have to research and understand exactly what each line of the current script is doing to manipulate it to work with AirVPN.
This is currently out of my ability. I would welcome collaboration on this task. If I do eventually get something working, I will be sure to post it back here.
Just for anyone's future reference, https://ipleak.net/ was a nice tool for leak tests. Others worked as well tho.
Primary reason: the AirVPN GUI makes it very fast to change between the 172 servers AirVPN has: https://airvpn.org/status/
GUI shows the stats for each server load, latency. Handy when picking which one to connect to.
Also handy to see current upload/download speeds. Shows current IP address.
I have successfully applied the setup and scripting in https://www.qubes-os.org/doc/vpn
No more DNS leaks.
Quite some time ago I created a number of proxyVMs using the template supplied by (I think) Chris Laprise. The setup detailed in the Qubes docs, referred to above, is considerably more complex than the setup I'm running.
Can anyone explain the advantages of the "new" proxyVM setup (i.e. the one described in the Qubes docs) compared to Chris's original template, and do people think it would be worth my while to update the dozen+ proxyVMs I currently have to the new format?
By 'template' you mean the setup at my github repo? If you look closely, they are 90% the same except the doc version uses rc.local to start the client and the one on github creates a systemd service for it. What makes it look simpler is the github readme says 'download the file, unzip in /rw/config and adjust the ovpn settings' and doesn't show script code.
Chris
No, it didn't come from github. After a brief search, I found the thread that was the source I used: https://groups.google.com/forum/#!msg/qubes-users/-9gR1Va3BnY/nQG6j-YOtZ4J;context-place=topic/qubes-users/T0wbCuIgISg which dates from March 2015. The author was cprise, so I was wrong to attribute it to Chris Laprise, though the names do seem suspiciously similar. ;)
I guess the question still stands: is the latest version materially superior to the March 2015 version? (And enough to want to re-create over a dozen proxyVMs?)
On 11/12/2016 05:47 PM, hed...@tutanota.com wrote:
> I guess the question still stands: is the latest version materially superior to the March 2015 version? (And enough to want to re-create over a dozen proxyVMs?)
Yes, the VPN doc method is better in the sense that it separates packets generated from the VPN VM from the packets going to/from appVMs. So accidental net access generated while using the VPN CLI, for example, will be blocked and stay out of the VPN tunnel. It's not critical, but Whonix people wanted it as a precaution.
Chris
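A way to check a ProxyVM's firewall for the leak paths discussed in this thread, added here as an example (not code from the thread, the Qubes docs or AirVPN): it reads `iptables-save` output and reports rules that would let forwarded AppVM traffic, or traffic generated inside the VPN VM itself, leave through the uplink. The interface names `eth0` and `vif+`, the two sample rule sets and gid 993 are assumptions constructed for the example.

```python
import shlex
UPLINK = "eth0"  # assumption: the ProxyVM's upstream (non-VPN) interface
# Constructed iptables-save excerpts (not from the thread); 993 is a made-up gid.
LEAKY = """*filter
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i vif+ -j ACCEPT
COMMIT"""
LOCKED = """*filter
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -o eth0 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --gid-owner 993 -j ACCEPT
COMMIT"""

def parse(dump):
    policy, rules, table = {}, {}, None   # filter-table policies and rules
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            policy[line[1:].split()[0]] = line.split()[1]
        elif table == "filter" and line.startswith("-A "):
            tok = shlex.split(line)
            rules.setdefault(tok[1], []).append(tok[2:])
    return policy, rules

def opt(rule, flag):  # value after a flag; "!" negation is ignored (errs toward flagging)
    return rule[rule.index(flag) + 1] if flag in rule else None

def audit(dump):
    """List ways traffic could leave via UPLINK outside the VPN client."""
    policy, rules = parse(dump)
    findings = []
    for r in rules.get("FORWARD", []):      # rules are evaluated in order
        if r == ["-o", UPLINK, "-j", "DROP"]:
            break                           # forwarded uplink egress stops here
        if opt(r, "-j") == "ACCEPT" and opt(r, "-o") in (None, UPLINK):
            findings.append("FORWARD may pass AppVM traffic: " + " ".join(r))
    else:
        if policy.get("FORWARD") == "ACCEPT":
            findings.append("FORWARD policy is ACCEPT")
    if policy.get("OUTPUT") != "DROP":
        findings.append("OUTPUT policy is not DROP")
    for r in rules.get("OUTPUT", []):
        owned = "--gid-owner" in r          # the VPN client's group exception
        if opt(r, "-j") == "ACCEPT" and opt(r, "-o") in (None, UPLINK) and not owned:
            findings.append("OUTPUT accept not tied to a group: " + " ".join(r))
    return findings
```

On a live ProxyVM, pass it the text printed by `sudo iptables-save`; an empty list means neither path was found.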
Thanks for that. "Not critical" sounds like a good reason to stay with what I have for now, though I'll ensure that any new VPN proxyVMs I create use the new code. I might even lazily migrate them over one by one if I feel motivated enough to do so.
And just to clarify, your github repo code is at https://github.com/tasket/Qubes-vpn-support . Correct?