What's the best way to run a VPN app on Qubes?


Totally Zoid

Oct 29, 2020, 8:31:40 AM
to qubes...@googlegroups.com
Hello,

ATM I'm using standard Fedora qubes with NetworkManager enabled and OpenVPN in order to connect to a VPN. I'd like to switch to the VPN's own full-fledged program to use features such as easy switching between exit servers and killswitch. I've previously used exclusively OpenVPN, but on Qubes, stuck in its own qube, I guess there isn't really anything the VPN's program can spy (other than traffic obv), and I reasonably trust this particular service.

The app comes as .deb/.rpm or, mercifully, source code. I've tried installing the .rpm but naturally I'd have to either do it on each restart, do it in the main Fedora template (which could compromise it), or do it in its own TemplateVM which would take up another 5 GB. Bind-dirs looks like an option but I'm not sure which files the .rpm install changes, and it looks like an update could easily break it.

Is there anything I'm missing? Looks like I'll have to either waste another 5GB space on a new template for a single program (and run updates for that template regularly), or have to compile it from source, possibly every time there's an update for the VPN program (not looking forward to that hehe). I'm thinking there has to be a better way...

Sent with ProtonMail Secure Email.

Chris Laprise

Oct 29, 2020, 9:14:18 AM
to qubes...@googlegroups.com
The things you may be missing here:

1. It's more secure to have a 'sys-vpn' VM dedicated to the VPN client.

2. Service provider apps generally don't work or don't secure a
dedicated VM properly. They assume a PC network architecture while a
Qubes proxy VM is more like a router.


From a security standpoint the best way is probably Qubes-vpn-support
(see my github link below). But it doesn't have easy GUI switching
between servers; you would have to 'cp' the config for the new server
then 'systemctl restart' the service to switch.

It's possible to set up Network Manager in a dedicated VPN VM including
added anti-leak firewall rules. See the Qubes vpn doc for details.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886