Partially off-topic: best OpenVPN-Set-up with Qubes 3.2, AirVPN and Turris Omnia router?

rob_66

May 27, 2017, 6:09:57 PM
to qubes...@googlegroups.com

Hello all.

What do you think would produce the best balance between security and
speed?

1. Running AirVPN's client 'Eddie' in sys-netVM.

2. Putting AirVPN's OpenVPN config into Turris Omnia 2 GB router.

3. Setting up a VPN gateway in Qubes as described in Qubes' docs.

Hardware: Asus »Zenbook«, Intel i5-5200U, 2.20 GHz, 12 GB RAM.

Any hint is very much appreciated.

Best regards,
rob

Chris Laprise

May 27, 2017, 7:50:07 PM
to rob_66, qubes...@googlegroups.com
On 05/27/2017 06:09 PM, rob_66 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hello all.
>
> What do you think would produce the best balance between security and
> speed?
>
> 1. Running AirVPN's client 'Eddie' in sys-netVM.
>
> 2. Putting AirVPN's OpenVPN config into Turris Omnia 2 GB router.
>
> 3. Setting up a VPN gateway in Qubes as described in Qubes' docs.
>
> Hardware: Asus »Zenbook«, Intel i5-5200U, 2.20 GHz, 12 GB RAM.
>
> Any hint is very much appreciated.
>
> Best regards,
> rob

Best overall approach is to download your service's openvpn config files
and continue with the doc instructions or the slightly fancier setup here:

https://github.com/tasket/Qubes-vpn-support

The one at the link (my own project) configures the link as a systemd
service... gives you more control. The anti-leak measures are the same.

I haven't looked at 'Eddie' but usually these proprietary tools assume
you are configuring a traditional PC. OTOH, Qubes proxyVMs are akin to
_routers_ so protection features in Eddie et al might not work. (Anyway
it would go in a proxyVM, not sys-net.) There was some discussion here I
think about Mullvad and that service's special tool, and ultimately it
was better to download the config files and use the Qubes-specific
instructions.

As for Turris Omnia router setup, it depends on how much you trust the
security of that router -- generally, openvpn is safer in Qubes than in
router hardware (even the 'impressive' ones).

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

rob_66

May 28, 2017, 7:49:43 AM
to qubes...@googlegroups.com

rob_66:
>> What do you think would produce the best balance between security
>> and speed?
>>
>> 1. Running AirVPN's client 'Eddie' in sys-netVM.
>>
>> 2. Putting AirVPN's OpenVPN config into Turris Omnia 2 GB
>> router.
>>
>> 3. Setting up a VPN gateway in Qubes as described in Qubes'
>> docs.
>>
>> Hardware: Asus »Zenbook«, Intel i5-5200U, 2.20 GHz, 12 GB RAM.


Chris Laprise:
> Best overall approach is to download your service's openvpn config
> files and continue with the doc instructions or the slightly
> fancier setup here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> The one at the link (my own project) configures the link as a
> systemd service... gives you more control. The anti-leak measures
> are the same.
>
> I haven't looked at 'Eddie' but usually these proprietary tools
> assume you are configuring a traditional PC. OTOH, Qubes proxyVMs
> are akin to _routers_ so protection features in Eddie et al might
> not work. (Anyway it would go in a proxyVM, not sys-net.) There was
> some discussion here I think about Mullvad and that service's
> special tool, and ultimately it was better to download the config
> files and use the Qubes-specific instructions.
>
> As for Turris Omnia router setup, it depends on how much you trust
> the security of that router -- generally, openvpn is safer in Qubes
> than in router hardware (even the 'impressive' ones).


Hello again.

Even as a medium talented/experienced Qubes and Linux user I managed
to run your »slightly fancier« setup successfully in less than an
hour, following the instructions slowly, step by step.

Speeds are impressive also, > 60 MBit/s (100 MBit max. according to
the ISP) – I never reached this with my VPN before, neither with the
»impressive« Turris Omnia.

AirVPN's 'Eddie' client seems to work fine, too, but I'm not sure if
the protection features are working correctly. Maybe more advanced
users would get a grip on Eddie's numerous settings.

Thank you so much, Chris!

Best regards,

rob

