How do I install this Firewall HVM ?

82 views
Skip to first unread message

Who Cares

unread,
Aug 14, 2018, 1:40:44 PM8/14/18
to qubes-users
Hello,

I am using qubes 4.0 and i am trying to install a firewall.
I try to isntall kerio control (http://www.kerio.de/products/kerio-control) as it supports VPN. At the end i want to use it as the firewall-VM rather than buy a physical firewall.

Kerio-control got some several versions:

1: software Applience (linux kernel 3.16 based OS)
2: VMware Virtual Applience
3: Hyper-V Virtual Applience

I thought it would be possible first to install the it using the software applience in a HVM. So I made a HVM with no kernel and started it assigning the installation ISO like this :

qvm-start kerio --cdrom=<someVM>:/home/user/Downloads/kerio.iso

It is booting it in the VM, but installation fails at the point where it says " no supported drive found ".
Then I searched if it would be possible attaching a specific drive-device just for this VM in the Quebes Manager. And this it so far. I am stuck here now.

I dont know how i could install it so I can use it as Firewall and the VPN-features.

Did I use the wrong Applience ?
Or can I imitate a physical Drive only for this VM ?

I hope anyone would spend some time helping me with this project of mine.

At the end it is one PC where is installed qubes. This one is a local-server
This PC got 2 LAN devices i could attach separately.
I want 2 routes.

Route 1: Net-VM(LAN 1) --> firewall-VM(Kerio-Control with VPN)
Route 2: Windows-Server HVM with a specific Programm.(attached LAN 2)

Scenario 1: Local Network Windows PC working with a Programm wich need this Windows Server Programm Service

Scenario 2: A dude located in Timbuktu(or whatever) want to work on the same local Network using the kerio-control VPN and his Windows device needs to communicate with the windows Server.

Any thougts about this ?


Thanks so far!

Steve Coleman

unread,
Aug 14, 2018, 2:20:50 PM8/14/18
to qubes-users
On 08/14/18 13:40, Who Cares wrote:

> I am using qubes 4.0 and i am trying to install a firewall.

Qubes comes with an integrated firewall in the sys-firewall VM. It uses
managed iptables which provide the basic rules to protect the system,
but also allow you to make adjustments as required for your unique
situation.

So, I'm not sure why you think you need to add yet another firewall

The architecture is generally

YourVM -> sys-firewall -> sys-net -> LAN Network

You get this setup right out of the box, with no configuration required.

Perhaps you could explain better what you are trying to accomplish?

Chris Laprise

unread,
Aug 14, 2018, 3:09:02 PM8/14/18
to Steve Coleman, qubes-users
If you can find out which VPN protocol this kerio-control is using, then
you may be able to do this better with native Qubes tools.

Their VPN protocol appears to be IPsec (which isn't great BTW); you
could start with a Linux IPsec tutorial in a proxyVM to see if you can
connect to this other person.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Who Cares

unread,
Aug 14, 2018, 4:43:14 PM8/14/18
to qubes-users
I´m trying to implement this Kerio-control system.
I thought this would have been a nice combo of firewall and VPN.

Steve Coleman

unread,
Aug 14, 2018, 6:24:49 PM8/14/18
to qubes-users
On 08/14/18 16:43, Who Cares wrote:
> I´m trying to implement this Kerio-control system.
> I thought this would have been a nice combo of firewall and VPN.
>

You might want to read up on the Qubes Proxy VPN setup and compare how
that works with what KerioControl is expecting for its environment. That
way your client VM's can choose to connect to the proxy and possibly use
the VPN by default. The Whonix system would be a good example for this.

How To make a VPN Gateway in Qubes
https://www.qubes-os.org/doc/vpn/

Who Cares

unread,
Aug 27, 2018, 3:10:28 PM8/27/18
to qubes-users
At all quite nice ideas here but still not what I wanted.

At least I still wish I could run this Kerio-control in a Qubes VM/HVM.
At least I read smth about taking a VMware img and change its format so it works in Qubes but it won't work so far.

I tried taking a vmdk and then :

qemu-img convert -O raw Kerio.vmdk kerio.raw
qvm-run --pass-io work:/home/documents/kerio.raw > /home/user/kerio-root.img


Then i created a HVM with --root-move-from /home/user/Kerio-root.img
But neither it will start the HVM nor I can find the root.img in /var/lib/qubes/appvms/kerio/

I tried smth else so far: Installing the software Appliance on the same Pc on a different HDD and then copy its content to an AppVM but this one even won't work...

I am confused about this all.

Again I really appreciate what Input you all gave me about some other solutions, but I really want to install this Kerio System. So perhaps some input about that :).

unman

unread,
Aug 29, 2018, 9:06:52 AM8/29/18
to qubes-users
GFI block Tor and require registration so I cant help with the actual
product.

You tried the right thing with the HVM installation. The "no supported
drive found" error is one you would need to take up with GFI. (Boot the
HVM with a live iso and check what disks you have available.)

You should be able to use a converted disk image - the syntax is right
but you neglected to type "cat" - I assume just a typo.
Just to be on the safe side mount the root.img and make sure it looks
proper.
In 4.0 the images are no longer in /var/lib/qubes/ but are block devices under
/dev/ - useful named symlinks under /dev/mapper.
The syntax you are using to create the HVM looks right.
Reply all
Reply to author
Forward
0 new messages