Adding ProxyVM Support to Debian Community Template

whoni...@mail2tor.com

Aug 18, 2014, 12:11:24 AM
to qubes...@googlegroups.com
Hello,

I'm interested in what it would take to add ProxyVM support to the Qubes
Debian community template.

Maybe this is already planned or being worked on?


Adding this capability could go a long way for our current effort in
porting Whonix to Qubes. Whonix scripts are now Debian jessie/testing
compatible.

So the Qubes Debian template could make integration easy for the
Whonix-Gateway, if the Qubes template just had ProxyVM support.


I see that Fedora-based ProxyVMs seem to generally work by adding virtual
network interfaces (vifX) to the ProxyVM for each new AppVM that connects
through it. And it establishes different IP credentials than non-ProxyVM
interfaces, like (inet: 10.137.5.1, netmask: 255.255.255.255).


If not actively being worked on, then I'm wondering what mechanisms would
yet need to be developed and where in the Qubes scripts I might accomplish
this.

Thanks!

Marek Marczykowski-Górecki

Sep 4, 2014, 7:45:04 PM
to whoni...@mail2tor.com, qubes...@googlegroups.com, Davíð Steinn Geirsson
On 18.08.2014 06:11, whoni...@mail2tor.com wrote:
> Hello,
>
> I'm interested in what it would take to add ProxyVM support to the Qubes
> Debian community template.
>
> Maybe this is already planned or being worked on?

Yes, it is a planned feature, but I'm not aware of anyone working on it.

> Adding this capability could go a long way for our current effort in
> porting Whonix to Qubes. Whonix scripts are now Debian jessie/testing
> compatible.
>
> So the Qubes Debian template could make integration easy for the
> Whonix-Gateway, if the Qubes template just had ProxyVM support.
>
>
> I see that Fedora-based ProxyVMs seem to generally work by adding virtual
> network interfaces (vifX) to the ProxyVM for each new AppVM that connects
> through it. And it establishes different IP credentials than non-ProxyVM
> interfaces, like (inet: 10.137.5.1, netmask: 255.255.255.255).
>
>
> If not actively being worked on, then I'm wondering what mechanisms would
> yet need to be developed and where in the Qubes scripts I might accomplish
> this.

Debian as ProxyVM is not "known to not working", it is "untested". Ok, I've
tested it now. It is "not working" ;)

Quick and dirty way to have basic functionality (without full qubes-firewall
support):
apt-get install xen-utils-common
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables-restore /etc/sysconfig/iptables
# for some reason /var/run/qubes/qubes-ns not created at startup
INTERFACE=eth0 /usr/lib/qubes/setup-ip
# rerun qubes-setup-dnat-to-ns with bash
bash /usr/lib/qubes/qubes-setup-dnat-to-ns

Most likely the iptables and DNS parts are not needed for the Whonix case, as
they will be overridden anyway.

Anyone willing to convert above to proper patches? :)

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
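
A preflight check for the manual steps in the reply above, as an added example that is not part of the thread or of the Qubes scripts. The paths come from the message; the ROOT prefix, the result labels and the sample tree are hypothetical, and the shebang test assumes the script had to be rerun with bash because it is started through /bin/sh, which is dash on Debian.

```shell
#!/bin/sh
# check_proxyvm [ROOT]: prints the prerequisites that are still missing
# (empty output and exit status 0 when none are). ROOT is a hypothetical
# prefix so a mounted template image or a test tree can be inspected.
check_proxyvm() {
    root="${1:-}"
    missing=""

    # Without forwarding, packets arriving on vif* never leave the ProxyVM.
    fwd=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null || echo 0)
    [ "$fwd" = "1" ] || missing="$missing ip_forward"

    # Ruleset that the iptables-restore step loads.
    [ -s "$root/etc/sysconfig/iptables" ] || missing="$missing iptables-rules"

    # File the thread reports as not created at startup.
    [ -e "$root/var/run/qubes/qubes-ns" ] || missing="$missing qubes-ns"

    # Helper scripts invoked by the manual steps.
    for s in setup-ip qubes-setup-dnat-to-ns; do
        [ -f "$root/usr/lib/qubes/$s" ] || missing="$missing $s"
    done

    # Assumption: a /bin/sh shebang is why the DNAT script needed bash.
    dnat="$root/usr/lib/qubes/qubes-setup-dnat-to-ns"
    if [ -f "$dnat" ] && head -n 1 "$dnat" | grep -q '^#! */bin/sh'; then
        missing="$missing dnat-needs-bash"
    fi

    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample tree: forwarding off, no qubes-ns, sh shebang.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/proc/sys/net/ipv4" "$t/etc/sysconfig" \
             "$t/usr/lib/qubes" "$t/var/run/qubes"
    echo 0 > "$t/proc/sys/net/ipv4/ip_forward"
    echo '*nat' > "$t/etc/sysconfig/iptables"
    printf '#!/bin/sh\n' > "$t/usr/lib/qubes/qubes-setup-dnat-to-ns"
    : > "$t/usr/lib/qubes/setup-ip"
    echo "$t"
}
```

Inside a running ProxyVM, call `check_proxyvm` with no argument to inspect the live system.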