Torify dom0/template update

[d7yuxuz...@guerrillamail.com]

Hello,

How can I put yum update proxy/update checks through torvm?

Thank you much

----
Sent using GuerrillMail.com
Block or report abuse: https://www.guerrillamail.com/abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D

[Axon]

d7yuxuz...@guerrillamail.com:

> Hello,
>
> How can I put yum update proxy/update checks through torvm?
>
> Thank you much
>

Select your torvm as your TemplateVM's NetVM.

[Zrubecz Laszlo]

Have You ever tried this solution?

1. It is not working - because the qubes proxy set up for yum.
Sou you should (at least) remove the proxy (configured in
'/etc/yum.conf.d/qubes-proxy.conf') as well.

2. it is only 'solve' the template upgrade, but not:
- the dom0 update
- the update checks itself.


So it is not so simple and not even trivial to set up ALL the update
related traffic forced trough the TOR proxy.



--
Zrubi

[Axon]

Zrubecz Laszlo:

Ah, sorry. Thank you for the correction. No, I have not tried it. I was
just relaying what I remembered from this email:
https://groups.google.com/d/msg/qubes-devel/2vnGqsoM9p0/0YCltU-Qs-MJ

But, actually re-reading that email, I now see that my reply above was
incomplete. In addition, there are the other issues you mentioned. (Are
they known issues? Any workarounds?)

[Zrubi]

On Tue, May 27, 2014 at 1:09 PM, Axon <ax...@openmailbox.org> wrote:

> But, actually re-reading that email, I now see that my reply above was
> incomplete. In addition, there are the other issues you mentioned. (Are
> they known issues? Any workarounds?)

The full solution would be:
0. Make sure not any leaking from the TOR VM :) - just referring to a
discussion about this before.
1. setup a qubes-yum-proxy in the TOR VM,
2. setup the global update VM to the TOR,
3. set the netvm of all the templates to the TOR as well.


But I not care enough to try this out ;)
I'm using TOR just ocassionally.


--
Zrubi

[Marek Marczykowski-Górecki]

On 27.05.2014 12:11, Zrubecz Laszlo wrote:
> On 27 May 2014 11:43, Axon <ax...@openmailbox.org> wrote:
>> d7yuxuz...@guerrillamail.com:
>>> Hello,
>>>
>>> How can I put yum update proxy/update checks through torvm?
>>>
>>> Thank you much
>>>
>>
>> Select your torvm as your TemplateVM's NetVM.
>
> Have You ever tried this solution?
>
> 1. It is not working - because the qubes proxy set up for yum.
> Sou you should (at least) remove the proxy (configured in
> '/etc/yum.conf.d/qubes-proxy.conf') as well.

This can be easily changed in template VM settings - firewall tab.

> 2. it is only 'solve' the template upgrade, but not:
> - the dom0 update

You can select which VM is used for dom0 updates in Qubes manager -> system ->
global settings -> UpdateVM (can be done with qubes-prefs tool also).

> - the update checks itself.

This can't be easily forced to use tor only, but you can simply disable
updates check. In global settings, same as VM for dom0 updates.

>
>
> So it is not so simple and not even trivial to set up ALL the update
> related traffic forced trough the TOR proxy.
>
>
>


--

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[Marek Marczykowski-Górecki]

On 27.05.2014 13:49, Zrubi wrote:
> On Tue, May 27, 2014 at 1:09 PM, Axon <ax...@openmailbox.org> wrote:
>
>> But, actually re-reading that email, I now see that my reply above was
>> incomplete. In addition, there are the other issues you mentioned. (Are
>> they known issues? Any workarounds?)
>
> The full solution would be:
> 0. Make sure not any leaking from the TOR VM :) - just referring to a
> discussion about this before.
> 1. setup a qubes-yum-proxy in the TOR VM,

This will not work as expected - proxy running in TorVM will not be routed via
tor. From TorVM documentation:
"Traffic originating from the TorVM itself IS NOT routed through Tor. This
includes system updates to the TorVM. Only traffic from VMs using TorVM as
their NetVM is torified."

This can be improved with some firewall rules (or additional configuration of
updates proxy), but needs a careful testing.

> 2. setup the global update VM to the TOR,
> 3. set the netvm of all the templates to the TOR as well.
>
>
> But I not care enough to try this out ;)
> I'm using TOR just ocassionally.
>
>


--

[Marek Marczykowski-Górecki]

On 27.05.2014 13:52, Marek Marczykowski-Górecki wrote:
> On 27.05.2014 12:11, Zrubecz Laszlo wrote:
>> On 27 May 2014 11:43, Axon <ax...@openmailbox.org> wrote:
>>> d7yuxuz...@guerrillamail.com:
>>>> Hello,
>>>>
>>>> How can I put yum update proxy/update checks through torvm?
>>>>
>>>> Thank you much
>>>>
>>>
>>> Select your torvm as your TemplateVM's NetVM.
>>
>> Have You ever tried this solution?
>>
>> 1. It is not working - because the qubes proxy set up for yum.
>> Sou you should (at least) remove the proxy (configured in
>> '/etc/yum.conf.d/qubes-proxy.conf') as well.
>
> This can be easily changed in template VM settings - firewall tab.

I wasn't clear here: you need to *disable* access to updates proxy as it isn't
accessible through torvm. Alternatively you can setup updates proxy in torvm,
but isn't straight forward, as said in another email minutes ago.

[Zrubecz Laszlo]

On 27 May 2014 14:04, Marek Marczykowski-Górecki

<marm...@invisiblethingslab.com> wrote:

> This will not work as expected - proxy running in TorVM will not be routed via
> tor. From TorVM documentation:
> "Traffic originating from the TorVM itself IS NOT routed through Tor. This
> includes system updates to the TorVM. Only traffic from VMs using TorVM as
> their NetVM is torified."
>
> This can be improved with some firewall rules (or additional configuration of
> updates proxy), but needs a careful testing.

Or we need to create a toryfied update ProxyVM:

Templates->UpdateVM->TOR->NetVM

But it is worth so much 'trouble' for anonym updates? :P

--
Zrubi

[Axon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Given the difficulties people have had with trying to do Torified
dom0 / Template updates in the past, I was very surprised to see Unman's
remark [1] that he was able to set up Torified updates with little
trouble.

Unman, would you mind sharing your setup with us and perhaps the steps
to implement it?


[1]https://github.com/QubesOS/qubes-issues/issues/1159#issuecomment-1368
80641
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWAc2wAAoJEJh4Btx1RPV8UzUP/0upGlPhOU86+PYar2JnDkgc
iLXtymk1Scx6hSUSKVx7sczUQdSeTBBlJ0Of9tJtJ10XD+K+SeQiVqdgryes1npi
rv8KpCk0kNyIp13jkaZNkTOGqQe6oe8wc7YrXLdZdf7ibCm5vCCUhycfByxP6FPv
GLsb6Hu0rvr6vO9h73vHmXZ0BCcY6X0TRzxb3Vh5XwxXsMs6wzEgVo7TzEGvH8rR
3IrN3zVk50GMbriisyR4IvLpoujzAIZoJIumpt+F80E+tkYRp5axm4XyjfnLOlRb
quWZVuON8UqoNMiUHDagW12xC5g9Wf+n5LufLLvar2gGRxHw4jhif1PtTxQfgHZ1
oz4aH8mZ9NLH/qh3rr2oEvd1U3/V1+41Zb6hQhI+SdY7fC+61k8OOkrfOej0vvXp
XQbH0PE9TLZ5DqaESYgHBYof+eAyJs+kTPxIGb6D48+yatGT1abYKnYhGgdB23Jz
t4s60qtPUZT2rXA8vyuTPIbBmnCzRsPuKOM9q87qO7NY50ew3UeCFeHTC/po/LGO
aVpMRiGcVL++qZx5KTpAWfHT3x3F0dyswFsmagKqdFv6hDqtcbuvjkF8tZpu/rJ4
B6UspYsvVOJCFjjGPk8IMMhvMlWtC5qwmDns4dpM+dTSVODxmHDrMf5Bbgq8Dsb3
D4oK9dEZHw+Trd3j6s35
=EKUU
-----END PGP SIGNATURE-----

[Unman]

Yes, I've been thinking of doing this as it seems to be a
recurrent issue.
In brief I use a somewhat modified torvm with a caching proxy and updateVM below:
attach templates to that.
All traffic goes through the torvm.
I'll do a quick write up and post it later.

[Unman]

On Tue, Sep 22, 2015 at 09:52:59PM +0000, Axon wrote:

Short Answer:
Template - UpdateVM - TorVM - sys-net


Long answer:

I use a debian minimal template with qubes-tor and tor-arm installed.
Follow usual steps in creating the TorVM, as per Qubes docs.
I make some minor changes:
Set the memory as low as possible and limit vcpus.
Use this torrc in /rw/config/qubes-tor:

SocksPort "10.137.x.x:9049 IsolateClientAddr IsolateSOCKSAuth
IsolateDestPort IsolateDestAddr"
SocksPort "10.137.x.x:9050 IsolateClientAddr IsolateSOCKSAuth"
TransPort "10.137.x.x:9040 IsolateClientAddr"
DNSPort "10.137.x.x:53 IsolateClientAddr IsolateSOCKSAuth"
ControlPort "9051"
VirtualAddrNetworkIPv4 "172.16.0.0/12"

(This opens the control port so I can use arm for monitoring and
control.)

I don't want clear traffic FROM the TorVM, and I only want torified
traffic, so I customize /usr/lib/qubes-tor/start_tor_proxy.sh to load
this iptables script:

*nat
:PREROUTING ACCEPT [64:4864]
:INPUT ACCEPT [17:1150]
:OUTPUT ACCEPT [5:300]
:POSTROUTING ACCEPT [5:300]
:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]
-A PREROUTING -i vif+ -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.x.x:53
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9049 -j DNAT --to-destination 10.137.x.x:9049
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9050 -j DNAT --to-destination 10.137.x.x:9050
-A PREROUTING -i vif+ -p tcp -j DNAT --to-destination 10.137.x.x:9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i vif+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9049 -j ACCEPT
-A INPUT -i vif+ -p udp -m udp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -j DROP
-A OUTPUT -p tcp -m owner --uid-owner 106 -m tcp -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o vif+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOG --log-prefix "DROP OUT "
COMMIT

(I actually do this by placing new versions of the files in /rw/config
and moving them in place in rc.local, but you could make these changes
in the template.)

That's the normal iptables setup, but restricting outbound traffic from
the TorVM to traffic from qubes-tor. It's the same as used in Tails.

I use a standard proxy VM as updateVM, connect it to the TorVM, and use
that as netvm for the templates. Make this the updateVM for Dom0.
This gives torified updates for templates and Dom0.
Because all traffic runs though the torvm, it's trivial to use .onion
addresses too.

All this just works thanks to the great work done by Marek and abeluck.
Sometimes there are network issues - this is inevitable when updating
across Tor. I usually find that kicking the Tor service from arm fixes
them.

I've been running variations on this for some time without significant
problems. Traffic monitoring shows no leaks.


Other stuff:

On dev machine I put a standalone VM running apt-cacher in line between
the templates and the updateVM to act as a caching proxy. I use a
nat rule to redirect traffic for the update proxy (10.137.255.254) to
apt-cacher, and have apt-cacher configured to use the updateVM as proxy.
Sometimes the Fedora templates complain about this - I just switch netvm
to the UpdateVM, run a yum update, but stop at the actual download,
switch netvm back to apt-cacher and replay the transaction to get the
update running through the caching proxy..

I use a torfw to implement enforcement of separation between VMs using
network level policies.
As standard the fw will MASQUERADE all connected VMs to the same IP
address, which causes problems on the Tor isolation front.
To get round this I use custom nat rules to map the connected VMs to
new addresses, and an rpc service triggered on if-up to set routing on
the TorVM, and to manipulate the raw table.
That's really a separate topic.


The Qubes networking model is hugely flexible. As a matter of policy I
try to leave the VM unchanged and handle any configuration required in
the netvm. This means that it is easy to change netvm and still have
networking work.(For example, switch between vpn and normal traffic,
tor and clear.)

If I had time I could make this shorter.
I hope it's fairly clear.

unman

[Axon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Unman:

Thank you very much for explaining all of this, unman! As it stands, I
think this requires more expertise than most Qubes users (myself
included) have to implement it *safely* ourselves, but I'm hopeful
that Torified dom0/Template updates become a feasible option for all
Qubes users in the not too distant future.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWA8UTAAoJEJh4Btx1RPV8TEIP/2WXOsTqp10s1MG1KIZTpE+n
SoHPiXaKvYjg1fzYrWAdfcwtd9CsdIBRktkCacL99AcKcZDM+ceNg48ObouKmIzF
tKabEQn1G37Z5bbZalxP4B68inuEhdBmzwNelbSdehGeK3j2dnEWvtXv97NYhtVW
D+c5o2bEqRypx+tT9g2eVqM1pi6vlhb6VFXzNX53uMQi5oXrzSqk0imqx+BWuK6E
ycKB2/1GNXkWJJ6SwcqFtAR72eg5RSnELb47TCe7r2+94EbrHEfXmFvJ9eo4ergA
/U8at9bBqvJU2P2J3F1f80JERltSzDtiAQFuCAEXQUnedAhYE38MT8ZKFNxub2va
rlsgNG/WEK4nyZ7CaNYLE3am3j/tVtVz2Xf8IqrCIhow91d+LUvEZZNM3jEU+6IS
XJz7bYVQcC+91rBVj09bPONoHY7pvVuIH0s2A2Fqku2c2VAHcp3/XP9uNeQPjHkr
AMeSzrkLjyOD7xqH778YWsYyafIseLdmsmGmZzfmqoYe9uK+ZQsvIKgoGkptkbhW
dEP8ZWlIQzh6YuwGf9SrV6t+jj35ZhAb9HKYtw2lBo2laEayczKb0OPgeeDq1Ual
6LqKDoKhbgOoE1ihidSaNyewApXEcmCQqRaYEoB9mo3wCOws8tJo+LVkaJHtsc9h
orzosxLBJyOZdrbWdEaD
=yHF9
-----END PGP SIGNATURE-----

[Patrick Schleizer]

Axon:

Qubes-Whonix 12 can be used for dom0/template updates. Ready soonish.

Cheers,
Patrick

[Unman]

On Thu, Sep 24, 2015 at 09:40:51AM +0000, Axon wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Unman:
> > Short Answer: Template - UpdateVM - TorVM - sys-net
> >

<snip hugely verbose stuff>

>
> Thank you very much for explaining all of this, unman! As it stands, I
> think this requires more expertise than most Qubes users (myself
> included) have to implement it *safely* ourselves, but I'm hopeful
> that Torified dom0/Template updates become a feasible option for all
> Qubes users in the not too distant future.
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJWA8UTAAoJEJh4Btx1RPV8TEIP/2WXOsTqp10s1MG1KIZTpE+n
> SoHPiXaKvYjg1fzYrWAdfcwtd9CsdIBRktkCacL99AcKcZDM+ceNg48ObouKmIzF
> tKabEQn1G37Z5bbZalxP4B68inuEhdBmzwNelbSdehGeK3j2dnEWvtXv97NYhtVW
> D+c5o2bEqRypx+tT9g2eVqM1pi6vlhb6VFXzNX53uMQi5oXrzSqk0imqx+BWuK6E
> ycKB2/1GNXkWJJ6SwcqFtAR72eg5RSnELb47TCe7r2+94EbrHEfXmFvJ9eo4ergA
> /U8at9bBqvJU2P2J3F1f80JERltSzDtiAQFuCAEXQUnedAhYE38MT8ZKFNxub2va
> rlsgNG/WEK4nyZ7CaNYLE3am3j/tVtVz2Xf8IqrCIhow91d+LUvEZZNM3jEU+6IS
> XJz7bYVQcC+91rBVj09bPONoHY7pvVuIH0s2A2Fqku2c2VAHcp3/XP9uNeQPjHkr
> AMeSzrkLjyOD7xqH778YWsYyafIseLdmsmGmZzfmqoYe9uK+ZQsvIKgoGkptkbhW
> dEP8ZWlIQzh6YuwGf9SrV6t+jj35ZhAb9HKYtw2lBo2laEayczKb0OPgeeDq1Ual
> 6LqKDoKhbgOoE1ihidSaNyewApXEcmCQqRaYEoB9mo3wCOws8tJo+LVkaJHtsc9h
> orzosxLBJyOZdrbWdEaD
> =yHF9
> -----END PGP SIGNATURE-----

I think *any* qubes user can get this done very quickly.
Here's my 10 step guide.

1. Follow the user guide to set up TorVM.
I recommend cloning to make a new template.
Follow steps 1-2 - you need to specify "--label red" in qvm-create at
step 2.
Step 3 is no longer needed.
Follow steps 4-5.

2. In the template -
$sudo yum install tor-arm

3. In the template - edit /usr/lib/qubes-tor/start_tor_proxy.sh
Line43 - Change TOR_CONTROL_PORT=0 to TOR_CONTROL_PORT=9051
Line75 - Change /sbin/iptables -P OUTPUT ACCEPT to /sbin/iptables -P OUTPUT DROP
Line98 - INSERT these lines before the line "# nat rules" :
/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_USER -p tcp -m tcp -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

Delete lines 80-82:
From "if [ "$TOR_CONTROL_PORT" down to "fi"

4. Save and Close the file.

5. Follow steps 6-9 in user guide.

6. Create a new ProxyVM - newupdateVM.
$qvm-create -p newupdateVM -t fedora-21 --label red
$qvm-service newupdateVM -e qubes-updates-proxu
$qvm-prefs newupdateVM -s netvm torvm

7.Set dom0 and templates to use newupdateVM:
$qubes-prefs -s updatevm newupdateVM
(for template) - $qvm-prefs <template> -s netvm newupdateVM

8. Start newupdateVM

9. Update dom0 and templates through tor.
(You can try the hidden service repos if you want.)

You can open a terminal in torvm, and run arm.
If an update is blocking, or runnning slow, then try new circuits.


OK, I cheated to get in the 10 steps, but that's all standard qubes, and
trivial edits in ONE file.
Everything is doable from GUI instead of command line if you wish.
Why not try it?

unman

[Axon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Patrick:

> Qubes-Whonix 12 can be used for dom0/template updates. Ready
> soonish.
>
> Cheers, Patrick

Awesome! Looking forward to it.


Unman:

> On Thu, Sep 24, 2015 at 09:40:51AM +0000, Axon wrote: Unman:
>>>> Short Answer: Template - UpdateVM - TorVM - sys-net
>>>>
>
>> <snip hugely verbose stuff>
>
>
> Thank you very much for explaining all of this, unman! As it
> stands, I think this requires more expertise than most Qubes users
> (myself included) have to implement it *safely* ourselves, but I'm
> hopeful that Torified dom0/Template updates become a feasible
> option for all Qubes users in the not too distant future.
>

You're right. It definitely looks much more feasible for the average
user when you break it down this way. Thank you for this!
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWBd0KAAoJEJh4Btx1RPV8TnUP/1zKOnZ1okRX12b/ThgbNH+E
gtjEVofU4R0N+aej3C9dWX6tP8nQpcDCQAGNu6pOoPmQItu/D42xUraKV+yDkCsv
Qemf8o9zQUiz/ZzYTLnq3NhlfAeUxheVwbooIjJXz2CAwexzN6Zh3kjgd5yEuwkG
DEwHjJHhNzp4BcF0kH+uGwy28nk86ZLvWf3vtb3gAIDO5QfjPqBY4SZsIOFvxYZr
xoB5nPSobL6UwcFZEj3WmP35rrIBgnI/bjC8pkOhHQtcQQa11Vd25au/EZ2UYJvh
x8vdKPlsqrn/ZvMxWpKcf/auaZ3+W6NEO7lfDYXH+02Rd9lVcFUkS2Y8ofcLPsMp
F56Pu9zeQnwNxgKGg1krl3ktXydMOiihAOSHGVTh0qpYCxjSkSnM94OLSjPXSCMH
zlDwJ6KjIJ/06Zo+LzJbERHyYrLmB+iugoImVnE+FGaHva3giZSLdSk+IwRJSdUB
r8ODFRe7CaVLw0Enwrlun+UO2la9BcgOD/5OJ6rcJBOmnPU905q4Z62k8y+p5Vli
XuS8KMXr4BInnwXT4r3iOiul/RbJ+E3TZb/hPzXcWAijHVzzkCHP6yHii09HEKSt
+HWGsYqpxrt4yuUxpaVqZzTzvMIiNqmVlGCTlO3QvOGfjfzQTH1DfPeUM8km6STK
fveqkLa1iGKEVnrniwwM
=6WMD
-----END PGP SIGNATURE-----