Using OpenVPN in Qubes
I wanted to set up a proxy VM running OpenVPN so that I could connect
some of my VMs to the VPN server. My VPN of choice is
PrivateInternetAccess, so my instructions focus on using their
files. I think the principles can be applied to any OpenVPN
service. Here's how I did it.
1. Make a new VM (I used the GUI). The new VM is a proxyVM, and I used
the default firewallVM as its NetVM. I called it cal-vpn, because this
particular proxyVM is used to connect to PrivateInternetAccess'
California server.
2. I downloaded a few free files from the PIA site, including the
configuration file, and some certificates (ca.crt and crl.pem).
Here's the raw configuration file (called "US California.ovpn") that's
straight from the PIA website:
#---------------------------------------------------
client
dev tun
proto udp
remote us-california.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
#---------------------------------------------------
3. I copied all of the above files into /rw/config, which survives VM
restarts, in preparation for using them when the VM starts up.
4. I made a couple of modifications to the configuration file to reflect
the absolute location of the certificate files. Also, I pointed the
auth-user-pass directive at a credentials file so that the username and
password get supplied automatically instead of being prompted for:
#-----------------------------------------------------
client
dev tun
proto udp
remote us-california.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /rw/config/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /rw/config/.vpncredentials
comp-lzo
verb 1
reneg-sec 0
crl-verify /rw/config/crl.pem
#-----------------------------------------------------
5. I then made the actual .vpncredentials file (which contains the
username and password). Contents of .vpncredentials (which I also put
in /rw/config):
#---------------------------------
myusername
mypassword
#---------------------------------
Since this file holds the account password, I changed its permissions
to 600 so that only its owner can read it:
$ sudo chmod 600 /rw/config/.vpncredentials
6. I made one more file in /rw/config which holds the addresses of PIA's
nameservers. I'll use the contents of this file to replace those in
/etc/resolv.conf so that when I connect to the VPN, there is no DNS
leak. Contents of /rw/config/vpn-resolv.conf:
#---------------------------------
nameserver 209.222.18.222
nameserver 209.222.18.218
#---------------------------------
7. I added these lines to /rw/config/rc.local, which Qubes runs as root
at VM start (making sure that rc.local is executable):
#---------------------------------
openvpn /rw/config/US\ California.ovpn &
sleep 2
cp /rw/config/vpn-resolv.conf /etc/resolv.conf
/usr/lib/qubes/qubes-setup-dnat-to-ns
#---------------------------------
8. I made another appVM which uses my new cal-vpn as its proxyVM. Now,
when I start this new appVM, cal-vpn starts too, connects automatically
to the VPN server and swaps in the VPN nameservers. Open Firefox and go
to dnsleak.com to confirm not only that the traffic leaves from the VPN's
IP addresses, but also that no DNS queries are leaking to the ISP's
resolvers.
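One thing the rc.local fragment in step 7 does not handle is failure: if openvpn dies or never comes up, the appVM's packets are still forwarded out of cal-vpn's normal uplink in the clear, and the fixed "sleep 2" races the tunnel. Below is an added example (my own, not part of the original post or anything PIA ships) of a start script that fails closed. It installs two iptables rules so that traffic from client VMs (their interfaces are named vif* in Qubes) can only be forwarded through the tunnel, waits for the tun device instead of sleeping, and checks the nameserver file before it overwrites /etc/resolv.conf. The paths, the interface name tun0, the 30 second timeout and the VPN_RUN switch are assumptions; adjust them to your setup.

```sh
#!/bin/sh
# Added example (not from the original post): a sturdier version of the
# rc.local fragment above. Differences from the original:
#   1. openvpn is started with --daemon and the script waits for the tun
#      device instead of sleeping a fixed 2 seconds;
#   2. the nameserver file is sanity-checked before it replaces
#      /etc/resolv.conf;
#   3. two iptables rules stop client VMs (interfaces vif*) from being
#      forwarded anywhere except through the tunnel, so a VPN outage fails
#      closed instead of leaking out of the proxy VM's normal uplink.
# Paths, the interface name tun0 and the 30 s timeout are assumptions.

OVPN_CONF="${OVPN_CONF:-/rw/config/US California.ovpn}"
VPN_RESOLV="${VPN_RESOLV:-/rw/config/vpn-resolv.conf}"
TUN_DEV="${TUN_DEV:-tun0}"

# Print the iptables rules (one per line) that pin forwarded client-VM
# traffic to the tunnel device given as $1. Emitting text keeps the policy
# reviewable and testable; apply_rules feeds it to iptables.
vpn_rules() {
    dev="$1"
    cat <<EOF
-I FORWARD -i vif+ ! -o $dev -j REJECT
-I FORWARD -o vif+ ! -i $dev -j REJECT
EOF
}

apply_rules() {
    vpn_rules "$TUN_DEV" | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        iptables $rule
    done
}

# Return 0 only if every non-blank, non-comment line of $1 is
# "nameserver <dotted IPv4>". Anything else (a typo, a stray "search"
# line, an empty file) returns 1 so a broken resolv.conf is never installed.
check_resolv() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "nameserver" && NF == 2 &&
            $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { ok++; next }
        { bad = 1 }
        END { exit (bad || !ok) }' "$1"
}

# Block until /sys/class/net/<$1> appears, or give up after $2 seconds.
wait_for_tun() {
    dev="$1"; secs="${2:-30}"
    while [ "$secs" -gt 0 ]; do
        [ -d "/sys/class/net/$dev" ] && return 0
        sleep 1
        secs=$((secs - 1))
    done
    return 1
}

start_vpn() {
    # Fail closed: the kill switch goes in before the tunnel exists.
    apply_rules
    # --cd makes the relative "ca ca.crt" / "crl-verify crl.pem" in the
    # stock PIA file work too; --daemon detaches cleanly instead of "&".
    openvpn --cd /rw/config --config "$OVPN_CONF" --daemon
    if ! wait_for_tun "$TUN_DEV" 30; then
        echo "openvpn: $TUN_DEV did not come up" >&2
        return 1
    fi
    if check_resolv "$VPN_RESOLV"; then
        cp "$VPN_RESOLV" /etc/resolv.conf
        /usr/lib/qubes/qubes-setup-dnat-to-ns
    else
        echo "refusing to install $VPN_RESOLV: not a plain nameserver list" >&2
        return 1
    fi
}

# Only act when explicitly asked (e.g. "VPN_RUN=1 sh vpn-up.sh" from
# rc.local), so sourcing the file for review or testing has no side effects.
if [ "${VPN_RUN:-0}" = "1" ]; then
    start_vpn
fi
```

The REJECT rules match in the FORWARD chain only, so they cover everything the appVMs send (including their DNS, which Qubes DNATs to the real nameservers before routing) but do not restrict what cal-vpn itself does, which is what lets openvpn reach the PIA endpoint in the first place. Note that Qubes's own firewall service also manages the FORWARD chain, so on a recent Qubes release these two rules belong in /rw/config/qubes-firewall-user-script, which Qubes runs after rewriting its own rules, rather than only in rc.local.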
If anyone notes that I'm doing something insecure or inefficient here,
please let me know!