Suggestion on VPN Docs Qubes instructions


yreb-qusw

Jun 10, 2017, 3:25:24 PM6/10/17
to qubes-users
In this section:

Set up a ProxyVM as a VPN gateway using iptables and CLI scripts

Where it says this:



Set up and test the VPN client.

Make sure the VPN VM and its template VM are not running.

Run a terminal (CLI) in the VPN VM; this will start the VM. Then make a
new ‘vpn’ folder with sudo mkdir /rw/config/vpn and copy your VPN config
files here (the example config filename used here is
openvpn-client.ovpn). Files accompanying the main config such as *.crt
and *.pem should also go here, and should not be referenced in the main
config by absolute paths such as ‘/etc/…’.

Notes about VPN config options: The VPN scripts here are intended to
work with commonly used tun interfaces, whereas tap mode is untested.
Also, the config should route all traffic through your VPN’s interface
after a connection is created; for openvpn the directive for this is
redirect-gateway def1.



----

Lastly, the VPN client may not be able to prompt you for credentials
when connecting to the server: Creating a file in the ‘vpn’ folder with
your credentials and using a directive such as openvpn’s auth-user-pass
<filename> is recommended.
----

It seems like this file needs to be changed to be read-only, with the
appropriate ownership, based on the complaints that pop up when
testing in the terminal, before one doesn't notice it later when not
using the terminal to start the openvpn --config.

Chris Laprise

Jun 10, 2017, 8:51:47 PM6/10/17
to yreb-qusw, qubes-users
On 06/10/2017 03:25 PM, yreb-qusw wrote:
> In this section:
>
> Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
>
> Where it says this:
>
> Lastly, the VPN client may not be able to prompt you for credentials
> when connecting to the server: Creating a file in the ‘vpn’ folder with
> your credentials and using a directive such as openvpn’s auth-user-pass
> <filename> is recommended.
> ----
>
> It seems like this file needs to be changed to be read-only, with the
> appropriate ownership, based on the complaints that pop up when
> testing in the terminal, before one doesn't notice it later when not
> using the terminal to start the openvpn --config.

File "is group or others accessible" is a common configuration "mistake"
on installations that are not multi-user, such as routers. A proxy VM is
basically a router, and it's expected that you won't be running apps as a
regular user in there. If that's the case you can disregard the warning.

OTOH, if you wish to satisfy the warning you can set privs like this:

chmod 600 /rw/config/vpn/filename.txt


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
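As an added illustration of the permission check behind the warning discussed in both messages above (this is example code written for this page, not part of the Qubes docs or anything posted in the thread): the functions below reproduce the "group or others accessible" test on a credentials file and apply the same chmod 600 the reply suggests. The directory default /rw/config/vpn comes from the docs quoted in the first message; the function names, the use of ls -ld to read the mode bits, and the scratch files used when testing are my own assumptions.

```shell
#!/bin/sh
# Example (not from the thread): audit and harden the permission bits of
# files in a VPN config directory, mirroring the "group or others
# accessible" condition that OpenVPN warns about for auth-user-pass files.

# Return 0 if FILE has no group/other permission bits set, 1 otherwise.
creds_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # `ls -ld` prints e.g. "-rw-r--r-- 1 user user ..."; characters 5-10
    # are the group (rwx) and other (rwx) fields. Parsing ls keeps this
    # portable between GNU and BSD stat implementations.
    go=$(ls -ld "$f" | cut -c5-10)
    case $go in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Restrict FILE to its owner (chmod 600, as in the reply) and re-check.
harden_creds() {
    f=$1
    chmod 600 "$f" || return 1
    creds_perms_ok "$f"
}

# Report every regular file in DIR (default: /rw/config/vpn, the folder
# the docs use). Exit status is 1 if any file would trigger the warning.
audit_vpn_dir() {
    dir=${1:-/rw/config/vpn}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if creds_perms_ok "$f"; then
            echo "ok      $f"
        else
            echo "WARNING $f is group or others accessible"
            rc=1
        fi
    done
    return $rc
}
```

Usage in the ProxyVM would be `audit_vpn_dir` (to list offending files) followed by `harden_creds /rw/config/vpn/filename.txt` for the credentials file; as the reply notes, the warning is only a concern if other accounts in that VM could read the file.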