Running a VPN from a ProxyVM with NM
102 views
Skip to first unread message
Abel Luck
May 30, 2013, 9:49:46 AM5/30/13
to qubes...@googlegroups.com
It is easy to tunnel all traffic through a VPN, simply connect to the
VPN on netvm via the nm-applet.
However, I would like to tunnel only a few VMs through a VPN. To do
this, I created a ProxyVM and tried to run nm-applet and connect to the VPN.
However, Qubes' network service + firewall rules inside the ProxyVM seem
to interfere with NetworkManager.
That is, I can't run NetworkManager in a ProxyVM and still have the
ProxyVM proxy for other AppVMs.
Is there any way to do this?
~abel
VPN on netvm via the nm-applet.
However, I would like to tunnel only a few VMs through a VPN. To do
this, I created a ProxyVM and tried to run nm-applet and connect to the VPN.
However, Qubes' network service + firewall rules inside the ProxyVM seem
to interfere with NetworkManager.
That is, I can't run NetworkManager in a ProxyVM and still have the
ProxyVM proxy for other AppVMs.
Is there any way to do this?
~abel
Zrubecz Laszlo
May 30, 2013, 9:59:52 AM5/30/13
to qubes...@googlegroups.com
On 30 May 2013 15:49, Abel Luck <ab...@guardianproject.info> wrote:
> It is easy to tunnel all traffic through a VPN, simply connect to the
> VPN on netvm via the nm-applet.
>
> However, I would like to tunnel only a few VMs through a VPN. To do
> this, I created a ProxyVM and tried to run nm-applet and connect to the VPN.
>
> However, Qubes' network service + firewall rules inside the ProxyVM seem
> to interfere with NetworkManager.
Why don't you use just the Qubes firewall rules?
> It is easy to tunnel all traffic through a VPN, simply connect to the
> VPN on netvm via the nm-applet.
>
> However, I would like to tunnel only a few VMs through a VPN. To do
> this, I created a ProxyVM and tried to run nm-applet and connect to the VPN.
>
> However, Qubes' network service + firewall rules inside the ProxyVM seem
> to interfere with NetworkManager.
--
Zrubi
Abel Luck
May 30, 2013, 10:31:57 AM5/30/13
to qubes...@googlegroups.com
Zrubecz Laszlo:
I'm not specifying any firewall rules, Qubes is, as well as, presumably,
the VPN plugin for NetworkManager.
~abel
the VPN plugin for NetworkManager.
~abel
Abel Luck
Jun 4, 2013, 3:05:40 AM6/4/13
to qubes...@googlegroups.com
Abel Luck:
When I run NetworkManager in a ProxyVM, it ceases to be a ProxyVM :)
Marek or Joanna, pointers to where I can look to debug this? Or, ideas
as to how I can run NetworkManager and still retain the forwarding/proxy
capabilities of a ProxyVM?
(the goal is to connect to a VPN in a ProxyVM so all clients of it are
VPNed too)
~abel
> That is, I can't run NetworkManager in a ProxyVM and still have the
> ProxyVM proxy for other AppVMs.
>
This definitely seems to be the crux of the issue.
> ProxyVM proxy for other AppVMs.
>
When I run NetworkManager in a ProxyVM, it ceases to be a ProxyVM :)
Marek or Joanna, pointers to where I can look to debug this? Or, ideas
as to how I can run NetworkManager and still retain the forwarding/proxy
capabilities of a ProxyVM?
(the goal is to connect to a VPN in a ProxyVM so all clients of it are
VPNed too)
~abel
Marek Marczykowski
Jun 4, 2013, 3:41:17 AM6/4/13
to Abel Luck, qubes...@googlegroups.com
by setting eth0 as unmanaged). I'm not sure if this is enough.
--
Best Regards,
Marek Marczykowski
Invisible Things Lab
Abel Luck
Jun 4, 2013, 8:08:54 AM6/4/13
to qubes...@googlegroups.com
Marek Marczykowski:
* setting it as unmanaged
Setting it as unmanaged does not work because:
To set a device as unmanaged, you flag its mac address in
/etc/NetworkManager/NetworkManager.conf
However, it seems the mac address of the machine changes upon every
boot, causing NM to start managing that "new" device.
Even if you get NM to not manage the device, you cannot connect to a
VPN. The connect option is greyed out, presumably because NM thinks
there is no network connection?
*) disabling DHCP
This works, but I'm not sure how to make it automatic. Since the mac
address if the interface changes every boot, you have to manual set the
IP config every boot.
Is it possible for Qubes to write the appropriate
/etc/sysconfig/network-scripts/ifcfg-* files on boot? (see man
NetworkManager.conf)
That would solve this I think.
~abel
Setting it as unmanaged does not work because:
To set a device as unmanaged, you flag its mac address in
/etc/NetworkManager/NetworkManager.conf
However, it seems the mac address of the machine changes upon every
boot, causing NM to start managing that "new" device.
Even if you get NM to not manage the device, you cannot connect to a
VPN. The connect option is greyed out, presumably because NM thinks
there is no network connection?
*) disabling DHCP
This works, but I'm not sure how to make it automatic. Since the mac
address if the interface changes every boot, you have to manual set the
IP config every boot.
Is it possible for Qubes to write the appropriate
/etc/sysconfig/network-scripts/ifcfg-* files on boot? (see man
NetworkManager.conf)
That would solve this I think.
~abel
Abel Luck
Jun 6, 2013, 6:36:51 AM6/6/13
to qubes...@googlegroups.com, Marek Marczykowski
Abel Luck:
^ What do you think about that feature Marek?
In the meantime I can hack around it by editing the ini file in
/etc/NetworkManager/system-connections for the wired interface with a
script on startup
~abel
In the meantime I can hack around it by editing the ini file in
/etc/NetworkManager/system-connections for the wired interface with a
script on startup
~abel
0 new messages