Running a VPN from a ProxyVM with NM


Abel Luck

May 30, 2013, 9:49:46 AM5/30/13
to qubes...@googlegroups.com
It is easy to tunnel all traffic through a VPN, simply connect to the
VPN on netvm via the nm-applet.

However, I would like to tunnel only a few VMs through a VPN. To do
this, I created a ProxyVM and tried to run nm-applet and connect to the VPN.

However, Qubes' network service + firewall rules inside the ProxyVM seem
to interfere with NetworkManager.

That is, I can't run NetworkManager in a ProxyVM and still have the
ProxyVM proxy for other AppVMs.

Is there any way to do this?

~abel

Zrubecz Laszlo

May 30, 2013, 9:59:52 AM5/30/13
to qubes...@googlegroups.com
On 30 May 2013 15:49, Abel Luck <ab...@guardianproject.info> wrote:
> It is easy to tunnel all traffic through a VPN, simply connect to the
> VPN on netvm via the nm-applet.
>
> However, I would like to tunnel only a few VMs through a VPN. To do
> this, I created a ProxyVM and tried to run nm-applet and connect to the VPN.
>
> However, Qubes' network service + firewall rules inside the ProxyVM seem
> to interfere with NetworkManager.

Why don't you use just the Qubes firewall rules?


--
Zrubi

Abel Luck

May 30, 2013, 10:31:57 AM5/30/13
to qubes...@googlegroups.com
Zrubecz Laszlo:
I'm not specifying any firewall rules, Qubes is, as well as, presumably,
the VPN plugin for NetworkManager.

~abel

Abel Luck

Jun 4, 2013, 3:05:40 AM6/4/13
to qubes...@googlegroups.com
Abel Luck:
> That is, I can't run NetworkManager in a ProxyVM and still have the
> ProxyVM proxy for other AppVMs.
>
This definitely seems to be the crux of the issue.

When I run NetworkManager in a ProxyVM, it ceases to be a ProxyVM :)

Marek or Joanna, pointers to where I can look to debug this? Or, ideas
as to how I can run NetworkManager and still retain the forwarding/proxy
capabilities of a ProxyVM?

(the goal is to connect to a VPN in a ProxyVM so all clients of it are
VPNed too)

~abel

Marek Marczykowski

Jun 4, 2013, 3:41:17 AM6/4/13
to Abel Luck, qubes...@googlegroups.com
Start with disabling DHCP for eth0 (either by setting static configuration or
by setting eth0 as unmanaged). I'm not sure if this is enough.

--
Best Regards,
Marek Marczykowski
Invisible Things Lab


Abel Luck

Jun 4, 2013, 8:08:54 AM6/4/13
to qubes...@googlegroups.com
Marek Marczykowski:
*) setting it as unmanaged

Setting it as unmanaged does not work because:

To set a device as unmanaged, you flag its MAC address in
/etc/NetworkManager/NetworkManager.conf

However, it seems the MAC address of the machine changes upon every
boot, causing NM to start managing that "new" device.

Even if you get NM to not manage the device, you cannot connect to a
VPN. The connect option is greyed out, presumably because NM thinks
there is no network connection?

*) disabling DHCP

This works, but I'm not sure how to make it automatic. Since the MAC
address of the interface changes every boot, you have to manually set the
IP config every boot.

Is it possible for Qubes to write the appropriate
/etc/sysconfig/network-scripts/ifcfg-* files on boot? (see man
NetworkManager.conf)

That would solve this I think.

~abel

Abel Luck

Jun 6, 2013, 6:36:51 AM6/6/13
to qubes...@googlegroups.com, Marek Marczykowski
Abel Luck:
^ What do you think about that feature, Marek?

In the meantime I can hack around it by editing the ini file in
/etc/NetworkManager/system-connections for the wired interface with a
script on startup

~abel
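As an added example (not code from this thread, from Qubes, or from NetworkManager), here is one way to automate the "disable DHCP" approach Marek suggested and the startup-script hack Abel describes above: a small POSIX sh hook that reads whatever MAC eth0 currently has, derives a stable UUID from it, and writes a static-IPv4 keyfile into /etc/NetworkManager/system-connections so NM never runs DHCP on the Qubes-facing interface. It also produces the "unmanaged-devices" stanza Abel mentions for NetworkManager.conf, for comparison. The file names, the NM 0.9.x keyfile syntax (addresses1=ip;prefix;gateway;), the 10.137.x addresses and the md5sum-based UUID are all assumptions or constructed sample values; the real IP, prefix and gateway must come from the VM's own Qubes-assigned network settings.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes: a startup hook that
# writes a NetworkManager keyfile giving eth0 a static IPv4 configuration
# tied to the interface's current MAC address, so NM stops running DHCP on
# the Qubes-facing interface. Every path, name and address below is an
# assumption or a constructed sample value.

# Read the MAC address the kernel currently reports for an interface.
current_mac() {
    cat "/sys/class/net/$1/address"
}

# Derive a stable UUID-shaped string from the MAC so the keyfile keeps the
# same identity across boots and NM does not accumulate duplicate connections.
keyfile_uuid() {
    h=$(printf '%s' "$1" | md5sum | cut -c1-32)
    printf '%s-%s-%s-%s-%s\n' \
        "$(printf '%s' "$h" | cut -c1-8)" \
        "$(printf '%s' "$h" | cut -c9-12)" \
        "$(printf '%s' "$h" | cut -c13-16)" \
        "$(printf '%s' "$h" | cut -c17-20)" \
        "$(printf '%s' "$h" | cut -c21-32)"
}

# write_static_keyfile <dir> <mac> <ip> <prefix> <gateway>
# Writes <dir>/qubes-eth0-static in the NetworkManager 0.9.x keyfile syntax
# (addresses1=ip;prefix;gateway;), which is what 2013-era NM used (assumed).
write_static_keyfile() {
    dir=$1; mac=$2; ip=$3; prefix=$4; gw=$5
    file="$dir/qubes-eth0-static"
    cat > "$file" <<EOF
[connection]
id=qubes-eth0-static
uuid=$(keyfile_uuid "$mac")
type=802-3-ethernet
autoconnect=true

[802-3-ethernet]
mac-address=$mac

[ipv4]
method=manual
addresses1=$ip;$prefix;$gw;
dns=$gw;
ignore-auto-dns=true

[ipv6]
method=ignore
EOF
    # NM ignores keyfiles that are readable by anyone but root.
    chmod 600 "$file"
    printf '%s\n' "$file"
}

# keyfile_get <file> <key>: first value of <key> in the keyfile (for checks).
keyfile_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# The alternative the thread also tried: tell NM not to manage the device.
# Returns the [keyfile] stanza that would go into NetworkManager.conf; the
# thread reports that with this setting the VPN connect entry is greyed out.
unmanaged_stanza() {
    printf '[keyfile]\nunmanaged-devices=mac:%s\n' "$1"
}

# Stand-alone use on a ProxyVM (assumed paths; IP/prefix/gateway must come
# from the VM's own Qubes-assigned network settings):
#   sh this-script.sh --install 10.137.1.5 32 10.137.1.1
if [ "${1:-}" = "--install" ]; then
    write_static_keyfile /etc/NetworkManager/system-connections \
        "$(current_mac eth0)" "$2" "$3" "$4"
fi
```

Because the script reads the MAC at run time rather than hard-coding it, it works whether the address changes every boot (as Abel observed) or stays fixed per VM (as Marek says it should, being derived from the QID); the static-IP keyfile is what keeps DHCP off eth0 while leaving NM active enough for the VPN plugin to offer its connect option.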


Marek Marczykowski-Górecki

Jun 6, 2013, 6:43:02 AM6/6/13
to Abel Luck, qubes...@googlegroups.com
Are you sure about the dynamic MAC address? AFAIR it is generated from the Qubes ID
(QID), which is static for the VM lifetime. You can also set it via qvm-prefs.