Additional VPN destinations via CLI config?

anguil...@gmail.com

Sep 11, 2017, 1:37:19 PM
to qubes-users
I followed the tutorial here, specifically "Set up a ProxyVM as a VPN gateway using iptables and CLI scripts"

https://www.qubes-os.org/doc/vpn/

I like having the iptables anti-leak rules. However, it's connecting automatically to my VPN provider's destination that I downloaded their .ovpn for.

Is it possible to compile multiple locations and be able to select which one?

OR perhaps I'm going about this the wrong way? Should I instead use the GUI way via NetworkManager? Can I configure that for multiple destination choices then perhaps still add the iptables anti-leak rules?

What's the best way?

Thanks!

qubester

Sep 11, 2017, 11:52:01 PM
to qubes-users
On 09/11/2017 07:37 AM,
na, just make another NetVM like you did for the one you got, or 2, 3,
etc., up to you. What I've been doing is after suspend just start the
new non-active VPN NetVM and use it, after changing the AppVMs using
it. Bit tedious but works.

filtration

Sep 12, 2017, 1:15:19 AM
to qubes...@googlegroups.com
qubester:
Create a different VPN ProxyVM for each location you want to use.
You lose leak protection if you use NetworkManager, you should use the
iptables way.

Once you get the first ProxyVM set up correctly, you can copy its files
to other ProxyVMs to save time. Just verify their permissions and change
the desired server in the .ovpn file. Check your MTU settings, too.



qubester

Sep 13, 2017, 3:21:03 AM
to qubes-users
proxyVM rather fwiw

btw, how or why does one "check their MTU settings?"

pixel fairy

Sep 13, 2017, 3:37:46 AM
to qubes-users
On Wednesday, September 13, 2017 at 12:21:03 AM UTC-7, qubester wrote:
> proxyVM rather fwiw
>
> btw, how or why does one "check their MTU settings?"

ip a

look for a line like this,

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000


filtration

Sep 13, 2017, 8:23:23 PM
to qubes...@googlegroups.com
qubester:
> btw, how or why does one "check their MTU settings?"
>
Why? Incorrect MTU settings caused me to have disconnects from my VPN
connections. After I measured and compensated for poor MTU, my
connections have become much more stable and disconnects come back
online shortly.

How? MTU is essentially packet size. You can measure in CLI by pinging a
server. There are a few tutorials to correct MTU in OpenVPN. Go to one
of them to check it out.

Kushal Das

Sep 14, 2017, 12:50:56 AM
to anguil...@gmail.com, qubes-users
I wrote a blog post [1] about how I am trying to do a similar thing.

[1] https://kushaldas.in/posts/network-isolation-using-netvms-and-vpn-in-qubes.html

Kushal
--
Fedora Cloud Engineer
CPython Core Developer
http://kushaldas.in

Chris Laprise

Sep 14, 2017, 4:17:14 PM
to anguil...@gmail.com, qubes-users
If all the VPN links are the same provider or have the same trust
profile, then switching with a menu should be OK. But there is no "best"
way; it depends greatly on how you use the VPNs.

With the VPN doc scripts, you could move the contents of rc.local to a
custom script in /rw/config so it isn't directly executed on startup.
Then at the start of the script read all the ovpn files from
/rw/config/vpn into an array and print that as a menu, then read input
from the user. Next, link the chosen file to openvpn-client.ovpn.

You could start this script automatically from rc.local using
'systemd-run xterm ' etc.

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
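
Added example, not part of the thread or of the Qubes VPN doc scripts: one way to write the menu script described in the message above, in POSIX sh. The directory /rw/config/vpn and the name openvpn-client.ovpn come from the post; the function names, the `--menu` argument and the refusal to overwrite a regular file are assumptions of this example, and a plain glob stands in for the array.

```sh
#!/bin/sh
# Added example: pick one of several .ovpn profiles and link it to the name
# the VPN scripts load. Function names and --menu are hypothetical.
VPN_DIR="${VPN_DIR:-/rw/config/vpn}"
LINK_NAME="openvpn-client.ovpn"

# Print candidate profiles, one per line, skipping the link itself.
list_profiles() {
    for f in "$1"/*.ovpn; do
        [ -f "$f" ] || continue               # unmatched glob or dangling link
        [ "${f##*/}" = "$LINK_NAME" ] && continue
        printf '%s\n' "${f##*/}"
    done
}

# Link profile number $2 (1-based, in list_profiles order) as LINK_NAME.
select_profile() {
    dir=$1 choice=$2
    # Accept only a plain positive integer; anything else is rejected
    # before it can reach sed.
    case $choice in
        ''|*[!0-9]*|0*) echo "invalid choice: $choice" >&2; return 1 ;;
    esac
    name=$(list_profiles "$dir" | sed -n "${choice}p")
    [ -n "$name" ] || { echo "no such entry: $choice" >&2; return 1; }
    # Do not clobber a real config file that was never turned into a link.
    if [ -e "$dir/$LINK_NAME" ] && [ ! -L "$dir/$LINK_NAME" ]; then
        echo "$LINK_NAME is a regular file; rename it first" >&2
        return 1
    fi
    ln -sfn "$name" "$dir/$LINK_NAME"         # relative link inside the directory
}

# Show the menu, read one choice, update the link.
vpn_menu() {
    list_profiles "$VPN_DIR" | nl -w2 -s') '
    printf 'Select VPN profile: '
    read -r choice || return 1
    select_profile "$VPN_DIR" "$choice" && echo "Linked $LINK_NAME"
}

# Prompt only when asked to, so the functions can be sourced or tested.
if [ "${1:-}" = "--menu" ]; then vpn_menu; fi
```

The link must be in place before the commands moved out of rc.local start OpenVPN, so those commands would follow a successful `vpn_menu` call in the custom script.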
