VPN before sys-firewall?


Luc libaweb

Jul 9, 2019, 4:49:13 PM
to qubes-users
Hello,

I have read a lot about VPNs in Qubes OS.

I have set up a standalone VM with a VPN client installed. This VPN VM connects to the network through sys-firewall.

Other VMs connect directly to this VPN VM.

So, the AppVM's NetVM is the standalone VPN VM, whose NetVM is sys-firewall.

Is this good or not for security? Maybe the VPN VM bypasses sys-firewall?

Chris Laprise

Jul 9, 2019, 5:22:23 PM
to Luc libaweb, qubes-users
In practice, you won't see any difference between these configurations
unless you have placed special rules _inside_ sys-firewall (in the
/rw/config dir):

sys-vpn -> sys-firewall -> sys-net

sys-firewall -> sys-vpn -> sys-net

sys-vpn -> sys-net

The reason is that sys-vpn uses "provides network" and is thus a proxyVM
just like sys-firewall; if you add firewall rules to your appVMs, they
should be processed the same way in either sys-firewall or sys-vpn. As a
result, sys-vpn can perform both vpn and firewall functions. If you
consider sys-vpn's role to be trusted and low-risk, then the third
example can accomplish the same thing as the first two while consuming
less memory and CPU.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Luc libaweb

Jul 10, 2019, 2:45:41 AM
to qubes-users
Thanks. So the default sys-firewall just blocks all incoming traffic separately. I think it's better to place the sys-vpn after the sys-firewall, because the configuration of the sys-vpn is just: install the VPN client and force auto-connection and autostart. If the VPN client app is compromised, the sys-firewall still remains in between.

David Hobach

Jul 10, 2019, 4:18:01 AM
to Luc libaweb, qubes-users
Qubes OS implements its firewall rules in the next upstream VM which
"provides network" (see qvm-prefs). So if you don't trust your VPN VM to
manage your firewall rules, you'll need
client VM --> sys-firewall-vpn --> sys-vpn --> sys-net

If you additionally want firewall rules for sys-vpn (e.g. allowing only
connections to your VPN provider) and don't trust your sys-net to manage
them (because it manages your network devices already which run a lot of
proprietary code?), you'll need
client VM --> sys-firewall-vpn --> sys-vpn --> sys-firewall --> sys-net

You'll also need the latter if you want other client VMs with clearnet
connections and managed firewall via sys-firewall.

It's also explained in [1], section "Network service qubes".

I'd also recommend using disposable VMs with static names for these
service VMs.

[1] https://www.qubes-os.org/doc/firewall/
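As an added example (not code from this thread, from Qubes OS or from the Qubes-vpn-support project), the chain David describes above built from dom0 with qvm-prefs, plus a check for Chris's point that a qube's firewall rules are enforced by the next upstream "provides network" qube: the rules pinning sys-vpn to its VPN endpoint are attached to sys-vpn but are actually applied by sys-firewall, and a small audit confirms that no client qube reaches sys-net without passing through sys-vpn. The qube names, the endpoint 203.0.113.10 udp/1194, and the qvm-firewall rule numbering after `reset` are assumptions; QVM_PREFS and DRY_RUN are knobs of this script, not Qubes settings.

```shell
#!/bin/bash
# Added example, not from the thread or from Qubes OS. Run in dom0 (Qubes 4.0).
# Builds  client VM -> sys-firewall-vpn -> sys-vpn -> sys-firewall -> sys-net,
# pins sys-vpn's firewall to the VPN endpoint (enforced by sys-firewall, its
# netvm), and audits that a client cannot reach sys-net except through sys-vpn.
# Qube names and the endpoint 203.0.113.10 udp/1194 are placeholders (assumptions).
set -eu

QVM_PREFS=${QVM_PREFS:-qvm-prefs}   # reader for qvm-prefs; overridable to exercise the audit off-Qubes
DRY_RUN=${DRY_RUN:-0}               # DRY_RUN=1 prints the dom0 commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# set_chain VM1 VM2 ... VMn: point each qube's netvm at the next one and mark
# every qube after the first as a proxy (provides_network), like sys-firewall.
set_chain() {
    local prev="" vm
    for vm in "$@"; do
        if [ -n "$prev" ]; then
            run qvm-prefs "$prev" netvm "$vm"
            run qvm-prefs "$vm" provides_network True
        fi
        prev=$vm
    done
}

# restrict_to_endpoint VM HOST PROTO PORT: allow VM only DNS and the VPN endpoint,
# drop everything else. The rules are attached to VM but enforced by VM's netvm.
# Rule syntax is the Qubes 4.0 key=value form; the numbering assumes `reset`
# leaves a single catch-all accept at position 0 (assumption; verify with
# `qvm-firewall VM list` afterwards).
restrict_to_endpoint() {
    local vm=$1 host=$2 proto=$3 port=$4
    run qvm-firewall "$vm" reset
    run qvm-firewall "$vm" add --before 0 accept specialtarget=dns
    run qvm-firewall "$vm" add --before 1 accept dsthost="$host" proto="$proto" dstports="$port"
    run qvm-firewall "$vm" del --rule-no 2        # remove the trailing catch-all accept ...
    run qvm-firewall "$vm" add drop               # ... and end the ruleset with drop
}

# netvm_path VM: print "VM -> netvm -> ... -> sys-net" by following qvm-prefs netvm.
netvm_path() {
    local vm=$1 next path=$1 hops=0
    while next=$("$QVM_PREFS" "$vm" netvm) && [ -n "$next" ] && [ "$next" != "None" ]; do
        path="$path -> $next"
        vm=$next
        hops=$((hops + 1))
        [ "$hops" -lt 16 ] || { echo "netvm chain too long, loop?" >&2; return 1; }
    done
    printf '%s\n' "$path"
}

# must_pass_through CLIENT GUARD: succeed only if GUARD is an intermediate hop on
# CLIENT's path out, i.e. CLIENT's traffic cannot reach sys-net around it.
must_pass_through() {
    local client=$1 guard=$2 path
    path=$(netvm_path "$client")
    case "$path" in
        *" -> $guard -> "*) return 0 ;;
        *) echo "LEAK: $client reaches the outside without $guard: $path" >&2; return 1 ;;
    esac
}

# Demo session:  bash thisfile.sh demo   (prefix DRY_RUN=1 to only print the commands)
if [ "${1:-}" = "demo" ]; then
    set_chain work sys-firewall-vpn sys-vpn sys-firewall sys-net
    restrict_to_endpoint sys-vpn 203.0.113.10 udp 1194
    must_pass_through work sys-vpn && echo "ok: work can only reach sys-net via sys-vpn"
fi
```

Run the audit again after any qvm-prefs change, and for every client qube, not just the VPN one: a qube left pointing at sys-firewall instead of sys-firewall-vpn is exactly the bypass Luc asked about, and the netvm walk shows it immediately.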

brenda...@gmail.com

Jul 10, 2019, 5:15:19 AM
to qubes-users
I’m currently using:

VMs -> sys-mirage-fw-int -> sys-vpn-tasket -> sys-mirage-fw-ext -> sys-net

Benefit of mirage in this situation is that each one consumes only 32MB of RAM.

B