Best practice VPN in Qubes


taran1s

May 10, 2023, 10:51:21 AM
to qubes-users
Hi,

What is the best practice for setting up a VPN proxy in Qubes these days
(for Mullvad, VPN over Tor)?

I found two versions for setup of VPN proxy in Qubes:

The first one is from tasket called Qubes-vpn-support. The last version
is dated Dec 2020: https://github.com/tasket/Qubes-vpn-support/tree/v1.4.4

Second one is directly from Mullvad dated March 6th 2023 and so it seems
more fresh.
https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/

I plan to use VPN over Tor with Mullvad. Which guide would you recommend
to use for this case and why?

Thank you a ton!

taran1s

May 12, 2023, 7:31:38 AM
to Leo28C, qubes-users
I managed to get the tasket guide running even for VPN over Tor. The only
issue I didn't solve is that it is not working with Torbrowser in
anon-whonix AppVM.

If anon-whonix AppVM is set to use mullvad-VPN that is connected to
sys-whonix it doesn't connect to internet. If one uses Debian or Fedora
based AppVM and runs vanilla Firefox, it works like a breeze.

Any ideas how to solve this?

Leo28C:
> I followed this guide: https://micahflee.com/2019/11/using-mullvad-in-qubes/
> (works with others too not just Mullvad)

--
Kind regards
taran1s

gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3

Andrew David Wong

May 12, 2023, 7:13:00 PM
to taran1s, Patrick Schleizer, qubes-users
On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:
> If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based AppVM and runs vanilla Firefox, it works like a breeze.
>
> Any ideas how to solve this?
>

I think that's by design. Whonix does that to protect you from accidentally compromising your own privacy.

taran1s

May 13, 2023, 6:57:48 AM
to Andrew David Wong, Patrick Schleizer, qubes-users


Andrew David Wong:
Thank you for the answer Patrick. It is possible. The question is how
does one use VPN over Tor in this case with Torbrowser that doesn't
compromise the privacy (see the use case below please).

The use case is to connect to a service like Twitter that is not Tor
friendly from a static non-tor IP address (VPN), but at the same time
hide my real IP address from the VPN provider by using Tor before I
connect to the VPN.

Some services, like Twitter even if they have onion site keep forcing me
to reset password periodically, reminding me that there is a suspicious
behavior (just by connecting from Tor, not even posting anything) in an
endless loop.

I would like to use the anon-whonix-twitter AppVM Torbrowser
specifically for connection to that particular account only and nothing
else, no other apps or even websites ever used in that
anon-whonix-twitter AppVM.

Do you have any advice how to enable Torbrowser in the
anon-whonix-twitter to work in the VPN over Tor scenario?


Demi Marie Obenour

May 13, 2023, 9:43:58 AM
to taran1s, Andrew David Wong, Patrick Schleizer, qubes-users
I would use the onion service and deal with the Twitter-side brokenness.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

taran1s

May 13, 2023, 10:33:40 AM
to Demi Marie Obenour, Andrew David Wong, Patrick Schleizer, qubes-users


Demi Marie Obenour:
> On Sat, May 13, 2023 at 10:57:00AM +0000, Qubes OS Users Mailing List wrote:
>> Andrew David Wong:
>>> On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:
>>>> If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based AppVM and runs vanilla Firefox, it works like a breeze.
>>>>
>>>> Any ideas how to solve this?
>>>>
>>>
>>> I think that's by design. Whonix does that to protect you from accidentally compromising your own privacy.
>

The answer below was meant for you, David. I misidentified Patrick as the
author of the answer.

>
>> Thank you for the answer Patrick. It is possible. The question is how does
>> one use VPN over Tor in this case with Torbrowser that doesn't compromise
>> the privacy (see the use case below please).
>> The use case is to connect to a service like Twitter that is not Tor
>> friendly from a static non-tor IP address (VPN), but at the same time hide
>> my real IP address from the VPN provider by using Tor before I connect to
>> the VPN.
>
>> Some services, like Twitter even if they have onion site keep forcing me to
>> reset password periodically, reminding me that there is a suspicious
>> behavior (just by connecting from Tor, not even posting anything) in an
>> endless loop.
>
>> I would like to use the anon-whonix-twitter AppVM Torbrowser specifically
>> for connection to that particular account only and nothing else, no other
>> apps or even websites ever used in that anon-whonix-twitter AppVM.
>
>> Do you have any advice how to enable Torbrowser in the anon-whonix-twitter
>> to work in the VPN over Tor scenario?
>
> I would use the onion service and deal with the Twitter-side brokenness.


So you would propose to drop the VPN entirely from the equation, use
twitter's onion service and just use normal sys-whonix networking in the
anon-whonix-twitter AppVM.

The issue I face is not much of a laziness to deal with the annoyance
but with the requests for additional, looped identity checks like sms (I
can deal with that from time to time, but not always), continuous
password changes and similar craziness. They want to "protect me", omg.
I have set the 2FA but still the same.

Funny part is that one even doesn't need to have any activity on the
account that could be suspicious, because there is no activity at all.
The issue is purely the fact of connection through their own onion
service. Which would be funny if it wasn't sad.

Are there any significant drawbacks to using Torbrowser in the VPN over
Tor scenario? Just in case they lock me out or something, for my
protection of course.

Andrew David Wong

May 13, 2023, 2:02:12 PM
to taran1s, qubes-users
On 5/13/23 7:33 AM, taran1s wrote:
>
>
> Demi Marie Obenour:
>> On Sat, May 13, 2023 at 10:57:00AM +0000, Qubes OS Users Mailing List wrote:
>>> Andrew David Wong:
>>>> On 5/12/23 4:31 AM, 'taran1s' via qubes-users wrote:
>>>>> If anon-whonix AppVM is set to use mullvad-VPN that is connected to sys-whonix it doesn't connect to internet. If one uses Debian or Fedora based AppVM and runs vanilla Firefox, it works like a breeze.
>>>>>
>>>>> Any ideas how to solve this?
>>>>>
>>>>
>>>> I think that's by design. Whonix does that to protect you from accidentally compromising your own privacy.
>>
>
> The answer below was meant for you, David. I misidentified Patrick as the author of the answer.
>

You can call me "Andrew." "David" is my middle name. :)

>>
>>> Thank you for the answer Patrick. It is possible. The question is how does
>>> one use VPN over Tor in this case with Torbrowser that doesn't compromise
>>> the privacy (see the use case below please).
>>> The use case is to connect to a service like Twitter that is not Tor
>>> friendly from a static non-tor IP address (VPN), but at the same time hide
>>> my real IP address from the VPN provider by using Tor before I connect to
>>> the VPN.
>>
>>> Some services, like Twitter even if they have onion site keep forcing me to
>>> reset password periodically, reminding me that there is a suspicious
>>> behavior (just by connecting from Tor, not even posting anything) in an
>>> endless loop.
>>
>>> I would like to use the anon-whonix-twitter AppVM Torbrowser specifically
>>> for connection to that particular account only and nothing else, no other
>>> apps or even websites ever used in that anon-whonix-twitter AppVM.
>>
>>> Do you have any advice how to enable Torbrowser in the anon-whonix-twitter
>>> to work in the VPN over Tor scenario?
>>
>> I would use the onion service and deal with the Twitter-side brokenness.
>

You should read this, then decide whether you still think this setup would be a good idea for you:

https://www.whonix.org/wiki/Tunnels/Introduction