Leap.se - Bitmask VPN client on Qubes


donoban

May 6, 2016, 3:22:45 AM
to qubes-users

Hi,

Is anyone using this VPN on Qubes? I started using it last week and it
works fine except I have to manually update /etc/resolv.conf and run
/usr/lib/qubes/qubes-setup-dnat-to-ns

I opened this bug report:
https://leap.se/code/issues/8072

But I think that I will have to do some workaround.

Any ideas?

Regards.

Michael Carbone

May 6, 2016, 6:41:07 AM
to qubes...@googlegroups.com
donoban:
> Hi,
>
> is anyone using this VPN on Qubes? I started using it last week and it
> works fine except I have to manually update /etc/resolv.conf and run
> /usr/lib/qubes/qubes-setup-dnat-to-ns
>
> I opened this bug report:
> https://leap.se/code/issues/8072
>
> But I think that I will have to do some workaround.
>
> Any ideas?
>
> Regards.
>

Yes, I run Bitmask VPN in a Debian-8-based ProxyVM; I haven't had any
recent issues with it.

If you are having issues with it, it would be great to debug (thanks for
creating the leap.se bug report), and maybe document in the Qubes docs
once resolved. There is currently a discussion on improving the VPN
documentation:

https://github.com/QubesOS/qubes-issues/issues/1941

--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

GPG fingerprint: 2DBE 2014 E7B0 0730 303D 7AAB 99AB 0624 6EEB F5A8


donoban

May 6, 2016, 6:47:45 AM
to qubes...@googlegroups.com


On 06/05/16 12:40, Michael Carbone wrote:
> Yes I run Bitmask VPN in a Debian-8-based proxyvm, I haven't had
> any recent issues with it.
>
> If you are having issues with it it would be great to debug (thanks
> for creating the leap.se bug report), and maybe document in the
> Qubes docs once resolved. There is currently a discussion on
> improving the VPN documentation:
>
> https://github.com/QubesOS/qubes-issues/issues/1941
>

Do you have DNS working without doing anything?

Uhm, I have these firewall rules:

iptables -I FORWARD 1 -o eth0 -j DROP
iptables -I FORWARD 2 -i eth0 -j DROP

to avoid any possible leak.

Maybe you are getting DNS requests from the clearnet; could you run this
https://www.dnsleaktest.com/ from an AppVM using this proxyVM?

Michael Carbone

May 6, 2016, 8:37:53 AM
to qubes...@googlegroups.com
donoban:
>
> On 06/05/16 12:40, Michael Carbone wrote:
>> Yes I run Bitmask VPN in a Debian-8-based proxyvm, I haven't had
>> any recent issues with it.
>
>> If you are having issues with it it would be great to debug (thanks
>> for creating the leap.se bug report), and maybe document in the
>> Qubes docs once resolved. There is currently a discussion on
>> improving the VPN documentation:
>
>> https://github.com/QubesOS/qubes-issues/issues/1941
>
>
> Do you have DNS working without doing anything?
>
> Uhm, I have these firewall rules:
>
> iptables -I FORWARD 1 -o eth0 -j DROP
> iptables -I FORWARD 2 -i eth0 -j DROP
>
> to avoid any possible leak.
>
> Maybe you are getting DNS requests from the clearnet; could you run this
> https://www.dnsleaktest.com/ from an AppVM using this proxyVM?

Yes, I can confirm Bitmask is leaking DNS requests by default.

donoban

May 6, 2016, 11:09:59 AM
to qubes...@googlegroups.com

On 05/06/2016 02:37 PM, Michael Carbone wrote:
> yes, I can confirm Bitmask is leaking DNS requests by default.
>

Ouch, really it is not exclusive to Bitmask. ProxyVMs are forwarding
DNS queries to their NetVM by default. So, if you do not disable/block
this explicitly, any VPN software is leaking by default
(since they do not run /usr/lib/qubes/qubes-setup-dnat-to-ns).

I think that ProxyVM should have an option to block the whole FORWARD
chain on eth0, like:

iptables -I FORWARD 1 -o eth0 -j DROP
iptables -I FORWARD 2 -i eth0 -j DROP

Some checkbox like "leak protection", "only VPN",...

Also, since we will have to edit all VPN or similar software to run
/usr/lib/qubes/qubes-setup-dnat-to-ns, maybe it should be auto-executed
when /etc/resolv.conf is modified.

Regards.
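Pulling the two fixes discussed in this thread into one idempotent script, as an added example (not code from the thread, from Qubes or from Bitmask). The helper path is the one the thread names; the DRY_RUN switch and the VPN resolver file passed as an argument are assumptions.

```shell
#!/bin/sh
# Constructed example (not from the thread, Qubes or Bitmask): apply the
# "only VPN" FORWARD rules idempotently, and rewrite /etc/resolv.conf from
# the VPN's resolver file before re-running the Qubes DNAT helper.
# Assumes the helper path from the thread and a resolv.conf-style input file.
set -e

UPLINK="${UPLINK:-eth0}"   # interface towards the NetVM; nothing may cross it outside the tunnel
DNAT_HELPER=/usr/lib/qubes/qubes-setup-dnat-to-ns
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1: print the commands instead of running them (no root needed)

# Run a command, or echo it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Write stdin to the file in $1, or describe the write when DRY_RUN=1.
write_to() { if [ "$DRY_RUN" = 1 ]; then echo "write $1:"; cat; else cat > "$1"; fi; }

# Insert the two FORWARD DROP rules from the thread unless they already exist.
# `iptables -C` exits 0 when a rule is present, so re-running never stacks duplicates.
# Inserting -i first and then -o, both at position 1, ends with -o above -i as in the thread.
apply_leak_rules() {
    for dir in -i -o; do
        if [ "$DRY_RUN" = 1 ] || ! iptables -C FORWARD "$dir" "$UPLINK" -j DROP 2>/dev/null; then
            run iptables -I FORWARD 1 "$dir" "$UPLINK" -j DROP
        fi
    done
}

# Print the nameserver addresses from a resolv.conf-style file, one per line.
# Exits 1 when there is none, so the caller never runs the DNAT helper on an empty list.
nameservers_from() {
    ns=$(sed -n 's/^nameserver[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
    [ -n "$ns" ] || return 1
    printf '%s\n' "$ns"
}

# Rewrite /etc/resolv.conf from the VPN-provided file and re-run the Qubes DNAT
# helper, which the thread found must be repeated after every resolver change.
refresh_dns() {
    ns=$(nameservers_from "$1") || { echo "no nameserver in $1" >&2; return 1; }
    printf 'nameserver %s\n' $ns | write_to /etc/resolv.conf   # $ns unquoted: one line per address
    run "$DNAT_HELPER"
}

# Typical use inside the ProxyVM (as root) once the VPN is up:
#   apply_leak_rules && refresh_dns /path/to/vpn-resolvers.conf
```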

donoban

May 13, 2016, 3:35:55 AM
to qubes...@googlegroups.com
On 06/05/16 09:22, donoban wrote:
> is anyone using this VPN on Qubes? I started using it last week and it
> works fine except I have to manually update /etc/resolv.conf and run
> /usr/lib/qubes/qubes-setup-dnat-to-ns
>

Well, I found the source of the problem. Bitmask does not use
/etc/resolv.conf:

https://leap.se/git/bitmask_client.git/blob/1162895e124191996cc448816ad5b26bad266cfa:/changes/feature-reroute_dns_packets

I was thinking of doing some workaround on resolvconf, at least to call
/usr/lib/qubes/qubes-setup-dnat-to-ns, but I have to think of another way.

Manuel Amador (Rudd-O)

May 16, 2016, 2:51:57 PM
to qubes...@googlegroups.com
On 05/06/2016 10:47 AM, donoban wrote:
>
> On 06/05/16 12:40, Michael Carbone wrote:
> > Yes I run Bitmask VPN in a Debian-8-based proxyvm, I haven't had
> > any recent issues with it.
>
> > If you are having issues with it it would be great to debug (thanks
> > for creating the leap.se bug report), and maybe document in the
> > Qubes docs once resolved. There is currently a discussion on
> > improving the VPN documentation:
>
> > https://github.com/QubesOS/qubes-issues/issues/1941
>
>
> Do you have DNS working without doing anything?
>
> Uhm, I have these firewall rules:
>
> iptables -I FORWARD 1 -o eth0 -j DROP
> iptables -I FORWARD 2 -i eth0 -j DROP

I see these as problematic because it's easy to drop them with a -F in
some script. I have a leakproof VPN system that, as part of what it
does, creates an entire separate routing table for VMs and uses that
to route their traffic instead of the main routing table.

Someday I will open up the scripts.

--
Rudd-O
http://rudd-o.com/
