Network chain (VPN)

[variab...@gmail.com]

Hello

In this doc https://www.qubes-os.org/doc/vpn/, a configuration is described where app vms connect to the firewall VPN, which connects to the VPN proxy, and finally the net vm.

Was this correctly documented as a configuration? Should the VPN proxy sit behind the firewall?

Thanks

[Noor Christensen]

AFAIK, if you connect your AppVMs directly to the VPN proxy, you lose
the ability to firewall the traffic since it will be encrypted when it
leaves the VPN proxy.

So, for this reason, if you want to apply any filtering for that traffic
you would need a firewall VM between the AppVMs and the VPN VM. In this
situation, any firewall rules configured for the AppVMs will then be
applied by the firewall VM before it reaches the VPN VM.

There is a good explanation here (read "Security note" under Usage):

https://github.com/Rudd-O/qubes-vpn#usage


-- noor

|_|O|_|
|_|_|O| Noor Christensen
|O|O|O| 0x401DA1E0

[Noor Christensen]

Additionally, this graph might help to understand the flow:

https://raw.githubusercontent.com/Rudd-O/qubes-vpn/master/doc/Qubes%20VPN%20filtering%20rules.png

[Chris Laprise]

You should theoretically be able to use VPNVM as a firewall. However,
there is a bug in qubes-firewall that causes "Deny Except" mode to block
all DNS traffic when a VPN/tunnel is used. The obvious workaround is to
create another proxyVM to be placed between appVM and VPNVM.

If you would rather avoid creating an extra proxyVM, you can use a VPN
project that contains a fix for the DNS bug:

https://github.com/tasket/Qubes-vpn-support


Also, in most cases no firewallVM is needed between VPNVM and sys-net,
so the following chain is OK:
appVM -> VPNVM -> sys-net

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

[aaron williams]

thank you all for your help

Virus-free. www.avg.com