On 11/28/20 9:26 PM,
setem...@posteo.net wrote:
> Documentation followed:
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
> Someone please help me, I'm fucking screaming here every time I try to do the right thing following documentation or try to figure out why my own OS is stopping me from doing basic shit.
Hmmm yes the official Qubes doc on VPN is still overcomplicating things a bit too much and even lacking in some areas.
Here's a simple and probably even better way than the official doc:
1. Set up a network infrastructure such as:
-------- your VPN client VM 1
sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --|
-------- your VPN client VM 2 etc.
Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that.
2. IMPORTANT: Configure your Qubes Os firewall to only allow traffic from sys-vpn to your VPN provider.
I.e. `qvm-firewall sys-vpn --raw` should show something like
```
action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port]
```
in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. DNS & pings by default IIRC (you need to remove those GUI rules).
If you leave out this step or get it wrong, VPN leaks may be possible.
For testing purposes you could skip this step and implement it after step 3 though.
3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN client, e.g. `openvpn` with whatever config you need.
That's it. No messing with iptables et al required... ^^
(Actually there's one iptables rule that would improve security by 0,01%, but I guess it's not really relevant to 99,9% of users.)
Maybe someone should update the official recommendations.
> Thank you for taking the time to help me so far. Be well.
You too.