Chris Laprise:
> On 3/29/20 5:16 AM, scurge1tl wrote:
>>
>> Chris Laprise:
>>> On 3/27/20 5:02 AM, scurge1tl wrote:
>>>>
>>>> Hello all,
>>>>
>>>> I would like to ask about proper setting of AppVM flow if using
>>>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>>>> -> Tor -> VPN -> clearnet.
>>>>
>>>> When setting up mullvad in their web page, I set the parameters for
>>>> download here https://mullvad.net/en/download/openvpn-config/ in a
>>>> following way:
>>>> - All countries (so that I can change my exit country as needed)
>>>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>>>> - tick Use IP addresses
>>>
>>> Using TCP 443 for the connection helps only if you are running the VPN
>>> on top of Tor. With Tor on top of VPN, you're probably better off
>>> with UDP.
>>
>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
>> with UDP mullvad settings? Just to clear the "on top of".
>
> To make it less ambiguous:
>
> AppVM -> sys-whonix -> sys-vpn -> sys-net
>
> The above connection is Tor on top of (or inside of) VPN, so UDP can be
> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
> VPN should switch to TCP mode.
>
> An easy way to remember this is that the sys-* VM attached to the AppVM
> is the one the service sees on the other end.
>
>>>>
>>>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>>>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>>>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>>>
>>>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>>>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>>>> vpn-mullvad -> sys-firewall, or I should use different setup?
>>>
>>> Whonix has a guide that examines the issues of combining Tor and a VPN.
>>> However, I think it's better as a 'what-if/why' guide than a Howto...
>>>
>>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>
>> Thank you I will check it.
>>
>>>>
>>>> Are there any other steps to follow to prevent leaks?
>>>
>>> Yes.
>>>
>>> The Qubes-vpn-support project is much easier to set up and should work
>>> more smoothly, in addition to providing better protection against leaks:
>>>
>>> https://github.com/tasket/Qubes-vpn-support
>>>
>>> There is also a VPN setup guide on the Qubes doc page (this is the one
>>> the Whonix page links to). FWIW, I wrote the scripts for both but the
>>> idea for Qubes-vpn-support was to automate the setup and improve the
>>> connection handling of Openvpn so re-connection doesn't take 5 minutes.
>>> It also checks the firewall to make sure leak prevention is in place
>>> before initiating connections.
>>
>> I will try to set the additional AppVM for this and try this guide. What
>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>> -> sys-firewall ?
>>
>> Also I would like to use different exit countries of choice, so I
>> downloaded all countries from mullvad. Is there any simple way to switch
>> countries with this VPN settings?
>
> There is no GUI way to do it when using the Qubes scripts. However, if
> you use the Network Manager method on the Qubes vpn howto, then you can
> import multiple configs (and cross your fingers that they can make
> connections :) ).
>
> For a non-GUI solution, you could create a small script that lets you
> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
> config filename that the scripts use (then restart the vpn). Some people
> have used simple random selection without a prompt, like 'ln -s $( ls
> *ovpn | shuf | head -n1 ) vpn-client.conf'.
>
>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>> till now, but I need to use tor-unfriendly services from time to time
>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>> work in qubes-whonix and I therefore can't select exit country easily if
>> I need to. So I need to have the VPN country as a strict exit.
>
> To use Tor-unfriendly services, the service has to see the VPN IP not
> Tor exit node IP. Therefore...
>
> AppVM -> sys-vpn -> sys-whonix -> sys-net
>
> If you add sys-firewall (or similar proxyVM, as you probably don't want
> to change sys-firewall netvm setting) in the mix, it just depends on
> which VM you wish to add 'Qubes firewall' rules to.... it always goes
> 'to the right of' whichever VM you added rules. In my experience,
> however, such rules are not required for securing a VPN link; the
> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
> handle VPN security rather well. IOW, it's better to forget placing
> sys-firewall in the loop, at least until you're more used to Qubes
> networking.
>
>>
>> Thank you and I will let you know if it works!
>>
>
Thank you for your help. I have written an email to your address from the PGP key in your signature, regarding hashes and pgp sig for the files on github, not to spam it here in the forum.
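The non-GUI approach suggested in the thread (choose an ovpn config and link it to the config filename the scripts use), as an added example that is not part of the original messages or of Qubes-vpn-support. It assumes the configs end in `.ovpn` and sit in the same directory as `vpn-client.conf`; the function name `select_vpn_config` and its optional filename filter are hypothetical.

```shell
#!/bin/sh
# Added example: pick one OpenVPN config and point vpn-client.conf at it.
# Assumptions: configs end in .ovpn and live beside vpn-client.conf; the
# directory and an optional filename filter are supplied by the caller.

# select_vpn_config DIR [FILTER]
# Links DIR/vpn-client.conf to a randomly chosen DIR/*FILTER*.ovpn and
# prints the chosen file name. Returns non-zero if nothing matches.
select_vpn_config() {
    dir=$1
    filter=${2:-}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Build the candidate list with a glob instead of parsing ls output.
    # Only regular files count: a symlink could point outside DIR.
    candidates=$(
        for f in "$dir"/*"$filter"*.ovpn; do
            if [ -f "$f" ] && [ ! -L "$f" ]; then
                printf '%s\n' "${f##*/}"
            fi
        done
    )
    if [ -z "$candidates" ]; then
        echo "no config matches '$filter' in $dir" >&2
        return 1
    fi

    # With a single candidate this is deterministic; otherwise random.
    choice=$(printf '%s\n' "$candidates" | shuf -n 1)

    # -f replaces an existing link so repeated runs work (plain 'ln -s'
    # fails once vpn-client.conf exists); -n avoids following an old link
    # that points at a directory. The target is relative to DIR.
    ln -sfn "$choice" "$dir/vpn-client.conf" || return 1
    printf '%s\n' "$choice"
}
```

After a successful call, restart the VPN as described in the thread so the newly linked config is picked up.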
