Chris Laprise:
> On 3/29/20 5:16 AM, scurge1tl wrote:
>>
>>
>> Chris Laprise:
>>> On 3/27/20 5:02 AM, scurge1tl wrote:
>>
>>>>
>>>> Hello all,
>>>>
>>>> I would like to ask about proper setting of AppVM flow if using
>>>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>>>> -> Tor -> VPN -> clearnet.
>>>>
>>>> When setting up mullvad in their web page, I set the parameters for
>>>> download here https://mullvad.net/en/download/openvpn-config/ in a
>>>> following way:
>>>> - All countries (so that I can change my exit country as needed)
>>>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>>>> - tick Use IP addresses
>>>
>>> Using TCP 443 for the connection helps only if you are running the VPN
>>> on top of Tor. With Tor on top of VPN, you're probably better off
>>> with UDP.
>>
>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
>> with UDP mullvad settings? Just to clear the "on top of".
> 
> To make it less ambiguous:
> 
> AppVM -> sys-whonix -> sys-vpn -> sys-net
> 
> The above connection is Tor on top of (or inside of) VPN, so UDP can be
> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
> VPN should switch to TCP mode.
> 
> An easy way to remember this is that the sys-* VM attached to the AppVM
> is the one the service sees on the other end.
> 
>>
>>>
>>>>
>>>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>>>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>>>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>>>
>>>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>>>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>>>> vpn-mullvad -> sys-firewall, or I should use different setup?
>>>
>>> Whonix has a guide that examines the issues of combining Tor and a VPN.
>>> However, I think it's better as a 'what-if/why' guide than a Howto...
>>>
>>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>
>> Thank you I will check it.
>>
>>>
>>>>
>>>> Are there any other steps to follow to prevent leaks?
>>>
>>> Yes.
>>>
>>> The Qubes-vpn-support project is much easier to setup and should work
>>> more smoothly, in addition to providing better protection against leaks:
>>>
>>> https://github.com/tasket/Qubes-vpn-support
>>>
>>> There is also a VPN setup guide on the Qubes doc page (this is the one
>>> the Whonix page links to). FWIW, I wrote the scripts for both but the
>>> idea for Qubes-vpn-support was to automate the setup and improve the
>>> connection handling of Openvpn so re-connection doesn't take 5 minutes.
>>> It also checks the firewall to make sure leak prevention is in place
>>> before initiating connections.
>>
>> I will try to set the additional AppVM for this and try this guide. What
>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>> -> sys-firewall ?
>>
>> Also I would like to use different exit countries of choice, so I
>> downloaded all countries from mullvad. Is there any simple way to switch
>> countries with this VPN settings?
> 
> There is no GUI way to do it when using the Qubes scripts. However, if
> you use the Network Manager method on the Qubes vpn howto, then you can
> import multiple configs (and cross your fingers that they can make
> connections :) ).
> 
> For a non-GUI solution, you could create a small script that lets you
> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
> config filename that the scripts use (then restart the vpn). Some people
> have used simple random selection without a prompt, like 'ln -s $( ls
> *ovpn | shuf | head -n1 ) vpn-client.conf'.
> 
>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>> till now, but I need to use tor-unfriendly services from time to time
>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>> work in qubes-whonix and I therefore can't select exit country easily if
>> I need to. So I need to have the VPN country as a strict exit.
> 
> To use Tor-unfriendly services, the service has to see the VPN IP not
> Tor exit node IP. Therefore...
> 
> AppVM -> sys-vpn -> sys-whonix -> sys-net
> 
> If you add sys-firewall (or similar proxyVM, as you probably don't want
> to change sys-firewall netvm setting) in the mix, it just depends on
> which VM you wish to add 'Qubes firewall' rules to.... it always goes
> 'to the right of' whichever VM you added rules. In my experience,
> however, such rules are not required for securing a VPN link; the
> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
> handle VPN security rather well. IOW, it's better to forget placing
> sys-firewall in the loop, at least until you're more used to Qubes
> networking.
> 
>>
>> Thank you and I will let you know if it works!
>>
> 
> 

I sent an email to your protonmail, as stated in your signature PGP
fingerprint BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 but I am
not sure if it arrived. So I ask here.

Is there any signed hash for the file from github and your PGP key sig
so that I can check the authenticity and integrity of the file?

Also, is the master the zip file to be downloaded?

Thank you!


Attachment: 0xC1F4E83AF470A4ED.asc
Description: application/pgp-keys
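
The non-GUI config switch suggested in the quoted reply above (pick an ovpn file, link it to the config filename the scripts use, then restart the VPN), written out as an added example that is not part of the original thread or of Qubes-vpn-support. It assumes the downloaded configs sit in one directory as `*.ovpn` files next to `vpn-client.conf`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: switch the active OpenVPN config by symlink.
# Assumptions (not from the thread): all configs are *.ovpn files in one
# directory, and the VPN scripts read "vpn-client.conf" in that directory.

# list_configs DIR -> prints the *.ovpn basenames in DIR, sorted, one per line
list_configs() {
    ( cd "$1" 2>/dev/null && for f in *.ovpn; do
          [ -f "$f" ] && printf '%s\n' "$f"
      done | sort )
}

# select_config DIR NAME|random -> repoints DIR/vpn-client.conf
# Prints the chosen file and returns 0; returns 1 if NAME is not a listed config.
select_config() {
    dir=$1
    want=$2
    if [ "$want" = random ]; then
        choice=$(list_configs "$dir" | shuf -n1)
    else
        # Exact match against the listing only, so a value such as
        # ../other.ovpn can never become the link target.
        choice=$(list_configs "$dir" | grep -Fx -- "$want") || choice=
    fi
    [ -n "$choice" ] || { echo "no such config: $want" >&2; return 1; }
    # Create the link under a temporary name and rename it over the old one,
    # so vpn-client.conf is never missing or dangling during the switch.
    ln -sf -- "$choice" "$dir/.vpn-client.conf.new" || return 1
    mv -f -- "$dir/.vpn-client.conf.new" "$dir/vpn-client.conf" || return 1
    printf '%s\n' "$choice"
}

# Usage: switch-vpn.sh DIR NAME|random   (then restart the VPN, as the reply says)
if [ "$#" -ge 2 ]; then
    select_config "$1" "$2"
fi
```

Because the link target is a bare filename taken from the directory listing, the tunnel only ever starts from one of the configs that were downloaded into that directory.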
