> Chris Laprise:
>> On 3/29/20 5:16 AM, scurge1tl wrote:
>>> Chris Laprise:
>>>> On 3/27/20 5:02 AM, scurge1tl wrote:
>>>>> Hello all,
>>>>>
>>>>> I would like to ask about proper setting of AppVM flow if using
>>>>> Mullvad VPN. I would like to connect to the clearnet following way: Me
>>>>> -> Tor -> VPN -> clearnet.
>>>>>
>>>>> When setting up mullvad in their web page, I set the parameters for
>>>>> download here https://mullvad.net/en/download/openvpn-config/ in a
>>>>> following way:
>>>>> - All countries (so that I can change my exit country as needed)
>>>>> - Port -> TCP 443 (Tor doesn't use UDP, right?)
>>>>> - tick Use IP addresses
>>>>
>>>> Using TCP 443 for the connection helps only if you are running the VPN
>>>> on top of Tor. With Tor on top of VPN, you're probably better off
>>>> with UDP.
>>>
>>> Would this mean, if I plan to go with Me -> Tor -> VPN -> clearnet, to go
>>> with UDP mullvad settings? Just to clear the "on top of".
>>
>> To make it less ambiguous:
>>
>> AppVM -> sys-whonix -> sys-vpn -> sys-net
>>
>> The above connection is Tor on top of (or inside of) VPN, so UDP can be
>> used for the VPN. If sys-whonix and sys-vpn places were reversed, then
>> VPN should switch to TCP mode.
>>
>> An easy way to remember this is that the sys-* VM attached to the AppVM
>> is the one the service sees on the other end.
>>
>>>>> To set the Mullvad VPN AppVM, I followed this guide from micahflee
>>>>> https://micahflee.com/2019/11/using-mullvad-in-qubes/ The AppVM with
>>>>> mullvad is vpn-mullvad. All works fine and connects to the network.
>>>>>
>>>>> How should I connect Me -> Tor -> VPN -> clearnet? Am I right with
>>>>> this setup (I didn't launch it yet): anon-whonix -> sys-whonix ->
>>>>> vpn-mullvad -> sys-firewall, or I should use different setup?
>>>>
>>>> Whonix has a guide that examines the issues of combining Tor and a VPN.
>>>> However, I think it's better as a 'what-if/why' guide than a Howto...
>>>>
>>>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor
>>>
>>> Thank you, I will check it.
>>>
>>>>> Are there any other steps to follow to prevent leaks?
>>>>
>>>> Yes.
>>>>
>>>> The Qubes-vpn-support project is much easier to set up and should work
>>>> more smoothly, in addition to providing better protection against leaks:
>>>>
>>>> https://github.com/tasket/Qubes-vpn-support
>>>>
>>>> There is also a VPN setup guide on the Qubes doc page (this is the one
>>>> the Whonix page links to). FWIW, I wrote the scripts for both but the
>>>> idea for Qubes-vpn-support was to automate the setup and improve the
>>>> connection handling of Openvpn so re-connection doesn't take 5 minutes.
>>>> It also checks the firewall to make sure leak prevention is in place
>>>> before initiating connections.
>>>
>>> I will try to set the additional AppVM for this and try this guide. What
>>> would be the linking of the AppVMs, if I would like to go Me -> Tor ->
>>> VPN -> clearnet? Is it like anon-whonix -> sys-whonix -> mullvad-AppVM
>>> -> sys-firewall ?
>>>
>>> Also I would like to use different exit countries of choice, so I
>>> downloaded all countries from mullvad. Is there any simple way to switch
>>> countries with this VPN settings?
>>
>> There is no GUI way to do it when using the Qubes scripts. However, if
>> you use the Network Manager method on the Qubes vpn howto, then you can
>> import multiple configs (and cross your fingers that they can make
>> connections :) ).
>>
>> For a non-GUI solution, you could create a small script that lets you
>> choose which ovpn config to use, and 'cp' or 'ln' that choice to the
>> config filename that the scripts use (then restart the vpn). Some people
>> have used simple random selection without a prompt, like 'ln -s $( ls
>> *ovpn | shuf | head -n1 ) vpn-client.conf'.
>>
>>> Sorry for noob questions, I am new to the VPN stuff, just used Tor only
>>> till now, but I need to use tor-unfriendly services from time to time
>>> and even if it were tor-friendly, ExitNodes {xx} StrictNodes 1 doesn't
>>> work in qubes-whonix and I therefore can't select exit country easily if
>>> I need to. So I need to have the VPN country as a strict exit.
>>
>> To use Tor-unfriendly services, the service has to see the VPN IP not
>> Tor exit node IP. Therefore...
>>
>> AppVM -> sys-vpn -> sys-whonix -> sys-net
>>
>> If you add sys-firewall (or similar proxyVM, as you probably don't want
>> to change sys-firewall netvm setting) in the mix, it just depends on
>> which VM you wish to add 'Qubes firewall' rules to.... it always goes
>> 'to the right of' whichever VM you added rules. In my experience,
>> however, such rules are not required for securing a VPN link; the
>> internal (scripted) rules used by the VPN doc or Qubes-vpn-support
>> handle VPN security rather well. IOW, it's better to forget placing
>> sys-firewall in the loop, at least until you're more used to Qubes
>> networking.
>>
>>> Thank you and I will let you know if it works!
>>
>
> Thank you for your help. I have written an email to your address from
> the PGP key in your signature, regarding hashes and pgp sig for the
> files on github, not to spam it here in the forum.
I tried to set the VPN in my latest qubes with your guide on
https://github.com/tasket/Qubes-vpn-support. I use the version 1.4.3 and
followed the guide. My setting from mullvad is UDP (default) for Linux. No
IPs. When asked, I entered the correct login. The link doesn't go up,
though: no popup notification LINK IS UP when restarting the proxy VM. I
also added vpn-handler-openvpn to the proxy VM services as required.
Executing systemctl status returns this:

[user@ovpn ~]$ systemctl status qubes-vpn-handler
● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
   Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
           └─00_example.conf
   Active: activating (auto-restart) (Result: exit-code) since Tue 2020-04-07 15:30:15 CEST; 4s ago
  Process: 3098 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=0/SUCCESS)
  Process: 3105 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --pre-start (code=exited, status=0/SUCCESS)
  Process: 3110 ExecStart=/usr/lib/qubes/qubes-vpn-setup --start-exec (code=exited, status=1/FAILURE)
  Process: 3111 ExecStartPost=/usr/lib/qubes/qubes-vpn-setup --post-start (code=exited, status=0/SUCCESS)
  Process: 3117 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup --post-stop (code=exited, status=0/SUCCESS)
 Main PID: 3110 (code=exited, status=1/FAILURE)

Any idea how to set this up properly?

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8a836903-b3f3-7b1d-2929-c693ca5c937c%40mailbox.org.
0xA664B90BD3BE59B3.asc
Description: application/pgp-keys
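An added example, written for this page and not taken from the thread or from the Qubes-vpn-support project: the config-switching script Chris sketches above ("choose which ovpn config to use, 'cp' or 'ln' that choice to the config filename that the scripts use, then restart the vpn"), extended with the transport rule from earlier in the thread so that a config whose `proto` does not fit the qube chain is refused instead of linked. Assumptions: the Mullvad `.ovpn` files live in `/rw/config/vpn` (overridable via `VPN_DIR`), the scripts read `vpn-client.conf` and the unit is `qubes-vpn-handler` (both names appear in the thread), and the VPN qube's netvm name is passed in from dom0's `qvm-prefs <vpn-qube> netvm`. Sample configs in the usage comments are constructed; the Mullvad server addresses in them are documentation placeholders.

```shell
#!/bin/sh
# Added example, not Qubes-vpn-support code. Picks a Mullvad .ovpn config by
# country keyword (or at random, as in the thread's one-liner), checks that its
# transport fits where the VPN qube sits relative to Tor, and links it to the
# filename the scripts read. Restart is off unless DO_RESTART=yes.

VPN_DIR="${VPN_DIR:-/rw/config/vpn}"   # assumed Qubes-vpn-support config dir
TARGET="vpn-client.conf"               # filename named in the thread
DO_RESTART="${DO_RESTART:-no}"         # "yes" only on the real proxy VM

# required_proto NETVM: the thread's rule. If the VPN qube's netvm is the Tor
# gateway (VPN inside Tor), OpenVPN must use TCP because Tor carries no UDP;
# with Tor inside the VPN (netvm is sys-net or a firewall qube) UDP is fine.
required_proto() {
    case "$1" in
        *whonix*) echo tcp ;;
        *)        echo udp ;;
    esac
}

# config_proto FILE: transport declared by the config's "proto" line
# ("tcp-client" counts as tcp); OpenVPN defaults to udp when it is absent.
config_proto() {
    p=$(sed -n 's/^proto[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n1)
    case "$p" in
        tcp*) echo tcp ;;
        *)    echo udp ;;
    esac
}

# list_configs: basenames of the .ovpn files in VPN_DIR, one per line
list_configs() {
    (cd "$VPN_DIR" 2>/dev/null && ls *.ovpn 2>/dev/null)
}

# pick_config [KEYWORD]: first config whose name contains KEYWORD
# (case-insensitive, e.g. a country code), or a random one with no keyword
pick_config() {
    if [ -n "$1" ]; then
        list_configs | grep -i -- "$1" | head -n1
    else
        list_configs | shuf | head -n1
    fi
}

# select_config NETVM [KEYWORD]: pick, validate, link, optionally restart.
# Prints the chosen file; returns 1 (leaving the current link untouched) if
# nothing matches, the file names no remote, or its transport is wrong.
select_config() {
    netvm=$1; kw=$2
    name=$(pick_config "$kw")
    [ -n "$name" ] || { echo "no config matching '$kw' in $VPN_DIR" >&2; return 1; }
    f="$VPN_DIR/$name"
    grep -q '^remote[[:space:]]' "$f" || { echo "$f has no remote line" >&2; return 1; }
    want=$(required_proto "$netvm"); have=$(config_proto "$f")
    if [ "$want" != "$have" ]; then
        echo "$f uses $have but a VPN qube behind $netvm needs $want" >&2
        return 1
    fi
    ln -sfn "$f" "$VPN_DIR/$TARGET"
    echo "$f"
    if [ "$DO_RESTART" = yes ]; then
        sudo systemctl restart qubes-vpn-handler
    fi
    return 0
}

# Usage on the proxy VM, netvm taken from dom0's `qvm-prefs sys-vpn netvm`:
#   DO_RESTART=yes sh select-vpn-config.sh sys-net se
if [ "$#" -ge 1 ]; then
    select_config "$@"
fi
```

Run without `DO_RESTART=yes` it only rewrites the symlink, so the choice can be inspected before the service restart takes the link down and up again. The refusal on a transport mismatch is the point of the extra check: a UDP config linked under a VPN-inside-Tor chain would simply never connect, which looks exactly like the "link doesn't go up" symptom described in the follow-up.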
