VPN overhaul

This commit is contained in:
anarsec 2024-04-26 03:24:58 +00:00
parent f95c4b0a6a
commit 15b23bb7b9
No known key found for this signature in database
4 changed files with 69 additions and 15 deletions


@ -298,17 +298,25 @@ Like any software, the Tor Browser has vulnerabilities that can be exploited —
Occasionally, Tor Browser will notify you that a new version is available before it can be updated by using the Qubes Update tool. When this happens, you can [run **Tor Browser Downloader**](https://www.whonix.org/wiki/Tor_Browser#Installation_Process) from the Whonix-Workstation Template (`whonix-workstation-17`). As noted in the [docs](https://www.whonix.org/wiki/Tor_Browser#Summary), do **not** run this tool from a disposable Template — the disposable Template will be updated automatically.
# Create a VPN Qube
# Force All Network Traffic Through a VPN
You should create a [VPN](/glossary/#vpn-virtual-private-network) qube, for reasons that are well-summarized by the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/):
When using the Internet from home, it is best to use a [VPN](/glossary/#vpn-virtual-private-network) for all network traffic — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. As the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/) notes:
>Using a reputable VPN provider can provide more privacy against surveillance from your ISP or government and prevent network injection attacks from those entities. A VPN will also make traffic correlation attacks — especially those targeting messaging apps — more difficult to perform and less effective.
We recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without cryptocurrency.
For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) or [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero).
We're going to name the new VPN qube `sys-vpn`. Follow the guide for [the Mullvad app](https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/) or the [the IVPN app](https://forum.qubes-os.org/t/ivpn-app-4-2-setup-guide/23804). Now `sys-vpn` will force all network traffic through the VPN before it reaches `sys-firewall`.
There are two ways you can run a VPN: from your laptop or from your router. You don't want to "double up" a VPN so if its running on your router, it shouldn't be running on your laptop, and vice-versa.
## Change the default net qube
**Running a VPN from your router**: If you mostly use Qubes OS from home, we recommend [running the VPN from your router](/posts/tails-best/#appendix-setting-up-a-vpn-on-a-router), which requires no configuration of Qubes OS. If this is the approach you choose, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs).
**Running a VPN from your laptop**: If you regularly use Qubes OS away from home, we recommend creating a VPN qube that runs the VPN client app. If you configure Qubes OS to force all networking through the VPN qube, the laptop should connect to a VLAN of the router which is **not** running a VPN.
## Creating a VPN qube
To create a VPN qube, follow the guide for [the Mullvad app](https://privsec.dev/posts/qubes/using-mullvad-vpn-on-qubes-os/) or the [the IVPN app](https://forum.qubes-os.org/t/ivpn-app-4-2-setup-guide/23804). We'll assume that you named the new VPN qube `sys-vpn`. It will force all network traffic through the VPN before it reaches `sys-firewall`.
### Configure qubes that were using sys-firewall
* Go to **Applications menu → Qubes Tools → Qubes Global Settings**. Switch the default net qube from `sys-firewall` to `sys-vpn`.
* Then, go to debian-12-dvm's **Settings → Basic** tab and change the net qube to `sys-vpn`.
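Review bot: two typos in the added prose. In "You don't want to "double up" a VPN so if its running on your router", `its` should be `it's`; and "or the [the IVPN app]" carries the doubled `the` over from the removed line, so this rewrite is the place to fix it. On the sentence "the laptop should connect to a VLAN of the router which is **not** running a VPN", consider stating the reason explicitly: the laptop's VPN would otherwise be tunneled inside the router's VPN, which is exactly the doubling-up the previous paragraph warns against. Lastly, the Global Settings step switches the default net qube to `sys-vpn` and the next step moves debian-12-dvm over as well; a short sentence that `sys-vpn` itself keeps `sys-firewall` as its net qube (as the table in the next hunk shows) would stop a reader from "migrating" it along with the rest. Minor: `debian-12-dvm` is written without the backticks the other qube names use.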
@ -323,12 +331,12 @@ To understand this configuration, it may help to visualize the qubes involved in
| `sys-vpn` | The VPN qube you created | sys-firewall |
| debian-12-dvm | Your disposable Debian qube | `sys-vpn` |
## Configure connecting to the VPN before Tor
### Configure Whonix-Gateway
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using an Internet connection tied to your identity.
* To configure connecting to a VPN *before* connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube to `sys-vpn`.
* When using the Internet from home, it is best to use a VPN for all network traffic — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. But if you are intentionally using an [Internet connection not tied to your identity](/posts/tails-best/#an-internet-connection-not-tied-to-your-identity), such as Wi-Fi at a random cafe, the VPN ties you to any other computer activity you've used it for (via your subscription). In this scenario, you can change sys-whonix's net qube back to `sys-firewall` (connect to Tor directly), or change sys-whonix's net qube to another VPN qube (`sys-vpn-2`) that uses a compartmentalized VPN subscription.
* To configure connecting to a VPN before connecting to Tor, go to sys-whonix's **Settings → Basic** tab and change the net qube to `sys-vpn`.
* If you are intentionally using an [Internet connection not tied to your identity](/posts/tails-best/#an-internet-connection-not-tied-to-your-identity), such as Wi-Fi at a random cafe, a VPN ties you to any other computer activity you've used it for (via your subscription). In this scenario, change sys-whonix's net qube back to `sys-firewall` (connect to Tor directly), or change sys-whonix's net qube to another VPN qube (`sys-vpn-2`) that uses a compartmentalized VPN subscription.
* As a last step, we will verify that only `sys-vpn` has its net qube set to `sys-firewall`. Go to **Applications menu → Qubes Tools → Qube Manager** and sort the entries by "Net qube" to make this easier.
For more information on the rationale of this configuration, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor). Note that you should not connect to a VPN *after* Tor because this [breaks Stream Isolation](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-tor-x).
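Review bot: the final bullet's check, "verify that only `sys-vpn` has its net qube set to `sys-firewall`", contradicts the bullet right above it, which tells the reader in the cafe scenario to set sys-whonix's net qube back to `sys-firewall` (direct Tor) or to a second VPN qube `sys-vpn-2`, which would itself have to sit on `sys-firewall` like `sys-vpn` does. Suggest qualifying the check, e.g. "verify that only `sys-vpn` (plus `sys-vpn-2`, or sys-whonix if you connect to Tor directly) has its net qube set to `sys-firewall`", so the Qube Manager sort does not flag the configuration the previous bullet just recommended. Smaller point: the new heading reads "Configure Whonix-Gateway" while every bullet under it refers to sys-whonix; naming the qube in the heading, for example "Configure Whonix-Gateway (`sys-whonix`)", keeps the two aligned, and `sys-whonix` should take the same backticks as the other qube names.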