@ -5,7 +5,7 @@ tags: ['Operating Systems', 'MirageOS', 'Qubes OS', 'Security']
|
||||
author: Tommy
|
||||
---
|
||||
|
||||
![MirageOS](/images/mirageos.png)
|
||||
![MirageOS](mirageos.png)
|
||||
|
||||
[MirageOS](https://mirage.io/) is a library operating system with which you can create a unikernel for the sole purpose of acting as Qubes OS's firewall. In this post, I will walk you through how to set this up.
|
||||
|
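Review bot: the new `![MirageOS](mirageos.png)` reference is relative, so it resolves against the URL the Markdown is rendered under rather than against a fixed site path as `/images/mirageos.png` did. It loads on the post page only if the image is placed beside the post and the post is served from its own directory. If the site reuses post bodies or summaries elsewhere (list pages, a feed), the same `mirageos.png` will point at a different location there. Check those views before merging, and state in the commit message that images are now co-located with their posts.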
Before Width: | Height: | Size: 360 KiB After Width: | Height: | Size: 360 KiB |
@ -5,7 +5,7 @@ tags: ['Applications', 'Qubes OS', 'Privacy']
|
||||
author: Tommy
|
||||
---
|
||||
|
||||
![IVPN](/images/ivpn.png)
|
||||
![IVPN](ivpn.png)
|
||||
|
||||
IVPN is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official IVPN client in a ProxyVM on Qubes OS. We will deviate from the [official guide](https://www.ivpn.net/knowledgebase/linux/ivpn-on-qubes-os/) by using systemd path to handle DNAT. This will provide the same robustness as their approach to modify `/opt/ivpn/etc/firewall.sh`, while avoiding the risk that the modifications will be overwritten by a future app update. We will also be using a TemplateVM for IVPN ProxyVMs instead of using Standalone VMs.
|
||||
|
||||
@ -99,7 +99,7 @@ sudo shutdown now
|
||||
|
||||
Create an AppVM based on the TemplateVM you have just created. Set `sys-firewall` (or whatever FirewallVM you have connected to your `sys-net`) as the net qube. If you do not have such FirewallVM, use `sys-net` as the net qube. Next, go to the advanced tab and tick the `provides network access to other qubes` box.
|
||||
|
||||
![Provides Network](/images/provides-network.png)
|
||||
![Provides Network](provides-network.png)
|
||||
|
||||
Open the IVPN and select `Settings` → `DNS` → `Force management of DNS using resolv.conf`.
|
||||
|
||||
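Review bot: nit on the unchanged context line at the end of this hunk, "Open the IVPN and select": the noun is missing, whereas the matching step in the Mullvad post reads "Open the Mullvad VPN app". Since this file is being edited anyway, change it to "Open the IVPN app and select".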
@ -123,5 +123,3 @@ This is not strictly necessary, as I have not observed any leaks with the VPN ki
|
||||
With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that IVPN or some other apps may interfere with its firewall handling.
|
||||
|
||||
Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/qubes/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the IVPN ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.
|
||||
|
||||
![MirageOS](/images/mirageos.png)
|
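Review bot: the trailing `![MirageOS](/images/mirageos.png)` after the Mirage FirewallVM recommendation is deleted here (the hunk goes from 5 lines to 3) instead of being repointed like every other image in this commit, and the commit does not say why. If the reason is that `mirageos.png` now lives only with the MirageOS post, put that in the commit message; the `-104,5 +104,3` hunk in the Mullvad post drops the same image. The link `/posts/qubes/firewalling-with-mirageos-on-qubes-os/` in this hunk stays site-absolute while the images become relative, so confirm it still resolves after the files are moved.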
Before Width: | Height: | Size: 78 KiB After Width: | Height: | Size: 78 KiB |
Before Width: | Height: | Size: 33 KiB After Width: | Height: | Size: 33 KiB |
@ -5,7 +5,7 @@ tags: ['Applications', 'Qubes OS', 'Anonymity', 'Privacy']
|
||||
author: Tommy
|
||||
---
|
||||
|
||||
![Lokinet](/images/lokinet.png)
|
||||
![Lokinet](lokinet.png)
|
||||
|
||||
[Lokinet](https://lokinet.org) is an Internet overlay network utilizing onion routing to provide anonymity for its users, similar to Tor network. This post will go over how to set it up on Qubes OS.
|
||||
|
Before Width: | Height: | Size: 29 KiB After Width: | Height: | Size: 29 KiB |
@ -5,7 +5,7 @@ tags: ['Applications', 'Qubes OS', 'Privacy']
|
||||
author: Tommy
|
||||
---
|
||||
|
||||
![Mullvad VPN](/images/mullvad-vpn.png)
|
||||
![Mullvad VPN](mullvad-vpn.png)
|
||||
|
||||
Mullvad is a fairly popular and generally trustworthy VPN provider. In this post, I will walk you through how to use the official Mullvad client in a ProxyVM on Qubes OS. This method is a lot more convenient than the [official guide](https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/) from Mullvad (which recommends that you manually load in OpenVPN or Wireguard profiles) and will let you seamlessly switch between different location and network setups just as you would on a normal Linux installation.
|
||||
|
||||
@ -82,7 +82,7 @@ sudo shutdown now
|
||||
|
||||
Create an AppVM based on the TemplateVM you have just created. Set `sys-firewall` (or whatever FirewallVM you have connected to your `sys-net`) as the net qube. If you do not have such FirewallVM, use `sys-net` as the net qube. Next, go to the advanced tab and tick the `provides network access to other qubes` box.
|
||||
|
||||
![Provides Network](/images/provides-network.png)
|
||||
![Provides Network](provides-network.png)
|
||||
|
||||
Open the Mullvad VPN app. Go to `Settings` → `VPN settings` and toggle `Local network sharing`. Due to some strange interaction between qubes services and Mullvad VPN, certain apps will get internet connections while others do not if this toggle is not enabled. This toggle will **not** actually allow AppVMs connected to the ProxyVM to connect to the local network.
|
||||
|
||||
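Review bot: `![Provides Network](provides-network.png)` uses the same relative file name as the IVPN post's `-99,7 +99,7` hunk, so the screenshot has to exist once in each post's directory. The image entries in this commit are consistent with that: one 33 KiB file shown with both "Before" and "After", and another 33 KiB file shown with "After" only, which looks like the second copy. Two copies of one screenshot will drift apart when it is re-captured. Consider keeping a single shared copy referenced from both posts, or say in the commit message that the duplication is deliberate.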
@ -104,5 +104,3 @@ This is not strictly necessary, as I have not observed any leaks with the VPN ki
|
||||
With this current setup, the ProxyVM you have just created will be responsible for handling Firewall rules for the qubes behind it. This is not ideal, as this is still a fairly large VM, and there is a risk that Mullvad or some other apps may interfere with its firewall handling.
|
||||
|
||||
Instead, I highly recommend that you [create a minimal Mirage FirewallVM](/posts/qubes/firewalling-with-mirageos-on-qubes-os/) and use it as a firewall **behind** the Mullvad ProxyVM. Other AppVMs then should use the Mirage Firewall as the net qube instead. This way, you can make sure that firewall rules are properly enforced.
|
||||
|
||||
![MirageOS](/images/mirageos.png)
|
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 33 KiB |
@ -5,7 +5,7 @@ tags: ['Operating Systems', 'Qubes OS', 'Security']
|
||||
author: Tommy
|
||||
---
|
||||
|
||||
![Split GPG & SSH](/images/split-gpg-ssh.png)
|
||||
![Split GPG & SSH](split-gpg-ssh.png)
|
||||
|
||||
This post will go over setting up Split GPG, then setting up Split SSH with the same PGP keys. Effectively, we are emulating what you can do with a PGP smartcard on Qubes OS.
|
||||
|
||||
@ -28,7 +28,7 @@ This part is based on the Qubes Community's [guide](https://forum.qubes-os.org/t
|
||||
- Get your keygrip with `gpg --with-keygrip -k`
|
||||
- Add your keygrip to the end of `~/.gnupg/sshcontrol`
|
||||
|
||||
![PGP Keygrip](/images/keygrip.png)
|
||||
![PGP Keygrip](keygrip.png)
|
||||
|
||||
### In `vault`'s TemplateVM
|
||||
|
Before Width: | Height: | Size: 22 KiB After Width: | Height: | Size: 22 KiB |
Before Width: | Height: | Size: 277 KiB After Width: | Height: | Size: 277 KiB |