Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity
141ed82589
qubes-doc/configuration/vpn.md

224 lines
10 KiB
Markdown
Raw Normal View History

VPN changed
2014-05-23 06:42:09 -04:00
---
wiki -> doc migration
2015-04-10 16:17:45 -04:00
layout: doc
VPN changed
2014-05-23 06:42:09 -04:00
title: VPN
Clean up and organize privacy pages * Logically organize the Whonix-related pages * Move the VPN page to /configuration/ * VPNs are used for more than just privacy, and many VPN setups and services either can't or don't claim to provide privacy. * Remove `/privacy/` from URLs * These directory names are just for organizing the source pages, *unless* an actual page resides there. Since there is no /doc/privacy/ page, it's unnecessary and misleading to have this in the URLs. It also breaks uniformity, since none of the other pages have their informal group name in their URL (again, unless there's a page with that name).
2016-02-20 16:15:30 -05:00
permalink: /doc/vpn/
Change URIs from CamelCase to lowercase-hyphen-separated
2015-10-11 03:04:59 -04:00
redirect_from:
Clean up and organize privacy pages * Logically organize the Whonix-related pages * Move the VPN page to /configuration/ * VPNs are used for more than just privacy, and many VPN setups and services either can't or don't claim to provide privacy. * Remove `/privacy/` from URLs * These directory names are just for organizing the source pages, *unless* an actual page resides there. Since there is no /doc/privacy/ page, it's unnecessary and misleading to have this in the URLs. It also breaks uniformity, since none of the other pages have their informal group name in their URL (again, unless there's a page with that name).
2016-02-20 16:15:30 -05:00
- /doc/privacy/vpn/
Remove en/ from URLs (QubesOS/qubes-issues#1333)
2015-10-28 18:14:40 -04:00
- /en/doc/vpn/
Change URIs from CamelCase to lowercase-hyphen-separated
2015-10-11 03:04:59 -04:00
- /doc/VPN/
- /wiki/VPN/
VPN changed
2014-05-23 06:42:09 -04:00
---
VPN changed
2014-05-23 08:47:14 -04:00
How To make a VPN Gateway in Qubes
Fix table of contents (QubesOS/qubes-issues#1941)
2016-09-24 16:12:37 -04:00
==================================
VPN changed
2014-05-23 06:42:09 -04:00
Fixed a typo in first paragraph.
2017-04-02 13:19:38 -04:00
Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.
VPN changed
2014-05-23 06:42:09 -04:00
Small edits to vpn.md A few new or revised sentences in the goal of accuracy. Also fixed some grammar issues and simplified some roundabout phrases.
2017-04-01 15:09:04 -04:00
Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)
VPN changed
2014-05-23 06:42:09 -04:00
### NetVM
Minor VPN doc syntax cleanup
2016-01-31 22:11:18 -05:00
The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:
VPN changed
2014-05-23 06:42:09 -04:00
Minor VPN doc syntax cleanup
2016-01-31 22:11:18 -05:00
- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs.
2015-07-23 07:19:16 -04:00
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)
VPN changed
2014-05-23 06:42:09 -04:00
VPN changed
2014-05-23 10:16:18 -04:00
### AppVM
Minor VPN doc syntax cleanup
2016-01-31 22:11:18 -05:00
While the NetworkManager service is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well. However this is only suggested if your VPN client has special requirements.
VPN changed
2014-05-23 10:16:18 -04:00
VPN changed
2014-05-23 06:42:09 -04:00
### ProxyVM
Small edits to vpn.md A few new or revised sentences in the goal of accuracy. Also fixed some grammar issues and simplified some roundabout phrases.
2017-04-01 15:09:04 -04:00
One of the best unique features of Qubes OS is its special type of VM called a ProxyVM. The special thing is that your AppVMs see this as a NetVM (or uplink), and your NetVMs see it as a downstream AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default sys-firewall VM functions.
VPN changed
2014-05-23 06:42:09 -04:00
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs.
2015-07-23 07:19:16 -04:00
Using a ProxyVM to set up a VPN client gives you the ability to:
VPN changed
2014-05-23 06:42:09 -04:00
Small edits to vpn.md A few new or revised sentences in the goal of accuracy. Also fixed some grammar issues and simplified some roundabout phrases.
2017-04-01 15:09:04 -04:00
- Separate your VPN credentials from your NetVM.
- Separate your VPN credentials from your AppVM data.
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs.
2015-07-23 07:19:16 -04:00
- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
VPN changed
2014-05-23 06:42:09 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Set up a ProxyVM as a VPN gateway using NetworkManager
------------------------------------------------------
VPN changed
2014-05-23 06:42:09 -04:00
Minor grammar fix
2017-04-03 00:01:17 -04:00
1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
VPN changed images added
2014-05-23 08:15:00 -04:00
Fix Markdown syntax and clean up text
2015-11-04 15:14:02 -05:00
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
VPN changed images added
2014-05-23 08:15:00 -04:00
Update vpn.md #1052 fixed :)
2016-01-22 05:23:37 -05:00
2. Add the `network-manager` service to this new VM.
VPN changed images added
2014-05-23 08:15:00 -04:00
Fix Markdown syntax and clean up text
2015-11-04 15:14:02 -05:00
![Settings-services.png](/attachment/wiki/VPN/Settings-services.png)
VPN changed
2014-05-23 08:18:21 -04:00
Minor VPN doc syntax cleanup
2016-01-31 22:11:18 -05:00
3. Set up your VPN as described in the NetworkManager documentation linked above.
VPN changed images added
2014-05-23 08:15:00 -04:00
Minor VPN doc syntax cleanup
2016-01-31 22:11:18 -05:00
4. Configure your AppVMs to use the new VM as a NetVM.
Fix Markdown syntax and clean up text
2015-11-04 15:14:02 -05:00
![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
custom VPN connection status icons for NetworkManager running in a ProxyVM
2016-01-26 05:01:14 -05:00
Minor VPN doc syntax cleanup
2016-01-31 22:11:18 -05:00
5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
----------------------------------------------------------------
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates.
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Minor grammar fix
2017-04-03 00:01:17 -04:00
1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
Clean up text and fix formatting (closes #162)
2016-06-06 05:39:39 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Update vpn.md Elaborate note about NM, and fix paths in step 3.
2016-09-16 07:30:30 -04:00
Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
If your choice of template VM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package: for example `sudo systemctl disable openvpn.service`.
Small edits to vpn.md A few new or revised sentences in the goal of accuracy. Also fixed some grammar issues and simplified some roundabout phrases.
2017-04-01 15:09:04 -04:00
You may also wish to install `nano` or another simple text editor for entering the scripts below.
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
Small edits to vpn.md A few new or revised sentences in the goal of accuracy. Also fixed some grammar issues and simplified some roundabout phrases.
2017-04-01 15:09:04 -04:00
2. Set up and test the VPN client.
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Make sure the VPN VM and its template VM are not running.
Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with `sudo mkdir /rw/config/vpn` and copy your VPN config files here (the example config filename used here is `openvpn-client.ovpn`). Files accompanying the main config such as *.crt and *.pem should also go here, and should not be referenced in the main config by absolute paths such as '/etc/...'.
Small edits to vpn.md A few new or revised sentences in the goal of accuracy. Also fixed some grammar issues and simplified some roundabout phrases.
2017-04-01 15:09:04 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Notes about VPN config options: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. Lastly, the VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the 'vpn' folder with your credentials and using a directive such as openvpn's `auth-user-pass <filename>` is recommended.
__Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
```
sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
```
Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping` and `traceroute`. DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
Proceed to the next step when you're sure the basic VPN connection is working.
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
3. Create the DNS-handling script.
Update vpn.md Elaborate note about NM, and fix paths in step 3.
2016-09-16 07:30:30 -04:00
Use `sudo nano /rw/config/vpn/qubes-vpn-handler.sh` to edit and add:
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
~~~
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
#!/bin/bash
set -e
quotes
2016-06-05 02:57:51 -04:00
export PATH="$PATH:/usr/sbin:/sbin"
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
case "$1" in
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
up)
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
# To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
# Format is 'X.X.X.X Y.Y.Y.Y [...]'
Switch to 'su -' envs, quote vars, rm --dport 53 Thanks Marek!
2016-06-04 22:46:18 -04:00
if [[ -z "$vpn_dns" ]] ; then
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
# Parses DHCP foreign_option_* vars to automatically set DNS address translation:
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
for optionname in ${!foreign_option_*} ; do
option="${!optionname}"
unset fops; fops=($option)
if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
done
fi
iptables -t nat -F PR-QBS
Switch to 'su -' envs, quote vars, rm --dport 53 Thanks Marek!
2016-06-04 22:46:18 -04:00
if [[ -n "$vpn_dns" ]] ; then
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
# Set DNS address translation in firewall:
for addr in $vpn_dns; do
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
done
Switch to 'su -' envs, quote vars, rm --dport 53 Thanks Marek!
2016-06-04 22:46:18 -04:00
su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
else
Switch to 'su -' envs, quote vars, rm --dport 53 Thanks Marek!
2016-06-04 22:46:18 -04:00
su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
fi
;;
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
down)
Switch to 'su -' envs, quote vars, rm --dport 53 Thanks Marek!
2016-06-04 22:46:18 -04:00
su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
;;
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
esac
~~~
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
Now save the script and make it executable:
Update vpn.md Elaborate note about NM, and fix paths in step 3.
2016-09-16 07:30:30 -04:00
`sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh`
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config with `sudo nano /rw/config/vpn/openvpn-client.ovpn` and add these lines:
Fix code block and image QubesOS/qubes-issues#2317
2016-09-17 05:49:39 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
~~~
script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'
~~~
**Restart the client and test the connection again** ...this time from an AppVM!
5. Set up iptables anti-leak rules.
Edit the firewall script with `sudo nano /rw/config/qubes-firewall-user-script` then clear out the existing lines and add:
~~~
#!/bin/bash
# Block forwarding of connections through upstream network device
# (in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
# Block all outgoing traffic
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -I OUTPUT -o lo -j ACCEPT
# Add the `qvpn` group to system, if it doesn't already exist
if ! grep -q "^qvpn:" /etc/group ; then
groupadd -rf qvpn
sync
fi
sleep 2s
# Allow traffic from the `qvpn` group to the uplink interface (eth0);
# Our VPN client will run with group `qvpn`.
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
~~~
Now save the script and make it executable:
`sudo chmod +x /rw/config/qubes-firewall-user-script`
Clean up text and fix formatting (closes #162)
2016-06-06 05:39:39 -04:00
5. Set up the VPN's autostart.
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Use `sudo nano /rw/config/rc.local` to clear out the existing lines and add:
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
~~~
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
#!/bin/bash
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
VPN_CLIENT='openvpn'
VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
groupadd -rf qvpn ; sleep 2s
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
~~~
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
Fix code block formatting (closes #161)
2016-06-06 05:31:37 -04:00
Automatic; No manual coding of IP addresses. This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case). Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments. The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config. This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
2016-06-04 20:01:58 -04:00
Now save the script and make it executable:
`sudo chmod +x /rw/config/rc.local`
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
Usage
-----
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Configure your AppVMs to use the VPN VM as a NetVM...
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Fix code block and image QubesOS/qubes-issues#2317
2016-09-17 05:49:39 -04:00
![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
how to setup an openvpn connection using iptables
2016-05-25 16:55:27 -04:00
Add support for updates proxy in VPN doc QubesOS/Qubes-issues#2383
2017-01-11 20:38:02 -05:00
Revise for clarity, terminology, and orthography
2017-01-11 22:50:31 -05:00
If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
Then, configure AppVMs to use your new FirewallVM as their NetVM.
Add support for updates proxy in VPN doc QubesOS/Qubes-issues#2383
2017-01-11 20:38:02 -05:00
Revise for clarity, terminology, and orthography
2017-01-11 22:50:31 -05:00
If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM.
You can do this in the Services tab in Qubes VM Manager or on the command-line:
$ qvm-service -e <name> qubes-updates-proxy
Then, configure your templates to use your new FirewallVM as their NetVM.
Add support for updates proxy in VPN doc QubesOS/Qubes-issues#2383
2017-01-11 20:38:02 -05:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
Troubleshooting
---------------
Clean up text and fix formatting (closes #162)
2016-06-06 05:39:39 -04:00
Update vpn.md * Scripts and text mention openvpn only in the context of examples. * Firewall commands slightly tweaked: Important blocking rules move to top. Removed superfluous check for qvpn OUTPUT rule. * Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts). * Tells the user when and what they should test (iptables/scripts). * Change script order to enable testing flow. * Added Usage and Troubleshooting sections. https://github.com/QubesOS/qubes-issues/issues/2317
2016-09-15 08:14:54 -04:00
* Always test your basic VPN connection before adding scripts.
* Test DNS: Ping a familiar domain name from an appVM. It should print the IP address for the domain.
* For scripting: Ping external IP addresses from inside the VPN VM using `sudo sg qvpn -c 'ping ...'`, then from an appVM using just `ping ...`. Once the firewall rules are in place, you will have to use `sudo sg` to run any IP network commands in the VPN VM.
* Use `iptables -L -v` and `iptables -L -v -t nat` to check firewall rules. The latter shows the critical PR-QBS chain that enables DNS forwarding.
Reference in New Issue Copy Permalink