mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-02-17 21:34:17 -05:00
Merge branch 'patch-1' of https://github.com/stubbybubby/qubes-doc into stubbybubby-patch-1
This commit is contained in:
commit
28a28d30c5
@ -12,9 +12,9 @@ redirect_from:
|
|||||||
How To make a VPN Gateway in Qubes
|
How To make a VPN Gateway in Qubes
|
||||||
==================================
|
==================================
|
||||||
|
|
||||||
Although setting up a VPN connection is not by itself Qubes specific, there are a number of Qubes-related details that can make using the connection more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.
|
Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.
|
||||||
|
|
||||||
Please refer to guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)
|
Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)
|
||||||
|
|
||||||
### NetVM
|
### NetVM
|
||||||
|
|
||||||
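Review bot: The rewritten sentence on the right keeps two small issues from the original that this copyedit could fix in the same pass. "Qubes specific" is used as a predicate adjective ("is not by itself Qubes specific") while the same sentence later writes "Qubes-specific outline"; pick one form, ideally the hyphenated one. In the following paragraph, "connection(s); The relevant documentation" capitalizes the word after a semicolon; either lower-case "the" or split it into two sentences, e.g. "...for your connection(s). The relevant documentation for the Qubes default guest OS (Fedora) is ...". The link target also points at the Fedora 23 Networking Guide, which is worth flagging for a follow-up since the same page says the scripts were tested on Fedora 23.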
@ -29,18 +29,18 @@ While the NetworkManager service is not started here (for a good reason), you ca
|
|||||||
|
|
||||||
### ProxyVM
|
### ProxyVM
|
||||||
|
|
||||||
One of the best things in Qubes is that you can use a special type of VM called a ProxyVM. The special thing is that your AppVMs see this as a NetVM (or uplink), and your NetVMs see it as a downstream AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default sys-firewall VM functions.
|
One of the best unique features of Qubes OS is its special type of VM called a ProxyVM. The special thing is that your AppVMs see this as a NetVM (or uplink), and your NetVMs see it as a downstream AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default sys-firewall VM functions.
|
||||||
|
|
||||||
Using a ProxyVM to set up a VPN client gives you the ability to:
|
Using a ProxyVM to set up a VPN client gives you the ability to:
|
||||||
|
|
||||||
- Separate your VPN credentials from Your NetVM.
|
- Separate your VPN credentials from your NetVM.
|
||||||
- Separate your VPN credentials from Your AppVM data.
|
- Separate your VPN credentials from your AppVM data.
|
||||||
- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
|
- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
|
||||||
|
|
||||||
Set up a ProxyVM as a VPN gateway using NetworkManager
|
Set up a ProxyVM as a VPN gateway using NetworkManager
|
||||||
------------------------------------------------------
|
------------------------------------------------------
|
||||||
|
|
||||||
1. Create a new VM: Name it, click the ProxyVM radio button then choose a color and template.
|
1. Create a new VM, name it, click the ProxyVM radio button, and then choose a color and template.
|
||||||
|
|
||||||
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
|
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
|
||||||
|
|
||||||
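Review bot: "One of the best unique features of Qubes OS" reads awkwardly, since "best" and "unique" are stacked as competing superlatives; suggest either "One of the unique features of Qubes OS is a special type of VM called a ProxyVM" or simply keep the original "One of the best things in Qubes". The lower-casing of "Your" in the two bullet points and the comma-separated rewording of step 1 ("Create a new VM, name it, click the ProxyVM radio button, and then choose a color and template.") are straightforward improvements and look correct.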
@ -62,7 +62,7 @@ Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
|
|||||||
|
|
||||||
This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates.
|
This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates.
|
||||||
|
|
||||||
1. Create a new VM: Name it, click the ProxyVM radio button then choose a color and template.
|
1. Create a new VM, name it, click the ProxyVM radio button, and then choose a color and template.
|
||||||
|
|
||||||
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
|
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
|
||||||
|
|
||||||
@ -70,14 +70,14 @@ This method is more involved than the one above, but has anti-leak features that
|
|||||||
|
|
||||||
If your choice of template VM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package: for example `sudo systemctl disable openvpn.service`.
|
If your choice of template VM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package: for example `sudo systemctl disable openvpn.service`.
|
||||||
|
|
||||||
You may also wish to install `nano` or other simple text editor for entering the scripts below.
|
You may also wish to install `nano` or another simple text editor for entering the scripts below.
|
||||||
|
|
||||||
2. Set up and initial test of the VPN client.
|
2. Set up and test the VPN client.
|
||||||
|
|
||||||
Make sure the VPN VM and its template VM are not running.
|
Make sure the VPN VM and its template VM are not running.
|
||||||
|
|
||||||
Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with `sudo mkdir /rw/config/vpn` and copy your VPN config files here (the example config filename used here is `openvpn-client.ovpn`). Files accompanying the main config such as *.crt and *.pem should also go here, and should not be referenced in the main config by absolute paths such as '/etc/...'.
|
Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with `sudo mkdir /rw/config/vpn` and copy your VPN config files here (the example config filename used here is `openvpn-client.ovpn`). Files accompanying the main config such as *.crt and *.pem should also go here, and should not be referenced in the main config by absolute paths such as '/etc/...'.
|
||||||
|
|
||||||
Notes about VPN config options: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. Lastly, the VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the 'vpn' folder with your credentials and using a directive such as openvpn's `auth-user-pass <filename>` is recommended.
|
Notes about VPN config options: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. Lastly, the VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the 'vpn' folder with your credentials and using a directive such as openvpn's `auth-user-pass <filename>` is recommended.
|
||||||
|
|
||||||
__Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
|
__Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
|
||||||
|
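Review bot: The step 2 heading rewrite ("Set up and test the VPN client.") drops the word "initial", which is fine because the section only describes a first connectivity check before the fail-closed scripts are added. Since this patch is already a copyedit of this region, the same capital-after-semicolon pattern flagged earlier also appears in the unchanged context lines here: "after a connection is created; For openvpn" and "when connecting to the server: Creating a file". Suggest lower-casing "for" and "creating" in the same change. On the credentials advice in that paragraph, the text tells the reader to store VPN credentials in a file under /rw/config/vpn for `auth-user-pass <filename>` but says nothing about file permissions; a short addition recommending that the file be readable only by root (for example `sudo chmod 600` on it, given the client is run as root) would make the guidance consistent with the page's own goal of isolating VPN credentials.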