From bccd9558b36e286657449687912998743eb908e9 Mon Sep 17 00:00:00 2001 From: john-david-r-smith Date: Wed, 25 May 2016 22:55:27 +0200 Subject: [PATCH 1/4] how to setup an openvpn connection using iptables --- configuration/vpn.md | 106 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 105 insertions(+), 1 deletion(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 3594a912..74e9bb9f 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -29,6 +29,7 @@ While the NetworkManager service is not started here (for a good reason), you ca ### ProxyVM + **WARNING:** *You need to use Qubes 3.1-rc2 (or later)! In the previous releases the NetworkManager service was not working in ProxyVMs as expected.* ([#1052](https://github.com/QubesOS/qubes-issues/issues/1052)) One of the best thing in Qubes is that you can use a special type of VM called a ProxyVM (or FirewallVM). The special thing is that your AppVMs see this as a NetVM, and your NetVMs see it as an AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default FirewallVM functions. @@ -39,7 +40,9 @@ Using a ProxyVM to set up a VPN client gives you the ability to: - Separate your VPN credentials from Your AppVM data. - Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM. -**To setup a ProxyVM as a VPN gateway you should:** +#### Setup a ProxyVM as a VPN gateway + +**Using NetworkManager** 1. Create a new VM and check the ProxyVM radio button. 
@@ -56,3 +59,104 @@ Using a ProxyVM to set up a VPN client gives you the ability to: ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png) 5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN + +**Using iptables and openvpn** + +You need an openvpn server and a DNS server accessible through the vpn (use one from your vpn provider / a public one). + +1. Create a new VM and check the ProxyVM radio button. + + ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png) + +2. Setup openvpn: + Copy your openvpn config file to `/home/user/vpn.cfg`. + + It should have one line starting with `dev` and one starting with `proto`. + The first describes the connection type (`tun` or `tap`) and the second the used protocol (`tcp` or `udp`). + Depending on your connection type, openvpn will create a new network device (probably `tap0` or `tun0`). + + It also contains a line `remote X.X.X.X 1194`, where `X.X.X.X` is the ip of your openvpn server. + + If it does not contain a line `redirect-gateway def1`, add it. + This will route all traffic through your vpn's network device, after a connection was created. + If the connection breaks down all traffic will be routed through the original network device (we will top this with iptables). + + If your vpn config file contains `auth-user-pass`, change it to `auth-user-pass /home/user/auth.txt` and create a file `/home/user/auth.txt` containing the user name in the first line and the password in the second. + This will enable the vpn to login without requiring you to enter your username and password. + If a different authentication method is used, set it up to require no user input. + The vpn should now start by calling `sudo openvpn --config /home/user/vpn.cfg` and require no additional user input. + + In the following, we use the following placeholder: + `$DEV` For the device created for the connection. 
+ `$PROT` For the protocol used for connection + `$SVR` For the openvpn server's ip. + `$DNS` For the dns server's ip. + + +3. Setup iptables: + Edit `/rw/config/qubes-firewall-user-script` and add: + + `iptables -P OUTPUT DROP` + This blocks all outgoing traffic, if not specified otherwise. + + `iptables -I OUTPUT -o $DEV -j ACCEPT` + This allows the local system to connect through the vpn (you dont need this). + + `iptables -I OUTPUT -o eth0 -d $SVR -p $PROT --dport 1194 -j ACCEPT` + This allows your system to connect to the vpn server with the protocol `$PROT` under the port 1194. + + `iptables -I OUTPUT -o lo -j ACCEPT` + This allows connections from the system to the system. + + `iptables -I FORWARD -o eth0 -j DROP` + `iptables -I FORWARD -i eth0 -j DROP` + This blocks forwarding of connections through your plain network device (in case the vpn tunnel breaks). + + `iptables -I FORWARD -o $DEV -j ACCEPT` + This allows forwarding of connections through the vpn. (So other AppVMs can use it) + + + `iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to-destination $DNS` + `iptables -t nat -I PR-QBS -p tcp --dport 53 -j DNAT --to-destination $DNS` + This will rewrite the DNS destination, and the traffic will be routed down the vpn tunnel. (to prevent DNS leaks) + + Now save `/rw/config/qubes-firewall-user-script` and make it executable: + `sudo chmod +x /rw/config/qubes-firewall-user-script` + +4. Setup the vpn's autostart: + Add `openvpn --config /home/user/vpn.cfg &` to `/rw/config/rc.local` and make it executable (`sudo chmod +x /rw/config/rc.local`). + + If your ProxyVM takes long to shut down, this may be caused by the vpn connection. + You can fix this by killing the connection on shutdown (issue `killall openvpn` on shutdown). 
+ This can be done by adding + + echo "[Unit] + Description=shutdown + Before=shutdown.target reboot.target + + [Service] + RemainAfterExit=yes + ExecStart=/bin/true + ExecStop=/rw/config/rc.local.shutdown + + [Install] + WantedBy=shutdown.target multi-user.target reboot.target + " > /usr/lib/systemd/system/user_shutdown_hook.service; + + systemctl start user_shutdown_hook; + + to `/rw/config/rc.local`. + This creates and starts a service executing the script `/rw/config/rc.local.shutdown` on shutdown. + The service will be deleted after each shutdown, since the `root.img` gets reset at each reboot. + + Now create `/rw/config/rc.local.shutdown`, make it executable `chmod +x /rw/config/rc.local.shutdown` and put the kill command in it: + + #!/bin/bash + killall openvpn + + +5. Configure your AppVMs to use the new VM as a NetVM. + + ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png) + +6. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN From bed89b7eab0c19a7be9542198c5b645b8379e0c9 Mon Sep 17 00:00:00 2001 From: john-david-r-smith Date: Wed, 25 May 2016 23:26:55 +0200 Subject: [PATCH 2/4] fixed typo --- configuration/vpn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 74e9bb9f..5711f936 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md 
@@ -79,7 +79,7 @@ You need an openvpn server and a DNS server accessible through the vpn (use one If it does not contain a line `redirect-gateway def1`, add it. This will route all traffic through your vpn's network device, after a connection was created. - If the connection breaks down all traffic will be routed through the original network device (we will top this with iptables). + If the connection breaks down all traffic will be routed through the original network device (we will stop this with iptables). If your vpn config file contains `auth-user-pass`, change it to `auth-user-pass /home/user/auth.txt` and create a file `/home/user/auth.txt` containing the user name in the first line and the password in the second. This will enable the vpn to login without requiring you to enter your username and password. From a9ae590f6f83989dcae9ee6418761a4da74ceba1 Mon Sep 17 00:00:00 2001 From: john-david-r-smith Date: Thu, 26 May 2016 08:42:25 +0200 Subject: [PATCH 3/4] removed unnecessary + dangerous iptables rule --- configuration/vpn.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 5711f936..9926df9a 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -111,10 +111,6 @@ You need an openvpn server and a DNS server accessible through the vpn (use one `iptables -I FORWARD -o eth0 -j DROP` `iptables -I FORWARD -i eth0 -j DROP` This blocks forwarding of connections through your plain network device (in case the vpn tunnel breaks). - - `iptables -I FORWARD -o $DEV -j ACCEPT` - This allows forwarding of connections through the vpn. (So other AppVMs can use it) - `iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to-destination $DNS` `iptables -t nat -I PR-QBS -p tcp --dport 53 -j DNAT --to-destination $DNS` From c6da0b066421b3ea6ce7fa37683c3e21aa74319d Mon Sep 17 00:00:00 2001 
From: john-david-r-smith Date: Thu, 26 May 2016 09:02:52 +0200 Subject: [PATCH 4/4] now using systemd to start openvpn --- configuration/vpn.md | 32 +++----------------------------- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 9926df9a..94ae2060 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -120,36 +120,10 @@ You need an openvpn server and a DNS server accessible through the vpn (use one `sudo chmod +x /rw/config/qubes-firewall-user-script` 4. Setup the vpn's autostart: - Add `openvpn --config /home/user/vpn.cfg &` to `/rw/config/rc.local` and make it executable (`sudo chmod +x /rw/config/rc.local`). + Edit to `/rw/config/rc.local`, make it executable (`sudo chmod +x /rw/config/rc.local`) and add: - If your ProxyVM takes long to shut down, this may be caused by the vpn connection. - You can fix this by killing the connection on shutdown (issue `killall openvpn` on shutdown). - This can be done by adding - - echo "[Unit] - Description=shutdown - Before=shutdown.target reboot.target - - [Service] - RemainAfterExit=yes - ExecStart=/bin/true - ExecStop=/rw/config/rc.local.shutdown - - [Install] - WantedBy=shutdown.target multi-user.target reboot.target - " > /usr/lib/systemd/system/user_shutdown_hook.service; - - systemctl start user_shutdown_hook; - - to `/rw/config/rc.local`. - This creates and starts a service executing the script `/rw/config/rc.local.shutdown` on shutdown. - The service will be deleted after each shutdown, since the `root.img` gets reset at each reboot. - - Now create `/rw/config/rc.local.shutdown`, make it executable `chmod +x /rw/config/rc.local.shutdown` and put the kill command in it: - - #!/bin/bash - killall openvpn - + ln -s /home/user/vpn.cfg /etc/openvpn/vpn.conf; + systemctl --no-block start openvpn@vpn.service; 5. Configure your AppVMs to use the new VM as a NetVM.
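Review bot: in the `@@ -56,3 +59,104 @@` hunk of PATCH 1/4, step 3 has the reader paste lines such as `iptables -I OUTPUT -o eth0 -d $SVR -p $PROT --dport 1194 -j ACCEPT` into `/rw/config/qubes-firewall-user-script`, but `$DEV`, `$PROT`, `$SVR` and `$DNS` are introduced only as prose placeholders; copied verbatim they expand to empty strings inside the script, the `iptables` calls fail, and because `iptables -P OUTPUT DROP` is the first line, the gateway can end up with a DROP policy and none of the ACCEPT exceptions. Suggest either saying explicitly that the four values must be substituted, or having the script define them at the top (`DEV=tun0`, `PROT=udp`, and so on) so the rules work unchanged, and tying `--dport 1194` to the port on the `remote X.X.X.X 1194` line rather than hardcoding it. Two smaller points in the same hunk: `This allows the local system to connect through the vpn (you dont need this).` tells the reader to add a rule and then says it is unneeded, so either drop the rule or say when it is wanted ("dont" should also be "don't"); and the `auth-user-pass /home/user/auth.txt` step stores the VPN password in clear text, so it should tell the reader to restrict the file (`chmod 600 /home/user/auth.txt`).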
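Review bot: in the PATCH 3/4 hunk, removing `iptables -I FORWARD -o $DEV -j ACCEPT` is the right call, but the commit message ("dangerous") is the only place that hints why and the remaining document text says nothing about it. Suggest adding one sentence after `This blocks forwarding of connections through your plain network device (in case the vpn tunnel breaks).` explaining that a blanket ACCEPT inserted at the head of FORWARD takes precedence over every more specific rule later in the chain, and that forwarding through `$DEV` is therefore left to the FORWARD rules Qubes already maintains, so a reader who copied the earlier version of the page knows to remove that rule.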
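Review bot: in the PATCH 4/4 hunk, `ln -s /home/user/vpn.cfg /etc/openvpn/vpn.conf;` fails with "File exists" whenever the link already exists (a StandaloneVM whose `/etc` persists, or a second run of `rc.local`), and since the next line is only separated by `;`, `systemctl --no-block start openvpn@vpn.service;` then starts whatever configuration was there; `ln -sf` makes the step idempotent. The added line `Edit to `/rw/config/rc.local`, make it executable` should read "Edit `/rw/config/rc.local`, make it executable". Finally, the hunk drops the shutdown-hook text without saying why it is no longer needed; a sentence noting that systemd stops `openvpn@vpn.service` itself at shutdown would tell readers of the earlier version that the `killall openvpn` hook can go.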