From 13d7375ff204ca5d05ee7b86f87bba458434b6b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2018 21:11:34 +0000 Subject: [PATCH 1/6] formatting and rewording enhancements --- configuration/vpn.md | 402 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 381 insertions(+), 21 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 41bd81d9..acff4421 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -68,29 +68,168 @@ This method is more involved than the one above, but has anti-leak features that Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step. - If your choice of template VM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package: for example `sudo systemctl disable openvpn.service`. + If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package. For example for OpenVPN. - You may also wish to install `nano` or another simple text editor for entering the scripts below. + sudo systemctl disable openvpn.service + +You may also wish to install `nano` or another simple text editor for entering the scripts below. 2. Set up and test the VPN client. Make sure the VPN VM and its template VM are not running. - Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with `sudo mkdir /rw/config/vpn` and copy your VPN config files here (the example config filename used here is `openvpn-client.ovpn`). Files accompanying the main config such as *.crt and *.pem should also go here, and should not be referenced in the main config by absolute paths such as '/etc/...'. + Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with. + + sudo mkdir /rw/config/vpn + +Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn` so you can use the instructions and scripts below as is without modification. Otherwise you would have to replace the file name. - Notes about VPN config options: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. Lastly, the VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the 'vpn' folder with your credentials and using a directive such as openvpn's `auth-user-pass ` is recommended. +Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`. + +Files referenced in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`. + +--- +layout: doc +title: VPN +permalink: /doc/vpn/ +redirect_from: +- /doc/privacy/vpn/ +- /en/doc/vpn/ +- /doc/VPN/ +- /wiki/VPN/ +--- + +How To make a VPN Gateway in Qubes +================================== + +Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts. + +Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html) + +### NetVM + +The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages: + +- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world +- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default) + +### AppVM + +While the NetworkManager service is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well. However this is only suggested if your VPN client has special requirements. + +### ProxyVM + +One of the best unique features of Qubes OS is its special type of VM called a ProxyVM. The special thing is that your AppVMs see this as a NetVM (or uplink), and your NetVMs see it as a downstream AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default sys-firewall VM functions. + +Using a ProxyVM to set up a VPN client gives you the ability to: + +- Separate your VPN credentials from your NetVM. +- Separate your VPN credentials from your AppVM data. +- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM. + +Set up a ProxyVM as a VPN gateway using NetworkManager +------------------------------------------------------ + +1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template. + + ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png) + +2. Add the `network-manager` service to this new VM. + + ![Settings-services.png](/attachment/wiki/VPN/Settings-services.png) + +3. Set up your VPN as described in the NetworkManager documentation linked above. + +4. Configure your AppVMs to use the new VM as a NetVM. + + ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png) + +5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN + + +Set up a ProxyVM as a VPN gateway using iptables and CLI scripts +---------------------------------------------------------------- + +This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates. + +1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template. + + ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png) - __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example: - ``` - sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn - ``` + Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step. - Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping` and `traceroute`. DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider. +If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. For example in any Debian based VM to install OpenVPN. + + sudo apt-get install openvpn + +Disable any auto-starting service that comes with the software package. For example for OpenVPN. - Proceed to the next step when you're sure the basic VPN connection is working. + sudo systemctl disable openvpn.service + +You may also wish to install `nano` or another simple text editor for entering the scripts below. + +2. Set up and test the VPN client. + +Make sure the VPN VM and its TemplateVM is not running. + +Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new `/rw/config/vpn` folder with. + + sudo mkdir /rw/config/vpn + +Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. + +Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`. + +Files reference in `openvpn-client.ovpn` should not be referenced in the main config by absolute paths such as `/etc/...`. + +`openvpn-client.ovpn` contents: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. + +Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN. + + sudo nano /rw/config/vpn/openvpn-client.ovpn + + Make sure it already includes or add. + + redirect-gateway def1 + +The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add. + + auth-user-pass pass.txt + + Save file `/rw/config/vpn/openvpn-client.ovpn`. + + Make sure a `/rw/config/vpn/pass.txt` file actually exists. + + sudo nano /rw/config/vpn/pass.txt + + Add. + + ``` + username + password + ``` + + Replace `username` and `password` with your actual username and password. + + __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example: + + sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn + +Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`. + + ping 8.8.8.8 + +`ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time. + +DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider. + +Proceed to the next step when you're sure the basic VPN connection is working. 3. Create the DNS-handling script. - Use `sudo nano /rw/config/vpn/qubes-vpn-handler.sh` to edit and add: + + sudo nano /rw/config/vpn/qubes-vpn-handler.sh + + Edit and add: ~~~ #!/bin/bash @@ -130,22 +269,37 @@ This method is more involved than the one above, but has anti-leak features that esac ~~~ - Now save the script and make it executable: - `sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh` +Save the script. + +Make it executable. + + sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh -4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config with `sudo nano /rw/config/vpn/openvpn-client.ovpn` and add these lines: +4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config. + + sudo nano /rw/config/vpn/openvpn-client.ovpn + + Add the following. ~~~ script-security 2 up 'qubes-vpn-handler.sh up' down 'qubes-vpn-handler.sh down' ~~~ + +Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others. - **Restart the client and test the connection again** ...this time from an AppVM! +Save the script. + +**Restart the client and test the connection again** ...this time from an AppVM! 5. Set up iptables anti-leak rules. - Edit the firewall script with `sudo nano /rw/config/qubes-firewall-user-script` then clear out the existing lines and add: + Edit the firewall script. + + sudo nano /rw/config/qubes-firewall-user-script + +Clear out the existing lines and add. ~~~ #!/bin/bash @@ -171,12 +325,17 @@ This method is more involved than the one above, but has anti-leak features that iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT ~~~ - Now save the script and make it executable: - `sudo chmod +x /rw/config/qubes-firewall-user-script` +Save the script. + +Make it executable. + + sudo chmod +x /rw/config/qubes-firewall-user-script 5. Set up the VPN's autostart. - Use `sudo nano /rw/config/rc.local` to clear out the existing lines and add: + sudo nano /rw/config/rc.local + +Clear out the existing lines and add. ~~~ #!/bin/bash @@ -188,9 +347,11 @@ This method is more involved than the one above, but has anti-leak features that sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS" ~~~ - Change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software. +If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software. - Now save the script and make it executable: +Save the script. + +Make it executable: `sudo chmod +x /rw/config/rc.local` 6. Restart the new VM! The link should then be established automatically with a popup notification to that effect. @@ -214,6 +375,205 @@ You can do this in the Services tab in Qubes VM Manager or on the command-line: Then, configure your templates to use your new FirewallVM as their NetVM. +Troubleshooting +--------------- + +* Always test your basic VPN connection before adding scripts. +* Test DNS: Ping a familiar domain name from an appVM. It should print the IP address for the domain. +* For scripting: Ping external IP addresses from inside the VPN VM using `sudo sg qvpn -c 'ping ...'`, then from an appVM using just `ping ...`. Once the firewall rules are in place, you will have to use `sudo sg` to run any IP network commands in the VPN VM. +* Use `iptables -L -v` and `iptables -L -v -t nat` to check firewall rules. The latter shows the critical PR-QBS chain that enables DNS forwarding. + The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. + +Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN. + + sudo nano /rw/config/vpn/openvpn-client.ovpn + + Make sure it already includes or add. + + redirect-gateway def1 + +The VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add + + auth-user-pass pass.txt + + Make sure a `/rw/config/vpn/pass.txt` file actually exists. + + sudo nano /rw/config/vpn/pass.txt + + Add. + + ``` + username + password + ``` + + Replace the username and password with your actual username and password. + + __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example: + + sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn + +Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`. + + ping 8.8.8.8 + +ping can be aborted by pressing the two keys `ctrl` + `c` at the same time. + +DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider. + +Proceed to the next step when you're sure the basic VPN connection is working. + +3. Create the DNS-handling script. + + sudo nano /rw/config/vpn/qubes-vpn-handler.sh + + Edit and add: + + ~~~ + #!/bin/bash + set -e + export PATH="$PATH:/usr/sbin:/sbin" + + case "$1" in + + up) + # To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script; + # Format is 'X.X.X.X Y.Y.Y.Y [...]' + if [[ -z "$vpn_dns" ]] ; then + # Parses DHCP foreign_option_* vars to automatically set DNS address translation: + for optionname in ${!foreign_option_*} ; do + option="${!optionname}" + unset fops; fops=($option) + if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi + done + fi + + iptables -t nat -F PR-QBS + if [[ -n "$vpn_dns" ]] ; then + # Set DNS address translation in firewall: + for addr in $vpn_dns; do + iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr + iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr + done + su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user + else + su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user + fi + + ;; + down) + su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user + ;; + esac + ~~~ + +Save the script. + +Make it executable. + + sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh + +4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config. + + sudo nano /rw/config/vpn/openvpn-client.ovpn + + Add the following. + + ~~~ + script-security 2 + up 'qubes-vpn-handler.sh up' + down 'qubes-vpn-handler.sh down' + ~~~ + +Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others. + +Save the script. + +**Restart the client and test the connection again** ...this time from an AppVM! + +5. Set up iptables anti-leak rules. + +Open Qubes firewall script. + + sudo nano /rw/config/qubes-firewall-user-script + +Clear out the existing lines and add. + + ~~~ + #!/bin/bash + # Block forwarding of connections through upstream network device + # (in case the vpn tunnel breaks): + iptables -I FORWARD -o eth0 -j DROP + iptables -I FORWARD -i eth0 -j DROP + + # Block all outgoing traffic + iptables -P OUTPUT DROP + iptables -F OUTPUT + iptables -I OUTPUT -o lo -j ACCEPT + + # Add the `qvpn` group to system, if it doesn't already exist + if ! grep -q "^qvpn:" /etc/group ; then + groupadd -rf qvpn + sync + fi + sleep 2s + + # Allow traffic from the `qvpn` group to the uplink interface (eth0); + # Our VPN client will run with group `qvpn`. + iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT + ~~~ + +Save the script. + +Make it executable. + + sudo chmod +x /rw/config/qubes-firewall-user-script + +5. Set up the VPN's autostart. + + sudo nano /rw/config/rc.local + +Clear out the existing lines and add. + + ~~~ + #!/bin/bash + VPN_CLIENT='openvpn' + VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon' + + su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user + groupadd -rf qvpn ; sleep 2s + sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS" + ~~~ + +If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software. + +Save the script. + +Make it executable. + + sudo chmod +x /rw/config/rc.local + +6. Restart the new VM! The link should then be established automatically with a popup notification to that effect. + +Usage +----- + +Configure your AppVMs to use the VPN VM as a NetVM... + +![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png) + + +If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM. +Then, configure AppVMs to use your new FirewallVM as their NetVM. + +If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM. +You can do this in the Services tab in Qubes VM Manager or on the command-line: + + $ qvm-service -e qubes-updates-proxy + +Then, configure your templates to use your new FirewallVM as their NetVM. + + Troubleshooting --------------- From 8e9982cf0828e9db01fac55a531da9ad5992d01f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2018 22:46:24 +0000 Subject: [PATCH 2/6] fix --- configuration/vpn.md | 299 +------------------------------------------ 1 file changed, 3 insertions(+), 296 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index acff4421..3a1a4574 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -74,100 +74,6 @@ This method is more involved than the one above, but has anti-leak features that You may also wish to install `nano` or another simple text editor for entering the scripts below. -2. Set up and test the VPN client. - - Make sure the VPN VM and its template VM are not running. - - Run a terminal (CLI) in the VPN VM -- this will start the VM. Then make a new 'vpn' folder with. - - sudo mkdir /rw/config/vpn - -Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn` so you can use the instructions and scripts below as is without modification. Otherwise you would have to replace the file name. - -Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`. - -Files referenced in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`. - ---- -layout: doc -title: VPN -permalink: /doc/vpn/ -redirect_from: -- /doc/privacy/vpn/ -- /en/doc/vpn/ -- /doc/VPN/ -- /wiki/VPN/ ---- - -How To make a VPN Gateway in Qubes -================================== - -Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts. - -Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html) - -### NetVM - -The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages: - -- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world -- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default) - -### AppVM - -While the NetworkManager service is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well. However this is only suggested if your VPN client has special requirements. - -### ProxyVM - -One of the best unique features of Qubes OS is its special type of VM called a ProxyVM. The special thing is that your AppVMs see this as a NetVM (or uplink), and your NetVMs see it as a downstream AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default sys-firewall VM functions. - -Using a ProxyVM to set up a VPN client gives you the ability to: - -- Separate your VPN credentials from your NetVM. -- Separate your VPN credentials from your AppVM data. -- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM. - -Set up a ProxyVM as a VPN gateway using NetworkManager ------------------------------------------------------- - -1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template. - - ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png) - -2. Add the `network-manager` service to this new VM. - - ![Settings-services.png](/attachment/wiki/VPN/Settings-services.png) - -3. Set up your VPN as described in the NetworkManager documentation linked above. - -4. Configure your AppVMs to use the new VM as a NetVM. - - ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png) - -5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN - - -Set up a ProxyVM as a VPN gateway using iptables and CLI scripts ----------------------------------------------------------------- - -This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates. - -1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template. - - ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png) - - Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step. - -If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. For example in any Debian based VM to install OpenVPN. - - sudo apt-get install openvpn - -Disable any auto-starting service that comes with the software package. For example for OpenVPN. - - sudo systemctl disable openvpn.service - -You may also wish to install `nano` or another simple text editor for entering the scripts below. - 2. Set up and test the VPN client. Make sure the VPN VM and its TemplateVM is not running. @@ -178,9 +84,9 @@ Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. -Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn`. +Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder. -Files reference in `openvpn-client.ovpn` should not be referenced in the main config by absolute paths such as `/etc/...`. +Files reference in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`. `openvpn-client.ovpn` contents: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. @@ -188,7 +94,7 @@ Also, the config should route all traffic through your VPN's interface after a c sudo nano /rw/config/vpn/openvpn-client.ovpn - Make sure it already includes or add. +Make sure it already includes or add. redirect-gateway def1 @@ -375,205 +281,6 @@ You can do this in the Services tab in Qubes VM Manager or on the command-line: Then, configure your templates to use your new FirewallVM as their NetVM. -Troubleshooting ---------------- - -* Always test your basic VPN connection before adding scripts. -* Test DNS: Ping a familiar domain name from an appVM. It should print the IP address for the domain. -* For scripting: Ping external IP addresses from inside the VPN VM using `sudo sg qvpn -c 'ping ...'`, then from an appVM using just `ping ...`. Once the firewall rules are in place, you will have to use `sudo sg` to run any IP network commands in the VPN VM. -* Use `iptables -L -v` and `iptables -L -v -t nat` to check firewall rules. The latter shows the critical PR-QBS chain that enables DNS forwarding. - The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. - -Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN. - - sudo nano /rw/config/vpn/openvpn-client.ovpn - - Make sure it already includes or add. - - redirect-gateway def1 - -The VPN client may not be able to prompt you for credentials when connecting to the server: Creating a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add - - auth-user-pass pass.txt - - Make sure a `/rw/config/vpn/pass.txt` file actually exists. - - sudo nano /rw/config/vpn/pass.txt - - Add. - - ``` - username - password - ``` - - Replace the username and password with your actual username and password. - - __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example: - - sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn - -Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`. - - ping 8.8.8.8 - -ping can be aborted by pressing the two keys `ctrl` + `c` at the same time. - -DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider. - -Proceed to the next step when you're sure the basic VPN connection is working. - -3. Create the DNS-handling script. - - sudo nano /rw/config/vpn/qubes-vpn-handler.sh - - Edit and add: - - ~~~ - #!/bin/bash - set -e - export PATH="$PATH:/usr/sbin:/sbin" - - case "$1" in - - up) - # To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script; - # Format is 'X.X.X.X Y.Y.Y.Y [...]' - if [[ -z "$vpn_dns" ]] ; then - # Parses DHCP foreign_option_* vars to automatically set DNS address translation: - for optionname in ${!foreign_option_*} ; do - option="${!optionname}" - unset fops; fops=($option) - if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi - done - fi - - iptables -t nat -F PR-QBS - if [[ -n "$vpn_dns" ]] ; then - # Set DNS address translation in firewall: - for addr in $vpn_dns; do - iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr - iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr - done - su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user - else - su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user - fi - - ;; - down) - su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user - ;; - esac - ~~~ - -Save the script. - -Make it executable. - - sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh - -4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config. - - sudo nano /rw/config/vpn/openvpn-client.ovpn - - Add the following. - - ~~~ - script-security 2 - up 'qubes-vpn-handler.sh up' - down 'qubes-vpn-handler.sh down' - ~~~ - -Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others. - -Save the script. - -**Restart the client and test the connection again** ...this time from an AppVM! - -5. Set up iptables anti-leak rules. - -Open Qubes firewall script. - - sudo nano /rw/config/qubes-firewall-user-script - -Clear out the existing lines and add. - - ~~~ - #!/bin/bash - # Block forwarding of connections through upstream network device - # (in case the vpn tunnel breaks): - iptables -I FORWARD -o eth0 -j DROP - iptables -I FORWARD -i eth0 -j DROP - - # Block all outgoing traffic - iptables -P OUTPUT DROP - iptables -F OUTPUT - iptables -I OUTPUT -o lo -j ACCEPT - - # Add the `qvpn` group to system, if it doesn't already exist - if ! grep -q "^qvpn:" /etc/group ; then - groupadd -rf qvpn - sync - fi - sleep 2s - - # Allow traffic from the `qvpn` group to the uplink interface (eth0); - # Our VPN client will run with group `qvpn`. - iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT - ~~~ - -Save the script. - -Make it executable. - - sudo chmod +x /rw/config/qubes-firewall-user-script - -5. Set up the VPN's autostart. - - sudo nano /rw/config/rc.local - -Clear out the existing lines and add. - - ~~~ - #!/bin/bash - VPN_CLIENT='openvpn' - VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon' - - su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user - groupadd -rf qvpn ; sleep 2s - sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS" - ~~~ - -If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software. - -Save the script. - -Make it executable. - - sudo chmod +x /rw/config/rc.local - -6. Restart the new VM! The link should then be established automatically with a popup notification to that effect. - -Usage ------ - -Configure your AppVMs to use the VPN VM as a NetVM... - -![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png) - - -If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM. -Then, configure AppVMs to use your new FirewallVM as their NetVM. - -If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM. -You can do this in the Services tab in Qubes VM Manager or on the command-line: - - $ qvm-service -e qubes-updates-proxy - -Then, configure your templates to use your new FirewallVM as their NetVM. - - Troubleshooting --------------- From 56774d73eb8634d29b6d5f112ba2aeb20769bf5f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2018 22:50:43 +0000 Subject: [PATCH 3/6] fix --- configuration/vpn.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 3a1a4574..ccb12c91 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -257,8 +257,9 @@ If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_O Save the script. -Make it executable: - `sudo chmod +x /rw/config/rc.local` +Make it executable. + + sudo chmod +x /rw/config/rc.local` 6. Restart the new VM! The link should then be established automatically with a popup notification to that effect. From 5fd8389c7399e21a09e17bfe0bf2c8a64688fcc1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2018 22:52:47 +0000 Subject: [PATCH 4/6] fix --- configuration/vpn.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index ccb12c91..2d326aa0 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -82,13 +82,13 @@ Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new sudo mkdir /rw/config/vpn -Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. +Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. `openvpn-client.ovpn` contents: Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder. -Files reference in `openvpn-client.ovpn` should not be referenced by absolute paths such as `/etc/...`. +Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`. -`openvpn-client.ovpn` contents: The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. +The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN. From 75a7a003c596ac07aa710c2b75c1bf48f5d3855e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 28 Jan 2018 19:23:24 +0100 Subject: [PATCH 5/6] fix duplicate "For OpenVPN." --- configuration/vpn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index 2d326aa0..f0029828 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -90,7 +90,7 @@ Files referenced in `openvpn-client.ovpn` should not use absolute paths such as The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested. -Also, the config should route all traffic through your VPN's interface after a connection is created; For openvpn the directive for this is `redirect-gateway def1`. For OpenVPN. +Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`. sudo nano /rw/config/vpn/openvpn-client.ovpn From 15bf72edad40c7de87113c1f404ccde6f86e821c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 28 Jan 2018 19:26:35 +0100 Subject: [PATCH 6/6] fixes --- configuration/vpn.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/configuration/vpn.md b/configuration/vpn.md index f0029828..3518b9ef 100644 --- a/configuration/vpn.md +++ b/configuration/vpn.md @@ -94,11 +94,11 @@ Also, the config should route all traffic through your VPN's interface after a c sudo nano /rw/config/vpn/openvpn-client.ovpn -Make sure it already includes or add. +Make sure it already includes or add: redirect-gateway def1 -The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add. +The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add: auth-user-pass pass.txt @@ -108,12 +108,10 @@ The VPN client may not be able to prompt you for credentials when connecting to sudo nano /rw/config/vpn/pass.txt - Add. + Add: - ``` - username - password - ``` + username + password Replace `username` and `password` with your actual username and password. @@ -205,7 +203,7 @@ Save the script. sudo nano /rw/config/qubes-firewall-user-script -Clear out the existing lines and add. +Clear out the existing lines and add: ~~~ #!/bin/bash @@ -241,7 +239,7 @@ Make it executable. sudo nano /rw/config/rc.local -Clear out the existing lines and add. +Clear out the existing lines and add: ~~~ #!/bin/bash