mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-01-13 16:29:59 -05:00
Clarify procedure in CLI step 2, more.
Change 'Edit and add' to better phrase. Change nano to gedit. Update 'Usage' to reflect R4.0 proxy capabilities.
This commit is contained in:
parent
ef22ff2f65
commit
63795e7374
58
external/configuration-guides/vpn.md
vendored
58
external/configuration-guides/vpn.md
vendored
@ -95,9 +95,11 @@ Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
|
||||
----------------------------------------------------------------
|
||||
|
||||
This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted.
|
||||
It has been tested with Fedora 23 and Debian 8 templates.
|
||||
It has been tested with Fedora 30 and Debian 10 templates.
|
||||
|
||||
1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
|
||||
Before proceeding, you will need to download a copy of your VPN provider's configuration file(s) and have your VPN login information handy.
|
||||
|
||||
1. Create a new VM, name it, choose "provides network", and choose a color and template.
|
||||
|
||||
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
|
||||
|
||||
@ -105,14 +107,15 @@ It has been tested with Fedora 23 and Debian 8 templates.
|
||||
If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM...
|
||||
Create a new one according to this step.
|
||||
|
||||
If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding.
|
||||
If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. The 'openvpn' package comes installed in the Fedora template, and in Debian it can be installed with the following command:
|
||||
|
||||
sudo apt-get install openvpn
|
||||
|
||||
Disable any auto-starting service that comes with the software package.
|
||||
For example for OpenVPN.
|
||||
|
||||
sudo systemctl disable openvpn.service
|
||||
|
||||
You may also wish to install `nano` or another simple text editor for entering the scripts below.
|
||||
|
||||
2. Set up and test the VPN client.
|
||||
Make sure the VPN VM and its TemplateVM is not running.
|
||||
Run a terminal (CLI) in the VPN VM -- this will start the VM.
|
||||
@ -120,33 +123,31 @@ It has been tested with Fedora 23 and Debian 8 templates.
|
||||
|
||||
sudo mkdir /rw/config/vpn
|
||||
|
||||
Copy your VPN config files to `/rw/config/vpn`.
|
||||
Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification.
|
||||
Otherwise you would have to replace the file name.
|
||||
`openvpn-client.ovpn` contents:
|
||||
Copy your VPN configuration files to `/rw/config/vpn`.
|
||||
Your VPN config file should be named `openvpn-client.ovpn` so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. Files accompanying the main config such as `*.crt` and `*.pem` should also be placed in the `/rw/config/vpn` folder.
|
||||
|
||||
* Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
|
||||
* Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`.
|
||||
Check or modify configuration file contents using a text editor:
|
||||
|
||||
The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
|
||||
Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
|
||||
sudo gedit /rw/config/vpn/openvpn-client.ovpn
|
||||
|
||||
sudo nano /rw/config/vpn/openvpn-client.ovpn
|
||||
Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`.
|
||||
|
||||
The config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
|
||||
|
||||
Make sure it already includes or add:
|
||||
|
||||
redirect-gateway def1
|
||||
|
||||
The VPN client may not be able to prompt you for credentials when connecting to the server.
|
||||
Create a file in the `/rw/config/vpn` folder with your credentials and using a directive.
|
||||
For example for OpenVPN, add:
|
||||
The VPN client may not be able to prompt you for credentials when connecting to the server, so we'll add a reference to a file containing the VPN username and password.
|
||||
For example for OpenVPN, add or modify `auth-user-pass` like so:
|
||||
|
||||
auth-user-pass pass.txt
|
||||
|
||||
Save file `/rw/config/vpn/openvpn-client.ovpn`.
|
||||
Make sure a `/rw/config/vpn/pass.txt` file actually exists.
|
||||
Save the `/rw/config/vpn/openvpn-client.ovpn` file.
|
||||
|
||||
sudo nano /rw/config/vpn/pass.txt
|
||||
Now make sure a `/rw/config/vpn/pass.txt` file actually exists.
|
||||
|
||||
sudo gedit /rw/config/vpn/pass.txt
|
||||
|
||||
Add:
|
||||
|
||||
@ -172,9 +173,9 @@ It has been tested with Fedora 23 and Debian 8 templates.
|
||||
|
||||
3. Create the DNS-handling script.
|
||||
|
||||
sudo nano /rw/config/vpn/qubes-vpn-handler.sh
|
||||
sudo gedit /rw/config/vpn/qubes-vpn-handler.sh
|
||||
|
||||
Edit and add:
|
||||
Add the following:
|
||||
|
||||
~~~
|
||||
#!/bin/bash
|
||||
@ -221,7 +222,7 @@ It has been tested with Fedora 23 and Debian 8 templates.
|
||||
|
||||
4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
|
||||
|
||||
sudo nano /rw/config/vpn/openvpn-client.ovpn
|
||||
sudo gedit /rw/config/vpn/openvpn-client.ovpn
|
||||
|
||||
Add the following.
|
||||
|
||||
@ -236,7 +237,7 @@ It has been tested with Fedora 23 and Debian 8 templates.
|
||||
5. Set up iptables anti-leak rules.
|
||||
Edit the firewall script.
|
||||
|
||||
sudo nano /rw/config/qubes-firewall-user-script
|
||||
sudo gedit /rw/config/qubes-firewall-user-script
|
||||
|
||||
Clear out the existing lines and add:
|
||||
|
||||
@ -273,7 +274,7 @@ It has been tested with Fedora 23 and Debian 8 templates.
|
||||
|
||||
5. Set up the VPN's autostart.
|
||||
|
||||
sudo nano /rw/config/rc.local
|
||||
sudo gedit /rw/config/rc.local
|
||||
|
||||
Clear out the existing lines and add:
|
||||
|
||||
@ -304,16 +305,11 @@ Configure your AppVMs to use the VPN VM as a NetVM...
|
||||
|
||||
![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
|
||||
|
||||
If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
|
||||
Then, configure AppVMs to use your new FirewallVM as their NetVM.
|
||||
|
||||
If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM.
|
||||
If you want to update your TemplateVMs through the VPN, it will be necessary to create a separate "sys-update" or "sys-firewall-vpn" VM with the "provides network" option set and with its netvm set to use the VPN VM. Next, use `qubes-global-settings` to change the update VM to the one you created. Then enable the `qubes-updates-proxy` service in your new update VM.
|
||||
You can do this in the Services tab in Qubes VM Manager or on the command-line:
|
||||
|
||||
qvm-service -e <name> qubes-updates-proxy
|
||||
|
||||
Then, configure your templates to use your new FirewallVM as their NetVM.
|
||||
|
||||
|
||||
Troubleshooting
|
||||
---------------
|
||||
|
Loading…
Reference in New Issue
Block a user