Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-28 16:59:40 -05:00
Code Issues Packages Projects Releases Wiki Activity

remove trailing spaces

Browse Source
This commit is contained in:
Patrick Schleizer 2018-01-29 14:10:53 +01:00
parent 5a8463a4c2
commit 9db21775d3
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 29 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
configuration/vpn.md
View File

@ -65,23 +65,23 @@ This method is more involved than the one above, but has anti-leak features that
1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template. 1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png) ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step. Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package. For example for OpenVPN. If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package. For example for OpenVPN.
sudo systemctl disable openvpn.service sudo systemctl disable openvpn.service
You may also wish to install `nano` or another simple text editor for entering the scripts below. You may also wish to install `nano` or another simple text editor for entering the scripts below.
2. Set up and test the VPN client. 2. Set up and test the VPN client.
Make sure the VPN VM and its TemplateVM is not running. Make sure the VPN VM and its TemplateVM is not running.
Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new `/rw/config/vpn` folder with. Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new `/rw/config/vpn` folder with.
sudo mkdir /rw/config/vpn sudo mkdir /rw/config/vpn
Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. `openvpn-client.ovpn` contents: Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. `openvpn-client.ovpn` contents:
Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder. Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
@ -93,7 +93,7 @@ The VPN scripts here are intended to work with commonly used `tun` interfaces, w
Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`. Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
sudo nano /rw/config/vpn/openvpn-client.ovpn sudo nano /rw/config/vpn/openvpn-client.ovpn
Make sure it already includes or add: Make sure it already includes or add:
redirect-gateway def1 redirect-gateway def1
@ -101,38 +101,38 @@ Make sure it already includes or add:
The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add: The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add:
auth-user-pass pass.txt auth-user-pass pass.txt
Save file `/rw/config/vpn/openvpn-client.ovpn`. Save file `/rw/config/vpn/openvpn-client.ovpn`.
Make sure a `/rw/config/vpn/pass.txt` file actually exists. Make sure a `/rw/config/vpn/pass.txt` file actually exists.
sudo nano /rw/config/vpn/pass.txt sudo nano /rw/config/vpn/pass.txt
Add: Add:
username username
password password
Replace `username` and `password` with your actual username and password. Replace `username` and `password` with your actual username and password.
__Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example: __Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`. Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
ping 8.8.8.8 ping 8.8.8.8
`ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time. `ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time.
DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider. DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
Proceed to the next step when you're sure the basic VPN connection is working. Proceed to the next step when you're sure the basic VPN connection is working.
3. Create the DNS-handling script. 3. Create the DNS-handling script.
sudo nano /rw/config/vpn/qubes-vpn-handler.sh sudo nano /rw/config/vpn/qubes-vpn-handler.sh
Edit and add: Edit and add:
~~~ ~~~
@ -178,11 +178,11 @@ Save the script.
Make it executable. Make it executable.
sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh
4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config. 4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
sudo nano /rw/config/vpn/openvpn-client.ovpn sudo nano /rw/config/vpn/openvpn-client.ovpn
Add the following. Add the following.
~~~ ~~~
@ -190,7 +190,7 @@ Make it executable.
up 'qubes-vpn-handler.sh up' up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down' down 'qubes-vpn-handler.sh down'
~~~ ~~~
Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others. Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
Save the script. Save the script.
@ -200,9 +200,9 @@ Save the script.
5. Set up iptables anti-leak rules. 5. Set up iptables anti-leak rules.
Edit the firewall script. Edit the firewall script.
sudo nano /rw/config/qubes-firewall-user-script sudo nano /rw/config/qubes-firewall-user-script
Clear out the existing lines and add: Clear out the existing lines and add:
~~~ ~~~
@ -211,7 +211,7 @@ Clear out the existing lines and add:
# (in case the vpn tunnel breaks): # (in case the vpn tunnel breaks):
iptables -I FORWARD -o eth0 -j DROP iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP iptables -I FORWARD -i eth0 -j DROP
# Block all outgoing traffic # Block all outgoing traffic
iptables -P OUTPUT DROP iptables -P OUTPUT DROP
iptables -F OUTPUT iptables -F OUTPUT
@ -245,12 +245,12 @@ Clear out the existing lines and add:
#!/bin/bash #!/bin/bash
VPN_CLIENT='openvpn' VPN_CLIENT='openvpn'
VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon' VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
groupadd -rf qvpn ; sleep 2s groupadd -rf qvpn ; sleep 2s
sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS" sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
~~~ ~~~
If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software. If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
Save the script. Save the script.
@ -258,7 +258,7 @@ Save the script.
Make it executable. Make it executable.
sudo chmod +x /rw/config/rc.local` sudo chmod +x /rw/config/rc.local`
6. Restart the new VM! The link should then be established automatically with a popup notification to that effect. 6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
Usage Usage