mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2025-01-13 16:29:59 -05:00
Andrew David Wong
parent
e59b6c29b1
commit
b41c8bf4ac
@ -20,8 +20,8 @@ Please refer to your guest OS and VPN service documentation when considering the
|
||||
|
||||
The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:
|
||||
|
||||
- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
|
||||
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)
|
||||
- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
|
||||
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)
|
||||
|
||||
### AppVM
|
||||
|
||||
@ -33,26 +33,26 @@ One of the best unique features of Qubes OS is its special type of VM called a P
|
||||
|
||||
Using a ProxyVM to set up a VPN client gives you the ability to:
|
||||
|
||||
- Separate your VPN credentials from your NetVM.
|
||||
- Separate your VPN credentials from your AppVM data.
|
||||
- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
|
||||
- Separate your VPN credentials from your NetVM.
|
||||
- Separate your VPN credentials from your AppVM data.
|
||||
- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
|
||||
|
||||
Set up a ProxyVM as a VPN gateway using NetworkManager
|
||||
------------------------------------------------------
|
||||
|
||||
1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
|
||||
1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Add the `network-manager` service to this new VM.
|
||||
2. Add the `network-manager` service to this new VM.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Set up your VPN as described in the NetworkManager documentation linked above.
|
||||
3. Set up your VPN as described in the NetworkManager documentation linked above.
|
||||
|
||||
4. Configure your AppVMs to use the new VM as a NetVM.
|
||||
4. Configure your AppVMs to use the new VM as a NetVM.
|
||||
|
||||
|
||||
|
||||
|
||||
5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN
|
||||
|
||||
@ -60,206 +60,206 @@ Set up a ProxyVM as a VPN gateway using NetworkManager
|
||||
Set up a ProxyVM as a VPN gateway using iptables and CLI scripts
|
||||
----------------------------------------------------------------
|
||||
|
||||
This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted. It has been tested with Fedora 23 and Debian 8 templates.
|
||||
This method is more involved than the one above, but has anti-leak features that also make the connection _fail closed_ should it be interrupted.
|
||||
It has been tested with Fedora 23 and Debian 8 templates.
|
||||
|
||||
1. Create a new VM, name it, click the ProxyVM radio button, and choose a color and template.
|
||||
|
||||
|
||||
|
||||
|
||||
Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features. If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM... Create a new one according to this step.
|
||||
Note: Do not enable NetworkManager in the ProxyVM, as it can interfere with the scripts' DNS features.
|
||||
If you enabled NetworkManager or used other methods in a previous attempt, do not re-use the old ProxyVM...
|
||||
Create a new one according to this step.
|
||||
|
||||
If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding. Disable any auto-starting service that comes with the software package. For example for OpenVPN.
|
||||
If your choice of TemplateVM doesn't already have the VPN client software, you'll need to install the software in the template before proceeding.
|
||||
Disable any auto-starting service that comes with the software package.
|
||||
For example for OpenVPN.
|
||||
|
||||
sudo systemctl disable openvpn.service
|
||||
|
||||
You may also wish to install `nano` or another simple text editor for entering the scripts below.
|
||||
You may also wish to install `nano` or another simple text editor for entering the scripts below.
|
||||
|
||||
2. Set up and test the VPN client.
|
||||
2. Set up and test the VPN client.
|
||||
Make sure the VPN VM and its TemplateVM is not running.
|
||||
Run a terminal (CLI) in the VPN VM -- this will start the VM.
|
||||
Then create a new `/rw/config/vpn` folder with.
|
||||
|
||||
Make sure the VPN VM and its TemplateVM is not running.
|
||||
sudo mkdir /rw/config/vpn
|
||||
|
||||
Run a terminal (CLI) in the VPN VM -- this will start the VM. Then create a new `/rw/config/vpn` folder with.
|
||||
Copy your VPN config files to `/rw/config/vpn`.
|
||||
Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification.
|
||||
Otherwise you would have to replace the file name.
|
||||
`openvpn-client.ovpn` contents:
|
||||
|
||||
sudo mkdir /rw/config/vpn
|
||||
* Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
|
||||
* Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`.
|
||||
|
||||
Copy your VPN config files to `/rw/config/vpn`. Your VPN config file should be named `openvpn-client.ovpn`) so you can use the scripts below as is without modification. Otherwise you would have to replace the file name. `openvpn-client.ovpn` contents:
|
||||
|
||||
Files accompanying the main config such as `*.crt` and `*.pem` should also go to `/rw/config/vpn` folder.
|
||||
|
||||
Files referenced in `openvpn-client.ovpn` should not use absolute paths such as `/etc/...`.
|
||||
|
||||
The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
|
||||
|
||||
Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
|
||||
The VPN scripts here are intended to work with commonly used `tun` interfaces, whereas `tap` mode is untested.
|
||||
Also, the config should route all traffic through your VPN's interface after a connection is created; For OpenVPN the directive for this is `redirect-gateway def1`.
|
||||
|
||||
sudo nano /rw/config/vpn/openvpn-client.ovpn
|
||||
|
||||
Make sure it already includes or add:
|
||||
Make sure it already includes or add:
|
||||
|
||||
redirect-gateway def1
|
||||
|
||||
The VPN client may not be able to prompt you for credentials when connecting to the server. Create a file in the `/rw/config/vpn` folder with your credentials and using a directive. For example for OpenVPN, add:
|
||||
The VPN client may not be able to prompt you for credentials when connecting to the server.
|
||||
Create a file in the `/rw/config/vpn` folder with your credentials and using a directive.
|
||||
For example for OpenVPN, add:
|
||||
|
||||
auth-user-pass pass.txt
|
||||
auth-user-pass pass.txt
|
||||
|
||||
Save file `/rw/config/vpn/openvpn-client.ovpn`.
|
||||
Save file `/rw/config/vpn/openvpn-client.ovpn`.
|
||||
Make sure a `/rw/config/vpn/pass.txt` file actually exists.
|
||||
|
||||
Make sure a `/rw/config/vpn/pass.txt` file actually exists.
|
||||
sudo nano /rw/config/vpn/pass.txt
|
||||
|
||||
sudo nano /rw/config/vpn/pass.txt
|
||||
Add:
|
||||
|
||||
Add:
|
||||
username
|
||||
password
|
||||
|
||||
username
|
||||
password
|
||||
Replace `username` and `password` with your actual username and password.
|
||||
|
||||
Replace `username` and `password` with your actual username and password.
|
||||
|
||||
__Test your client configuration:__ Run the client from a CLI prompt in the 'vpn' folder, preferably as root. For example:
|
||||
**Test your client configuration:**
|
||||
Run the client from a CLI prompt in the 'vpn' folder, preferably as root.
|
||||
For example:
|
||||
|
||||
sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn
|
||||
|
||||
Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
|
||||
Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with `ping`.
|
||||
|
||||
ping 8.8.8.8
|
||||
|
||||
`ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time.
|
||||
`ping` can be aborted by pressing the two keys `ctrl` + `c` at the same time.
|
||||
DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete).
|
||||
Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
|
||||
Proceed to the next step when you're sure the basic VPN connection is working.
|
||||
|
||||
DNS may be tested at this point by replacing addresses in `/etc/resolv.conf` with ones appropriate for your VPN (although this file will not be used when setup is complete). Diagnose any connection problems using resources such as client documentation and help from your VPN service provider.
|
||||
3. Create the DNS-handling script.
|
||||
|
||||
Proceed to the next step when you're sure the basic VPN connection is working.
|
||||
sudo nano /rw/config/vpn/qubes-vpn-handler.sh
|
||||
|
||||
3. Create the DNS-handling script.
|
||||
Edit and add:
|
||||
|
||||
sudo nano /rw/config/vpn/qubes-vpn-handler.sh
|
||||
~~~
|
||||
#!/bin/bash
|
||||
set -e
|
||||
export PATH="$PATH:/usr/sbin:/sbin"
|
||||
|
||||
case "$1" in
|
||||
|
||||
up)
|
||||
# To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
|
||||
# Format is 'X.X.X.X Y.Y.Y.Y [...]'
|
||||
if [[ -z "$vpn_dns" ]] ; then
|
||||
# Parses DHCP foreign_option_* vars to automatically set DNS address translation:
|
||||
for optionname in ${!foreign_option_*} ; do
|
||||
option="${!optionname}"
|
||||
unset fops; fops=($option)
|
||||
if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
|
||||
done
|
||||
fi
|
||||
|
||||
iptables -t nat -F PR-QBS
|
||||
if [[ -n "$vpn_dns" ]] ; then
|
||||
# Set DNS address translation in firewall:
|
||||
for addr in $vpn_dns; do
|
||||
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
|
||||
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
|
||||
done
|
||||
su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
|
||||
else
|
||||
su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
|
||||
fi
|
||||
|
||||
;;
|
||||
down)
|
||||
su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
|
||||
;;
|
||||
esac
|
||||
~~~
|
||||
|
||||
Edit and add:
|
||||
|
||||
~~~
|
||||
#!/bin/bash
|
||||
set -e
|
||||
export PATH="$PATH:/usr/sbin:/sbin"
|
||||
|
||||
case "$1" in
|
||||
|
||||
up)
|
||||
# To override DHCP DNS, assign DNS addresses to 'vpn_dns' env variable before calling this script;
|
||||
# Format is 'X.X.X.X Y.Y.Y.Y [...]'
|
||||
if [[ -z "$vpn_dns" ]] ; then
|
||||
# Parses DHCP foreign_option_* vars to automatically set DNS address translation:
|
||||
for optionname in ${!foreign_option_*} ; do
|
||||
option="${!optionname}"
|
||||
unset fops; fops=($option)
|
||||
if [ ${fops[1]} == "DNS" ] ; then vpn_dns="$vpn_dns ${fops[2]}" ; fi
|
||||
done
|
||||
fi
|
||||
|
||||
iptables -t nat -F PR-QBS
|
||||
if [[ -n "$vpn_dns" ]] ; then
|
||||
# Set DNS address translation in firewall:
|
||||
for addr in $vpn_dns; do
|
||||
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
|
||||
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
|
||||
done
|
||||
su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
|
||||
else
|
||||
su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
|
||||
fi
|
||||
|
||||
;;
|
||||
down)
|
||||
su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
|
||||
;;
|
||||
esac
|
||||
~~~
|
||||
|
||||
Save the script.
|
||||
|
||||
Make it executable.
|
||||
Save the script.
|
||||
Make it executable.
|
||||
|
||||
sudo chmod +x /rw/config/vpn/qubes-vpn-handler.sh
|
||||
|
||||
4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
|
||||
4. Configure client to use the DNS handling script. Using openvpn as an example, edit the config.
|
||||
|
||||
sudo nano /rw/config/vpn/openvpn-client.ovpn
|
||||
|
||||
Add the following.
|
||||
Add the following.
|
||||
|
||||
~~~
|
||||
script-security 2
|
||||
up 'qubes-vpn-handler.sh up'
|
||||
down 'qubes-vpn-handler.sh down'
|
||||
~~~
|
||||
script-security 2
|
||||
up 'qubes-vpn-handler.sh up'
|
||||
down 'qubes-vpn-handler.sh down'
|
||||
|
||||
Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
|
||||
Remove other instances of lines starting with `script-security`, `up` or `down` should there be any others.
|
||||
Save the script.
|
||||
**Restart the client and test the connection again** ...this time from an AppVM!
|
||||
|
||||
Save the script.
|
||||
|
||||
**Restart the client and test the connection again** ...this time from an AppVM!
|
||||
|
||||
5. Set up iptables anti-leak rules.
|
||||
|
||||
Edit the firewall script.
|
||||
5. Set up iptables anti-leak rules.
|
||||
Edit the firewall script.
|
||||
|
||||
sudo nano /rw/config/qubes-firewall-user-script
|
||||
|
||||
Clear out the existing lines and add:
|
||||
Clear out the existing lines and add:
|
||||
|
||||
~~~
|
||||
#!/bin/bash
|
||||
# Block forwarding of connections through upstream network device
|
||||
# (in case the vpn tunnel breaks):
|
||||
iptables -I FORWARD -o eth0 -j DROP
|
||||
iptables -I FORWARD -i eth0 -j DROP
|
||||
|
||||
# Block all outgoing traffic
|
||||
iptables -P OUTPUT DROP
|
||||
iptables -F OUTPUT
|
||||
iptables -I OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# Add the `qvpn` group to system, if it doesn't already exist
|
||||
if ! grep -q "^qvpn:" /etc/group ; then
|
||||
~~~
|
||||
#!/bin/bash
|
||||
# Block forwarding of connections through upstream network device
|
||||
# (in case the vpn tunnel breaks):
|
||||
iptables -I FORWARD -o eth0 -j DROP
|
||||
iptables -I FORWARD -i eth0 -j DROP
|
||||
|
||||
# Block all outgoing traffic
|
||||
iptables -P OUTPUT DROP
|
||||
iptables -F OUTPUT
|
||||
iptables -I OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# Add the `qvpn` group to system, if it doesn't already exist
|
||||
if ! grep -q "^qvpn:" /etc/group ; then
|
||||
groupadd -rf qvpn
|
||||
sync
|
||||
fi
|
||||
sleep 2s
|
||||
fi
|
||||
sleep 2s
|
||||
|
||||
# Allow traffic from the `qvpn` group to the uplink interface (eth0);
|
||||
# Our VPN client will run with group `qvpn`.
|
||||
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
|
||||
~~~
|
||||
|
||||
# Allow traffic from the `qvpn` group to the uplink interface (eth0);
|
||||
# Our VPN client will run with group `qvpn`.
|
||||
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
|
||||
~~~
|
||||
|
||||
Save the script.
|
||||
|
||||
Make it executable.
|
||||
Save the script.
|
||||
Make it executable.
|
||||
|
||||
sudo chmod +x /rw/config/qubes-firewall-user-script
|
||||
|
||||
5. Set up the VPN's autostart.
|
||||
5. Set up the VPN's autostart.
|
||||
|
||||
sudo nano /rw/config/rc.local
|
||||
|
||||
Clear out the existing lines and add:
|
||||
Clear out the existing lines and add:
|
||||
|
||||
~~~
|
||||
#!/bin/bash
|
||||
VPN_CLIENT='openvpn'
|
||||
VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
|
||||
~~~
|
||||
#!/bin/bash
|
||||
VPN_CLIENT='openvpn'
|
||||
VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
|
||||
|
||||
su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
|
||||
groupadd -rf qvpn ; sleep 2s
|
||||
sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
|
||||
~~~
|
||||
|
||||
su - -c 'notify-send "$(hostname): Starting $VPN_CLIENT..." --icon=network-idle' user
|
||||
groupadd -rf qvpn ; sleep 2s
|
||||
sg qvpn -c "$VPN_CLIENT $VPN_OPTIONS"
|
||||
~~~
|
||||
|
||||
If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
|
||||
|
||||
Save the script.
|
||||
|
||||
Make it executable.
|
||||
If you are using anything other than OpenVPN, change the `VPN_CLIENT` and `VPN_OPTIONS` variables to match your VPN software.
|
||||
Save the script.
|
||||
Make it executable.
|
||||
|
||||
sudo chmod +x /rw/config/rc.local`
|
||||
|
||||
6. Restart the new VM! The link should then be established automatically with a popup notification to that effect.
|
||||
6. Restart the new VM!
|
||||
The link should then be established automatically with a popup notification to that effect.
|
||||
|
||||
|
||||
Usage
|
||||
-----
|
||||
@ -268,14 +268,13 @@ Configure your AppVMs to use the VPN VM as a NetVM...
|
||||
|
||||
|
||||
|
||||
|
||||
If you want to be able to use the [Qubes firewall](/doc/firewall), create a new FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
|
||||
Then, configure AppVMs to use your new FirewallVM as their NetVM.
|
||||
|
||||
If you want to update your TemplateVMs through the VPN, enable the `qubes-updates-proxy` service in your new FirewallVM.
|
||||
You can do this in the Services tab in Qubes VM Manager or on the command-line:
|
||||
|
||||
$ qvm-service -e <name> qubes-updates-proxy
|
||||
qvm-service -e <name> qubes-updates-proxy
|
||||
|
||||
Then, configure your templates to use your new FirewallVM as their NetVM.
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user