mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-31 18:26:19 -05:00
Merge branch 'patch-2' of git://github.com/john-david-r-smith/qubes-doc into john-david-r-smith-patch-2
This commit is contained in:
commit
c9891aa909
@ -29,6 +29,7 @@ While the NetworkManager service is not started here (for a good reason), you ca
### ProxyVM
**WARNING:** *You need to use Qubes 3.1-rc2 (or later)! In the previous releases the NetworkManager service was not working in ProxyVMs as expected.* ([#1052](https://github.com/QubesOS/qubes-issues/issues/1052))
One of the best thing in Qubes is that you can use a special type of VM called a ProxyVM (or FirewallVM). The special thing is that your AppVMs see this as a NetVM, and your NetVMs see it as an AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default FirewallVM functions.
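Review bot: the new warning pins the requirement to a release candidate, "Qubes 3.1-rc2 (or later)"; once 3.1 is final, readers on a stable release are left guessing whether they are covered, so state the requirement as the first release that contains the fix for #1052 and keep the rc mention only as a historical note. Two small grammar fixes in the surrounding context while this paragraph is being touched: "One of the best thing in Qubes" should be "One of the best things in Qubes", and "You need to use" reads better as "You must use".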
@ -39,7 +40,9 @@ Using a ProxyVM to set up a VPN client gives you the ability to:
- Separate your VPN credentials from Your AppVM data.
- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.
**To setup a ProxyVM as a VPN gateway you should:**
#### Setup a ProxyVM as a VPN gateway
**Using NetworkManager**
1. Create a new VM and check the ProxyVM radio button.
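Review bot: the added "#### Setup a ProxyVM as a VPN gateway" heading duplicates the bold lead-in directly above it ("**To setup a ProxyVM as a VPN gateway you should:**"); keep one of the two, preferably the heading, because the lead-in no longer introduces a single list now that the section splits into two sub-procedures ("Using NetworkManager" and, further down, "Using iptables and openvpn"). Also "setup" as a verb should be "set up" in both places, and "Your AppVM data" should not capitalize "Your".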
@ -56,3 +59,74 @@ Using a ProxyVM to set up a VPN client gives you the ability to:
![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
5. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN
**Using iptables and openvpn**
You need an openvpn server and a DNS server accessible through the vpn (use one from your vpn provider / a public one).
1. Create a new VM and check the ProxyVM radio button.
![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)
2. Setup openvpn:
Copy your openvpn config file to `/home/user/vpn.cfg`.
It should have one line starting with `dev` and one starting with `proto`.
The first describes the connection type (`tun` or `tap`) and the second the used protocol (`tcp` or `udp`).
Depending on your connection type, openvpn will create a new network device (probably `tap0` or `tun0`).
It also contains a line `remote X.X.X.X 1194`, where `X.X.X.X` is the ip of your openvpn server.
If it does not contain a line `redirect-gateway def1`, add it.
This will route all traffic through your vpn's network device, after a connection was created.
If the connection breaks down all traffic will be routed through the original network device (we will stop this with iptables).
If your vpn config file contains `auth-user-pass`, change it to `auth-user-pass /home/user/auth.txt` and create a file `/home/user/auth.txt` containing the user name in the first line and the password in the second.
This will enable the vpn to login without requiring you to enter your username and password.
If a different authentication method is used, set it up to require no user input.
The vpn should now start by calling `sudo openvpn --config /home/user/vpn.cfg` and require no additional user input.
In the following, we use the following placeholder:
`$DEV` For the device created for the connection.
`$PROT` For the protocol used for connection
`$SVR` For the openvpn server's ip.
`$DNS` For the dns server's ip.
3. Setup iptables:
Edit `/rw/config/qubes-firewall-user-script` and add:
`iptables -P OUTPUT DROP`
This blocks all outgoing traffic, if not specified otherwise.
`iptables -I OUTPUT -o $DEV -j ACCEPT`
This allows the local system to connect through the vpn (you dont need this).
`iptables -I OUTPUT -o eth0 -d $SVR -p $PROT --dport 1194 -j ACCEPT`
This allows your system to connect to the vpn server with the protocol `$PROT` under the port 1194.
`iptables -I OUTPUT -o lo -j ACCEPT`
This allows connections from the system to the system.
`iptables -I FORWARD -o eth0 -j DROP`
`iptables -I FORWARD -i eth0 -j DROP`
This blocks forwarding of connections through your plain network device (in case the vpn tunnel breaks).
`iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to-destination $DNS`
`iptables -t nat -I PR-QBS -p tcp --dport 53 -j DNAT --to-destination $DNS`
This will rewrite the DNS destination, and the traffic will be routed down the vpn tunnel. (to prevent DNS leaks)
Now save `/rw/config/qubes-firewall-user-script` and make it executable:
`sudo chmod +x /rw/config/qubes-firewall-user-script`
4. Setup the vpn's autostart:
Edit to `/rw/config/rc.local`, make it executable (`sudo chmod +x /rw/config/rc.local`) and add:
ln -s /home/user/vpn.cfg /etc/openvpn/vpn.conf;
systemctl --no-block start openvpn@vpn.service;
5. Configure your AppVMs to use the new VM as a NetVM.
![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
6. Optionally, you can install some [custom icons](https://github.com/Zrubi/qubes-artwork-proxy-vpn) for your VPN
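Review bot: the accept rule `iptables -I OUTPUT -o eth0 -d $SVR -p $PROT --dport 1194 -j ACCEPT` hardcodes port 1194, while the config description only says the `remote` line looks like `remote X.X.X.X 1194`; providers often use other ports, so introduce a `$PORT` placeholder next to `$DEV`, `$PROT`, `$SVR` and `$DNS`, and note that a config with several `remote` entries needs one accept rule per server. The same rule assumes the upstream interface is `eth0`; say so explicitly, because under `iptables -P OUTPUT DROP` a different interface name silently prevents the tunnel from ever coming up. Two further points: the rule set only covers IPv4, so an `ip6tables` counterpart (or an explicit note that IPv6 is not handled) is needed to keep the "prevent DNS leaks" promise, and `/home/user/auth.txt` holds the VPN password in plaintext, so the text should tell the reader to restrict it (`chmod 600 /home/user/auth.txt`). Minor wording: "Edit to `/rw/config/rc.local`" should be "Edit `/rw/config/rc.local`", "you dont need this" is ambiguous (say the `-o $DEV` rule is optional and only affects the ProxyVM's own traffic), and "ip" should be "IP".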