`nm-online` doesn't seem reliable and many times it didn't work, and
piping it to `systemd-cat` would log a small binary blob. The new method
has worked for me 100% of the time.
Also fixing a weirdly indented comment in the bash script.
* Scripts and text mention openvpn only in the context of examples.
* Firewall commands slightly tweaked: Important blocking rules moved to top. Removed superfluous check for qvpn OUTPUT rule.
* Clarifications, especially mentioning that NM shouldn't be enabled for iptables/scripts option (this was causing DNS to fail for people who tried both NM and scripts).
* Tells the user when and what they should test (iptables/scripts).
* Change script order to enable testing flow.
* Added Usage and Troubleshooting sections.
https://github.com/QubesOS/qubes-issues/issues/2317
This requires the user only to add a few lines to their ovpn config file, and copy a few scripts (verbatim). They do not have to figure out which IP addresses are appropriate and hard-code them--unless their VPN service is bereft of domain names. Even in that case, they can do it easily within the ovpn config file. This is much less error-prone and should work with a greater variety of services (large commercial services tend to change their IPs so using domain names and DHCP is preferable in that case).
Also converted firewall section (3) to one code block for much less cutting/pasting. Comments are still there as shell comments.
The only required template changes are adding openvpn itself and possibly disabling the default systemd service for it. Everything else should be there in /rw/config.
This doesn't include extra firewall protections against inadvertent net access from within the VPN VM. I'm thinking of proposing those additions in a separate edit.
* Logically organize the Whonix-related pages
* Move the VPN page to /configuration/
  * VPNs are used for more than just privacy, and many VPN setups and
    services either can't or don't claim to provide privacy.
* Remove `/privacy/` from URLs
  * These directory names are just for organizing the source pages,
    *unless* an actual page resides there. Since there is no
    /doc/privacy/ page, it's unnecessary and misleading to have this in
    the URLs. It also breaks uniformity, since none of the other pages
    have their informal group name in their URL (again, unless there's
    a page with that name).