qubes-doc/VPN.md
2015-07-23 13:19:16 +02:00

2.7 KiB

layout title permalink redirect_from
doc VPN /doc/VPN/ /wiki/VPN/

How To make a VPN Gateway in Qubes

The simplest case if you set up a VPN connection using the Network Manager inside one of your VMs. Setting up such a connection is really not Qubes specific and it is documented in Your operating system documentation. If you using the Qubes default Guest OS (Fedora): Establishing a VPN Connection

The Qubes specific part is to choose the right VM for the VPN client:

NetVM

The simplest case is to set up a VPN connection using the Network Manager inside your NetVM. Because the NetworkManager already started you are ready to set up your VPN connection. However this has some disadvantages:

  • You have to place (and probably save) Your VPN credentials inside the NetVM which is directly connected to the outside world
  • All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

AppVM

While the Network Manager is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well, however it is only suggested if you have to use a special VPN client.

ProxyVM

WARNING: Currently the NetworkManager is not working in ProxyVMs as expected. Actually it will mess up the routing table and because of that your packets may not be routed to the VPN tunnel. - This surely occurs if your VPN wants to be the default gateway.

One of the best thing in Qubes that you can use a special type of VMs called ProxyVM (or FirewallVM). The special thing is that your AppVMs see this as a NetVM, and the NetVMs see it as an AppVM. Because of that You can place a ProxyVM between your AppVMs and Your NetVM. This is how the default firewall VM is working.

Using a ProxyVM to set up a VPN client gives you the ability to:

  • Separate your VPN credentials from Your AppVM data.
  • Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.

To setup a ProxyVM as a VPN gateway you should:

  1. check (rpm -q qubes-core-vm) if you have the package qubes-core-vm version 2.1.36 (or later)
  2. create a new VM and check the ProxyVM radio button

Create\_New\_VM.png

  1. add the network-manager service to this new VM

Settings-services.png

  1. set up Your VPN as described in the Network Manager documentation linked above.

  2. connect your AppVMs to use the new VM as a NetVM.

[Settings-NetVM.png