Adrenalos Vpnfirewall Working but not routing traffic to AppVM.

jessewidget85 · December 30, 2015, 1:05am

Hi there,I am successfully running

NetVM > ProxyVM(VPN-Standalone Debian 8)

At ProxyVM I am also running this VPN firewall

exact same installation as usually and how is documented.
Always worked at Ubuntu fine, Now I am trying saddle Qubes, Having difficulties thought.

Guys can you advise me,what to modify in orginal "adrenalos firewall in order be able route traffic from ProxyVM - To others AppVM ?

My point is avoid leaks and have dns protection of my IP.
adrelanos/vpn-firewall always worked for this fine.

jessewidget85 · December 30, 2015, 1:46am

Also worth to mention,

Both I am running at startup, OpenVPN and Vpnfirewall as well,
If I disable firewall using this way

#!/bin/bash
set -x
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

than nothing has changed, still no connection go through,

In this ProxyVm is installed nothing else than strictly Vpnfirewall + OpenVpn

Did some research but haven’t found any well documented method of installation Great Bulletproof Firewall from which i would be wise.

Every Hint for me now,is appreciated ,and think will be useful also for others who have or will have same concern with setting up this.

Patrick · December 30, 2015, 4:35pm

VPN-Firewall currently does not support Qubes. Making that work would
require development work.

Qubes doesn’t need VPN-Firewall. Qubes has it’s own solution to that
issue. It may be in the Qubes documentation or on the Qubes mailing
list. Please refer to the Qubes support for that.

entr0py · December 30, 2015, 7:53pm

I am using the VPN-Firewall contained in whonix_firewall in my Whonix-Gateway ProxyVM. Just to clarify, this usage is supported, right? When you mean unsupported, that means using the VPN-Firewall Github script in a non-Whonix Qubes VM?

I decided to put VPN in Whonix-Gateway and not a separate ProxyVM for just this reason. I’ve seen the thread in the qubes-users mailing list and it is too long / convoluted / unknown quality to invest my time.

Patrick · December 30, 2015, 10:58pm

Standalone VPN-Firewall from github is unsupported in Qubes.

Whonix-Gateway’s VPN_FIREWALL feature works in Qubes as well as in
Non-Qubes-Whonix.

jessewidget85 · December 31, 2015, 5:40pm

I got also idea set it like this,but if ever your Whonix-Gateway would get compromised, the attacker could just drop the VPN and see your real IP ? I guess…

In all ways better setup VPN at standalone (Proxy VM) between sys-net and whonix-gateway.

And use this instance as VPN+Firewall.

Today it is 3th day I am messing around. With 0 success, because no iptables knowledge.

Tried some attempts like rerouting or forwarding packets using this

Conclusion

First I implemented Adrenalos Firewall as standalone ProxyVM debian 8 (Within this Instance All is working. The only thing is that it is not redirecting traffic to any APPVM,

Than Patrick says it is currently unsupported in qubes, Could you please modify it than ?

Next thing I tried is use Qubes build-in firewall and Edit Firewall rules in it’s own “Firewall rules” tab the problem here is that if I use in Firewall ProxyVM:

Deny network access except = and IP of my VPN, it than do not allow, access to the internet, however ping in between APPVM is working.

Next I tried something with rerouting iptable packets but here I am not sure much yet what i am doing so I would rather take advice from someone experienced.

Patrick · January 1, 2016, 5:14pm

Right.

No. This is what unsupported means:
https://www.whonix.org/wiki/FAQ#What_do_you_mean_by_unsupported.3F

entr0py · January 1, 2016, 7:34pm

I agree that it’s certainly not worse (Well, except for the hassle of configuring and maintaining another VM). Whether it’s “better” or not is debatable. I know that it’s not your intent to debate the merits of using a VPN but just some food for thought…

Assuming there was no user error and that your Gateway was compromised by a fairly skilled adversary, it wouldn’t be that difficult to link your physical IP to your revealed VPN IP. Even if your VPN doesn’t keep logs, it’s ISP certainly does. Remember they now control your Gateway - correlating traffic becomes trivial.

Once you become the target, you’ve lost half the battle. Using a VPN to hide Tor usage may help you from becoming targeted in the first place but whether it will protect you once you’re the target, maybe not so much…

In any case, if you wish to pursue VPN in standalone proxyVM, here’s the thread Patrick was referring to:

https://groups.google.com/d/msg/qubes-users/-9gR1Va3BnY/n02NJI3dRocJ

Good luck!

jessewidget85 · January 2, 2016, 6:49pm

Alright I will do some additional testings with iptables from thread above.
Also found Debian repository includes ufw
Which is easily configurable firewall. It might be also solution.

Thank you.

Patrick · January 2, 2016, 7:13pm

I don’t think so. It’s a very difficult to solve issue. See this one:
https://phabricator.whonix.org/T460

jessewidget85 · January 9, 2016, 3:40am

Oh it’s dangerous than, I am gonna fix it, I little confused how should I do that.Let’s clear this out.

create user ‘tunnel’

Question:Should I copy paste this script to root ? By debian you mean root right ?

/debian/whonix-gw-firewall.postinst

I am gonna use this at qubes. In VM where also openvpn is gonna run.

Should I do also something else “non documented” than simply copy paste your code in to system folders ? Except use my brain when implementing … I strive, though.

Patrick · January 9, 2016, 3:04pm

It’s not so trivial to fix. Explaining it takes longer than actually
fixing it.