VPN-Firewall currently does not support Qubes. Making that work would
require development work.
Qubes doesn’t need VPN-Firewall. Qubes has its own solution to that
issue. It may be in the Qubes documentation or on the Qubes mailing
list. Please refer to Qubes support for that.
I am using the VPN-Firewall contained in whonix_firewall in my Whonix-Gateway ProxyVM. Just to clarify, this usage is supported, right? When you say unsupported, does that mean using the VPN-Firewall GitHub script in a non-Whonix Qubes VM?
I decided to put VPN in Whonix-Gateway and not a separate ProxyVM for just this reason. I’ve seen the thread in the qubes-users mailing list and it is too long / convoluted / unknown quality to invest my time.
I also had the idea to set it up like this, but if your Whonix-Gateway ever got compromised, the attacker could just drop the VPN and see your real IP? I guess…
In all ways it is better to set up the VPN in a standalone ProxyVM between sys-net and whonix-gateway.
And use this instance as VPN+Firewall.
Today is the 3rd day I have been messing around, with 0 success, because I have no iptables knowledge.
Tried some attempts like rerouting or forwarding packets using this
Conclusion
First I implemented Adrelanos’ Firewall as a standalone Debian 8 ProxyVM (within this instance all is working; the only thing is that it is not redirecting traffic to any AppVM).
Then Patrick says it is currently unsupported in Qubes. Could you please modify it then?
The next thing I tried is to use the Qubes built-in firewall and edit firewall rules in its own “Firewall rules” tab. The problem here is that if I use in the Firewall ProxyVM:
Deny network access except = the IP of my VPN, it then does not allow access to the internet; however, ping between AppVMs is working.
Next I tried something with rerouting iptables packets, but here I am not yet sure what I am doing, so I would rather take advice from someone experienced.
I agree that it’s certainly not worse (Well, except for the hassle of configuring and maintaining another VM). Whether it’s “better” or not is debatable. I know that it’s not your intent to debate the merits of using a VPN but just some food for thought…
Assuming there was no user error and that your Gateway was compromised by a fairly skilled adversary, it wouldn’t be that difficult to link your physical IP to your revealed VPN IP. Even if your VPN doesn’t keep logs, its ISP certainly does. Remember they now control your Gateway - correlating traffic becomes trivial.
Once you become the target, you’ve lost half the battle. Using a VPN to hide Tor usage may help you from becoming targeted in the first place but whether it will protect you once you’re the target, maybe not so much…
In any case, if you wish to pursue VPN in standalone proxyVM, here’s the thread Patrick was referring to:
Alright, I will do some additional testing with iptables from the thread above.
Also found that the Debian repository includes ufw,
which is an easily configurable firewall. It might also be a solution.
Oh, it’s dangerous then. I am gonna fix it; I am a little confused how I should do that. Let’s clear this out.
create user ‘tunnel’
Question: Should I copy-paste this script to root? By debian you mean root, right?
/debian/whonix-gw-firewall.postinst
I am gonna use this in Qubes, in a VM where openvpn is also gonna run.
Should I also do something else “non-documented” other than simply copy-pasting your code into system folders? Except using my brain when implementing… I strive, though.
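The two things the thread circles around, a ProxyVM firewall that lets traffic out only through the VPN (the failed “deny except VPN IP” attempts above) and running the VPN client as a dedicated unprivileged user (the ‘tunnel’ user the postinst step creates), fit together in one fail-closed iptables ruleset. The script below is an added example, not code from this thread, from VPN-Firewall or from the whonix-gw-firewall package; the interface names (eth0 as uplink, tun0 as tunnel, vif+ for downstream VMs), the VPN endpoint 203.0.113.10:1194/udp and the user name ‘tunnel’ are assumed values. It generates the ruleset rather than applying it, and includes a check that the result is fail-closed:

```shell
#!/bin/sh
# Added example (not from the thread or the whonix-gw-firewall package):
# a fail-closed ruleset for a VPN ProxyVM sitting between sys-net and
# whonix-gateway. Assumed values: uplink eth0, tunnel tun0, VPN endpoint
# 203.0.113.10:1194/udp (documentation address), downstream VMs attached on
# vif+ interfaces, and openvpn running as the unprivileged user "tunnel".

gen_vpn_firewall_rules() {
    vpn_ip="$1"
    vpn_port="${2:-1194}"
    uplink="${3:-eth0}"
    tun="${4:-tun0}"
    vpn_user="${5:-tunnel}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only the VPN client's own user may reach the uplink, and only the VPN endpoint
-A OUTPUT -o $uplink -d $vpn_ip -p udp --dport $vpn_port -m owner --uid-owner $vpn_user -j ACCEPT
# everything else this VM originates must go through the tunnel
-A OUTPUT -o $tun -j ACCEPT
# downstream VMs: replies come back, new flows only into the tunnel, never to the uplink
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i vif+ -o $uplink -j DROP
-A FORWARD -i vif+ -o $tun -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $tun -j MASQUERADE
COMMIT
EOF
}

# Sanity check on a generated ruleset: every chain policy is DROP and every
# OUTPUT rule that touches the uplink is pinned to the VPN endpoint.
# Returns 0 when the ruleset is fail-closed, 1 otherwise.
check_fail_closed() {
    rules="$1"
    vpn_ip="$2"
    uplink="${3:-eth0}"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" || return 1
    done
    # an uplink OUTPUT rule without "-d <vpn_ip>" would be a leak path
    printf '%s\n' "$rules" | grep -- "^-A OUTPUT -o $uplink" | grep -qv -- "-d $vpn_ip " && return 1
    return 0
}

# Usage (as root inside the ProxyVM; not executed here):
#   gen_vpn_firewall_rules 203.0.113.10 | iptables-restore
```

Two design points worth noting. The `owner` match only applies to packets the VM itself generates, which is why the ‘tunnel’ user restriction sits on OUTPUT; forwarded traffic from downstream VMs is instead forced onto tun0 by the FORWARD rules, so a dropped tunnel leaves them with no route out rather than a fallback to eth0. And because nothing but the VPN handshake may leave via eth0, the VPN endpoint has to be given as an IP address (as here) rather than a hostname, since DNS is not reachable before the tunnel is up.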