Continuing the discussion from Whonix-13-Workstation VPN-Firewall:
Working on Qubes!
Test Setup
VM Name: sys-vpn
VM Type: ProxyVM
Template: fedora-23-minimal
NetVM: Whonix 12 Gateway
AppVM: Whonix 13 Workstation DispVM
Fail-closed works!
sudo openvpn fails! (as it should)
SocksPorts traffic fails (obviously)
Just to confirm my understanding: the point of using user ‘tunnel’ is if attacker compromises openvpn process, he won’t gain root privileges but be limited to acting as ‘tunnel’, who does not have passwordless-root.
- ‘tunnel’ can change routes but can not alter whonix_firewall, meaning no traffic will bypass the tunnel (nor Tor - by Whonix design). However, tunnel can make connections through the vpn to the outside, as can any successful attacker.
- ‘tunnel’ should not have write access to openvpn.conf; otherwise, he can connect to a different vpn server, effectively bypassing the intended tunnel.
- ‘tunnel’ is not a member of group ‘user’ but will have read & execute access to most files in /home/user/ given Whonix default permissions. Would it break anything to chmod -R 750/751 /home/user?
Sorry, wasn’t able to check much of the documentation or the build since I didn’t have a Debian handy. On the bright side, I’ve got some notes on how to port to Fedora. 
Assuming manual (non-systemd) openvpn launch:
IN PROXYVM:
## CONFIGURE USER TUNNEL
adduser tunnel
chown -R tunnel:tunnel /var/run/openvpn
## To use openvpn conf dns script
chown tunnel:tunnel /etc/resolv.conf
touch /etc/resolv.conf.qubes
chown tunnel:tunnel /etc/resolv.conf.qubes
## PERSISTENT IPTABLES
(https://fedoraproject.org/wiki/FirewallD#Using_static_firewall_rules_with_the_iptables_and_ip6tables_services)
(https://docs.fedoraproject.org/en-US/Fedora/11/html/Security_Guide/sect-Security_Guide-IPTables-Saving_IPTables_Rules.html)
dnf install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
## VPN-FIREWALL INSTALL
clone repository
cp /etc/vpn-firewall.d (add Qubes LOCAL_NET)
cp /etc/sudoers.d/tunnel-unpriv (change to /sbin/ip)
cp /usr/bin/ip-unpriv (change to /sbin/ip)
"anondist-ify" /usr/lib/qubes/qubes-setup-dnat-ns
cp lib/systemd/system/qubes-iptables.service.d/40_vpn-firewall.conf (customize)
cp lib/systemd/system/qubes-firewall.service.d/40_vpn-firewall.conf (customize)
systemctl daemon-reload
edit vpn-firewall (add forward rules)
sh ./vpn-firewall start
/sbin/service iptables save (will restore rules on reboot)
IN APPVM:
edit /etc/resolv.conf to vpn's nameserver
(which is on proxyvm resolv.conf - just need to query that somehow)
no other changes (qvmm firewall is disabled)
Minor note (that cost me some hair):
Whonix TUNNEL_FIREWALL uses ip_unpriv (underscore)
Standalone VPN-FIREWALL uses ip-unpriv (hyphen)
And a reminder:
Signed git tags and commits available. TODO: document how to verify, use some wiki template
Current signing key is expired. Probably can reuse documentation from Build Documentation: Physical Isolation
!PS: Just saw your post to qubes-users but I’m gonna post this anyway cause I started this many hours ago and I want to take my victory lap. Never knew what iptables was before I started using Whonix and never tried Fedora before using Qubes so I’ll grin for a bit before I go read your updates and see everything I did wrong!